下面列出了javax.net.ssl.SSLException#getMessage ( ) 实例代码,或者点击链接到github查看源代码,也可以在右侧发表评论。
/**
* Notify all the handshake futures about the failure during the handshake.
*/
private void setHandshakeFailure(ChannelHandlerContext ctx, Throwable cause) {
// Release all resources such as internal buffers that SSLEngine
// is managing.
engine.closeOutbound();
try {
engine.closeInbound();
} catch (SSLException e) {
// only log in debug mode as it most likely harmless and latest chrome still trigger
// this all the time.
//
// See https://github.com/netty/netty/issues/1340
String msg = e.getMessage();
if (msg == null || !msg.contains("possible truncation attack")) {
logger.debug("{} SSLEngine.closeInbound() raised an exception.", ctx.channel(), e);
}
}
notifyHandshakeFailure(cause);
pendingUnencryptedWrites.removeAndFailAll(cause);
}
/**
* Notify all the handshake futures about the failure during the handshake.在握手过程中通知所有的握手失败。
*/
private void setHandshakeFailure(ChannelHandlerContext ctx, Throwable cause, boolean closeInbound,
boolean notify, boolean alwaysFlushAndClose) {
try {
// Release all resources such as internal buffers that SSLEngine
// is managing.
engine.closeOutbound();
if (closeInbound) {
try {
engine.closeInbound();
} catch (SSLException e) {
if (logger.isDebugEnabled()) {
// only log in debug mode as it most likely harmless and latest chrome still trigger
// this all the time.
//
// See https://github.com/netty/netty/issues/1340
String msg = e.getMessage();
if (msg == null || !msg.contains("possible truncation attack")) {
logger.debug("{} SSLEngine.closeInbound() raised an exception.", ctx.channel(), e);
}
}
}
}
if (handshakePromise.tryFailure(cause) || alwaysFlushAndClose) {
SslUtils.handleHandshakeFailure(ctx, cause, notify);
}
} finally {
// Ensure we remove and fail all pending writes in all cases and so release memory quickly.
releaseAndFailAll(cause);
}
}
/**
* close_notify(0),
* unexpected_message(10),
* bad_record_mac(20),
* decryption_failed_RESERVED(21),
* record_overflow(22),
* decompression_failure(30),
* handshake_failure(40),
* no_certificate_RESERVED(41),
* bad_certificate(42),
* unsupported_certificate(43),
* certificate_revoked(44),
* certificate_expired(45),
* certificate_unknown(46),
* illegal_parameter(47),
* unknown_ca(48),
* access_denied(49),
* decode_error(50),
* decrypt_error(51),
* export_restriction_RESERVED(60),
* protocol_version(70),
* insufficient_security(71),
* internal_error(80),
* user_canceled(90),
* no_renegotiation(100),
* unsupported_extension(110),
*/
@Override
public BackgroundException map(final SSLException failure) {
final StringBuilder buffer = new StringBuilder();
for(Throwable cause : ExceptionUtils.getThrowableList(failure)) {
if(cause instanceof SocketException) {
// Connection has been shutdown: javax.net.ssl.SSLException: java.net.SocketException: Broken pipe
return new DefaultSocketExceptionMappingService().map((SocketException) cause);
}
}
final String message = failure.getMessage();
for(Alert alert : Alert.values()) {
if(StringUtils.containsIgnoreCase(message, alert.name())) {
this.append(buffer, alert.getDescription());
break;
}
}
if(failure instanceof SSLHandshakeException) {
if(ExceptionUtils.getRootCause(failure) instanceof CertificateException) {
log.warn(String.format("Ignore certificate failure %s and drop connection", failure.getMessage()));
// Server certificate not accepted
return new ConnectionCanceledException(failure);
}
if(ExceptionUtils.getRootCause(failure) instanceof EOFException) {
// SSL peer shut down incorrectly
return this.wrap(failure, buffer);
}
return new SSLNegotiateException(buffer.toString(), failure);
}
if(ExceptionUtils.getRootCause(failure) instanceof GeneralSecurityException) {
this.append(buffer, ExceptionUtils.getRootCause(failure).getMessage());
return new InteroperabilityException(buffer.toString(), failure);
}
this.append(buffer, message);
return new InteroperabilityException(buffer.toString(), failure);
}
/**
* Makes sure the specified {@link SslContext} is configured properly. If configured as client context or
* key store password is not given to key store when {@link SslContext} was created using
* {@link KeyManagerFactory}, the validation will fail and an {@link IllegalStateException} will be raised.
