问题:
如何在HIVEMQ中正确使用TLS 1.3密码套件?(获取SSL异常:在接收对等方的close_notify之前关闭入站)
孙和安
更新:我已经指定客户机在SSLConfig中使用.protocols()方法的TLS1.3。我尝试手动将密码套件:TLS_AES_128_GCM_SHA256添加到config.xml文件中,但是这次出现了一个SSL异常错误。更新后的产出和例外情况如下。我怀疑HiveMQ正在过滤掉我试图使用的密码套件。我尝试创建一个SSL引擎作为测试,并使用.getenabledciphersuites()和getsupportedciphersuites(),它指出我的JVM和TLS1.3协议本身支持上面的TLS1.3密码套件。
HiveMQ服务器控制台输出(来自run.sh文件,在logback.xml中启用了调试):
2019-07-06 12:06:42,394 INFO - Starting HiveMQ Community Edition Server
2019-07-06 12:06:42,398 INFO - HiveMQ version: 2019.1
2019-07-06 12:06:42,398 INFO - HiveMQ home directory: /Users/chigozieasikaburu/git/IoT-HiveMqtt-Community-Edition/build/zip/hivemq-ce-2019.1
2019-07-06 12:06:42,508 INFO - Log Configuration was overridden by /Users/someuser/git/IoT-HiveMqtt-Community-Edition/build/zip/hivemq-ce-2019.1/conf/logback.xml
2019-07-06 12:06:42,619 DEBUG - Reading configuration file /Users/someuser/git/IoT-HiveMqtt-Community-Edition/build/zip/hivemq-ce-2019.1/conf/config.xml
2019-07-06 12:06:42,838 DEBUG - Adding TCP Listener with TLS of type TlsTcpListener on bind address 0.0.0.0 and port 8883.
2019-07-06 12:06:42,839 DEBUG - Setting retained messages enabled to true
2019-07-06 12:06:42,839 DEBUG - Setting wildcard subscriptions enabled to true
2019-07-06 12:06:42,839 DEBUG - Setting subscription identifier enabled to true
2019-07-06 12:06:42,839 DEBUG - Setting shared subscriptions enabled to true
2019-07-06 12:06:42,839 DEBUG - Setting maximum qos to EXACTLY_ONCE
2019-07-06 12:06:42,840 DEBUG - Setting topic alias enabled to true
2019-07-06 12:06:42,840 DEBUG - Setting topic alias maximum per client to 5
2019-07-06 12:06:42,840 DEBUG - Setting the number of max queued messages per client to 1000 entries
2019-07-06 12:06:42,841 DEBUG - Setting queued messages strategy for each client to DISCARD
2019-07-06 12:06:42,841 DEBUG - Setting the expiry interval for client sessions to 4294967295 seconds
2019-07-06 12:06:42,841 DEBUG - Setting the expiry interval for publish messages to 4294967296 seconds
2019-07-06 12:06:42,841 DEBUG - Setting the server receive maximum to 10
2019-07-06 12:06:42,841 DEBUG - Setting keep alive maximum to 65535 seconds
2019-07-06 12:06:42,841 DEBUG - Setting keep alive allow zero to true
2019-07-06 12:06:42,842 DEBUG - Setting the maximum packet size for mqtt messages 268435460 bytes
2019-07-06 12:06:42,842 DEBUG - Setting global maximum allowed connections to -1
2019-07-06 12:06:42,842 DEBUG - Setting the maximum client id length to 65535
2019-07-06 12:06:42,842 DEBUG - Setting the timeout for disconnecting idle tcp connections before a connect message was received to 10000 milliseconds
2019-07-06 12:06:42,842 DEBUG - Throttling the global incoming traffic limit 0 bytes/second
2019-07-06 12:06:42,842 DEBUG - Setting the maximum topic length to 65535
2019-07-06 12:06:42,843 DEBUG - Setting allow server assigned client identifier to true
2019-07-06 12:06:42,843 DEBUG - Setting validate UTF-8 to true
2019-07-06 12:06:42,843 DEBUG - Setting payload format validation to false
2019-07-06 12:06:42,843 DEBUG - Setting allow-problem-information to true
2019-07-06 12:06:42,843 DEBUG - Setting anonymous usage statistics enabled to false
2019-07-06 12:06:42,845 INFO - This HiveMQ ID is JAzWT
2019-07-06 12:06:43,237 DEBUG - Using disk-based Publish Payload Persistence
2019-07-06 12:06:43,259 DEBUG - 1024.00 MB allocated for qos 0 inflight messages
2019-07-06 12:06:45,268 DEBUG - Initializing payload reference count and queue sizes for client_queue persistence.
