服务器 JDK 1.8u_112
Linux version 3.10.0-1062.9.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) )
服务器有 NGINX,但是仅针对进来的请求,对 80 和 443 端口做了转发,转发到服务所在的 81 端口
——————————————————————————————————————————————————
问题现象:
请求客户服务器 HTTPS 接口出现 connection reset
排查第一步:
先抓包,发现客户服务器在我的服务器 Client Hello 完就 reset 了我(第一次握手
在本地 windows 环境写了个小项目,模拟一模一样的请求代码
复现问题
挨个清理 https 请求的代码,发现去掉重写 hostVerifyName 就可以
然后上网查发现是 JDK8 早期版本的一个 bug
https://bugs.openjdk.java.net/browse/JDK-8159569
按照帖子
https://javabreaks.blogspot.com/2015/12/java-ssl-handshake-with-server-name.html
重写了 SSLSocketFactory
在本地解决了这个 connection reset 的问题
接下来打包代码发到服务器
这里要说明一下,这个项目是一个迭代了六年的项目,没有上 springboot,也没有上 maven
所以每次发布都是更新的 class
更新到服务器上后 tcpdump 抓包发现
Client Hello 的 Extension 里还是没有 server_name(SNI)
这里有怀疑自己代码更新出错,没有把代码更新上去
1.下载 class 与本地进行对比,是一样的
2.将服务器上的 tomcat 和 class 拷贝下来在本地环境( linux -》 win )启动,请求客户服务器抓包是有 SNI
这里已经感到很邪门了,觉得是不是 linux 服务器对出口请求有什么过滤
写了个 springboot 小程序,里面的 https 请求代码是和公司项目里的一样的(有加上 SNI 的代码
抓包,有 SNI
写了个纯 JAVA,只有 main 函数那种
抓包有 SNI
那这就可以排除 linux 服务对出口请求的过滤
不过我也不清楚会不会有单独针对某个程序的过滤???可能性不大
——————————————————————————————————————————————
截至这里我已经很绝望了,感觉像是鬼打墙。
查了 JDK 官方的记录说是 1.8u_152 解决了这个问题
先在本机验证,挂上 152 的 JDK,去掉添加 SNI 的代码,抓包有 SNI
所以连夜给服务器的项目升级了 JDK
这里根据 Catalina 里面记录可以保证 JDK 是用的 152
但是抓包,莫得!还是莫得???
——————————————————————————————————————————————
下面是涉案代码
服务器上的代码
public static JSONObject httpsRequest(String requestUrl, String requestMethod, String contentType, String outputStr) {
JSONObject jsonObject = null;
StringBuffer buffer = new StringBuffer();
HttpsURLConnection httpUrlConn = null;
OutputStream outputStream = null;
InputStream inputStream = null;
InputStreamReader inputStreamReader = null;
BufferedReader bufferedReader = null;
try {
URL url = new URL(requestUrl);
httpUrlConn = (HttpsURLConnection) url.openConnection();
if (contentType != null) {
httpUrlConn.setRequestProperty("Content-Type", contentType);
}
TrustManager[] tm = {new TrustManager()};
SSLContext sslContext = SSLContext.getInstance("SSL", "SunJSSE");
sslContext.getServerSessionContext().setSessionCacheSize(1000);
sslContext.init(null, tm, new SecureRandom());
// SSLSocketFactory ssf = sslContext.getSocketFactory();
httpUrlConn.setHostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return true;
}
});
SSLParameters sslParameters = new SSLParameters();
List sniHostNames = new ArrayList(1);
sniHostNames.add(new SNIHostName(url.getHost()));
sslParameters.setServerNames(sniHostNames);
SSLSocketFactoryWrapper ssf = new SSLSocketFactoryWrapper(sslContext.getSocketFactory(), sslParameters);
httpUrlConn.setSSLSocketFactory(ssf);
httpUrlConn.setDoOutput(true);
httpUrlConn.setDoInput(true);
httpUrlConn.setUseCaches(false);
httpUrlConn.setRequestMethod(requestMethod);
httpUrlConn.setConnectTimeout(20000);
httpUrlConn.setReadTimeout(20000);
if ("GET".equalsIgnoreCase(requestMethod)) {
httpUrlConn.connect();
}
if (outputStr != null) {
outputStream = httpUrlConn.getOutputStream();
outputStream.write(outputStr.getBytes("UTF-8"));
}
