java - SSL 通信中的 Apache CXF 异常 : SocketTimeOut

Question

所以这是交易。我有一个 Web 服务 WSDL，我需要在公司网络外部进行 SOAP 调用。 Web 服务是 HTTPS SOAP，需要客户端证书。我已经从 wsdl2java 生成了 Java 客户端代码，一切似乎进展顺利。

我现在不能做的是通过 CXF 从 Web 服务接收响应。 SSL 握手似乎只是花花公子，甚至到了 CXF 尝试执行 HTTP POST 的地步，但等待响应超时(如下所示):

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: false
Is secure renegotiation: false
*** HelloRequest (empty)
main, SEND TLSv1 ALERT:  warning, description = no_renegotiation
Padded plaintext before ENCRYPTION:  len = 24
0000: 01 64 01 FD 5B 38 03 A6   70 41 57 58 6D 75 60 F7  .d..[8..pAWXmu`.
0010: 93 1F 02 F3 C4 46 01 01                            .....F..
main, WRITE: TLSv1 Alert, length = 24
[Raw write]: length = 29
0000: 15 03 01 00 18 0C 9B DF   1B 60 AB 12 EE C7 CF C9  .........`......
0010: 62 97 A5 5D 5F 14 48 E1   9F AD 8A 08 05           b..]_.H......
main, handling exception: java.net.SocketTimeoutException: Read timed out
main, called close()
main, called closeInternal(true)
main, SEND TLSv1 ALERT:  warning, description = close_notify
Padded plaintext before ENCRYPTION:  len = 24
0000: 01 00 BD 99 7A 7C 72 1F   BB 11 2D AB 3F 53 C9 CD  ....z.r...-.?S..

... continuing on

现在，如果我使用 curl 或类似的东西，我可以在不到一秒的时间内得到响应，所以我知道网络服务没有问题。下面是创建服务端口所需的全部代码，包括使用 TLS 和 HTTP 代理的设置。我也有一个非常简单的 JUnit 测试来创建和运行它:

public static MYPORT setupTLS(MYPORT port) throws IOException,
        GeneralSecurityException {

    HTTPConduit httpConduit = (HTTPConduit) ClientProxy.getClient(port)
            .getConduit();


    String keyPassword = "password";
    KeyStore keyStore = KeyStore.getInstance("pkcs12");
    URL pkcs12_file = MECTPortFactory.class.getResource(System
            .getProperty("pkcs12.keyFile"));
    InputStream keyFile = pkcs12_file.openStream();
    keyStore.load(keyFile, keyPassword.toCharArray());
    KeyManager[] myKeyManagers = getKeyManagers(keyStore, keyPassword);

    TLSClientParameters tlsCP = new TLSClientParameters();
    tlsCP.setKeyManagers(myKeyManagers);
    tlsCP.setDisableCNCheck(true);
    FiltersType cipher_suite_filter = new FiltersType();
    cipher_suite_filter.getInclude().add("SSL_RSA_WITH_3DES_EDE_CBC_SHA");
    cipher_suite_filter.getExclude().add(".*_DH_anon_.*");
    tlsCP.setCipherSuitesFilter(cipher_suite_filter);
    httpConduit.setTlsClientParameters(tlsCP);
    httpConduit.setClient(getHttpClient());

    return port;
}

private static HTTPClientPolicy getHttpClient() {
    HTTPClientPolicy client_policy = new HTTPClientPolicy();
    client_policy.setProxyServer("PROXY_SERVER_ADDRESS");
    client_policy.setProxyServerPort(8080);
    client_policy.setAutoRedirect(true);
    client_policy.setConnection(ConnectionType.KEEP_ALIVE);
    client_policy.setAllowChunking(true);
    client_policy.setReceiveTimeout(10000);
    return client_policy;
}

private static KeyManager[] getKeyManagers(KeyStore keyStore,
        String keyPassword) throws GeneralSecurityException, IOException {
    String alg = KeyManagerFactory.getDefaultAlgorithm();
    char[] keyPass = keyPassword != null ? keyPassword.toCharArray() : null;
    KeyManagerFactory fac = KeyManagerFactory.getInstance(alg);
    fac.init(keyStore, keyPass);
    return fac.getKeyManagers();
}

编辑:

我已经摆弄了一些客户端设置，例如更改是否为 AutoRedirect、AllowChunking 等，没有任何区别，所以我认为这不会导致错误.

编辑2:

我没有收到网络服务的响应。 如何排查和解决导致 CXF 超时而不是收到响应的问题？

Answer 1

我的天哪!我想通了。

所以我浏览了互联网并发现了这个小 gem :

How to configure SoapUI with client certificate authentication

它引用了来自 Oracle/Sun 的一条非常重要的注释:

Transport Layer Security (TLS) Renegotiation Issue Readme

Applications that receive a renegotiation request from the peer will respond according to the type of connection in place:

TLSv1: A warning Alert message of type "no_renegotiation(100)" will be sent to the peer and the connection will remain open.

然后，再往下:

Renegotiations can be re-enabled for those applications that need it by setting the new system property sun.security.ssl.allowUnsafeRenegotiation to true before the JSSE library is initialized. There are several ways to set this property:

1. Command Line:

   % java -Dsun.security.ssl.allowUnsafeRenegotiation=true Main

2. Java Control Panel (Java Plug-in / Java Web Start) - Runtime Environment.

3. Within the application:

   java.lang.System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", true);

Note that TLS/SSL renegotiation will not occur unless both client and server have enabled renegotiations.

那么它的长短呢？ System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");

还有东西。只是。工作。