*/
private static SslContext validateSslContext(SslContext sslContext) {
if (!sslContext.isServer()) {
throw new IllegalArgumentException("sslContext: " + sslContext + " (expected: server context)");
}
SSLEngine serverEngine = null;
SSLEngine clientEngine = null;
try {
serverEngine = sslContext.newEngine(ByteBufAllocator.DEFAULT);
serverEngine.setUseClientMode(false);
serverEngine.setNeedClientAuth(false);
final SslContext sslContextClient =
buildSslContext(SslContextBuilder::forClient, ImmutableList.of());
clientEngine = sslContextClient.newEngine(ByteBufAllocator.DEFAULT);
clientEngine.setUseClientMode(true);
final ByteBuffer appBuf = ByteBuffer.allocate(clientEngine.getSession().getApplicationBufferSize());
final ByteBuffer packetBuf = ByteBuffer.allocate(clientEngine.getSession().getPacketBufferSize());
clientEngine.wrap(appBuf, packetBuf);
appBuf.clear();
packetBuf.flip();
serverEngine.unwrap(packetBuf, appBuf);
} catch (SSLException e) {
throw new IllegalStateException("failed to validate SSL/TLS configuration: " + e.getMessage(), e);
} finally {
ReferenceCountUtil.release(serverEngine);
ReferenceCountUtil.release(clientEngine);
}
return sslContext;
}
/**
* Test for <code>SSLException(Throwable)</code> constructor
* Assertion: constructs SSLException when <code>cause</code> is not
* null
*/
public void testSSLException04() {
SSLException sE = new SSLException(tCause);
if (sE.getMessage() != null) {
String toS = tCause.toString();
String getM = sE.getMessage();
assertTrue("getMessage() should contain ".concat(toS), (getM
.indexOf(toS) != -1));
}
assertNotNull("getCause() must not return null", sE.getCause());
assertEquals("getCause() must return ".concat(tCause.toString()), sE.getCause(), tCause);
}
/**
* Test for <code>SSLException(String, Throwable)</code> constructor
* Assertion: constructs SSLException when <code>cause</code> is not
* null <code>msg</code> is null
*/
public void testSSLException07() {
SSLException sE = new SSLException(null, tCause);
if (sE.getMessage() != null) {
String toS = tCause.toString();
String getM = sE.getMessage();
assertTrue("getMessage() must should ".concat(toS), (getM
.indexOf(toS) != -1));
}
assertNotNull("getCause() must not return null", sE.getCause());
assertEquals("getCause() must return ".concat(tCause.toString()), sE
.getCause(), tCause);
}
@Test(expected = SocketException.class)
public void testHttpsWithAuthAndBadClientCert() throws Exception {
Properties props = new Properties();
String uri = "https://localhost:8080";
props.put(RestConfig.LISTENERS_CONFIG, uri);
configServerKeystore(props);
configServerTruststore(props);
enableSslClientAuth(props);
TestRestConfig config = new TestRestConfig(props);
SslTestApplication app = new SslTestApplication(config);
try {
app.start();
// create a new client cert that isn't in the server's trust store.
File untrustedClient = File.createTempFile("SslTest-client-keystore", ".jks");
Map<String, X509Certificate> certs = new HashMap<>();
createKeystoreWithCert(untrustedClient, "client", certs);
try {
makeGetRequest(uri + "/test",
untrustedClient.getAbsolutePath(), SSL_PASSWORD, SSL_PASSWORD);
} catch (SSLException she) { // handle a transient failure.
throw new SocketException(she.getMessage());
}
} finally {
app.stop();
}
}