个人中心
文章发布
退出
作者热门文章
- android - 多次调用 OnPrimaryClipChangedListener
- android - 无法更新 RecyclerView 中的 TextView 字段
- android.database.CursorIndexOutOfBoundsException : Index 0 requested, 光标大小为 0
- android - 使用 AppCompat 时,我们是否需要明确指定其 UI 组件(Spinner、EditText)颜色
27
4
我正在尝试使用 SSLEngine 实现 SSL 握手,我需要同时作为服务器和客户端来执行此操作,但是我被卡住了,我无法弄清楚原因。
握手正确开始,交换了 Hello,交换了 key ,但随后我进入了 NEED_UNWRAP 状态。
这是我正在使用的握手代码:
protected boolean doHandshake(InputStream inputStream, OutputStream outputStream, SSLEngine engine, Socket socket) throws IOException {
Log.d(TAG,"About to do handshake...");
Log.d(TAG,engine.getHandshakeStatus().toString());
int dataSize;
SSLEngineResult result;
Log.d(TAG,"Line 1");
HandshakeStatus handshakeStatus;
Log.d(TAG,"Line 2");
// NioSslPeer's fields myAppData and peerAppData are supposed to be large enough to hold all message data the peer
// will send and expects to receive from the other peer respectively. Since the messages to be exchanged will usually be less
// than 16KB long the capacity of these fields should also be smaller. Here we initialize these two local buffers
// to be used for the handshake, while keeping client's buffers at the same size.
if (socket!=null)
{
inputStream=socket.getInputStream();
outputStream=socket.getOutputStream();
}
Log.d(TAG,"Line 3");
int appBufferSize = engine.getSession().getApplicationBufferSize();
Log.d(TAG,"Line 4");
ByteBuffer myAppData = ByteBuffer.allocate(appBufferSize);
Log.d(TAG,"Line 5");
ByteBuffer peerAppData = ByteBuffer.allocate(appBufferSize);
Log.d(TAG,"Line 6");
try {
myNetData.clear();
peerNetData.clear();
}
catch (Exception e){Log.e(TAG,e.getMessage());}
Log.d(TAG,"Line 7");
Log.d(TAG,"Line 8");
handshakeStatus = engine.getHandshakeStatus();
Log.d(TAG,"Line 9");
Log.d(TAG,"Before the while: " + (handshakeStatus != SSLEngineResult.HandshakeStatus.FINISHED && handshakeStatus != SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING));
byte[] buffer=new byte[16384];
while (handshakeStatus != SSLEngineResult.HandshakeStatus.FINISHED && handshakeStatus != SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING) {
Log.d(TAG,handshakeStatus.toString());
switch (handshakeStatus) {
case NEED_UNWRAP:
Log.d(TAG,"Got here...");
buffer=new byte[16384];
peerAppData.clear();
int readdata=inputStream.read(buffer);
Log.d(TAG,"Read data amount: " + readdata);
if ( readdata < 0) {
Log.d(TAG,"No data....");
if (engine.isInboundDone() && engine.isOutboundDone()) {
return false;
}
try {
engine.closeInbound();
} catch (SSLException e) {
Log.e(TAG,"This engine was forced to close inbound, without having received the proper SSL/TLS close notification message from the peer, due to end of stream.");
}
engine.closeOutbound();
// After closeOutbound the engine will be set to WRAP state, in order to try to send a close message to the client.
handshakeStatus = engine.getHandshakeStatus();
break;
}
HackerService.bytesToHex(buffer);
peerNetData.put(buffer,6,readdata-6);
Log.d(TAG,"before data flipped...");
peerNetData.flip();
Log.d(TAG,"data flipped...");
try {
result = engine.unwrap(peerNetData, peerAppData);
Log.d(TAG,"data unwrapped...");
peerNetData.compact();
Log.d(TAG,"data compacted...");
handshakeStatus = result.getHandshakeStatus();
Log.d(TAG,"Handshake status: " + handshakeStatus);
} catch (SSLException sslException) {
Log.e(TAG,"A problem was encountered while processing the data that caused the SSLEngine to abort. Will try to properly close connection..." + sslException.getMessage());
engine.closeOutbound();
handshakeStatus = engine.getHandshakeStatus();
break;
}
switch (result.getStatus()) {
case OK:
break;
case BUFFER_OVERFLOW:
// Will occur when peerAppData's capacity is smaller than the data derived from peerNetData's unwrap.
peerAppData = enlargeApplicationBuffer(engine, peerAppData);
break;
case BUFFER_UNDERFLOW:
// Will occur either when no data was read from the peer or when the peerNetData buffer was too small to hold all peer's data.
