嵌入式 Jetty 9 中基于 SSL 的 WebSocket
WebSocket over SSL in embedded Jetty 9
对于这个问题,我准备了一个测试项目 WssEmbedded,它在 localhost:8080
和 localhost:8443
.
监听传入的 WebSocket 连接
在 MyHandler class 中,我为此创建了 2 个连接器:
public class MyHandler extends WebSocketHandler {
@Override
public void configure(WebSocketServletFactory factory) {
factory.register(MyListener.class);
}
public static void main(String[] args) throws Exception {
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath("keystore.jks");
sslContextFactory.setKeyStorePassword("OBF:1l1a1s3g1yf41xtv20731xtn1yf21s3m1kxs");
Server server = new Server();
server.setHandler(new MyHandler());
ServerConnector wsConnector = new ServerConnector(server);
wsConnector.setHost("127.0.0.1");
wsConnector.setPort(8080);
server.addConnector(wsConnector);
ServerConnector wssConnector = new ServerConnector(server,
new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()));
wssConnector.setHost("127.0.0.1");
wssConnector.setPort(8443);
server.addConnector(wssConnector);
server.start();
server.join();
}
}
我已将 key/certificate 对添加到 keystore.jks
中:
keytool -genkey -alias key1 -keyalg RSA -keypass password1 -keystore keystore.jks -storepass password1
服务器启动没有问题:
2016-06-22 13:34:45.254:INFO::main: Logging initialized @641ms
2016-06-22 13:34:45.404:INFO:oejs.Server:main: jetty-9.3.9.v20160517
2016-06-22 13:34:45.544:INFO:oejs.AbstractConnector:main: Started ServerConnector@3b354e17{HTTP/1.1,[http/1.1]}{127.0.0.1:8080}
2016-06-22 13:34:45.594:INFO:oejus.SslContextFactory:main: x509=X509@64d2d351(key1,h=[],w=[]) for SslContextFactory@1b68b9a4(file:///C:/Users/user1/jetty-newbie/WssEmbedded/keystore.jks,null)
2016-06-22 13:34:46.084:INFO:oejs.AbstractConnector:main: Started ServerConnector@1e53a15{SSL,[ssl]}{127.0.0.1:8443}
2016-06-22 13:34:46.084:INFO:oejs.Server:main: Started @1476ms
那我准备了一个简单的WssClient项目来测试上面的服务器:
public static void main(String[] args) {
final String WS_URL = "ws://127.0.0.1:8080";
MyListener socket = new MyListener("Hello world");
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setTrustAll(true);
WebSocketClient client = new WebSocketClient(sslContextFactory);
try {
client.start();
URI uri = new URI(WS_URL);
ClientUpgradeRequest cur = new ClientUpgradeRequest();
client.connect(socket, uri, cur);
socket.awaitClose(5, TimeUnit.SECONDS);
} catch (Throwable t) {
t.printStackTrace();
} finally {
try {
client.stop();
} catch (Exception e) {
e.printStackTrace();
}
}
}
客户端运行良好并打印:
2016-06-22 13:36:06.130:INFO::main: Logging initialized @205ms
onWebSocketConnect: /127.0.0.1:8080
REQUEST:
Hello world
RESPONSE:
Hello /127.0.0.1:58518
onWebSocketClose: 1000 null
服务器运行良好并打印:
2016-06-22 13:35:54.057:INFO:daw.MyListener:qtp1597462040-19: onWebSocketConnect: /127.0.0.1:58511
2016-06-22 13:35:54.097:INFO:daw.MyListener:qtp1597462040-14: onWebSocketText: Hello world
2016-06-22 13:35:54.107:INFO:daw.MyListener:qtp1597462040-13: onWebSocketClose: 1000 - null
但是,当我更改为 WS_URL = "wss://127.0.0.1:8443"
时,它失败了:
2016-06-22 13:36:29.063:INFO::main: Logging initialized @208ms
onWebSocketError: java.nio.channels.ClosedChannelException
请问我错过了什么?如何调试?