if ( httpUrlConn.getResponseCode() == HttpURLConnection.HTTP_OK || httpUrlConn.getResponseCode() == HttpURLConnection.HTTP_CREATED || httpUrlConn.getResponseCode() == HttpURLConnection.HTTP_ACCEPTED) {
inputStream = httpUrlConn.getInputStream();
} else {
inputStream = httpUrlConn.getErrorStream();
}
inputStreamReader = new InputStreamReader(inputStream, "UTF-8");
bufferedReader = new BufferedReader(inputStreamReader);
String str = null;
while ((str = bufferedReader.readLine()) != null) {
buffer.append(str);
}
try {
jsonObject = JSONObject.fromObject(buffer.toString());
} catch (Exception e1) {
try {
jsonObject = JSONObject.fromObject("{id:\"" + buffer.toString() + "\"}");
} catch (Exception e2) {
log.error("请求异常:" + requestUrl, e2);
return null;
}
}
} catch (Exception e) {
log.error("请求异常:" + requestUrl, e);
if (e.getMessage().contains("401 for URL")) {
return JSONObject.fromObject("{id:\"401\"}");
}
return null;
} finally {
closeConnection( httpUrlConn, outputStream, inputStream, inputStreamReader, bufferedReader);
}
return jsonObject;
}
可以看出除了 TrustManager 和 SSLSocketFactoryWrapper 其他的都是 JDK 自带的类
TrustManager
public class TrustManager implements X509TrustManager {
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
public X509Certificate[] getAcceptedIssuers() {
return null;
}
}
SSLSocketFactoryWrapper
public class SSLSocketFactoryWrapper extends SSLSocketFactory {
private final SSLSocketFactory wrappedFactory;
private final SSLParameters sslParameters;
public SSLSocketFactoryWrapper(SSLSocketFactory factory, SSLParameters sslParameters) {
this.wrappedFactory = factory;
this.sslParameters = sslParameters;
}
@Override
public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
SSLSocket socket = (SSLSocket) wrappedFactory.createSocket(host, port);
setParameters(socket);
return socket;
}
@Override
public Socket createSocket(String host, int port, InetAddress localHost, int localPort)
throws IOException, UnknownHostException {
SSLSocket socket = (SSLSocket) wrappedFactory.createSocket(host, port, localHost, localPort);
setParameters(socket);
return socket;
}
@Override
public Socket createSocket(InetAddress host, int port) throws IOException {
SSLSocket socket = (SSLSocket) wrappedFactory.createSocket(host, port);
setParameters(socket);
return socket;
}
@Override
public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
SSLSocket socket = (SSLSocket) wrappedFactory.createSocket(address, port, localAddress, localPort);
setParameters(socket);
return socket;
}
@Override
public Socket createSocket() throws IOException {
SSLSocket socket = (SSLSocket) wrappedFactory.createSocket();
setParameters(socket);
return socket;
}
@Override
public String[] getDefaultCipherSuites() {
return wrappedFactory.getDefaultCipherSuites();
}
@Override
public String[] getSupportedCipherSuites() {
return wrappedFactory.getSupportedCipherSuites();
}
@Override
public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
SSLSocket socket = (SSLSocket) wrappedFactory.createSocket(s, host, port, autoClose);
setParameters(socket);
return socket;
}
private void setParameters(SSLSocket socket) {
socket.setSSLParameters(sslParameters);
}
}
我照抄的呀!我照着大佬抄的!!!
