个人中心
文章发布
退出
作者热门文章
- iOS/Objective-C 元类和类别
- objective-c - -1001 错误,当 NSURLSession 通过 httpproxy 和/etc/hosts
- java - 使用网络类获取 url 地址
- ios - 推送通知中不播放声音
29
4
我正在运行 RabbitMQ 3.6.1/Erlang 18.3,发现我无法使用 Spring AMQP 1.5.4.RELEASE Java 客户端与代理建立 TLSv1 或 TLSv1.1 session 。但是,我能够与代理建立 TLSv1.2 session 。我的 RabbitMQ 代理配置为支持所有三个 tlsv1、tlsv1.1 和 tlsv1.2。我在 OS X 上使用 Java 1.8.0_77-b03。
这是我的 RabbitMQ 配置:
https://gist.github.com/ae6rt/de06d1efecf62fbe8cef31774d9be3d7
代理上的 Erlang 报告 ssl 版本
# erl
Eshell V7.3 (abort with ^G)
1> ssl:versions().
[{ssl_app,"7.3"},
{supported,['tlsv1.2','tlsv1.1',tlsv1]},
{available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]}]
这是 RabbitMQ 在失败时记录的错误:
=ERROR REPORT==== 22-Apr-2016::03:19:02 ===
SSL: hello: tls_handshake.erl:167:Fatal error: insufficient security
在 TLS 设置期间,我使用 tcpdump 嗅探安全端口 5671 上的流量。这是 tshark 对该数据的格式化:
Frame 4: 210 bytes on wire (1680 bits), 210 bytes captured (1680 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Apr 21, 2016 20:09:38.053439000 PDT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1461294578.053439000 seconds
[Time delta from previous captured frame: 0.013675000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.013840000 seconds]
Frame Number: 4
Frame Length: 210 bytes (1680 bits)
Capture Length: 210 bytes (1680 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:ssl]
Ethernet II, Src: 02:42:f5:68:bc:7c (02:42:f5:68:bc:7c), Dst: 02:42:ac:11:00:02 (02:42:ac:11:00:02)
Destination: 02:42:ac:11:00:02 (02:42:ac:11:00:02)
Address: 02:42:ac:11:00:02 (02:42:ac:11:00:02)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 02:42:f5:68:bc:7c (02:42:f5:68:bc:7c)
Address: 02:42:f5:68:bc:7c (02:42:f5:68:bc:7c)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.0.2.2, Dst: 172.17.0.2
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 196
Identification: 0x0a1e (2590)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 63
Protocol: TCP (6)
Header checksum: 0xb901 [validation disabled]
[Good: False]
[Bad: False]
Source: 10.0.2.2
Destination: 172.17.0.2
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 39141 (39141), Dst Port: 5671 (5671), Seq: 1, Ack: 1, Len: 156
Source Port: 39141
Destination Port: 5671
[Stream index: 0]
[TCP Segment Len: 156]
Sequence number: 1 (relative sequence number)
[Next sequence number: 157 (relative sequence number)]
Acknowledgment number: 1 (relative ack number)
Header Length: 20 bytes
Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: *******AP***]
Window size value: 65535
[Calculated window size: 65535]
[Window size scaling factor: -2 (no window scaling used)]
Checksum: 0x6ef9 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Urgent pointer: 0
[SEQ/ACK analysis]
[iRTT: 0.000165000 seconds]
[Bytes in flight: 156]
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 151
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 147
Version: TLS 1.0 (0x0301)
Random
GMT Unix Time: Apr 21, 2016 20:09:38.000000000 PDT
Random Bytes: 742380f15c78a0409bd2817911699637f5c7879f27bf6dc1...
