Simple example of using a certificate with netty SslHandler

iainso

Dec 2, 2015, 9:45:39 AM12/2/15
to Netty discussions
Hi,

I'm trying to add some functionality to my application to send syslog messages to a server using netty, and with ssl.  I've generated the ssl key and cert on the syslog server with:

openssl genrsa -out server.key 2048
openssl req -new -key server.key -batch -out server.csr
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

This gave me the certificate server.crt.  (example in http://www.logstashbook.com/TheLogstashBook_sample.pdf)

Now in my client netty code, I've done:


EventLoopGroup group = null;
Bootstrap bootstrap = null;
Channel channel = null;

group = new NioEventLoopGroup();
bootstrap = new Bootstrap();
bootstrap.group(group);

SSLContext s = SSLContext.getInstance("TLS");
s.init(null, null, null);
String[] suites = s.getSocketFactory().getSupportedCipherSuites();
List<String> ciphers = new ArrayList<String>();
for (int i = 0; i < suites.length; i++) {
    ciphers.add(suites[i]);
}
SslContextBuilder ctxBuilder = SslContextBuilder.forClient();
ctxBuilder.ciphers(ciphers);

// get cert
FileInputStream ksfis = new FileInputStream("server.crt");
BufferedInputStream ksbufin = new BufferedInputStream(ksfis);
X509Certificate certificate = (X509Certificate)
        CertificateFactory.getInstance("X.509").generateCertificate(ksbufin);

// add cert to keystore
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
keystore.load(null, "password".toCharArray());
keystore.setCertificateEntry("alias", certificate);

System.setProperty("javax.net.ssl.trustStore", "server.crt");
ctxBuilder.trustManager(certificate);
SslContext sslCtx = ctxBuilder.build();

bootstrap.channel(NioSocketChannel.class)
        .option(ChannelOption.SO_KEEPALIVE, true)
        .handler(new TcpSyslogEventEncoder());

try {
    ChannelFuture future = bootstrap.connect(new InetSocketAddress(hostname, 5000));
    channel = future.syncUninterruptibly().channel();
    channel.pipeline().addLast("ssl", sslCtx.newHandler(channel.alloc(), hostname, 5000));
} catch (Exception e) {
    System.out.println("Unable to connect to host.  Cause is " + e.toString());
}

SyslogEvent event = new SyslogEvent("Dec 23 12:11:43 louis postfix/smtpd[31499]: da a tu cuerpo alegria macarena[95.75.93.154]");

channel.writeAndFlush(event);
System.out.println("Got to end");
System.out.println("Got to end");


The problem is, when I try to run it I get this exception:

Nov 25, 2015 12:09:55 PM io.netty.channel.DefaultChannelPipeline$TailContext exceptionCaught
WARNING: An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
 at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:391)
 at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:244)
 at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:318)
 at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:304)
 at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:846)
 at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:131)
 at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:511)
 at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:468)
 at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:382)
 at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:354)
 at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:112)
 at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137)
 at java.lang.Thread.run(Thread.java:857)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
 at com.ibm.jsse2.ab.z(ab.java:156)
 at com.ibm.jsse2.nc.b(nc.java:126)
 at com.ibm.jsse2.nc.a(nc.java:291)
 at com.ibm.jsse2.nc.unwrap(nc.java:458)
 at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:3)
 at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1138)
 at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1028)
 at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:968)
 at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:360)
 ... 12 more
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
 at com.ibm.jsse2.j.a(j.java:42)
 at com.ibm.jsse2.nc.a(nc.java:536)
 at com.ibm.jsse2.ab.a(ab.java:351)
 at com.ibm.jsse2.ab.a(ab.java:255)
 at com.ibm.jsse2.bb.a(bb.java:42)
 at com.ibm.jsse2.bb.a(bb.java:614)
 at com.ibm.jsse2.ab.s(ab.java:373)
 at com.ibm.jsse2.ab$1.a(ab$1.java:4)
 at com.ibm.jsse2.ab$1.run(ab$1.java:2)
 at java.security.AccessController.doPrivileged(AccessController.java:369)
 at com.ibm.jsse2.ab$c_.run(ab$c_.java:15)
 at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1164)
 at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1067)
 ... 14 more
Caused by: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
 at com.ibm.jsse2.util.h.a(h.java:3)
 at com.ibm.jsse2.util.h.b(h.java:123)
 at com.ibm.jsse2.util.g.a(g.java:13)
 at com.ibm.jsse2.yc.a(yc.java:74)
 at com.ibm.jsse2.yc.a(yc.java:22)
 at com.ibm.jsse2.yc.checkServerTrusted(yc.java:79)
 at com.ibm.jsse2.bb.a(bb.java:59)
 ... 22 more
Caused by: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
 at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:642)
 at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:356)
 at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:256)
 at com.ibm.jsse2.util.h.a(h.java:37)
 ... 28 more

I think I need to get the SslContext using the trust store where I added the cert, but frankly I'm lost.

Any help would be greatly appreciated.
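For readers arriving at this thread: the following is an added example, not code from the original post or from the netty project. It shows the shape a netty client usually takes when it must trust a single self-signed certificate such as the server.crt produced by the openssl commands above. The points it makes that differ from the posted code are that the trust anchor is given to SslContextBuilder directly (the javax.net.ssl.trustStore property and the hand-built KeyStore are not needed), that the SslHandler is installed as the first handler in a ChannelInitializer before the connection is made rather than appended after the encoder, and that the client waits for the handshake future before writing. The host name, the port 5000, and the TcpSyslogEventEncoder and SyslogEvent classes are taken from the post and assumed to exist; the endpoint identification step assumes the certificate's CN or subjectAltName matches the host it is connecting to.

```java
import io.netty.bootstrap.Bootstrap;
import io.netty.channel.Channel;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.ChannelOption;
import io.netty.channel.EventLoopGroup;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioSocketChannel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.io.File;

public class TlsSyslogClient {

    public static void main(String[] args) throws Exception {
        // Assumed values: the syslog server's name and the port used in the post.
        final String host = args.length > 0 ? args[0] : "syslog.example.internal";
        final int port = 5000;

        // Trust exactly the server's self-signed certificate (server.crt from the openssl
        // commands in the post). The JVM's default CA bundle is not consulted, so the
        // javax.net.ssl.trustStore property and a hand-built KeyStore are unnecessary.
        // Cipher suites are left at netty's defaults rather than set to every suite the
        // JVM merely supports.
        final SslContext sslCtx = SslContextBuilder.forClient()
                .trustManager(new File("server.crt"))
                .build();

        EventLoopGroup group = new NioEventLoopGroup();
        try {
            Bootstrap bootstrap = new Bootstrap()
                    .group(group)
                    .channel(NioSocketChannel.class)
                    .option(ChannelOption.SO_KEEPALIVE, true)
                    .handler(new ChannelInitializer<SocketChannel>() {
                        @Override
                        protected void initChannel(SocketChannel ch) {
                            // The SslHandler goes first: it must see the raw bytes before any
                            // decoder, and every later handler's output is encrypted by it.
                            SslHandler ssl = sslCtx.newHandler(ch.alloc(), host, port);

                            // Ask the engine to check the certificate name against 'host'.
                            // Assumes server.crt carries a matching CN or subjectAltName.
                            SSLEngine engine = ssl.engine();
                            SSLParameters params = engine.getSSLParameters();
                            params.setEndpointIdentificationAlgorithm("HTTPS");
                            engine.setSSLParameters(params);

                            ch.pipeline().addLast("ssl", ssl);
                            // Encoder from the post; assumed to turn SyslogEvent into bytes.
                            ch.pipeline().addLast("encoder", new TcpSyslogEventEncoder());
                        }
                    });

            Channel channel = bootstrap.connect(host, port).sync().channel();

            // Wait for the handshake before writing. A trust failure (for example the PKIX
            // "unable to find valid certification path" seen in the post) is thrown here,
            // at the call site, instead of reaching the tail of the pipeline.
            SslHandler ssl = channel.pipeline().get(SslHandler.class);
            ssl.handshakeFuture().sync();

            // Sample message constructed for this example.
            SyslogEvent event = new SyslogEvent(
                    "Dec 23 12:11:43 louis postfix/smtpd[31499]: connect from client.example.internal");
            channel.writeAndFlush(event).sync();
            channel.close().sync();
        } finally {
            group.shutdownGracefully();
        }
    }
}
```

Two things worth checking against the posted code when comparing the two: `getSupportedCipherSuites()` returns every suite the provider can negotiate, including anonymous and NULL-encryption suites, so handing that list to `ciphers()` widens what the client will accept; and `System.setProperty("javax.net.ssl.trustStore", "server.crt")` points the JVM at a PEM file, not a keystore, which the default trust manager cannot load.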
