OkHttp Upgrading from 2.5 to 2.6 breaks HTTPS tests
I am working on updating the OkHttp version used by Apache NiFi from 2.5 to 2.6. When I do so, all HTTPS tests fail with the following exception:
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
The test uses a wrapper around a Jetty server as the host it connects to. The truststore and keystore are the same for the host and the client. For some reason, the change from 2.5 to 2.6 causes the server to close the connection early.
The only thing I am changing is the OkHttp version in Maven from 2.5 to 2.6. The test class is here (the implementation is in TestInvokeHttpCommon):
https://github.com/apache/nifi/blob/8c2323dc8d0e107f1a99898370c7515fa9603122/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestInvokeHttpSSL.java
The problem was indeed that a specific cipher suite, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, was retired in the new version of OkHttp. To work around it, a custom ConnectionSpec instance can be provided in code, as @JesseWilson suggested.
import com.squareup.okhttp.ConnectionSpec;
import java.util.Arrays;
// Workaround: add the retired DSS suite back on top of COMPATIBLE_TLS
ConnectionSpec.Builder obsoleteSpecBuilder = new ConnectionSpec.Builder(ConnectionSpec.COMPATIBLE_TLS);
obsoleteSpecBuilder = obsoleteSpecBuilder.cipherSuites("TLS_DHE_DSS_WITH_AES_128_CBC_SHA");
ConnectionSpec obsoleteSpec = obsoleteSpecBuilder.build();
okHttpClient.setConnectionSpecs(Arrays.asList(obsoleteSpec));
However, the root problem is that the keystore and truststore used by Jetty did not contain any valid RSA or DSA key (there was a DSA key, but it had expired 2 years ago; apparently the date check was not activated in the tests with the previous version). Without such keys, Jetty cannot offer any RSA/DSA-dependent cipher suite, so once the TLS_*DSS* cipher suites were removed, the client had no compatible cipher suite left.
Adding an RSA key to the keystore and truststore solved the problem without relying on an obsolete cipher suite.
hw12203:...src/test/resources alopresto
10s @ 12:43:08 $ keytool -genkey -keyalg RSA -alias localhost -keystore localhost-ks.jks -validity 360 -keysize 2048
Enter keystore password:
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]: Apache NiFi
What is the name of your organization?
[Unknown]: Apache
What is the name of your City or Locality?
[Unknown]: Santa Monica
What is the name of your State or Province?
[Unknown]: CA
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=localhost, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US correct?
[no]: yes
Enter key password for <localhost>
(RETURN if same as keystore password):
hw12203:...src/test/resources alopresto
23s @ 12:46:09 $ keytool -exportcert -alias localhost -file localhost.der -keystore localhost-ks.jks
Enter keystore password:
Certificate stored in file <localhost.der>
hw12203:...src/test/resources alopresto
2s @ 12:46:34 $ keytool -import -alias localhost -file localhost.der -keystore localhost-ts.jks
Enter keystore password:
Owner: CN=localhost, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US
Issuer: CN=localhost, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US
Serial number: 6f3e5921
Valid from: Tue Jan 05 12:46:04 PST 2016 until: Fri Dec 30 12:46:04 PST 2016
Certificate fingerprints:
MD5: 9F:CE:78:6D:18:0B:CF:7D:57:50:02:10:BA:98:27:62
SHA1: FA:70:D1:5C:BE:90:D3:CA:A0:3D:5E:67:62:D1:25:F6:31:2E:59:31
SHA256: A8:09:89:7C:19:6E:05:5B:CB:04:09:2C:30:5B:35:85:23:0F:C6:8A:12:00:4C:9F:39:5E:40:43:86:3E:FB:09
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AB 88 BA FA F7 F5 AE 22 69 E4 B6 89 3D FB B0 61 ......."i...=..a
0010: 30 95 A3 27 0..'
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
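The diagnosis above (a keystore whose only private key had expired, leaving the server nothing to offer for RSA/DSA suites) is easy to miss with keytool alone. The following is an added example, not NiFi, Jetty or OkHttp code, that loads a JKS keystore with the standard java.security.KeyStore API, lists every private-key entry with its key algorithm and certificate validity window, and reports whether at least one unexpired RSA or DSA key is present. The file name localhost-ks.jks, the default password and the command-line arguments are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;

/**
 * Added example: audits the private-key entries of a JKS keystore so that an
 * expired or missing RSA/DSA key is visible before TLS handshakes start failing.
 */
public class KeystoreKeyAudit {

    /** One private-key entry summarized for reporting. */
    public static final class KeyEntry {
        public final String alias;
        public final String algorithm;
        public final Date notBefore;
        public final Date notAfter;
        public final boolean valid;

        KeyEntry(String alias, String algorithm, Date notBefore, Date notAfter, boolean valid) {
            this.alias = alias;
            this.algorithm = algorithm;
            this.notBefore = notBefore;
            this.notAfter = notAfter;
            this.valid = valid;
        }
    }

    /** Collects every private-key entry whose leaf certificate is X.509, evaluated at {@code now}. */
    public static List<KeyEntry> audit(KeyStore ks, Date now) throws Exception {
        List<KeyEntry> entries = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // Trusted-certificate entries carry no private key and cannot back a server handshake
            if (!ks.isKeyEntry(alias)) {
                continue;
            }
            Certificate cert = ks.getCertificate(alias); // first certificate of the chain, or null
            if (!(cert instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x509 = (X509Certificate) cert;
            String algorithm = x509.getPublicKey().getAlgorithm(); // e.g. "RSA", "DSA", "EC"
            boolean valid = !now.before(x509.getNotBefore()) && !now.after(x509.getNotAfter());
            entries.add(new KeyEntry(alias, algorithm, x509.getNotBefore(), x509.getNotAfter(), valid));
        }
        return entries;
    }

    /** True when at least one unexpired RSA or DSA key exists, i.e. the server can offer RSA/DSA suites. */
    public static boolean hasUsableServerKey(List<KeyEntry> entries) {
        for (KeyEntry e : entries) {
            if (e.valid && ("RSA".equals(e.algorithm) || "DSA".equals(e.algorithm))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "localhost-ks.jks";               // assumed path
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();  // assumed password
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        List<KeyEntry> entries = audit(ks, new Date());
        for (KeyEntry e : entries) {
            System.out.printf("%-12s %-4s %s .. %s  %s%n", e.alias, e.algorithm,
                    e.notBefore, e.notAfter, e.valid ? "OK" : "EXPIRED OR NOT YET VALID");
        }
        if (!hasUsableServerKey(entries)) {
            System.out.println("No valid RSA/DSA private key: the server cannot offer any RSA/DSA cipher suite.");
        }
    }
}
```

Run it as `java KeystoreKeyAudit localhost-ks.jks <password>` against the test keystore; a keystore in the state the answer describes prints its single DSA entry marked expired and the final warning, while the keystore produced by the keytool session above lists a valid RSA entry for the localhost alias. The validity check uses the certificate dates only, which is the same check the JSSE applies when it decides which key can back a cipher suite.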