2019-07-06 12:06:45,690 DEBUG - Diagnostic mode is disabled
2019-07-06 12:06:46,276 DEBUG - Throttling incoming traffic to 0 B/s
2019-07-06 12:06:46,277 DEBUG - Throttling outgoing traffic to 0 B/s
2019-07-06 12:06:46,321 DEBUG - Set extension executor thread pool size to 4
2019-07-06 12:06:46,321 DEBUG - Set extension executor thread pool keep-alive to 30 seconds
2019-07-06 12:06:46,336 DEBUG - Building initial topic tree
2019-07-06 12:06:46,395 DEBUG - Started JMX Metrics Reporting.
2019-07-06 12:06:46,491 INFO - Starting HiveMQ extension system.
2019-07-06 12:06:46,536 DEBUG - Starting extension with id "hivemq-file-rbac-extension" at /Users/someuser/git/IoT-HiveMqtt-Community-Edition/build/zip/hivemq-ce-2019.1/extensions/hivemq-file-rbac-extension
2019-07-06 12:06:46,558 INFO - Starting File RBAC extension.
2019-07-06 12:06:46,795 INFO - Extension "File Role Based Access Control Extension" version 4.0.0 started successfully.
2019-07-06 12:06:46,818 INFO - Enabled protocols for TCP Listener with TLS at address 0.0.0.0 and port 8883: [TLSv1.3]
2019-07-06 12:06:46,819 INFO - Enabled cipher suites for TCP Listener with TLS at address 0.0.0.0 and port 8883: []
2019-07-06 12:06:46,823 WARN - Unknown cipher suites for TCP Listener with TLS at address 0.0.0.0 and port 8883: [TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384]
2019-07-06 12:06:46,827 INFO - Starting TLS TCP listener on address 0.0.0.0 and port 8883
2019-07-06 12:06:46,881 INFO - Started TCP Listener with TLS on address 0.0.0.0 and on port 8883
2019-07-06 12:06:46,882 INFO - Started HiveMQ in 4500ms
2019-07-06 12:10:32,396 DEBUG - SSL Handshake failed for client with IP UNKNOWN: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
2019-07-06 12:10:38,967 DEBUG - SSL Handshake failed for client with IP UNKNOWN: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
2019-07-06 12:23:29,721 DEBUG - SSL Handshake failed for client with IP UNKNOWN: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
2019-07-06 12:23:35,990 DEBUG - SSL Handshake failed for client with IP UNKNOWN: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
2019-07-06 12:24:17,436 DEBUG - SSL Handshake failed for client with IP UNKNOWN: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
2019-07-06 12:24:29,160 DEBUG - SSL Handshake failed for client with IP UNKNOWN: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Java代码:
Mqtt5BlockingClient subscriber = Mqtt5Client.builder()
.identifier(UUID.randomUUID().toString()) // the unique identifier of the MQTT client. The ID is randomly generated between
.serverHost("localhost") // the host name or IP address of the MQTT server. Kept it localhost for testing. localhost is default if not specified.
.serverPort(8883) // specifies the port of the server
.addConnectedListener(context -> ClientConnectionRetreiver.printConnected("Subscriber1")) // prints a string that the client is connected
.addDisconnectedListener(context -> ClientConnectionRetreiver.printDisconnected("Subscriber1")) // prints a string that the client is disconnected
.sslConfig()
.cipherSuites(Arrays.asList("TLS_AES_128_GCM_SHA256"))
.applySslConfig()
.buildBlocking(); // creates the client builder
subscriber.connectWith() // connects the client
.simpleAuth()
.username("user1")
.password("somepassword".getBytes())
.applySimpleAuth()
.send();
异常(使用Ssl调试工具:-djavax.net.debug=Ssl):
SubThread1 is running.