peerNetData = handleBufferUnderflow(engine, peerNetData);
break;
case CLOSED:
if (engine.isOutboundDone()) {
return false;
} else {
engine.closeOutbound();
handshakeStatus = engine.getHandshakeStatus();
break;
}
default:
throw new IllegalStateException("Invalid SSL status: " + result.getStatus());
}
break;
case NEED_WRAP:
myNetData.clear();
Log.d(TAG,"Enetering need wrap");
try {
result = engine.wrap(myAppData, myNetData);
Log.d(TAG,"Got a result" + myAppData.toString());
handshakeStatus = result.getHandshakeStatus();
Log.d(TAG,"Handskes is: " + handshakeStatus.toString());
} catch (SSLException sslException) {
Log.e(TAG,"A problem was encountered while processing the data that caused the SSLEngine to abort. Will try to properly close connection...");
engine.closeOutbound();
handshakeStatus = engine.getHandshakeStatus();
break;
}
switch (result.getStatus()) {
case OK :
Log.d(TAG,"Case WRAP, OK");
myNetData.flip();
// while (myNetData.hasRemaining()) {
byte[] arr = new byte[myNetData.remaining()+6];
myNetData.get(arr,6,myNetData.remaining());
arr[0]=0;
arr[1]=3;
arr[2]=(byte) ((arr.length-4)/256);
arr[3]=(byte) ((arr.length-4)%256);
arr[4]=buffer[4];
arr[5]=buffer[5];
HackerService.bytesToHex(arr);
outputStream.write(arr);
// }
break;
case BUFFER_OVERFLOW:
Log.d(TAG,"Case WRAP,OverFlow");
// Will occur if there is not enough space in myNetData buffer to write all the data that would be generated by the method wrap.
// Since myNetData is set to session's packet size we should not get to this point because SSLEngine is supposed
// to produce messages smaller or equal to that, but a general handling would be the following:
myNetData = enlargePacketBuffer(engine, myNetData);
break;
case BUFFER_UNDERFLOW:
throw new SSLException("Buffer underflow occured after a wrap. I don't think we should ever get here.");
case CLOSED:
try {
Log.d(TAG,"Before WRAP FLIP");
myNetData.flip();
Log.d(TAG,"After WRAP FLIP");
while (myNetData.hasRemaining()) {
Log.d(TAG,myNetData.toString());
arr = new byte[myNetData.remaining()];
myNetData.get(arr);
outputStream.write(arr);
}
// At this point the handshake status will probably be NEED_UNWRAP so we make sure that peerNetData is clear to read.
peerNetData.clear();
} catch (Exception e) {
Log.e(TAG,"Failed to send server's CLOSE message due to socket channel's failure.");
handshakeStatus = engine.getHandshakeStatus();
}
break;
default:
throw new IllegalStateException("Invalid SSL status: " + result.getStatus());
}
break;
case NEED_TASK:
Log.d(TAG,"Need task");
Runnable task;
while ((task = engine.getDelegatedTask()) != null) {
executor.execute(task);
}
handshakeStatus = engine.getHandshakeStatus();
break;
case FINISHED:
break;
case NOT_HANDSHAKING:
break;
default:
throw new IllegalStateException("Invalid SSL status: " + handshakeStatus);
}
}
Log.d(TAG,"Handshake completed");
return true;
}
这是我的 SSLEngine 创建类:
public static SSLEngine Builder(Context context) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException, UnrecoverableKeyException, KeyManagementException {
InputStream openRawResource = context.getResources().openRawResource(context.getResources().getIdentifier("mykey", "raw", context.getPackageName()));
KeyStore instance = KeyStore.getInstance("PKCS12");
instance.load(openRawResource, "passcode".toCharArray());
KeyManagerFactory instance2 = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
instance2.init(instance, "passcode".toCharArray());
SSLContext instance3 = SSLContext.getInstance("TLSv1.2");
instance3.init(instance2.getKeyManagers(), new TrustManager[]{new TrustmanagerHelper()}, new SecureRandom());
SSLEngine createSSLEngine = instance3.createSSLEngine();
createSSLEngine.setNeedClientAuth(true);
return createSSLEngine;
}
当我作为客户端尝试握手时。正如您从日志中看到的那样,我从 NEED_WRAP 开始,向服务器发送数据,状态到达 NEED_UNWRAP(这是正确的)服务器响应,我解析答案没有任何错误,但我没有前进到 NEED_WRAP,而是卡在了 NEED_UNWRAP。 ..
About to do handshake...