Session ID Length: 0
Cipher Suites Length: 44
Cipher Suites (22 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 62
Extension: elliptic_curves
Type: elliptic_curves (0x000a)
Length: 52
Elliptic Curves Length: 50
Elliptic curves (25 curves)
Elliptic curve: secp256r1 (0x0017)
Elliptic curve: sect163k1 (0x0001)
Elliptic curve: sect163r2 (0x0003)
Elliptic curve: secp192r1 (0x0013)
Elliptic curve: secp224r1 (0x0015)
Elliptic curve: sect233k1 (0x0006)
Elliptic curve: sect233r1 (0x0007)
Elliptic curve: sect283k1 (0x0009)
Elliptic curve: sect283r1 (0x000a)
Elliptic curve: secp384r1 (0x0018)
Elliptic curve: sect409k1 (0x000b)
Elliptic curve: sect409r1 (0x000c)
Elliptic curve: secp521r1 (0x0019)
Elliptic curve: sect571k1 (0x000d)
Elliptic curve: sect571r1 (0x000e)
Elliptic curve: secp160k1 (0x000f)
Elliptic curve: secp160r1 (0x0010)
Elliptic curve: secp160r2 (0x0011)
Elliptic curve: sect163r1 (0x0002)
Elliptic curve: secp192k1 (0x0012)
Elliptic curve: sect193r1 (0x0004)
Elliptic curve: sect193r2 (0x0005)
Elliptic curve: secp224k1 (0x0014)
Elliptic curve: sect239k1 (0x0008)
Elliptic curve: secp256k1 (0x0016)
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Frame 6: 61 bytes on wire (488 bits), 61 bytes captured (488 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Apr 21, 2016 20:09:38.053842000 PDT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1461294578.053842000 seconds
[Time delta from previous captured frame: 0.000377000 seconds]
[Time delta from previous displayed frame: 0.000403000 seconds]
[Time since reference or first frame: 0.014243000 seconds]
Frame Number: 6
Frame Length: 61 bytes (488 bits)
Capture Length: 61 bytes (488 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:ssl]
Ethernet II, Src: 02:42:ac:11:00:02 (02:42:ac:11:00:02), Dst: 02:42:f5:68:bc:7c (02:42:f5:68:bc:7c)
Destination: 02:42:f5:68:bc:7c (02:42:f5:68:bc:7c)
Address: 02:42:f5:68:bc:7c (02:42:f5:68:bc:7c)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 02:42:ac:11:00:02 (02:42:ac:11:00:02)
Address: 02:42:ac:11:00:02 (02:42:ac:11:00:02)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 172.17.0.2, Dst: 10.0.2.2
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 47
Identification: 0x3fb8 (16312)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (6)
Header checksum: 0x42fc [validation disabled]
[Good: False]
[Bad: False]
Source: 172.17.0.2
Destination: 10.0.2.2
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 5671 (5671), Dst Port: 39141 (39141), Seq: 1, Ack: 157, Len: 7
Source Port: 5671
Destination Port: 39141
[Stream index: 0]
[TCP Segment Len: 7]
Sequence number: 1 (relative sequence number)
[Next sequence number: 8 (relative sequence number)]
Acknowledgment number: 157 (relative ack number)
Header Length: 20 bytes
Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: *******AP***]
Window size value: 30016
[Calculated window size: 30016]
[Window size scaling factor: -2 (no window scaling used)]
Checksum: 0xb836 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Urgent pointer: 0
[SEQ/ACK analysis]
[iRTT: 0.000165000 seconds]
[Bytes in flight: 7]
Secure Sockets Layer
TLSv1 Record Layer: Alert (Level: Fatal, Description: Insufficient Security)
Content Type: Alert (21)
Version: TLS 1.0 (0x0301)
Length: 2
Alert Message
Level: Fatal (2)
Description: Insufficient Security (71)
