CloseableHttpAsyncClient does not send a fatal TLS alert before closing the connection

Question (votes: 0, answers: 1)

I am trying to get the Apache httpclient5 CloseableHttpAsyncClient to correctly send a fatal TLS alert when a failure leads to the connection being closed. According to the TLS v1.2 protocol, "Whenever an implementation encounters a condition which is defined as a fatal alert, it MUST send the appropriate alert prior to closing the connection.", so a client that does not accept the server certificate, for example because it has expired, must send a fatal alert before closing the connection.

I am using httpclient5 5.2.3 with openjdk-17 and the default JSSE security provider.

If I try to make a basic HTTP request with CloseableHttpAsyncClient, with TLS configured through system properties, like this:

import java.net.URI;
import java.util.concurrent.Future;
import org.apache.hc.client5.http.async.methods.SimpleHttpRequest;
import org.apache.hc.client5.http.async.methods.SimpleHttpResponse;
import org.apache.hc.client5.http.impl.async.CloseableHttpAsyncClient;
import org.apache.hc.client5.http.impl.async.HttpAsyncClients;
import org.apache.hc.core5.http.Method;

// Default client: TLS settings come from the JSSE system properties (javax.net.ssl.*)
try (CloseableHttpAsyncClient client = HttpAsyncClients.createDefault()) {
    client.start();
    SimpleHttpRequest simpleHttpRequest = SimpleHttpRequest.create(Method.GET,
            URI.create("https://expired.badssl.com"));
    Future<SimpleHttpResponse> future = client.execute(simpleHttpRequest, null);
    // Blocks until the response arrives or the handshake/request fails
    SimpleHttpResponse simpleHttpResponse = future.get();
} catch (Exception e) {
    e.printStackTrace();
}

and send it to a server whose certificate has expired, then, as expected, the client does not accept the certificate and closes the connection, but it does not notify the server by sending a fatal TLS alert.

Is any configuration required to make httpclient5 send the alert to the server?

Edit:

Log output from running the code sample:

2024-07-05T14:08:47.183+02:00 DEBUG 38589 --- [io-10666-exec-1] j.e.security                             : X509Certificate: Alg:SHA512withRSA, Serial:7ef6d57d52073136912...
2024-07-05T14:08:47.319+02:00 DEBUG 38589 --- [io-10666-exec-1] .c.h.i.a.InternalAbstractHttpAsyncClient : ex-0000000001 preparing request execution
2024-07-05T14:08:47.331+02:00 DEBUG 38589 --- [io-10666-exec-1] o.a.h.c.h.i.a.AsyncProtocolExec          : ex-0000000001 target auth state: UNCHALLENGED
2024-07-05T14:08:47.332+02:00 DEBUG 38589 --- [io-10666-exec-1] o.a.h.c.h.i.a.AsyncProtocolExec          : ex-0000000001 proxy auth state: UNCHALLENGED
2024-07-05T14:08:47.333+02:00 DEBUG 38589 --- [io-10666-exec-1] o.a.h.c.h.i.a.AsyncConnectExec           : ex-0000000001 acquiring connection with route {s}->https://localhost:16270
2024-07-05T14:08:47.334+02:00 DEBUG 38589 --- [io-10666-exec-1] o.a.h.c.h.i.a.InternalHttpAsyncClient    : ex-0000000001 acquiring endpoint (3 MINUTES)
2024-07-05T14:08:47.335+02:00 DEBUG 38589 --- [io-10666-exec-1] .i.n.PoolingAsyncClientConnectionManager : ex-0000000001 endpoint lease request (3 MINUTES) [route: {s}->https://localhost:16270][total available: 0; route allocated: 0 of 5; total allocated: 0 of 25]
2024-07-05T14:08:47.339+02:00 DEBUG 38589 --- [io-10666-exec-1] .i.n.PoolingAsyncClientConnectionManager : ex-0000000001 endpoint leased [route: {s}->https://localhost:16270][total available: 0; route allocated: 1 of 5; total allocated: 1 of 25]
2024-07-05T14:08:47.339+02:00 DEBUG 38589 --- [io-10666-exec-1] .i.n.PoolingAsyncClientConnectionManager : ex-0000000001 acquired ep-0000000001
2024-07-05T14:08:47.339+02:00 DEBUG 38589 --- [io-10666-exec-1] o.a.h.c.h.i.a.InternalHttpAsyncClient    : ex-0000000001 acquired endpoint ep-0000000001
2024-07-05T14:08:47.339+02:00 DEBUG 38589 --- [io-10666-exec-1] o.a.h.c.h.i.a.InternalHttpAsyncClient    : ep-0000000001 connecting endpoint (null)
2024-07-05T14:08:47.340+02:00 DEBUG 38589 --- [io-10666-exec-1] .i.n.PoolingAsyncClientConnectionManager : ep-0000000001 connecting endpoint to https://localhost:16270 (3 MINUTES)
2024-07-05T14:08:47.341+02:00 DEBUG 38589 --- [io-10666-exec-1] .a.h.c.h.i.n.MultihomeIOSessionRequester : localhost resolving remote address
2024-07-05T14:08:47.341+02:00 DEBUG 38589 --- [io-10666-exec-1] .a.h.c.h.i.n.MultihomeIOSessionRequester : localhost resolved to [localhost/127.0.0.1]
2024-07-05T14:08:47.342+02:00 DEBUG 38589 --- [io-10666-exec-1] .a.h.c.h.i.n.MultihomeIOSessionRequester : localhost:16270 connecting null->localhost/127.0.0.1:16270 (3 MINUTES)
2024-07-05T14:08:47.353+02:00 DEBUG 38589 --- [ient-dispatch-1] o.a.h.c.r.IOSessionImpl                  : c-0000000000[ACTIVE][rc:c] protocol upgrade class org.apache.hc.core5.http2.impl.nio.HttpProtocolNegotiator
2024-07-05T14:08:47.354+02:00 DEBUG 38589 --- [ient-dispatch-1] .a.h.c.h.i.n.MultihomeIOSessionRequester : localhost:16270 connected null->localhost/127.0.0.1:16270 as c-0000000000
2024-07-05T14:08:47.358+02:00 DEBUG 38589 --- [ient-dispatch-1] .i.n.DefaultManagedAsyncClientConnection : c-0000000000 start TLS
2024-07-05T14:08:47.402+02:00 DEBUG 38589 --- [ient-dispatch-1] o.a.h.c.h.s.AbstractClientTlsStrategy    : Enabled protocols: [TLSv1.3, TLSv1.2]
2024-07-05T14:08:47.403+02:00 DEBUG 38589 --- [ient-dispatch-1] o.a.h.c.h.s.AbstractClientTlsStrategy    : Enabled cipher suites:[TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2024-07-05T14:08:47.403+02:00 DEBUG 38589 --- [ient-dispatch-1] o.a.h.c.h.s.AbstractClientTlsStrategy    : Starting handshake (3 MINUTES)
2024-07-05T14:08:47.449+02:00 DEBUG 38589 --- [ient-dispatch-1] o.a.h.c.r.s.SSLIOSession                 : c-0000000000[ACTIVE][rw:c][ACTIVE][r][NEED_UNWRAP][0][0][482] Event cleared [c]
2024-07-05T14:08:47.630+02:00 DEBUG 38589 --- [ient-dispatch-1] j.e.security                             : X509Certificate: Alg:SHA256withRSA, Serial:10... Valid from:5/13/24, 3:54 PM, Valid until:5/13/24, 3:54 PM
2024-07-05T14:08:47.651+02:00 DEBUG 38589 --- [ient-dispatch-1] .c.h.i.a.InternalAbstractHttpAsyncClient : ex-0000000001 request failed: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
2024-07-05T14:08:47.652+02:00 DEBUG 38589 --- [ient-dispatch-1] .i.n.PoolingAsyncClientConnectionManager : ep-0000000001 close IMMEDIATE
2024-07-05T14:08:47.652+02:00 DEBUG 38589 --- [ient-dispatch-1] o.a.h.c.h.i.a.InternalHttpAsyncClient    : ep-0000000001 endpoint closed
2024-07-05T14:08:47.652+02:00 DEBUG 38589 --- [ient-dispatch-1] o.a.h.c.h.i.a.InternalHttpAsyncClient    : ep-0000000001 discarding endpoint
2024-07-05T14:08:47.652+02:00 DEBUG 38589 --- [ient-dispatch-1] .i.n.PoolingAsyncClientConnectionManager : ep-0000000001 releasing endpoint
2024-07-05T14:08:47.652+02:00 DEBUG 38589 --- [ient-dispatch-1] .i.n.PoolingAsyncClientConnectionManager : ep-0000000001 connection released [route: {s}->https://localhost:16270][total available: 0; route allocated: 0 of 5; total allocated: 0 of 25]
2024-07-05T14:08:47.652+02:00 DEBUG 38589 --- [io-10666-exec-1] .a.h.c.h.i.a.AbstractHttpAsyncClientBase : Shutdown GRACEFUL
2024-07-05T14:08:47.654+02:00 DEBUG 38589 --- [ient-dispatch-1] o.a.h.c.r.s.SSLIOSession                 : c-0000000000[CLOSED][][CLOSED][r][NEED_WRAP][inbound done][][0][0][0] Close IMMEDIATE
2024-07-05T14:08:47.654+02:00 DEBUG 38589 --- [ient-dispatch-1] o.a.h.c.r.s.SSLIOSession                 : c-0000000000[CLOSED][][CLOSED][r][NEED_WRAP][inbound done][][0][0][0] Close GRACEFUL
2024-07-05T14:08:47.655+02:00 DEBUG 38589 --- [io-10666-exec-1] .i.n.PoolingAsyncClientConnectionManager : Shutdown connection pool GRACEFUL
2024-07-05T14:08:47.655+02:00 DEBUG 38589 --- [io-10666-exec-1] .i.n.PoolingAsyncClientConnectionManager : Connection pool shut down

I think these are the lines @Robert was referring to:

2024-07-05T14:08:47.651+02:00 DEBUG 38589 --- [ient-dispatch-1] .c.h.i.a.InternalAbstractHttpAsyncClient : ex-0000000001 request failed: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
2024-07-05T14:08:47.652+02:00 DEBUG 38589 --- [ient-dispatch-1] .i.n.PoolingAsyncClientConnectionManager : ep-0000000001 close IMMEDIATE
java java-17 apache-httpcomponents apache-httpclient-5.x
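As an added illustration (not part of the question and not httpclient5 code), here is a small Python check that a server-side test harness could run over the bytes it received right before the client closed the TCP connection, to tell a conforming fatal alert from the abrupt close the log above shows. The captures are constructed; it only classifies plaintext alerts, which covers the TLS 1.2 certificate-rejection case (TLS 1.3 encrypts alerts sent after ServerHello).

```python
# Added example: classify what a TLS peer sent just before closing the socket.
# Record layout (RFC 5246 6.2.1): type(1) version(2) length(2) fragment(length).
# Alert fragment (RFC 5246 7.2): level(1) description(1).
import struct

CONTENT_TYPE_ALERT = 21
ALERT_LEVEL_WARNING = 1
ALERT_LEVEL_FATAL = 2
# Alert descriptions most relevant to certificate validation (RFC 5246 7.2.2).
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    42: "bad_certificate",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}


def parse_tls_records(data: bytes):
    """Split a raw byte stream into (content_type, version, fragment) tuples.
    A trailing partial record is dropped: the peer may have closed mid-record."""
    records = []
    offset = 0
    while offset + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        if offset + 5 + length > len(data):
            break
        records.append((ctype, (major, minor), data[offset + 5:offset + 5 + length]))
        offset += 5 + length
    return records


def fatal_alert_before_close(data: bytes):
    """Return the name of the fatal alert the peer sent before closing, or None
    when the stream ended without one (abrupt close or only a warning alert)."""
    for ctype, _version, fragment in parse_tls_records(data):
        if ctype == CONTENT_TYPE_ALERT and len(fragment) == 2:
            level, description = fragment[0], fragment[1]
            if level == ALERT_LEVEL_FATAL:
                return ALERT_DESCRIPTIONS.get(description, f"alert_{description}")
    return None


# Constructed sample captures (not real traffic):
# conforming client: fatal certificate_expired (level 2, description 45), then close
COMPLIANT_CAPTURE = bytes.fromhex("15 03 03 00 02 02 2d".replace(" ", ""))
# behaviour from the question: the client just drops the TCP connection
ABRUPT_CLOSE_CAPTURE = b""
# warning-level close_notify is an orderly shutdown, not a fatal alert
CLOSE_NOTIFY_CAPTURE = bytes.fromhex("15 03 03 00 02 01 00".replace(" ", ""))
```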
1 answer

0 votes

Please try this change set locally and let me know whether it fixes your problem

https://github.com/apache/httpcomponents-core/compare/5.2.x...ok2c:httpcomponents-core:tls_handshake_shutdown

There is no guarantee that this will force JSSE to generate a fatal alert, but at least HttpClient will attempt to shut down the TLS session gracefully.

You will need to build HttpCore from source and have HttpClient use that snapshot to test the fix.