NEED_WRAP
Line 1
Line 2
Line 4
Line 5
Line 6
Line 7
Line 8
Line 9
Before the while: true
NEED_WRAP
Enetering need wrap
Got a resultjava.nio.HeapByteBuffer[pos=0 lim=16384 cap=16384]
Handskes is: NEED_UNWRAP
Case WRAP, OK
ByteTohex: 00030088000316030100810100007D03030E62BFCFF988.......
NEED_UNWRAP
Got here...
Read data amount: 2296 (THIS MATCHES THE NUMBER OF BYTES SENT BY THE SERVER!!!!)
ByteTohex: 000308F40003160303005B0200005703035B203DA285349B7C88A76CA6AA3.....
before data flipped...
data flipped...
data unwrapped...
data compacted...
Handshake status: NEED_UNWRAP
NEED_UNWRAP
Got here...
如果我尝试作为服务器进行握手,日志如下所示。正如您从日志中看到的那样,第一次读取很好,我响应了客户端,我从客户端获得了第二位数据,而不是有一个 NEED_WRAP 并且能够继续握手我被击中了带有 NEED_UNWRAP 消息,但是当然没有更多的数据可以从客户端读取....
About to do handshake...
NEED_UNWRAP
Line 1
Line 2
Line 3
Line 4
Line 5
Line 6
Line 7
Line 8
Line 9
Before the while: true
NEED_UNWRAP
Got here...
06-12 23:42:14.017 7523-7620/uk.co.borconi,emil.myapp D/MyApp: Read data amount: 297
06-12 23:42:14.020 7523-7620/uk.co.borconi,emil.myapp D/MyApp: ByteTohex: 00030125000316....
before data flipped...
data flipped...
06-12 23:42:14.029 7523-7620/uk.co.borconi,emil.myapp D/MyApp: data unwrapped...
data compacted...
Handshake status: NEED_WRAP
NEED_WRAP
Enetering need wrap
Got a resultjava.nio.HeapByteBuffer[pos=0 lim=16384 cap=16384]
Handskes is: NEED_UNWRAP
Case WRAP, OK
06-12 23:42:14.030 7523-7620/uk.co.borconi,emil.myapp D/MyApp: ByteTohex: 00030881000316.....
NEED_UNWRAP
Got here...
06-12 23:42:14.038 7523-7620/uk.co.borconi,emil.myapp D/MyApp: Read data amount: 132
06-12 23:42:14.039 7523-7620/uk.co.borconi,emil.myapp D/MyApp: ByteTohex: 00030080000316....
before data flipped...
data flipped...
06-12 23:42:14.040 7523-7620/uk.co.borconi,emil.myapp D/MyApp: data unwrapped...
data compacted...
Handshake status: NEED_UNWRAP
NEED_UNWRAP
Got here...
在发布之前,我确实在 StackOverflow 上查看了一些类似的问题,但它们主要是关于顺序错误的,我认为在这种情况下我是对的......我很确定我错过了显而易见的,但我似乎无法弄清楚...
最佳答案
追逐我自己的故事 2 天后,我终于找到了这里描述的问题:https://github.com/netty/netty/issues/5975
I found that our stream-based wrapper around SSLEngine doesn't read all incoming data from the SSLEngine when there is no new incoming data from the network, so the application gets stuck waiting for incoming data. After some debugging I found out that with netty's openssl SSLEngine unwrap seems to produce plain text data in smaller chunks (probably single TLS frames) and keeps buffering the rest of the data internally. The src buffer is fully consumed but calling unwrap again with an empty src buffer will still produce more data. This differs from what the JDK SSLEngine does in two points:
- the JDK SSLEngine consumes and produces as much data as possible in one go while the openssl one produces less output in one call
- the JDK SSLEngine doesn't buffer encrypted data internally between calls to unwrap but "puts them back" into the src buffer
所以即使我的代码是“正确的”,我也需要执行多个循环,所以现在我的解包代码看起来像这样:
peerNetData.put(buffer,6,readdata-6);
Log.d(TAG,"before data flipped...");
peerNetData.flip();
Log.d(TAG,"data flipped...");
try {
do {
result = engine.unwrap(peerNetData, peerAppData);
Log.d(TAG,"data unwrapped...");
Log.d(TAG,"Handskes is: " + result.getHandshakeStatus().toString() +" Current Status: " +result.getStatus() + " Bytes consumed: " + result.bytesConsumed() + " bytes produce: " + result.bytesProduced());
} while (peerNetData.hasRemaining() || result.bytesProduced()>0);
peerNetData.compact();
Log.d(TAG,"data compacted...");
handshakeStatus = result.getHandshakeStatus();
Log.d(TAG,"Handshake status: " + handshakeStatus);
.....................................................
