NoHostAvailable when trying to connect to SSL-enabled Cassandra



I am trying to connect to an SSL-enabled Cassandra using Spring. I have been given the keystore and truststore files along with their respective passwords. Using the DevCenter tool, I am able to connect to the remote database with these files and credentials. However, when I try to connect using Java, I keep getting the following exception:

Client authentication does not seem to be passed correctly.

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1500600803 bytes = { 210, 125, 166, 7, 213, 206, 126, 108, 110, 254, 207, 58, 13, 147, 17, 116, 100, 203, 214, 85, 221, 233, 167, 43, 110, 114, 95, 111 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
***
cluster1-nio-worker-0, WRITE: TLSv1.2 Handshake, length = 193
cluster1-nio-worker-0, called closeOutbound()
cluster1-nio-worker-0, closeOutboundInternal()
cluster1-nio-worker-0, SEND TLSv1.2 ALERT:  warning, description = close_notify
cluster1-nio-worker-0, WRITE: TLSv1.2 Alert, length = 2
cluster1-nio-worker-0, called closeInbound()
cluster1-nio-worker-0, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
cluster1-nio-worker-0, SEND TLSv1.2 ALERT:  fatal, description = internal_error
cluster1-nio-worker-0, Exception sending alert: java.io.IOException: writer side was already closed.
Exception in thread "main" com.datastax.driver.core.exceptions.NoHostAvailableException: All host(s) tried for query failed (tried: /172.18.34.226:9042 (com.datastax.driver.core.exceptions.TransportException: [/172.18.34.226:9042] Channel has been closed))
    at com.datastax.driver.core.ControlConnection.reconnectInternal(ControlConnection.java:233)
    at com.datastax.driver.core.ControlConnection.connect(ControlConnection.java:79)
    at com.datastax.driver.core.Cluster$Manager.init(Cluster.java:1483)
    at com.datastax.driver.core.Cluster.init(Cluster.java:159)
    at com.datastax.driver.core.SessionManager.initAsync(SessionManager.java:78)
    at com.datastax.driver.core.SessionManager.executeAsync(SessionManager.java:139)
    at com.datastax.driver.core.AbstractSession.execute(AbstractSession.java:68)
    at com.datastax.driver.core.AbstractSession.execute(AbstractSession.java:43)
    at ClientToNode.execute(ClientToNode.java:49)
    at ClientToNode.main(ClientToNode.java:27)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:147)

Using the following code:

import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import com.datastax.driver.core.Cluster;
import com.datastax.driver.core.JdkSSLOptions;

private Cluster getCluster(final String trustStoreLocation, final String trustStorePassword,
                           final String keyStoreLoc, final String keyStorePass,
                           final String host) throws UnrecoverableKeyException {
    final Cluster cluster;
    SSLContext sslcontext;
    // Both stores are JKS files on the classpath; try-with-resources closes the streams.
    try (InputStream trustStoreStream = ClientToNode.class.getResourceAsStream(trustStoreLocation);
         InputStream keyStoreStream = ClientToNode.class.getResourceAsStream(keyStoreLoc)) {
        // Truststore: the CA certificate(s) used to verify the Cassandra node's certificate.
        final KeyStore keystore = KeyStore.getInstance("jks");
        final char[] trustChars = trustStorePassword.toCharArray();
        keystore.load(trustStoreStream, trustChars);
        final TrustManagerFactory trustManagerFactory =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(keystore);
        final TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();

        // Keystore: the client's own certificate and private key, presented for client authentication.
        final KeyStore keyStore = KeyStore.getInstance("jks");
        final char[] pwdKeyStore = keyStorePass.toCharArray();
        keyStore.load(keyStoreStream, pwdKeyStore);
        final KeyManagerFactory keyManagerFactory =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, pwdKeyStore);
        final KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();

        sslcontext = SSLContext.getInstance("TLS");
        sslcontext.init(keyManagers, trustManagers, new SecureRandom());
    } catch (Exception e) {
        // Rethrow instead of printing: a null SSLContext would only fail later inside the driver.
        throw new IllegalStateException("Could not build SSLContext for Cassandra", e);
    }
    //String[] ciphers = {"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"};
    JdkSSLOptions sslOptions = JdkSSLOptions.builder()
        .withSSLContext(sslcontext)
        //.withCipherSuites(ciphers)
        .build();
    cluster = Cluster.builder()
        .addContactPoint(host)
        .withSSL(sslOptions)
        .build();
    return cluster;
}

The following changes were made to resolve this issue:

  1. A prerequisite for connecting to SSL-enabled Cassandra is installing the Java Cryptography Extension (JCE): extract the UnlimitedJCEPolicy contents into the JRE. For details, see Connecting DevCenter to SSL-enabled Cassandra.

IMP: To connect DevCenter to SSL-enabled Cassandra, we need to replace the JCE files present under the JRE, at C:\Program Files\Java\jre1.8.0_91\lib\security

To connect to SSL-enabled Cassandra from Java code, we need to place the JCE files in the JRE under the JDK, i.e. C:\Program Files\Java\jdk1.8.0_91\jre\lib\security

  2. Credentials were not added when building the cluster:

    cluster = Cluster.builder()
        .addContactPoint(host)
        .withSSL(sslOptions)
        .withCredentials("dbuser", "password")
        .build();
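An end-to-end version of the fix the post arrives at, written as an added example rather than the poster's own code: it checks that the unlimited-strength JCE policy is actually active before building any TLS state (the first finding), verifies that the keystore really holds a private key so client authentication can be presented (the hypothesis in the post), pins the protocol to TLSv1.2 and a forward-secret cipher list instead of the generic "TLS" context, and passes credentials to the Cluster (the second finding). The class name ClientToNodeSsl, the resource names /truststore.jks and /client.jks, the passwords, the dbuser account and the cipher list are assumptions; the contact point is the address from the log above, and the driver is the DataStax Java driver 3.x that provides JdkSSLOptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Enumeration;

import javax.crypto.Cipher;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import com.datastax.driver.core.Cluster;
import com.datastax.driver.core.JdkSSLOptions;
import com.datastax.driver.core.ResultSet;
import com.datastax.driver.core.Session;

/** Added example, not the poster's code. Class and resource names are hypothetical. */
public final class ClientToNodeSsl {

    /** Fails fast if the JRE still has the restricted JCE policy (AES capped at 128 bits). */
    static void requireUnlimitedJcePolicy() throws GeneralSecurityException {
        int max = Cipher.getMaxAllowedKeyLength("AES");
        if (max < 256) {
            throw new IllegalStateException("JCE unlimited-strength policy not active: AES max key length is "
                + max + "; install local_policy.jar/US_export_policy.jar under <JDK>/jre/lib/security"
                + " (JDK 8u161 and later ship the unlimited policy by default)");
        }
    }

    /** Loads a JKS from the classpath; try-with-resources closes the stream on every path. */
    static KeyStore loadJks(String resource, char[] password) throws IOException, GeneralSecurityException {
        try (InputStream in = ClientToNodeSsl.class.getResourceAsStream(resource)) {
            if (in == null) {
                throw new IOException("keystore resource not found on classpath: " + resource);
            }
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, password);
            return ks;
        }
    }

    /** Client authentication needs a private-key entry; a truststore passed by mistake has none. */
    static boolean hasPrivateKeyEntry(KeyStore ks) throws GeneralSecurityException {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isKeyEntry(e.nextElement())) {
                return true;
            }
        }
        return false;
    }

    static SSLContext buildSslContext(String trustStoreRes, char[] trustPass, String keyStoreRes, char[] keyPass)
            throws IOException, GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStoreRes, trustPass));

        KeyStore keyStore = loadJks(keyStoreRes, keyPass);
        if (!hasPrivateKeyEntry(keyStore)) {
            throw new IllegalStateException(keyStoreRes + " holds no private key; client authentication would fail");
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPass);

        // Pin the protocol; "TLS" leaves the version to provider defaults.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    static Cluster buildCluster(String host, SSLContext ctx, String user, String password) {
        // Assumed cipher list: forward-secret AES-GCM only, no 3DES/SHA-1 suites as offered in the log.
        // It must intersect the node's client_encryption_options.cipher_suites or the handshake fails.
        String[] ciphers = {
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        };
        JdkSSLOptions ssl = JdkSSLOptions.builder().withSSLContext(ctx).withCipherSuites(ciphers).build();
        return Cluster.builder()
            .addContactPoint(host)
            .withPort(9042)
            .withSSL(ssl)
            .withCredentials(user, password) // the piece missing from the original post
            .build();
    }

    public static void main(String[] args) throws Exception {
        requireUnlimitedJcePolicy();
        SSLContext ctx = buildSslContext("/truststore.jks", "changeit".toCharArray(),
                                         "/client.jks", "changeit".toCharArray());
        try (Cluster cluster = buildCluster("172.18.34.226", ctx, "dbuser", "password");
             Session session = cluster.connect()) {
            ResultSet rs = session.execute("SELECT release_version FROM system.local");
            System.out.println("Connected to Cassandra " + rs.one().getString("release_version"));
        }
    }
}
```

Run it with -Djavax.net.debug=ssl,handshake to get the same kind of trace as the one above; with the checks in place, a missing policy or a keystore without a private key is reported as an IllegalStateException with a clear message instead of a channel close followed by NoHostAvailableException.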
