aericpp opened a new issue #968: After enabling mutual authentication for https, the SSL Renegotiation feature stops working
URL: https://github.com/apache/incubator-brpc/issues/968
 
 
   **Describe the bug**
   After enabling https mutual authentication, the SSL Renegotiation feature stops working and the client cannot reuse the SSL session.
   
   Testing the server with the openssl tool:
   #openssl s_client -key nopassword.key  -cert user.pem -connect 127.0.0.1:8010 -reconnect |grep -i 'new\|reused'
   
   Server-side error:
   E1115 15:05:20.153858 15076 src/brpc/socket.cpp:1800] Fail to SSL_do_handshake: error:140D9115:SSL routines:ssl_get_prev_session:session id context uninitialized
   W1115 15:05:20.153896 15076 src/brpc/input_messenger.cpp:215] Fail to read from Socket{id=129 fd=18 addr=127.0.0.1:39012:8010} (0x34c6200): Invalid argument
   
   Client-side error:
   New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
   140616624150168:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
   New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
   
   **To Reproduce**
   Modify the corresponding location in http_server.cpp to add mutual authentication:
   
   DEFINE_string(ca_cert, "caroot.pem", "client ca");
   
   options.mutable_ssl_options()->default_cert.certificate = FLAGS_certificate;
   options.mutable_ssl_options()->default_cert.private_key = FLAGS_private_key;
   options.mutable_ssl_options()->ciphers = FLAGS_ciphers;
   options.mutable_ssl_options()->verify.verify_depth = 1;
   options.mutable_ssl_options()->verify.ca_file_path = FLAGS_ca_cert;
   
   **Expected behavior**
   
   verify return:1
   New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
   Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
   Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
   Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
   Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
   Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
   
   
   **Versions**
   OS: ubuntu 16.04
   Compiler: 4.8.2
   brpc: master
   protobuf: 
   
   **Additional context/screenshots**
   
   

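A small checker for the reconnect test in the issue above, added here as an example and not part of the original issue or of brpc: it classifies `openssl s_client -reconnect` output as resumed, not resumed, or handshake-failed, so the test can run as a regression check. The function names are hypothetical, and the two sample transcripts are constructed from the output lines quoted in the issue.

```shell
#!/bin/sh
# Added example (not brpc code). Function names are hypothetical.

# Read `openssl s_client -reconnect` output (stdout+stderr) on stdin and
# print "<verdict> new=<n> reused=<m>".
classify_reconnect() {
    awk '
        /^[ \t]*New, /          { n++ }        # full handshake
        /^[ \t]*Reused, /       { r++ }        # session was resumed
        /ssl handshake failure/ { failed = 1 } # reconnect was rejected
        END {
            if (failed)     verdict = "handshake-failed"
            else if (r > 0) verdict = "resumed"
            else            verdict = "not-resumed"
            printf "%s new=%d reused=%d\n", verdict, n, r
        }'
}

# Live check using only the s_client options shown in the issue.
# usage: check_server 127.0.0.1:8010 user.pem nopassword.key
check_server() {
    openssl s_client -key "$3" -cert "$2" -connect "$1" -reconnect \
        </dev/null 2>&1 | classify_reconnect
}

# Constructed sample: the failing client output reported in the issue.
sample_failing() {
    cat <<'EOF'
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
140616624150168:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
EOF
}

# Constructed sample: the expected output (one full handshake, five reuses).
sample_expected() {
    echo "New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384"
    i=0
    while [ "$i" -lt 5 ]; do
        echo "Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384"
        i=$((i + 1))
    done
}

sample_failing  | classify_reconnect
sample_expected | classify_reconnect
```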