我们在客户端TLS上面临一个问题。如下图所示,握手已正确完成,但SG客户端不再发送数据,因此连接关闭。
为了测试,我使用此链接https://caplonsgprd-x.integration.ibmcloud.com:xxxx/PATH/发起请求,该请求到达配置为TLS的客户端,然后我在日志中看到以下内容:
[Wed Sep 30 14:22:13 2015] [debug] ssl_engine_kernel.c(1907): OpenSSL: Handshake: done
[Wed Sep 30 14:22:13 2015] [info] Connection: Client IP: xx.xx.xx.xx, Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Wed Sep 30 14:22:13 2015] [debug] mod_monitoring.c(213): monitor: Update counters for event 'tls:handshake:done'
[Wed Sep 30 14:22:13 2015] [debug] MonitoringCounter.c(375): monitor: MonitoringCounter_updateCounter (null) TLS_HandshakeSucceed 1
[Wed Sep 30 14:22:13 2015] [debug] mod_monitoring.c(213): monitor: Update counters for event 'tls:handshake:exit'
[Wed Sep 30 14:22:13 2015] [debug] ssl_engine_io.c(1952): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f5eb00011e0 [mem: 7f5ef0751de3] -> Here we expected the client to send the applicative data which is the HTTPS request with the PATH.
[Wed Sep 30 14:22:13 2015] [info] [client xx.xx.xx.xx] (70014)End of file found: SSL input filter read failed.
我已经在Bluemix US中创建了一个TCP目的地到mongodb,启用了客户端TLS和自签名证书。
如果上传了证书,看起来客户端需要重新启动才能获得证书并使用它。一旦客户端重新启动,证书应该被识别,并且我能够连接到启用SSL的mongodb。
编辑:安全网关目前不支持上传多个客户端TLS CA文件,因此如果链由多个CA证书组成,客户端将无法连接。