更新:
认为问题可能是上面使用的自签名证书,我为我的网站域slova.de
和www.slova.de
(它们指向不同的IP)获得了有效期为3年的Thawte证书地址!)并使用 Oracle jdk1.8.0_91-1.8.0_91-fcs.x86_64:
在 CentOS 7 Linux 上将其导入密钥库
# keytool -importcert -file /etc/pki/tls/certs/slova.de.crt -keystore keystore.jks -storepass password1
Owner: CN=slova.de
Issuer: CN=thawte DV SSL SHA256 CA, OU=Domain Validated SSL, O="thawte, Inc.", C=US
Serial number: 9354a665699cafbfa7875490d5a9894
Valid from: Mon Apr 04 02:00:00 CEST 2016 until: Fri Apr 05 01:59:59 CEST 2019
Certificate fingerprints:
MD5: 33:BB:62:8A:09:24:11:0F:C9:40:AA:68:F4:CD:2A:B7
SHA1: 52:E2:B6:79:55:F4:FE:05:0D:2E:7C:18:78:58:22:16:ED:28:4F:B6
SHA256: A3:D3:83:4E:99:01:BF:AE:FB:EB:59:40:23:74:1D:28:93:4B:20:15:1D:E1:AC:1A:97:31:C6:0C:9B:E1:2D:03
Signature algorithm name: SHA256withRSA
Version: 3
如您所见,我现在有一个受信任的证书:
# keytool -list -keystore keystore.jks -storepass password1
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
key1, Jun 22, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 8F:7D:8E:E0:8F:9E:39:A1:0C:23:D3:FF:4B:47:F5:0D:BA:EC:EE:F3
mykey, Jun 22, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 52:E2:B6:79:55:F4:FE:05:0D:2E:7C:18:78:58:22:16:ED:28:4F:B6
然后我在 www.slova.de:8443
启动了 WssEmbedded 程序(在我的 Linux 服务器上它的 IP 地址与 slova.de
不同,Apache 运行宁):
# java -classpath $CPATHS de.afarber.wssembedded.MyHandler 144.76.184.154:8443
2016-06-22 19:45:21.093:INFO::main: Logging initialized @73ms
2016-06-22 19:45:21.144:INFO:oejs.Server:main: jetty-9.3.9.v20160517
2016-06-22 19:45:21.167:INFO:oejs.AbstractConnector:main: Started ServerConnector@6a38e57f{HTTP/1.1,[http/1.1]}{www.slova.de:8080}
2016-06-22 19:45:21.188:INFO:oejus.SslContextFactory:main: x509=X509@7a46a697(key1,h=[],w=[]) for SslContextFactory@5f205aa(file:///usr/share/java/words/keystore.jks,null)
2016-06-22 19:45:21.189:INFO:oejus.SslContextFactory:main: x509=X509@6d86b085(mykey,h=[slova.de, www.slova.de],w=[]) for SslContextFactory@5f205aa(file:///usr/share/java/words/keystore.jks,null)
2016-06-22 19:45:21.327:INFO:oejs.AbstractConnector:main: Started ServerConnector@71bbf57e{SSL,[ssl]}{www.slova.de:8443}
2016-06-22 19:45:21.327:INFO:oejs.Server:main: Started @309ms
然后我在 Macbook 的 NetBeans 中 运行 WssClient 对抗 wss://www.slova.de:8443
:
Executing command line: /Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/bin/java -Xdebug -Xrunjdwp:transport=dt_socket,server=n,address=56634 -classpath /Users/afarber/src/jetty-newbie/WssClient/target/classes:/Users/afarber/.m2/repository/org/eclipse/jetty/websocket/websocket-client/9.3.9.v20160517/websocket-client-9.3.9.v20160517.jar:/Users/afarber/.m2/repository/org/eclipse/jetty/jetty-util/9.3.9.v20160517/jetty-util-9.3.9.v20160517.jar:/Users/afarber/.m2/repository/org/eclipse/jetty/jetty-io/9.3.9.v20160517/jetty-io-9.3.9.v20160517.jar:/Users/afarber/.m2/repository/org/eclipse/jetty/websocket/websocket-common/9.3.9.v20160517/websocket-common-9.3.9.v20160517.jar:/Users/afarber/.m2/repository/org/eclipse/jetty/websocket/websocket-api/9.3.9.v20160517/websocket-api-9.3.9.v20160517.jar de.afarber.wssclient.Main
2016-06-22 19:45:31.718:INFO::main: Logging initialized @325ms
onWebSocketError: java.nio.channels.ClosedChannelException
(WssEmbedded 服务器输出没有任何变化)。
请帮忙,如何让 WSS 与嵌入式 Jetty 9 一起工作?
