唐瀚林 2024-09-10 15:39 采纳率: 0%

HttpClient使用双向认证时连接复用失效!

HttpClient使用双向认证时连接复用失效：正常的HTTP或HTTPS请求连接复用都是生效的，只有在Mutual SSL（双向认证）时失效；将服务端双向认证关闭后，连接复用又能正常生效，开启了双向认证后，每一次请求都会重新进行TCP握手。

这是什么情况呢,对TCP的加密通信不太了解。


```java
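 /**
     * Issues three identical keep-alive GETs through one pooled, mutually-authenticated client.
     *
     * <p>With a working pool only the first request should open a new connection; the others
     * should reuse it. The client and every response are now closed, so connections are actually
     * returned to the pool and the pool itself is released at exit.
     *
     * @param args ignored
     * @throws Exception if the client cannot be built or a request fails
     */
 public static void main(String[] args) throws Exception {
        // javax.net.debug appears to be read once when the JSSE classes initialise, so this value
        // must be set before the first SSLContext is created (below).
        System.setProperty("javax.net.debug", "ssl:handshake:verbose");
        // Close the client so the connection pool (and its sockets) is shut down at exit.
        try (CloseableHttpClient client = createMutualSSLClient(100, 20)) {
            // Kept for behavioural parity; set this late it most likely has no effect (see above).
            System.setProperty("javax.net.debug", "ssl:handshake");
            for (int i = 0; i < 3; i++) {
                System.out.println(executeGet(client, "https://192.168.66.151:7891/test1"));
            }
        }
    }

    /**
     * Performs one GET with a keep-alive header and returns the response body as a string.
     *
     * @param client the pooled client to execute the request on
     * @param url    the absolute URL to fetch
     * @return the response body as decoded by {@code EntityUtils.toString}
     * @throws Exception if the request or body decoding fails
     */
    private static String executeGet(CloseableHttpClient client, String url) throws Exception {
        HttpGet request = new HttpGet(url);
        request.setHeader("Connection", "keep-alive");
        // Consume the entity fully, then close the response: the connection should then be
        // released back to the pool for reuse rather than left checked out.
        try (CloseableHttpResponse response = client.execute(request)) {
            return EntityUtils.toString(response.getEntity());
        }
    }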

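    /**
     * Loads a key store from disk.
     *
     * @param keyStorePath path of the store file
     * @param password     store password; {@code null} skips the integrity check
     * @param type         key store type, e.g. {@code "PKCS12"} or {@code "JKS"}
     * @return the loaded store
     * @throws Exception if the type is unknown, the file cannot be read, or the password is wrong
     */
    private static KeyStore getKeyStore(String keyStorePath, String password, String type) throws Exception {
        KeyStore keyStore = KeyStore.getInstance(type);
        // try-with-resources: the stream was previously leaked whenever load() threw.
        try (FileInputStream inputStream = new FileInputStream(keyStorePath)) {
            keyStore.load(inputStream, password == null ? null : password.toCharArray());
        }
        return keyStore;
    }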


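    /**
     * Builds a pooled HTTP client that presents a client certificate (mutual TLS).
     *
     * @param maxConn     maximum connections in the pool overall
     * @param maxPerRoute maximum connections per route
     * @return a client whose {@code close()} also shuts down its private connection pool
     * @throws KeyException if the TLS socket factory cannot be built
     */
    public static CloseableHttpClient createMutualSSLClient(Integer maxConn, Integer maxPerRoute) throws KeyException {
        // Build the factory once: it was previously built twice, loading both key stores and
        // creating two SSLContexts for one client.
        SSLConnectionSocketFactory sslSocketFactory = getSSLConnectionSocketFactory();
        Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
                .register("HTTPS", sslSocketFactory)
                .build();
        PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(registry);
        cm.setMaxTotal(maxConn);
        cm.setDefaultMaxPerRoute(maxPerRoute);
        // The pool is private to this client, so it must not be marked shared: doing so (as
        // before) left the pool and its sockets alive after client.close().
        return HttpClients.custom()
                .setSSLSocketFactory(sslSocketFactory)
                .setConnectionManager(cm)
                .build();
    }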


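    /**
     * Builds the TLS socket factory for mutual authentication: the client certificate comes from
     * the PKCS12 store, the trusted root from the JKS store.
     *
     * <p>The store paths and passwords are hard-coded; they belong in configuration and the
     * password should not live in source. Hostname verification is disabled via
     * {@code NoopHostnameVerifier}, so any certificate signed by the trusted root is accepted for
     * any host — this is kept to preserve the original behaviour but should be reviewed before
     * use outside a test setup.
     *
     * @return a socket factory restricted to TLSv1.2
     * @throws KeyException if either store cannot be loaded or the context cannot be initialised
     */
    public static SSLConnectionSocketFactory getSSLConnectionSocketFactory() throws KeyException {
        try {
            // Platform default (as already done for the trust manager) instead of the
            // provider-specific "SunX509" name.
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            KeyStore keyStore = getKeyStore("/Users/xxx/Desktop/ssl/client.p12", "123456", "PKCS12");
            keyManagerFactory.init(keyStore, "123456".toCharArray());

            KeyStore trustKeyStore = getKeyStore("/Users/xxx/Desktop/ssl/root.jks", "123456", "JKS");
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustKeyStore);

            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom());

            // TLSv1 and TLSv1.1 were previously offered as well; both are deprecated and disabled
            // by default in current JDKs, so listing them only widens the downgrade surface.
            return new SSLConnectionSocketFactory(sslContext, new String[]{"TLSv1.2"}, null, new NoopHostnameVerifier());
        } catch (Exception e) {
            throw new KeyException("创建双向认证客户端失败" + e.getMessage(), e);
        }
    }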


```


  • 唐瀚林 2024-09-10 15:57

    这是 TLS 握手的报文（ClientHello / ServerHello）。注意 ServerHello 回显了与 ClientHello 相同的 session id，按 TLS 1.2 的语义这表示会话被恢复，而不是一次全新的完整握手。

    javax.net.ssl|FINE|0C|Thread-1|2024-09-10 15:55:15.976 CST|ClientHello.java:556|Produced ClientHello handshake message (
    "ClientHello": {
      "client version"      : "TLSv1.2",
      "random"              : "09 9D AA AD CF BA 9F A2 61 E7 68 DB F5 19 89 F8 1C 88 EA E2 50 B4 03 44 87 06 70 98 55 84 31 AC",
      "session id"          : "3F 71 B6 C0 E0 65 35 20 08 87 A6 7C 38 1D 59 88 57 3D A9 59 B7 D3 1E 47 97 A6 DC CC ED F1 59 37",
      "cipher suites"       : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
      "compression methods" : "00",
      "extensions"          : [
        "supported_groups (10)": {
          "versions": [secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
        },
        "ec_point_formats (11)": {
          "formats": [uncompressed]
        },
        "signature_algorithms (13)": {
          "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
        },
        "signature_algorithms_cert (50)": {
          "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
        },
        "extended_master_secret (23)": {
          <empty>
        },
        "supported_versions (43)": {
          "versions": [TLSv1.2]
        }
      ]
    }
    )
    javax.net.ssl|FINE|0C|Thread-1|2024-09-10 15:55:16.002 CST|ServerHello.java:862|Consuming ServerHello handshake message (
    "ServerHello": {
      "server version"      : "TLSv1.2",
      "random"              : "BE E5 98 84 AE C2 7A 7C D2 AE C3 28 AA 1B 36 55 D0 DE 68 B5 A0 FF 1D 39 68 CA 27 AB 85 3C C2 D6",
      "session id"          : "3F 71 B6 C0 E0 65 35 20 08 87 A6 7C 38 1D 59 88 57 3D A9 59 B7 D3 1E 47 97 A6 DC CC ED F1 59 37",
      "cipher suite"        : "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)",
      "compression methods" : "00",
      "extensions"          : [
        "extended_master_secret (23)": {
          <empty>
        },
        "renegotiation_info (65,281)": {
          "renegotiated connection": [<no renegotiated connection>]
        }
      ]
    }
    )
    
    
