mTLS/TLS Redis 6 Issues Java

Question

Currently I am running Redis 6 with ACL and mTLS with a C# client just fine. I am trying to update our Java side to also use ACL and mTLS but have been running into issues. I am primarily focused on mTLS at the moment and have not been getting anywhere with it. This could be user fault, in that I have not used Java for 5-6 years before attempting to do this, so please advise. Not sure what or how to really progress from this error, and I have done Google searches with no success really. Any help greatly appreciated; again, I have not done Java in a long time, so that most likely might be the issue.

Trace:

Caused by: io.lettuce.core.RedisConnectionException: Unable to connect to localhost:6379
        at io.lettuce.core.RedisConnectionException.create(RedisConnectionException.java:78)
        at io.lettuce.core.RedisConnectionException.create(RedisConnectionException.java:56)
        at io.lettuce.core.AbstractRedisClient.getConnection(AbstractRedisClient.java:295)
        at io.lettuce.core.RedisClient.connect(RedisClient.java:214)
        at io.lettuce.core.RedisClient.connect(RedisClient.java:199)
        at blah blah blah my code....
        ... 48 more
Caused by: javax.net.ssl.SSLException: SSLEngine closed already
        at io.netty.handler.ssl.SslHandler.wrap(SslHandler.java:834)
        at io.netty.handler.ssl.SslHandler.wrapAndFlush(SslHandler.java:797)
        at io.netty.handler.ssl.SslHandler.handleUnwrapThrowable(SslHandler.java:1254)
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1230)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1271)
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:505)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:444)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:283)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1422)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:931)
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:700)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:635)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:552)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:514)
        at io.netty.util.concurrent.SingleThreadEventExecutor$6.run(SingleThreadEventExecutor.java:1044)
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
        ... 2 more

Redis Server Debug logs:

1:M 30 Jul 2020 15:23:10.837 - Accepted 10.0.2.2:62023
1:M 30 Jul 2020 15:23:11.024 # Error accepting a client connection: (null)

Java code:

final RedisClient client = RedisClient.create(RedisURI.Builder.redis(hostConfig, portConfig)
        .withSsl(true).withVerifyPeer(false).build().toURI().toString());
if (redisTruststorePath != null && !redisTruststorePath.isEmpty()) {
    SslOptions sslOptions;
    if (redisKeystorePath != null && !redisKeystorePath.isEmpty()) {
        sslOptions = SslOptions.builder()
                .jdkSslProvider()
                .keystore(new File(redisKeystorePath), redisKeystorePass)
                .truststore(new File(redisTruststorePath), redisTruststorePass)
                .build();
    } else {
        sslOptions = SslOptions.builder()
                .jdkSslProvider()
                .truststore(new File(redisTruststorePath), redisTruststorePass)
                .build();
    }
    client.setOptions(ClientOptions.builder().sslOptions(sslOptions).build());
}
client.connect();

Versions:

  • Lettuce version(s): 6.0.0.M1 (Running on windows locally)
  • Redis version: 6.0.5 (Running on linux VM locally)

Notes:

  • C# client is working fine so doubt it's a Redis Server issue.
  • Redis URI (printed in my real code before set): rediss://localhost:6379

Answer 1

Score: 2

Please check your client-side logs.

16797:M 03 Aug 2020 09:11:11.246 # Error accepting a client connection: (null)

This message above happens when Redis wasn't able to continue with the connection phase. Such a message occurs in SSL arrangements when the SSL handshake wasn't completed successfully, e.g. caused by a failed certificate validation.

Looking at the code above, the client gets created with:

RedisClient.create(RedisURI.Builder.redis(hostConfig, portConfig)
        .withSsl(true).withVerifyPeer(false).build().toURI().toString());

The RedisURI object gets converted into a string which causes a loss of the verifyPeer flag.

Please change your code to:

RedisClient.create(RedisURI.Builder.redis(hostConfig, portConfig)
        .withSsl(true).withVerifyPeer(false).build());

by removing .toURI().toString().

Answer 2

Score: 0

As @mp911de mentioned, I removed .toURI().toString(), as well as updated to lettuce-core 6.0.0.RC and started using RESP2 (as suggested here). This resolved my problem. I think the main solution here was switching to RESP2, which again was a suggestion from @mp911de. Thank you for the assistance @mp911de!!
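
The two answers combined into one client setup, as an added example that is not part of the original posts or of the Lettuce project: the RedisURI object is passed to RedisClient.create directly, the keystore and truststore go in through SslOptions, and the protocol is pinned to RESP2. The class and method names, file names and passwords are hypothetical placeholders. The question's code passes withVerifyPeer(false), which turns off verification of the server certificate; the sample call passes true so the truststore is actually used to authenticate the server.

```java
import io.lettuce.core.ClientOptions;
import io.lettuce.core.RedisClient;
import io.lettuce.core.RedisURI;
import io.lettuce.core.SslOptions;
import io.lettuce.core.api.StatefulRedisConnection;
import io.lettuce.core.protocol.ProtocolVersion;

import java.io.File;

public class RedisMtlsExample {  // hypothetical class name

    // Builds a client for a Redis 6 server that requires client certificates (mTLS).
    static RedisClient buildClient(String host, int port, boolean verifyPeer,
                                   File keystore, char[] keystorePass,
                                   File truststore, String truststorePass) {
        // Keep the RedisURI object itself: per the first answer, converting it
        // with toURI().toString() loses the verifyPeer flag.
        RedisURI uri = RedisURI.Builder.redis(host, port)
                .withSsl(true)
                .withVerifyPeer(verifyPeer)
                .build();

        SslOptions sslOptions = SslOptions.builder()
                .jdkSslProvider()
                .keystore(keystore, keystorePass)        // client certificate and key presented to Redis
                .truststore(truststore, truststorePass)  // CA certificates used to validate the server
                .build();

        RedisClient client = RedisClient.create(uri);
        client.setOptions(ClientOptions.builder()
                .sslOptions(sslOptions)
                .protocolVersion(ProtocolVersion.RESP2)  // the switch reported in the second answer
                .build());
        return client;
    }

    public static void main(String[] args) {
        // Constructed sample values; replace with real store paths and passwords.
        RedisClient client = buildClient("localhost", 6379, true,
                new File("client-keystore.jks"), "changeit".toCharArray(),
                new File("truststore.jks"), "changeit");
        try (StatefulRedisConnection<String, String> conn = client.connect()) {
            System.out.println(conn.sync().ping());
        } finally {
            client.shutdown();  // release Netty resources
        }
    }
}
```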

huangapple
  • Posted on July 31, 2020, 00:33:33
  • When reposting, please keep the link to this article: https://go.coder-hub.com/63177538.html