aericpp opened a new issue #968: After enabling HTTPS mutual authentication, the SSL Renegotiation feature stops working

URL: https://github.com/apache/incubator-brpc/issues/968

**Describe the bug**

After enabling HTTPS mutual authentication, the SSL Renegotiation feature stops working and the client cannot reuse the SSL session.

Testing the server with the openssl tool:

```
#openssl s_client -key nopassword.key -cert user.pem -connect 127.0.0.1:8010 -reconnect |grep -i 'new\|reused'
```

Server-side error:

```
E1115 15:05:20.153858 15076 src/brpc/socket.cpp:1800] Fail to SSL_do_handshake: error:140D9115:SSL routines:ssl_get_prev_session:session id context uninitialized
W1115 15:05:20.153896 15076 src/brpc/input_messenger.cpp:215] Fail to read from Socket{id=129 fd=18 addr=127.0.0.1:39012:8010} (0x34c6200): Invalid argument
```

Client-side error:

```
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
140616624150168:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
```

**To Reproduce**

Modify the corresponding places in http_server.cpp to add mutual authentication:

```cpp
DEFINE_string(ca_cert, "caroot.pem", "client ca");

options.mutable_ssl_options()->default_cert.certificate = FLAGS_certificate;
options.mutable_ssl_options()->default_cert.private_key = FLAGS_private_key;
options.mutable_ssl_options()->ciphers = FLAGS_ciphers;
options.mutable_ssl_options()->verify.verify_depth = 1;
options.mutable_ssl_options()->verify.ca_file_path = FLAGS_ca_cert;
```

**Expected behavior**

```
verify return:1
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
```

**Versions**

OS: ubuntu 16.04
Compiler: 4.8.2
brpc: master
protobuf:

**Additional context/screenshots**
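A triage helper for the logs quoted in this issue, added here as an example and not part of the original report or of brpc: it unpacks the packed OpenSSL error codes and checks `s_client -reconnect` output for resumed sessions. The function names are hypothetical, the sample strings are rebuilt from the issue text, and the pre-3.0 OpenSSL error-code layout is an assumption.

```python
import re

# Sample input rebuilt from the issue text above (constructed for this example).
CIPHER_LINE = ", TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384\n"
SERVER_LOG = ("E1115 15:05:20.153858 15076 src/brpc/socket.cpp:1800] Fail to "
              "SSL_do_handshake: error:140D9115:SSL routines:"
              "ssl_get_prev_session:session id context uninitialized")
FAILING_CLIENT = ("New" + CIPHER_LINE
                  + "140616624150168:error:1409E0E5:SSL routines:"
                    "ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:\n"
                  + "New" + CIPHER_LINE)
EXPECTED_CLIENT = "New" + CIPHER_LINE + ("Reused" + CIPHER_LINE) * 5

# error:<8 hex digits>:<library>:<function>:<reason text>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:\n]*)")


def decode_openssl_errors(text):
    """Unpack OpenSSL error codes, assuming the pre-3.0 layout:
    library << 24 | function << 12 | reason."""
    decoded = []
    for m in ERR_RE.finditer(text):
        code = int(m.group(1), 16)
        decoded.append({"lib": code >> 24,
                        "func": (code >> 12) & 0xFFF,
                        "reason": code & 0xFFF,
                        "where": m.group(3),
                        "text": m.group(4).strip()})
    return decoded


def resumption_summary(s_client_output):
    """Count full and resumed handshakes in `s_client -reconnect` output."""
    new = len(re.findall(r"^New, ", s_client_output, re.M))
    reused = len(re.findall(r"^Reused, ", s_client_output, re.M))
    errors = decode_openssl_errors(s_client_output)
    # Resumption works only if a session was reused and no handshake failed.
    return {"new": new, "reused": reused, "errors": errors,
            "resumption_ok": reused > 0 and not errors}


if __name__ == "__main__":
    print(decode_openssl_errors(SERVER_LOG))
    print(resumption_summary(FAILING_CLIENT))
    print(resumption_summary(EXPECTED_CLIENT))
```

The server-side code decodes to library 20 (SSL), reason 277, which is the `session id context uninitialized` condition named in the log. OpenSSL's documentation for `SSL_CTX_set_session_id_context` describes this handshake failure for servers that request client certificates without setting a session id context.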