Fatal编程技术网
  • java/
  • SSL/TLS连接重置-如何强制Java客户端使用SNI?

SSL/TLS连接重置-如何强制Java客户端使用SNI?

java tomcat ssl

SSL/TLS连接重置-如何强制Java客户端使用SNI?,java,tomcat,ssl,sni,Java,Tomcat,Ssl,Sni,我有两个:一个STS服务器和一个本地主机上的SpringWeb应用程序。它成功了。我已经测试了OAuth2授权代码授权流-完全正常 我将STS移到了另一台机器上,web应用程序在获取访问令牌(完整跟踪)时出现了问题(从STS重定向后停止/出错;刚开始从以下位置获取令牌:https://sts-machine/authz/oauth2-resource/oauth/tokenendpoint;在访问url时停止:https://localwebapp:7443/swd/webLogin?code=

我有两个:一个STS服务器和一个本地主机上的SpringWeb应用程序。它成功了。我已经测试了OAuth2授权代码授权流-完全正常

我将STS移到了另一台机器上,web应用程序在获取访问令牌(完整跟踪)时出现了问题(从STS重定向后停止/出错;刚开始从以下位置获取令牌:
https://sts-machine/authz/oauth2-resource/oauth/token
endpoint;在访问url时停止:
https://localwebapp:7443/swd/webLogin?code=306b88903d394f0b8145b2e8035fd306&state=PtTrt8
):

因此,当webapp尝试从以下位置交换访问令牌中的“代码”时,会重置连接:
https://sts-machine/authz/oauth2-resource/oauth/token

有趣的事实:手动发出请求效果很好!(手动交换访问令牌的代码)使用Chrome应用程序“高级Rest客户端应用程序”和“Fiddler”请求生成器进行测试

我使用wiresharks嗅探了这两台机器。两台机器上的结果相同-屏幕截图:(其中:10.1.0.121是localwebapp机器,10.1.0.80是sts机器)

为什么要重置连接?

有关配置的详细信息:

localwebapp:运行在tc Pivotal服务器(类似Tomcat)上,Win 8.1

sts机器:Thinktecture授权服务器是否位于IIS上,Win Server 2012

更新1 我发现: 
openssl s_客户端-连接sts计算机:443
不工作,但: 
openssl s_客户端-连接sts机器:443-servername sts机器
可以工作!这表明Java客户端上存在问题。试图解决设置系统属性的问题:
jsse.enableSNIExtension
true
,但没有任何成功…如何强制JVM使用SNI?您可以指定哪一个您正在使用的ch Spring版本? 我们今天与SNI漏洞进行了斗争,解决方案是: *升级到commons/httpclient 4.3.2+(我们使用4.3.5)
*重要提示!将DefaultHttpClient替换为HttpClientBuilder,因为DefaultHttpClient仍然随httpclient 4.3.x提供,但不支持SNI。我遇到了相同的问题,也有一个旧版本的httpclient。我将Java从1.8.0_92升级到1.8.0_241,问题得到了解决。

当我将地址更改为不带SSL的地址时(HTTP而非HTTPS):
http://sts-machine/authz/oauth2-resource/oauth/token
一切正常。因此我假设SSL/TLS层存在问题。我试图通过设置JAVA_OPTS=-Dhttps.protocols=“TLSv1,TLSv1.1,TLSv1.2”-Djdk.TLS.client.protocols=“TLSv1,TLSv1.1,TLSv1.2”来强制Tomcat至少使用TLSv1在server.xml SSL连接器中,我设置了sslEnabledProtocols=“TLSv1,TLSv1.1,TLSv1.2”。但https连接仍出现错误500…知道吗?SNI仅从Java 7提供,您正在运行该版本吗?您应该启用JSSE调试输出。刚刚与jinfo进行了检查:
Java.runtime.version=1.7.0_60-b19
因此默认情况下应启用SNI。我使用
-Djavax.net.debug=SSL、握手、信任管理器
optio运行服务器n、 这导致了。我还使用了简单控制台,jre7和jre8也有同样的问题。当我在我的代理(nginx)中强制TLS时,我也有同样的问题。启用SSL调试时,或多或少都是相同的stacktrace。您发现了更多信息吗?不幸的是,这对我来说仍然是一个未解决的问题。我没有找到合适的解决方案。因为在IIS上,我只有一个网站,所以我在服务器端禁用了SNI选项,所以JVM(“客户端”)不使用它。 
SEVERE: Servlet.service() for servlet [swdServlet] in context with path [/swd] threw exception
error="access_denied", error_description="Error requesting access token."
    at org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport.retrieveToken(OAuth2AccessTokenSupport.java:144)
    at org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider.obtainAccessToken(AuthorizationCodeAccessTokenProvider.java:198)
    at org.springframework.security.oauth2.client.token.AccessTokenProviderChain.obtainNewAccessTokenInternal(AccessTokenProviderChain.java:142)
    at org.springframework.security.oauth2.client.token.AccessTokenProviderChain.obtainAccessToken(AccessTokenProviderChain.java:118)
    at org.springframework.security.oauth2.client.OAuth2RestTemplate.acquireAccessToken(OAuth2RestTemplate.java:221)
    at org.springframework.security.oauth2.client.OAuth2RestTemplate.getAccessToken(OAuth2RestTemplate.java:173)
    at org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter.attemptAuthentication(OAuth2ClientAuthenticationProcessingFilter.java:90)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter.doFilter(OAuth2ClientContextFilter.java:57)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:108)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:136)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:526)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:655)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:146)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:279)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://sts-machine/authz/oauth2-resource/oauth/token":Connection reset; nested exception is java.net.SocketException: Connection reset
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:557)
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:510)
    at org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport.retrieveToken(OAuth2AccessTokenSupport.java:136)
    ... 47 more
Caused by: java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(SocketInputStream.java:196)
    at java.net.SocketInputStream.read(SocketInputStream.java:122)
    at sun.security.ssl.InputRecord.readFully(InputRecord.java:442)
    at sun.security.ssl.InputRecord.read(InputRecord.java:480)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
    at org.springframework.http.client.SimpleBufferingClientHttpRequest.executeInternal(SimpleBufferingClientHttpRequest.java:78)
    at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:46)
    at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:52)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:541)
    ... 49 more