添加 -Dorg.eclipse.jetty.LEVEL=DEBUG -Djavax.net.debug=ssl
后,Jetty mailing list 的友好人士指出,由于缺少 HttpConnectionFactory
.
,服务器端出现了 NPE。
我错过了从 embedded/LikeJettyXML 示例中复制该部分的内容。
wssembedded/MyHandler.java 中的以下代码效果更好:
public static void main(String[] args) throws Exception {
Server server = new Server();
server.setHandler(new MyHandler());
HttpConfiguration http_config = new HttpConfiguration();
http_config.setSecureScheme("https");
http_config.setSecurePort(8443);
HttpConfiguration https_config = new HttpConfiguration(http_config);
https_config.addCustomizer(new SecureRequestCustomizer());
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath("keystore.jks");
sslContextFactory.setKeyStorePassword("OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0");
ServerConnector wsConnector = new ServerConnector(server);
wsConnector.setHost("localhost");
wsConnector.setPort(8080);
server.addConnector(wsConnector);
ServerConnector wssConnector = new ServerConnector(server,
new SslConnectionFactory(sslContextFactory,
HttpVersion.HTTP_1_1.asString()),
new HttpConnectionFactory(https_config)); // THIS WAS MISSING
wssConnector.setHost("localhost");
wssConnector.setPort(8443);
server.addConnector(wssConnector);
server.start();
server.join();
}
对于这个问题,我准备了一个测试项目 WssEmbedded,它在 localhost:8080
和 localhost:8443
.
在 MyHandler class 中,我为此创建了 2 个连接器:
public class MyHandler extends WebSocketHandler {
@Override
public void configure(WebSocketServletFactory factory) {
factory.register(MyListener.class);
}
public static void main(String[] args) throws Exception {
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath("keystore.jks");
sslContextFactory.setKeyStorePassword("OBF:1l1a1s3g1yf41xtv20731xtn1yf21s3m1kxs");
Server server = new Server();
server.setHandler(new MyHandler());
ServerConnector wsConnector = new ServerConnector(server);
wsConnector.setHost("127.0.0.1");
wsConnector.setPort(8080);
server.addConnector(wsConnector);
ServerConnector wssConnector = new ServerConnector(server,
new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()));
wssConnector.setHost("127.0.0.1");
wssConnector.setPort(8443);
server.addConnector(wssConnector);
server.start();
server.join();
}
}
我已将 key/certificate 对添加到 keystore.jks
中:
keytool -genkey -alias key1 -keyalg RSA -keypass password1 -keystore keystore.jks -storepass password1
服务器启动没有问题:
2016-06-22 13:34:45.254:INFO::main: Logging initialized @641ms
2016-06-22 13:34:45.404:INFO:oejs.Server:main: jetty-9.3.9.v20160517
2016-06-22 13:34:45.544:INFO:oejs.AbstractConnector:main: Started ServerConnector@3b354e17{HTTP/1.1,[http/1.1]}{127.0.0.1:8080}
2016-06-22 13:34:45.594:INFO:oejus.SslContextFactory:main: x509=X509@64d2d351(key1,h=[],w=[]) for SslContextFactory@1b68b9a4(file:///C:/Users/user1/jetty-newbie/WssEmbedded/keystore.jks,null)
2016-06-22 13:34:46.084:INFO:oejs.AbstractConnector:main: Started ServerConnector@1e53a15{SSL,[ssl]}{127.0.0.1:8443}