javax.net.ssl|DEBUG|0F|nioEventLoopGroup-2-1|2019-07-05 15:29:47.379 EDT|SSLCipher.java:463|jdk.tls.keyLimits: entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|ALL|0F|nioEventLoopGroup-2-1|2019-07-05 15:29:47.761 EDT|SSLEngineImpl.java:752|Closing outbound of SSLEngine
javax.net.ssl|ALL|0F|nioEventLoopGroup-2-1|2019-07-05 15:29:47.762 EDT|SSLEngineImpl.java:724|Closing inbound of SSLEngine
javax.net.ssl|ERROR|0F|nioEventLoopGroup-2-1|2019-07-05 15:29:47.765 EDT|TransportContext.java:312|Fatal (INTERNAL_ERROR): closing inbound before receiving peer's close_notify (
"throwable" : {
javax.net.ssl.SSLException: closing inbound before receiving peer's close_notify
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:307)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:254)
at
java.base/sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:733)
at io.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1565)
at io.netty.handler.ssl.SslHandler.channelInactive(SslHandler.java:1049)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:245)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:231)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelInactive(AbstractChannelHandlerContext.java:224)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelInactive(DefaultChannelPipeline.java:1429)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:245)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:231)
at io.netty.channel.DefaultChannelPipeline.fireChannelInactive(De
faultChannelPipeline.java:947)
at io.netty.channel.AbstractChannel$AbstractUnsafe$8.run(AbstractChannel.java:826)
at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163)
at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:404)
at io.nett
y.channel.nio.NioEventLoop.run(NioEventLoop.java:474)
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:909)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:835)}
)
Subscriber1 disconnected.
Exception in thread "SubThread1" com.hivemq.client.mqtt.exceptions.ConnectionClosedException: Server closed connection without DISCONNECT.
at com.hivemq.client.internal.mqtt.MqttBlockingClient.connect(MqttBlockingClient.java:91)
at
com.hivemq.client.internal.mqtt.message.connect.MqttConnectBuilder$Send.send(MqttConnectBuilder.java:196)
at com.main.SubThread.run(SubThread.java:90)
at java.base/java.lang.Thread.run(Thread.java:835)
共有1个答案
甘骞尧
看起来您必须在服务器和客户机中都将协议设置为“TLSV1.3”。
客户:
java prettyprint-override"> ...
.sslConfig()
.cipherSuites(Arrays.asList("TLS_AES_128_GCM_SHA256"))
.protocols(Arrays.asList("TLSv1.3"))
.applySslConfig()
...
HiveMQ:
<tls-tcp-listener>
<tls>
...
<protocols>
<protocol>TLSv1.3</protocol>
</protocols>
<cipher-suites>
<cipher-suite>TLS_AES_128_GCM_SHA256</cipher-suite>
</cipher-suites>
...
</tls>
</tls-tcp-listener>
类似资料:
-
在从Jetty服务器下载文件的客户端Ant任务中,我偶尔会收到 我在谷歌上搜索了一段时间,但到目前为止,我还没有一个结论性的答案来解释为什么会发生这种情况。 谁能解释一下这个例外的根本原因是什么? 我的Jetty日志似乎没有这个异常的等效痕迹。然而,Jetty服务器似乎确实正在终止安全连接。 作为一个背景——当蚂蚁任务产生的两个客户端使用相同的证书从码头服务器下载预定的文件时,我看到了这个异常。我
-
我将HiveMQ服务器配置为识别TLS,并创建了一个TLS通信。我想打印出正在使用的密码套件。我使用了getSslConfig(),但最后得到的输出是:
-
我有以下代码: 当我运行代码时,我得到以下异常消息:期间与远程主机的连接失败。 我不知道为什么我会收到这条信息。
-
我使用来管理服务器端的套接字连接。如果服务器(tomcat)关闭,我如何确保任何活动的套接字连接被正确终止? 有好心的听众吗?或任何可以防止服务器关闭的拦截器,例如,如果在关闭期间有任何打开的套接字,则最多60秒;但同时关闭套接字,在关机期间不接受任何连接?
-
问题内容: 从Python标准库的组件中获取异常消息的最佳方法是什么? 我注意到在某些情况下,您可以通过如下字段获取它: 但在某些情况下(例如在套接字错误的情况下),您必须执行以下操作: 我想知道是否有标准方法可以涵盖大多数情况? 问题答案: 如果查看内置错误的文档,则会看到大多数类将其第一个参数分配为属性。并非所有人都这样做。 值得注意的是,(与子类和)具有的第一自变量,第二的。没有…大致类似于
-
问题内容: 我在端口443上创建了一个套接字,如下行: 然后,我想在此套接字中查看启用的密码套件,我使用了: 然后,我只选择一个我希望我的应用程序在与远程服务器建立握手时使用的密码套件。我做了以下事情: 然后我进行了握手,并检查了会话密码套件: 但是我发现握手后在上一个打印输出语句中打印的密码的名称(据我了解,这是会话中实际使用的密码)不是我之前使用的密码 为什么我仍然看不到我选择的密码套件是二手