
Problem validating a self-signed certificate: receiving handshake_failure


I am using quickfix to validate the server's certificate and I get a fatal handshake_failure.

This is what I see:

  • Initial handshake started

  • Client connects.

  • Server accepts.

  • A TLS handshake takes place, during which:

    o the cipher suite is negotiated successfully.

    o the client validates the server certificate

    o the server closes the socket arbitrarily. (SEND TLSv1 ALERT: warning, description = close_notify <- but this looks like a clean closure.)

    o the client is left hanging

Could someone please take a look at it.

Allow unsafe renegotiation: false 
Allow legacy hello messages: true 
Is initial handshake: true 
Is secure renegotiation: false 
Ignoring disabled protocol: SSLv3 
%% No cached client session 
..
..
*** ClientHello, TLSv1 
RandomCookie:  GMT: 1468991703 bytes = { 167, 140, 147, 81, 176, 169, 230, 45, 229, 147, 246, 106, 201, 127, 79, 194, 88, 63, 1, 91, 34, 184, 35, 49, 119, 31, 227, 157 } 
..
..
ISocketConnector-0, WRITE: TLSv1 Handshake, length = 149 
MINA session created for FIX.4.4:ZZZZZ->YYYY: local=/X.X.X.X:XXXXXX, class org.apache.mina.transport.socket.nio.SocketSessionImpl, remote=/XXX.XXX.XXX.XX:YYYYY [quickfix.mina.initiator.InitiatorIoHandler:50]
SocketConnectorIoProcessor-0.0, READ: TLSv1 Handshake, length = 81 
*** ServerHello, TLSv1 
..
..
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA 
Compression Method: 0 
Extension renegotiation_info, renegotiated_connection: <empty> 
%% Initialized:  [Session-1885, TLS_RSA_WITH_AES_128_CBC_SHA] 
** TLS_RSA_WITH_AES_128_CBC_SHA 
SocketConnectorIoProcessor-0.0, READ: TLSv1 Handshake, length = 3224 
*** Certificate chain 
chain [0] = [ 
Version: V3 
..
..
..
..

READ: TLSv1 Handshake, length = 14 
*** CertificateRequest 
Cert Types: RSA, DSS, ECDSA 
Cert Authorities: 
<Empty> 
*** ServerHelloDone 
*** Certificate chain 
*** 
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1 
WRITE: TLSv1 Handshake, length = 141 
SESSION KEYGEN: 
 PreMaster Secret: 
..
..
CONNECTION KEYGEN: 
Client Nonce: 
..
..
Server Nonce: 
..
..
Master Secret: 
..
..
Client MAC write Secret: 
..
..                                  
Server MAC write Secret: 
..
..
Client write key: 
...
Server write key: 
..
Client write IV: 
..
Server write IV: 
..
..
WRITE: TLSv1 Change Cipher Spec, length = 1 
*** Finished 
verify_data:  { 85, 227, 34, 74, 171, 223, 226, 95, 232, 234, 118, 50 } 

WRITE: TLSv1 Handshake, length = 48 
READ: TLSv1 Alert, length = 2 
RECV TLSv1 ALERT:  fatal, handshake_failure 
fatal: engine already closedRethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure 
called closeOutbound() 
closeOutboundInternal() 
SEND TLSv1 ALERT:  warning, description = close_notify 
WRITE: TLSv1 Alert, length = 32 
called closeInbound() 
fatal: engine already closedRethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack? 
called closeOutbound() 
closeOutboundInternal()

1 Answer


    *** CertificateRequest

    The server requires a client certificate, but the client does not send one. Therefore the server closes the connection with a handshake_failure alert.
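As an added example (not code from the question or from QuickFIX/J), a small Python diagnostic that parses javax.net.ssl debug output like the log above and reports whether the failure matches this pattern: a CertificateRequest from the server, an empty client Certificate chain after ServerHelloDone, then a fatal handshake_failure. The sample log is constructed, and the regexes assume the `*** Name` and `RECV ... ALERT:` line shapes seen in the question.

```python
import re

# Constructed excerpt in the shape of the javax.net.ssl debug output quoted above
# (thread prefixes, key material and the certificate body are omitted).
SAMPLE_LOG = """\
*** ClientHello, TLSv1
*** ServerHello, TLSv1
*** Certificate chain
chain [0] = [
]
*** CertificateRequest
*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
RECV TLSv1 ALERT:  fatal, handshake_failure
"""
MSG = re.compile(r"^\*\*\*\s*(\w*)")                       # '*** Name ...' or bare '***'
ALERT = re.compile(r"RECV TLSv\S+ ALERT:\s*(\w+),\s*(\w+)")  # (level, description)

def parse_handshake(log):
    """(name, detail_lines) per handshake message in wire order; bare '***' only closes one."""
    msgs = []
    for raw in log.splitlines():
        line = raw.strip()
        m = MSG.match(line)
        if m:
            if m.group(1):
                msgs.append((m.group(1), []))  # '*** Certificate chain' -> 'Certificate'
            continue
        a = ALERT.search(line)
        if a:
            msgs.append(("ALERT", [a.group(1), a.group(2)]))  # received alert
        elif msgs:
            msgs[-1][1].append(line)
    return msgs

def diagnose(log):
    """Classify a failed TLS 1.0-1.2 handshake from the client-side debug log."""
    msgs = parse_handshake(log)
    names = [n for n, _ in msgs]
    if not any(n == "ALERT" and d[0] == "fatal" for n, d in msgs):
        return "handshake completed"
    if "CertificateRequest" not in names or "ServerHelloDone" not in names:
        return "fatal alert, but the server never requested a client certificate"
    done = names.index("ServerHelloDone")  # Certificate messages after this are the client's
    client_chain = [d for n, d in msgs[done + 1:] if n == "Certificate"]
    if not client_chain or not any("chain [" in l for l in client_chain[0]):
        return "server requested a client certificate; client sent an empty chain"
    return "client certificate sent but rejected by the server"
```

If the client did send a chain and the server still answered with handshake_failure, the diagnosis shifts to the server not trusting that chain rather than a missing keystore on the client.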