2016-06-22 13:34:46.084:INFO:oejs.Server:main: Started @1476ms
那我准备了一个简单的WssClient项目来测试上面的服务器:
public static void main(String[] args) {
final String WS_URL = "ws://127.0.0.1:8080";
MyListener socket = new MyListener("Hello world");
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setTrustAll(true);
WebSocketClient client = new WebSocketClient(sslContextFactory);
try {
client.start();
URI uri = new URI(WS_URL);
ClientUpgradeRequest cur = new ClientUpgradeRequest();
client.connect(socket, uri, cur);
socket.awaitClose(5, TimeUnit.SECONDS);
} catch (Throwable t) {
t.printStackTrace();
} finally {
try {
client.stop();
} catch (Exception e) {
e.printStackTrace();
}
}
}
客户端运行良好并打印:
2016-06-22 13:36:06.130:INFO::main: Logging initialized @205ms
onWebSocketConnect: /127.0.0.1:8080
REQUEST:
Hello world
RESPONSE:
Hello /127.0.0.1:58518
onWebSocketClose: 1000 null
服务器运行良好并打印:
2016-06-22 13:35:54.057:INFO:daw.MyListener:qtp1597462040-19: onWebSocketConnect: /127.0.0.1:58511
2016-06-22 13:35:54.097:INFO:daw.MyListener:qtp1597462040-14: onWebSocketText: Hello world
2016-06-22 13:35:54.107:INFO:daw.MyListener:qtp1597462040-13: onWebSocketClose: 1000 - null
但是,当我更改为 WS_URL = "wss://127.0.0.1:8443"
时,它失败了:
2016-06-22 13:36:29.063:INFO::main: Logging initialized @208ms
onWebSocketError: java.nio.channels.ClosedChannelException
请问我错过了什么?如何调试?
更新:
认为问题可能是上面使用的自签名证书,我为我的网站域slova.de
和www.slova.de
(它们指向不同的IP)获得了有效期为3年的Thawte证书地址!)并使用 Oracle jdk1.8.0_91-1.8.0_91-fcs.x86_64:
# keytool -importcert -file /etc/pki/tls/certs/slova.de.crt -keystore keystore.jks -storepass password1
Owner: CN=slova.de
Issuer: CN=thawte DV SSL SHA256 CA, OU=Domain Validated SSL, O="thawte, Inc.", C=US
Serial number: 9354a665699cafbfa7875490d5a9894
Valid from: Mon Apr 04 02:00:00 CEST 2016 until: Fri Apr 05 01:59:59 CEST 2019
Certificate fingerprints:
MD5: 33:BB:62:8A:09:24:11:0F:C9:40:AA:68:F4:CD:2A:B7
SHA1: 52:E2:B6:79:55:F4:FE:05:0D:2E:7C:18:78:58:22:16:ED:28:4F:B6
SHA256: A3:D3:83:4E:99:01:BF:AE:FB:EB:59:40:23:74:1D:28:93:4B:20:15:1D:E1:AC:1A:97:31:C6:0C:9B:E1:2D:03
Signature algorithm name: SHA256withRSA
Version: 3
如您所见,我现在有一个受信任的证书:
# keytool -list -keystore keystore.jks -storepass password1
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
key1, Jun 22, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 8F:7D:8E:E0:8F:9E:39:A1:0C:23:D3:FF:4B:47:F5:0D:BA:EC:EE:F3
mykey, Jun 22, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 52:E2:B6:79:55:F4:FE:05:0D:2E:7C:18:78:58:22:16:ED:28:4F:B6
然后我在 www.slova.de:8443
启动了 WssEmbedded 程序(在我的 Linux 服务器上它的 IP 地址与 slova.de
不同,Apache 运行宁):
# java -classpath $CPATHS de.afarber.wssembedded.MyHandler 144.76.184.154:8443
2016-06-22 19:45:21.093:INFO::main: Logging initialized @73ms
2016-06-22 19:45:21.144:INFO:oejs.Server:main: jetty-9.3.9.v20160517
2016-06-22 19:45:21.167:INFO:oejs.AbstractConnector:main: Started ServerConnector@6a38e57f{HTTP/1.1,[http/1.1]}{www.slova.de:8080}
