scala - Configuration issue for Spray https server with self-signed certificate?
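I am using Spray 1.3, Akka 2.3, and Scala 2.11 on Mac 10.9.4 to set up an HTTP server. I am following the Ch. 2 example in Manning's Akka in Action (sample code available here: https://github.com/RayRoestenburg/akka-in-action.git), which compiles, runs, and behaves as expected when I use http, but I am having trouble configuring it for use with https.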
To run with https, I have generated a self-signed certificate as follows:

```
keytool -genkey -keyalg RSA -alias selfsigned -keystore myjks.jks -storepass abcdef -validity 360 -keysize 2048
```

Following this example, https://github.com/spray/spray/tree/v1.2-M8/examples/spray-can/simple-http-server/src/main/scala/spray/examples I've added an SSL config class:

```scala
package com.goticks

import java.security.{SecureRandom, KeyStore}
import javax.net.ssl.{KeyManagerFactory, SSLContext, TrustManagerFactory}
import spray.io._

// for SSL support (if enabled in application.conf)
trait MySSLConfig {

  // if there is no SSLContext in scope implicitly the HttpServer uses the default SSLContext,
  // since we want non-default settings in this example we make a custom SSLContext available here
  implicit def sslContext: SSLContext = {
    val keyStoreResource = "myjks.jks"
    val password = "abcdef"

    val keyStore = KeyStore.getInstance("jks")
    keyStore.load(getClass.getResourceAsStream(keyStoreResource), password.toCharArray)
    val keyManagerFactory = KeyManagerFactory.getInstance("SunX509")
    keyManagerFactory.init(keyStore, password.toCharArray)
    val trustManagerFactory = TrustManagerFactory.getInstance("SunX509")
    trustManagerFactory.init(keyStore)
    val context = SSLContext.getInstance("TLS")
    context.init(keyManagerFactory.getKeyManagers, trustManagerFactory.getTrustManagers, new SecureRandom)
    context
  }

  // if there is no ServerSSLEngineProvider in scope implicitly the HttpServer uses the default one,
  // since we want to explicitly enable cipher suites and protocols we make a custom ServerSSLEngineProvider
  // available here
  implicit def sslEngineProvider: ServerSSLEngineProvider = {
    ServerSSLEngineProvider { engine =>
      engine.setEnabledCipherSuites(Array("TLS_RSA_WITH_AES_256_CBC_SHA"))
      engine.setEnabledProtocols(Array("SSLv3", "TLSv1"))
      engine
    }
  }
}
```

I've updated the Main class to use the SSL config:

```scala
package com.goticks

import akka.actor._
import akka.io.IO
import spray.can.Http
import spray.can.server._
import com.typesafe.config.ConfigFactory

object Main extends App with MySSLConfig {
  val config = ConfigFactory.load()
  val host = config.getString("http.host")
  val port = config.getInt("http.port")

  implicit val system = ActorSystem("goticks")

  val api = system.actorOf(Props(new RestInterface()), "httpInterface")
  IO(Http) ! Http.Bind(listener = api, interface = host, port = port)
}
```

I've updated application.conf:

```
spray {
  can {
    server {
      server-header = "GoTicks.com REST API"
      ssl-encryption = on
    }
  }
}
```

After compiling and running the server, I get the following error when I try to do an https GET:

```
[ERROR] [09/15/2014 10:40:48.056] [goticks-akka.actor.default-dispatcher-4] [akka://goticks/user/IO-HTTP/listener-0/7] Aborting encrypted connection to localhost/0:0:0:0:0:0:0:1%0:59617 due to [SSLHandshakeException:no cipher suites in common] -> [SSLHandshakeException:no cipher suites in common]
```

I'm not sure if my problem is with the generated key or with my configuration. Incidentally, my final goal is to use this configuration with a TCP socket (see my other question: TCP socket with SSL on Scala with Akka), but I was unable to find documentation for running secure TCP, so I thought I would start with HTTPS.

Any help is appreciated.

Solution
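I was finally able to make it work using Apache Camel, as recommended here. It seems like overkill to bring in Camel just to set up the SSLContext, but this is what finally worked.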
My SSLConfig ended up looking like this:

```scala
import javax.net.ssl.SSLContext
import spray.io._
import org.apache.camel.util.jsse._

trait MySSLConfig {
  implicit def sslContext: SSLContext = {
    //val keyStoreFile = "/Users/eschow/repo/services/jks/keystore.jks"
    val keyStoreFile = "/Users/eschow/code/scala/akka-in-action/chapter2/myjks.jks"

    // Keystore location and store password
    val ksp = new KeyStoreParameters()
    ksp.setResource(keyStoreFile)
    ksp.setPassword("abcdef")

    // Key manager backed by that keystore, with the private key's password
    val kmp = new KeyManagersParameters()
    kmp.setKeyStore(ksp)
    kmp.setKeyPassword("abcdef")

    val scp = new SSLContextParameters()
    scp.setKeyManagers(kmp)

    val context = scp.createSSLContext()
    context
  }

  implicit def sslEngineProvider: ServerSSLEngineProvider = {
    ServerSSLEngineProvider { engine =>
      engine.setEnabledCipherSuites(Array("TLS_RSA_WITH_AES_256_CBC_SHA"))
      engine.setEnabledProtocols(Array("SSLv3", "TLSv1"))
      engine
    }
  }
}
```

By the way, the errors logged by Camel were much more helpful. Doing something silly like providing a bad path to the keystore or an incorrect password gives meaningful, human-readable errors rather than the silent failure I was seeing before.
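An added example (not part of the original question or answer, and not Spray or Camel code) that gets the same fail-fast behaviour with JDK classes only: a missing keystore file, a wrong password, an alias without a private key, or a cipher suite the JVM cannot offer each raise a specific error at startup instead of at handshake time. It assumes the keystore file, alias and password from the keytool command above and that the key password equals the store password; `TlsConfigCheck` and its method names are hypothetical.

```scala
import java.io.{File, FileInputStream}
import java.security.KeyStore
import javax.net.ssl.{KeyManagerFactory, SSLContext}

// Added example: hypothetical helper, uses only JDK APIs.
object TlsConfigCheck {

  // Build an SSLContext from a JKS file, checking each step explicitly.
  def buildContext(path: String, alias: String, password: Array[Char]): SSLContext = {
    val file = new File(path)
    require(file.isFile, s"keystore not found: ${file.getAbsolutePath}")

    val keyStore = KeyStore.getInstance("JKS")
    val in = new FileInputStream(file)
    // load() throws IOException when the store password is wrong.
    try { keyStore.load(in, password) } finally { in.close() }

    // KeyStore.load(null, ...) succeeds and yields an EMPTY store, which is what
    // happens when getResourceAsStream cannot find the resource. An empty store
    // gives the server no key to offer, so verify the entry is really there.
    require(keyStore.isKeyEntry(alias), s"alias '$alias' holds no private key")

    val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
    // init() throws UnrecoverableKeyException when the key password is wrong.
    kmf.init(keyStore, password)

    val context = SSLContext.getInstance("TLS")
    // null selects the default trust managers and SecureRandom.
    context.init(kmf.getKeyManagers, null, null)
    context
  }

  // Requested suites this JVM cannot offer at all (for example, AES-256 suites on
  // older JVMs without the unlimited-strength JCE policy files).
  def unsupportedSuites(context: SSLContext, requested: Seq[String]): Seq[String] = {
    val supported = context.createSSLEngine().getSupportedCipherSuites.toSet
    requested.filterNot(supported.contains)
  }

  def main(args: Array[String]): Unit = {
    // File name, alias and password are the ones from the keytool command on this page.
    val context = buildContext("myjks.jks", "selfsigned", "abcdef".toCharArray)
    val missing = unsupportedSuites(context, Seq("TLS_RSA_WITH_AES_256_CBC_SHA"))
    if (missing.nonEmpty) sys.error(s"JVM does not support: ${missing.mkString(", ")}")
    println("keystore and cipher suites OK")
  }
}
```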