下面是 Springboot 和那个单类测试项目,都放到公司服务器上测试了,有 SNI
@SpringBootApplication
public class DemoApplication {
public static void main(String[] args) {
SpringApplication.run(DemoApplication.class, args);
tryConnect();
}
public static void tryConnect() {
String requestUrl = "https://xhoa.xinhuamed.com.cn:443/seeyon/rest/token/wechat";
String contentType = null;
String requestMethod = "GET";
String outputStr = null;
StringBuffer buffer = new StringBuffer();
HttpsURLConnection httpUrlConn = null;
OutputStream outputStream = null;
InputStream inputStream = null;
InputStreamReader inputStreamReader = null;
BufferedReader bufferedReader = null;
try {
URL url = new URL(requestUrl);
httpUrlConn = (HttpsURLConnection) url.openConnection();
if (contentType != null) {
httpUrlConn.setRequestProperty("Content-Type", contentType);
}
TrustManager[] tm = {new TrustManager()};
SSLContext sslContext = SSLContext.getInstance("SSL", "SunJSSE");
sslContext.getServerSessionContext().setSessionCacheSize(1000);
sslContext.init(null, tm, new SecureRandom());
// SSLSocketFactory ssf = sslContext.getSocketFactory();
SSLParameters sslParameters = new SSLParameters();
List sniHostNames = new ArrayList(1);
sniHostNames.add(new SNIHostName(url.getHost()));
sslParameters.setServerNames(sniHostNames);
SSLSocketFactoryWrapper ssf = new SSLSocketFactoryWrapper(sslContext.getSocketFactory(), sslParameters);
httpUrlConn.setSSLSocketFactory(ssf);
httpUrlConn.setHostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return true;
}
});
httpUrlConn.setDoOutput(true);
httpUrlConn.setDoInput(true);
httpUrlConn.setUseCaches(false);
httpUrlConn.setRequestMethod(requestMethod);
httpUrlConn.setConnectTimeout(20000);
httpUrlConn.setReadTimeout(20000);
if ("GET".equalsIgnoreCase(requestMethod)) {
httpUrlConn.connect();
}
if (outputStr != null) {
outputStream = httpUrlConn.getOutputStream();
outputStream.write(outputStr.getBytes("UTF-8"));
}
if ( httpUrlConn.getResponseCode() == HttpURLConnection.HTTP_OK || httpUrlConn.getResponseCode() == HttpURLConnection.HTTP_CREATED || httpUrlConn.getResponseCode() == HttpURLConnection.HTTP_ACCEPTED) {
inputStream = httpUrlConn.getInputStream();
} else {
inputStream = httpUrlConn.getErrorStream();
}
inputStreamReader = new InputStreamReader(inputStream, "UTF-8");
bufferedReader = new BufferedReader(inputStreamReader);
String str = null;
while ((str = bufferedReader.readLine()) != null) {
buffer.append(str);
}
try {
System.out.println(buffer.toString());
} catch (Exception e1) {
System.out.println(e1);
}
} catch (Exception e) {
System.out.println(e);
} finally {
closeConnection( httpUrlConn, outputStream, inputStream, inputStreamReader, bufferedReader);
}
}
private static void closeConnection(HttpURLConnection httpUrlConn, OutputStream outputStream, InputStream inputStream, InputStreamReader inputStreamReader, BufferedReader bufferedReader) {
if (outputStream != null) {
try {
outputStream.close();
outputStream = null;
} catch (IOException e2) {
}
}
if (bufferedReader != null) {
try {
bufferedReader.close();
bufferedReader = null;
} catch (IOException e1) {
}
}
if (inputStreamReader != null) {
try {
inputStreamReader.close();
inputStreamReader = null;
} catch (IOException e1) {
}
}
if (inputStream != null) {
try {
inputStream.close();
inputStream = null;
} catch (IOException e) {
}
}
if ( httpUrlConn != null) {
httpUrlConn.disconnect();
httpUrlConn = null;
}
}
}
——————————————————————————————————————————————————
拜托大家发散一下思路,想想还有什么方式能测试一下,以及还有哪里有可能限制
这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。
V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。
V2EX is a community of developers, designers and creative people.