关于java - SSLEngine 握手卡在第二个循环,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/50826957/
27
4
0
当我测试我的网站性能时,我注意到 SSL 握手是连接设置的一部分。我了解(页面的)第一个请求需要完整的 SSL 握手。 但是,如果您从 pingdom 测试中注意到,只有某些其他资源在进行 SSL 握
在 SSL 握手期间,浏览器会根据需要使用提供的 URL 从主机 Web 服务器下载任何中间证书。我相信浏览器附带来自公共(public) CA 的预安装证书,这些证书只有根证书的公钥。 1) 当使用
在配置了客户端身份验证的 TLS 握手中,有一个步骤,服务器接收客户端的证书并选择是否信任它(例如,在 Java 中,它是通过 TrustManager 完成的)。 我想知道来自服务器的最终“信任失败
我正在尝试了解 Android 与服务器的 TLS 连接。有人可以纠正我吗? 有两种启动 TLS 连接的方式。首先,只有服务器有证书,客户端决定是否信任它。其次,客户端和服务器都获得了证书。我说得对吗
我正在创建一个社交网站,我希望用户在其中聊天并接收实时通知,例如 Facebook,我尝试搜索可能的解决方案并找到了 ejabberd 的 pubsub 模块(我正在使用 ejabberd 进行聊天)
我正在编写一个应用程序来(非正式地)替换在 adobe air 中制作的客户端,他们使用 RTMP 作为连接协议(protocol),我必须创建自己的类来实现它:< 据我所知,RTMP 属于 TCP
我正在做一个关于 TLS 握手的学术项目,我已经捕获了由多个客户端(谷歌浏览器、Firefox ......)生成的一些 TLS 流量,我想看看对于给定的浏览器,客户端 hello 消息是否总是相同的
我使用 openssl 实现了一个 DTLS 服务器。 (我有一个 udp 套接字,我正在使用内存 bio 与 openssl 通信。)但是,如果丢包,DTLS 握手可能需要 1-2 秒,这在我的情况
我编写了一个 PHP 程序来执行包含 openssl 命令的批处理文件: openssl s_client -showcerts -connect google.com:443 >test.cert
我编写了一个 PHP 程序来执行包含 openssl 命令的批处理文件: openssl s_client -showcerts -connect google.com:443 >test.cert
客户: var socket = new WebSocket('ws://localhost:8183/websession'); socket.onopen =
当有这么多证书时,浏览器如何知道在 ssl 握手中的客户端身份验证步骤中将哪个证书发送到服务器。我的意思是它如何识别哪个证书适用于哪个服务器 最佳答案 现在是 CyberMonk 的问题 如果您在
我正在尝试使用 python 连接到 XMPP 服务器。我有要连接的 XML,只是不确定如何进行连接的 TLS 部分?我可以找到很多 HTTPS TLS 示例和 XMPP 示例,只是不知道如何将两者放
我需要在我的 Python 服务器中实现 Websocket 握手。我的 python 服务器正在使用 Twisted 进行事件处理。我找到了 this webpage这解释了这个过程,但是当涉及到这
是否可以在当前 SSL 连接保持事件状态时重新协商 SSL 握手。当新的握手成功时,服务器应响应新握手的确认。 我搜索过 SSL 重新协商,但找不到任何具体内容。有谁知道这样的事情是否可能? 最佳答案
我编写了一个客户端-服务器应用程序,旨在通过局域网交换文件(以及其他内容)。在服务器模式下,应用程序监听具有特定标识 header 的 TCP 连接。在客户端模式下,它会尝试与用户提供的 IP 地址建
我有两台服务器通过 SSL 进行通信。 server1 通过 SSL 启动到 server2 的 SSL 连接。服务器 1 有一个 key 大小为 1k 的 keystore ,而服务器 2 有一个
架构是中间层 Liberty 服务器,它接收 http 请求和代理到各种后端,一些是 REST,一些只是 JSON。当我为 SSL 配置时(仅通过非常酷的 envVars)......似乎我得到了每个
我需要一些关于 TLS 的解释:每次客户端想要将自己连接到服务器时是否都执行 TLS 握手?每次都重新创建 session key ? premasterkey 和 masterkey 也是吗?Cli
我正在尝试将 TimeoutMixin 合并到基于 SSL 的协议(protocol)中。但是,当超时发生并且它调用 transport.loseConnection() 时,什么也没有发生。我认为这
我是一名优秀的程序员,十分优秀!