这是 Spring 连接失败:
org.springframework.amqp.AmqpIOException: javax.net.ssl.SSLHandshakeException: Received fatal alert: insufficient_security
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at java.io.DataOutputStream.flush(DataOutputStream.java:123)
at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:129)
at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:134)
at com.rabbitmq.client.impl.AMQConnection.start(AMQConnection.java:277)
at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:647)
at org.springframework.amqp.rabbit.connection.AbstractConnectionFactory.createBareConnection(AbstractConnectionFactory.java:273)
at org.springframework.amqp.rabbit.connection.CachingConnectionFactory.createConnection(CachingConnectionFactory.java:510)
at com.xoom.inf.amqp.TlsTest.contactBrokerOverTLS(TlsTest.java:42)
我的 RabbitMQ 代理配置为协商 tlsv1、tlsv1.1 和 tlsv1.2。为什么当代理应该支持 tlsv1 和 tlsv1.1 时,TLS 设置会失败?同一个 Java 客户端可以与 RabbitMQ 3.3.1/Erlang R16B02 代理协商 TLSv1。
谢谢。
最佳答案
Erlang ssl 应用程序在 18.3.x 系列中有一些回归。其中之一导致了您所看到的情况:客户端在握手期间被拒绝,服务器端登录了 insufficient security。如果我没记错的话,这出现在补丁 18.3.3 中,并在 18.3.4 中得到修复。这不是客户端的问题。
在 18.3.2 中有一个回归,在 18.3.3 中修复,它阻止 RabbitMQ 完全启动(由于密码套件表示的变化)。
因此建议继续使用 18.3(初始版本)或更新到 19.x。
关于java - RabbitMQ 3.6.1/Erlang 18.3 TLS 安全性不足故障,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/36784391/
29
4
0
我正在尝试构建一个托管在服务器上的 Blazor 应用程序,起点位于一个 razor 页面内。 类似的东西: 我的问题是: 如果 Razor 页面具有授权属性,所有 blazor 代码都不是通过身份
对tomcat中管道和阀门机制不懂的小伙伴,参考本篇文章 领域 目前可知结构,如图所示,下面继续分析 GenericPrincipal类 LoginConfig类 Authenticator接口 在T
我刚刚开始学习 React 中的授权和身份验证,我在使用 JWT 完成我的第一个简单登录系统后编写了这篇文章,因为大多数人都知道您在浏览器中存储了一个 token ,然后将其与保存的进行比较现在,当验
我正在为grails项目寻找安全插件。 Spring安全核心1.2.7.3看起来很棒,但是似乎已经有将近一年没有开发了。有谁知道是这样吗? 还有其他好的插件吗? 我也正在使用mongodb,想知道sp
我有一个 WCF 服务,它使用具有消息安全性和用户名身份验证的 NetTcpBinding。在此之前,我使用 WsHttpBinding 但我切换到 NetTcp,因为我可以使用回调。 我的服务配置如
我正在考虑使用 cakePHP 构建一个 Web 应用程序。我的问题是我必须自己编写多少安全内容来防止(SQL 注入(inject)等)? cakePHP 自己处理什么安全问题,我必须编写什么代码?
任何人都有关于为安全环境强化/配置 TFS 的信息? 最佳答案 TFS 使用 Windows 身份验证,因此它与您的网络一样安全。我建议您还查看有关加强网络安全的资源。 Team Foundation
就目前而言,这个问题不适合我们的问答形式。我们希望答案得到事实、引用资料或专业知识的支持,但这个问题可能会引发辩论、争论、投票或扩展讨论。如果您觉得这个问题可以改进并可能重新打开,visit the
我一直想知道 codeigniter 设置有多安全。因为数据库密码等信息存储在主应用程序文件夹的配置文件中,黑客可以检索到这些信息吗?我知道您可以将应用程序文件夹移动到远离 Web 根目录的位置,但如
在客户端使用 PouchDB 访问远程服务器时要遵循的最佳安全实践是什么? https://pouchdb.com/getting-started.html上的例子使用代码与远程服务器同步: var
已结束。此问题正在寻求书籍、工具、软件库等的推荐。它不满足Stack Overflow guidelines 。目前不接受答案。 我们不允许提出寻求书籍、工具、软件库等推荐的问题。您可以编辑问题,以便
我正在开发一个网络应用程序,用户可以在其中上传文件并执行它们。我的意思是,他们可以上传 html 文件,然后通过单击,他们可以在我的 Web 应用程序内的 iframe 中执行该文件并查看渲染的 ht
试图澄清 -AsPlainText ConvertTo-SecureString 中的参数小命令: -AsPlainText Specifies a plain text string to conv
我正在玩 coreos 和 digitalocean,我想开始允许我的容器之间进行内部通信。 我已经为所有主机设置了私有(private)网络,现在我想确保某些容器只打开到 localhost 和内部
我们有两台机器: 服务器 客户 服务器正在运行 Clojure + Ring + ...标准 ClojureScript webstack。 客户端 = 某些运行 Chorme/Firefox/Saf
让我们有一个函数 foo 和一个类 Bar: fun foo(key: String): String? { // returns string or null } class Bar(x: St
已关闭。此问题不符合Stack Overflow guidelines 。目前不接受答案。 这个问题似乎不是关于 a specific programming problem, a software
确保只有正确的用户才能在 Sharepoint 2007 中看到 Web 部件的最佳做法是什么? 有人向我建议了安全组和受众。 最佳答案 这取决于您是在谈论 Web 部件的呈现还是从 Web 部件库添
我试图说服一个团队,使用 jQuery JSONP 调用与不受信任的第三方可能是不安全的。我正在使用标准 jQuery 代码: $.ajax({ url:unsecureserver+"?js
我有以下ajax调用,它检查用户是否是付费成员(member),如果是,则相应地运行某些功能。这可行,但我担心安全性。如果有人在控制台中更改此 ajax 代码,强制 #button 成功运行功能而无需
我是一名优秀的程序员,十分优秀!