2016-06-22 19:45:21.188:INFO:oejus.SslContextFactory:main: x509=X509@7a46a697(key1,h=[],w=[]) for SslContextFactory@5f205aa(file:///usr/share/java/words/keystore.jks,null)
2016-06-22 19:45:21.189:INFO:oejus.SslContextFactory:main: x509=X509@6d86b085(mykey,h=[slova.de, www.slova.de],w=[]) for SslContextFactory@5f205aa(file:///usr/share/java/words/keystore.jks,null)
2016-06-22 19:45:21.327:INFO:oejs.AbstractConnector:main: Started ServerConnector@71bbf57e{SSL,[ssl]}{www.slova.de:8443}
2016-06-22 19:45:21.327:INFO:oejs.Server:main: Started @309ms
然后我在 Macbook 的 NetBeans 中 运行 WssClient 对抗 wss://www.slova.de:8443
:
Executing command line: /Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/bin/java -Xdebug -Xrunjdwp:transport=dt_socket,server=n,address=56634 -classpath /Users/afarber/src/jetty-newbie/WssClient/target/classes:/Users/afarber/.m2/repository/org/eclipse/jetty/websocket/websocket-client/9.3.9.v20160517/websocket-client-9.3.9.v20160517.jar:/Users/afarber/.m2/repository/org/eclipse/jetty/jetty-util/9.3.9.v20160517/jetty-util-9.3.9.v20160517.jar:/Users/afarber/.m2/repository/org/eclipse/jetty/jetty-io/9.3.9.v20160517/jetty-io-9.3.9.v20160517.jar:/Users/afarber/.m2/repository/org/eclipse/jetty/websocket/websocket-common/9.3.9.v20160517/websocket-common-9.3.9.v20160517.jar:/Users/afarber/.m2/repository/org/eclipse/jetty/websocket/websocket-api/9.3.9.v20160517/websocket-api-9.3.9.v20160517.jar de.afarber.wssclient.Main
2016-06-22 19:45:31.718:INFO::main: Logging initialized @325ms
onWebSocketError: java.nio.channels.ClosedChannelException
(WssEmbedded 服务器输出没有任何变化)。
请帮忙,如何让 WSS 与嵌入式 Jetty 9 一起工作?
添加 -Dorg.eclipse.jetty.LEVEL=DEBUG -Djavax.net.debug=ssl
后,Jetty mailing list 的友好人士指出,由于缺少 HttpConnectionFactory
.
我错过了从 embedded/LikeJettyXML 示例中复制该部分的内容。
wssembedded/MyHandler.java 中的以下代码效果更好:
public static void main(String[] args) throws Exception {
Server server = new Server();
server.setHandler(new MyHandler());
HttpConfiguration http_config = new HttpConfiguration();
http_config.setSecureScheme("https");
http_config.setSecurePort(8443);
HttpConfiguration https_config = new HttpConfiguration(http_config);
https_config.addCustomizer(new SecureRequestCustomizer());
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath("keystore.jks");
sslContextFactory.setKeyStorePassword("OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0");
ServerConnector wsConnector = new ServerConnector(server);
wsConnector.setHost("localhost");
wsConnector.setPort(8080);
server.addConnector(wsConnector);
ServerConnector wssConnector = new ServerConnector(server,
new SslConnectionFactory(sslContextFactory,
HttpVersion.HTTP_1_1.asString()),
new HttpConnectionFactory(https_config)); // THIS WAS MISSING
wssConnector.setHost("localhost");
wssConnector.setPort(8443);
server.addConnector(wssConnector);
server.start();
server.join();
}