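NiFi secure connection: no cipher
I'm using NiFi, and I started configuring it for HTTPS in order to enable users. NiFi does not work: the Jetty web server fails, saying there is no cipher. I have no idea how to debug this; any hints? The same certificates have been tested on my machine and they work correctly. Any help is appreciated.
Update
Hmm... I enabled SSL logging. The biggest difference is in the Java environment: on the production server it is java-1.8.0-openjdk, on my local machine it is java-8-oracle. There are still some important differences between the logs.
For reference on the SSL negotiation, see this post about how the protocol works and the sessions involved.
The most significant difference is that there is no *** ECDH ServerKeyExchange session on the production host.
The logs start from the ClientHello, which is not much different between the two machines:
Local (I truncated the lines that were too long and reported only a few log sessions)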
*** ClientHello, TLSv1.2
RandomCookie: GMT: 2028150611 bytes = { 31, 20, 137, 167, 52, 224, 12, 129, 113, 59, 113, 45, 161, 54, 164, 147, 115, 148
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_2
cc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, T
TH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RS
Compression Methods: { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
Unsupported extension type_23, data:
Unsupported extension type_35, data:
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA2
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data:
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1}
***
%% Initialized: [Session-1, SSL_NULL_WITH_NULL_NULL]
%% Initialized: [Session-2, SSL_NULL_WITH_NULL_NULL]
matching alias: 1
matching alias: 1
matching alias: 1
matching alias: 1
%% Negotiating: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
%% Negotiating: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
*** ServerHello, TLSv1.2
*** ServerHello, TLSv1.2
RandomCookie: RandomCookie: GMT: 1459404759 bytes = { GMT: 1459404759 bytes = { 196, 84, 148, 21, 202, 175, 156, 35, 50,
2 }
Session ID: {87, 253, 192, 215, 210, 220, 163, 93, 88, 20, 237, 50, 37, 61, 50, 192, 225, 180, 252, 8, 19, 154, 0, 18, 13
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
47, 15, 107, 214, 199, 60, 245, 207, 215, 148, 102, 224, 0, 41, 172, 70, 101, 85, 85, 173, 79, 238, 15, 167, 136, 20, 14,
Session ID: {87, 253, 192, 215, 117, 67, 238, 169, 141, 93, 171, 129, 181, 146, 239, 178, 242, 31, 104, 115, 209, 119, 20
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=*.buongiorno.com, OU=PTY-SYS, O=BUONGIORNO SPA, L=Parma, ST=Parma, C=IT
***
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
public x coord: 75079925706380992652797512247021193282035431148032843217618352685456618206389
public y coord: 43896241059818662260698096293954076915685388487376127769285950062051599700758
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA,
Cert Authorities:
<CN=thawte SSL CA - G2, O="thawte, Inc.", C=US>
*** ServerHelloDone
NiFi Web Server-21, WRITE: TLSv1.2 Handshake, length = 1753
NiFi Web Server-21, called closeInbound()
NiFi Web Server-21, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
%% Invalidated: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
NiFi Web Server-21, SEND TLSv1.2 ALERT: fatal, description = internal_error
NiFi Web Server-21, WRITE: TLSv1.2 Alert, length = 2
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
public x coord: 115351230770955196648507742599468345245507684591583302635044967727219906604428
public y coord: 93087459299146270258246635135187638789539141095594448725666354447366218509864
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA,
....
On production, things differ:
(I truncated the lines that were too long and reported only a few log sessions)
*** ClientHello, TLSv1.2
RandomCookie: GMT: -1695295875 bytes = { 197, 207, 66, 60, 4, 242, 21, 101, 190, 160, 124, 185, 72, 238, 141, 237, 251
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_12
ES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES
CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TL
H_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: [type=host_name (0), value=nifi-dev.buongiorno.com]
Unsupported extension type_23, data:
Unsupported extension type_35, data:
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, S
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data:
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 29, [email protected], java.security.s
***
%% Initialized: [Session-4, SSL_NULL_WITH_NULL_NULL]
matching alias: 1
%% Negotiating: [Session-4, TLS_RSA_WITH_AES_256_GCM_SHA384]
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1459415539 bytes = { 67, 58, 139, 150, 47, 53, 247, 222, 255, 192, 141, 66, 114, 19, 171, 52, 6, 18
Session ID: {87, 253, 234, 243, 97, 92, 182, 14, 121, 224, 54, 149, 111, 196, 87, 79, 36, 149, 33, 51, 182, 47, 184, 6
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name:
***
Cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=*.buongiorno.com, OU=PTY-SYS, O=BUONGIORNO SPA, L=Parma, ST=Parma, C=IT
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
:
.
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDS
withECDSA, SHA1withRSA, SHA1withDSA
Cert Authorities:
<CN=thawte SSL CA - G2, O="thawte, Inc.", C=US>
*** ServerHelloDone
NiFi Web Server-16, WRITE: TLSv1.2 Handshake, length = 1428
NiFi Web Server-21, READ: TLSv1.2 Handshake, length = 7
*** Certificate chain
<Empty>
***
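Update 2
I asked for Java 8 to be installed, and now the key exchange works; at this point my problem goes away.
Thanks for your answer, Andy. Tomorrow I will try changing bootstrap.conf to log SSL. Understanding what happened would be very useful. – ozw1z5rd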
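An added example, not part of the original post or comments: a small Python parser for `javax.net.debug`-style output that pulls out the offered suites, the negotiated suite per session and the number of ServerKeyExchange messages, then flags sessions where ECDHE/DHE was offered but a non-ephemeral suite was chosen, which is the pattern separating the two logs above. The sample logs are constructed and shortened, and the function names are illustrative.

```python
import re

# Constructed samples shaped like the javax.net.debug output in the post
# (lines shortened; the first suite list is cut mid-name, as in the post).
LOCAL_LOG = """\
*** ClientHello, TLSv1.2
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_2
%% Negotiating: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
*** ServerHello, TLSv1.2
*** ECDH ServerKeyExchange
*** ServerHelloDone
"""
PROD_LOG = """\
*** ClientHello, TLSv1.2
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384]
%% Negotiating: [Session-4, TLS_RSA_WITH_AES_256_GCM_SHA384]
*** ServerHello, TLSv1.2
*** ServerHelloDone
"""

OFFERED = re.compile(r"^Cipher Suites: \[(.*)$")
NEGOTIATING = re.compile(r"^%% Negotiating:\s+\[(Session-\d+), (\w+)\]")
EPHEMERAL = ("TLS_ECDHE_", "TLS_DHE_")  # handshakes that include a ServerKeyExchange


def summarize(log):
    """Collect offered suites, negotiated suites and key-exchange messages."""
    out = {"offered": [], "negotiated": {}, "server_key_exchanges": 0}
    for line in log.splitlines():
        line = line.strip()
        if (m := OFFERED.match(line)):
            names = [n.strip() for n in m.group(1).rstrip("]").split(",")]
            if not line.endswith("]"):
                names = names[:-1]  # last name was truncated in the log: drop it
            out["offered"] = [n for n in names if n]
        elif (m := NEGOTIATING.match(line)):
            out["negotiated"][m.group(1)] = m.group(2)
        elif line.startswith("*** ") and line.endswith("ServerKeyExchange"):
            out["server_key_exchanges"] += 1
    return out


def static_rsa_fallbacks(summary):
    """Sessions where ECDHE/DHE was offered but a non-ephemeral suite was chosen."""
    offered_ephemeral = any(s.startswith(EPHEMERAL) for s in summary["offered"])
    return sorted(
        sess for sess, suite in summary["negotiated"].items()
        if offered_ephemeral and not suite.startswith(EPHEMERAL)
    )
```

A non-empty result from `static_rsa_fallbacks` is a cue to compare the cipher suites the server JVM actually enables against those of a host where the handshake succeeds.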