
I have a proxy servlet based on Jetty's ProxyServlet which sees intermittent 502 responses when trying to proxy requests to a remote server, due to an SSL renegotiation failure in the proxy's HttpClient. A Wireshark trace shows the SSL handshake completing, but then HttpClient restarts the negotiation by sending another Client Hello packet. The remote server (an F5 in this case) is configured to disallow SSL renegotiation, so it closes the connection, causing the proxied request to fail.

I tried calling SslContextFactory.setRenegotiationAllowed(false) when configuring the proxy's HttpClient, but that only causes the request to fail inside the proxy instead. Debug-level logging produces output like the following. Note the "Renegotiation Denied" message, which causes the stream to be closed and in turn leads to a Connection Closed exception on the subsequent attempt to write the proxied request to the output stream.

So what causes HttpClient to think it needs to perform an SSL renegotiation, and what can I do to fix this? Changing the F5 configuration to allow SSL renegotiation is not an option. The problem is intermittent and its reproducibility varies, which suggests there may be a timing component.

I'm using Jetty 9.2.13.v20150730 on Java 1.8.0_66.

2015-10-26 15:23:04,987 | DEBUG | vletModel-46-263 | SslConnection | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | SslConnection@276888f4{NEED_WRAP,eio=-1/-1,di=-1} -> HttpConnectionOverHTTP@76f2815f(l:/9.32.133.96:51386 <-> r:mail.notes.collabservdaily.swg.usma.ibm.com/9.70.230.131:443,closed=false)[HttpChannelOverHTTP@44d24828(exchange=HttpExchange@3284d378 req=TERMINATED/null@null res=PENDING/null@null)[send=HttpSenderOverHTTP@74d58ca9(req=QUEUED,snd=COMPLETED,failure=null)[HttpGenerator{s=START}],recv=HttpReceiverOverHTTP@501e585d(rsp=IDLE,failure=null)[HttpParser{s=START,0 of 0}]]] fill enter
2015-10-26 15:23:04,987 | DEBUG | vletModel-46-263 | ChannelEndPoint | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | filled 1006 SelectChannelEndPoint@57eceb70{mail.notes.collabservdaily.swg.usma.ibm.com/9.70.230.131:443<->51386,Open,in,out,-,-,15/30000,SslConnection}{io=0,kio=0,kro=1}
2015-10-26 15:23:04,987 | DEBUG | vletModel-46-263 | SslConnection | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | SslConnection@276888f4{NEED_WRAP,eio=1006/-1,di=0} -> HttpConnectionOverHTTP@76f2815f(l:/9.32.133.96:51386 <-> r:mail.notes.collabservdaily.swg.usma.ibm.com/9.70.230.131:443,closed=false)[HttpChannelOverHTTP@44d24828(exchange=HttpExchange@3284d378 req=TERMINATED/null@null res=PENDING/null@null)[send=HttpSenderOverHTTP@74d58ca9(req=QUEUED,snd=COMPLETED,failure=null)[HttpGenerator{s=START}],recv=HttpReceiverOverHTTP@501e585d(rsp=IDLE,failure=null)[HttpParser{s=START,0 of 0}]]] filled 1006 encrypted bytes
2015-10-26 15:23:04,987 | DEBUG | vletModel-46-263 | SslConnection | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | SslConnection@276888f4{NEED_WRAP,eio=0/-1,di=977} -> HttpConnectionOverHTTP@76f2815f(l:/9.32.133.96:51386 <-> r:mail.notes.collabservdaily.swg.usma.ibm.com/9.70.230.131:443,closed=false)[HttpChannelOverHTTP@44d24828(exchange=HttpExchange@3284d378 req=TERMINATED/null@null res=PENDING/null@null)[send=HttpSenderOverHTTP@74d58ca9(req=QUEUED,snd=COMPLETED,failure=null)[HttpGenerator{s=START}],recv=HttpReceiverOverHTTP@501e585d(rsp=IDLE,failure=null)[HttpParser{s=START,0 of 0}]]] unwrap Status = OK HandshakeStatus = NEED_WRAP bytesConsumed = 1006 bytesProduced = 977
2015-10-26 15:23:04,988 | DEBUG | vletModel-46-263 | SslConnection | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | SslConnection@276888f4{NEED_WRAP,eio=0/-1,di=977} -> HttpConnectionOverHTTP@76f2815f(l:/9.32.133.96:51386 <-> r:mail.notes.collabservdaily.swg.usma.ibm.com/9.70.230.131:443,closed=false)[HttpChannelOverHTTP@44d24828(exchange=HttpExchange@3284d378 req=TERMINATED/null@null res=PENDING/null@null)[send=HttpSenderOverHTTP@74d58ca9(req=QUEUED,snd=COMPLETED,failure=null)[HttpGenerator{s=START}],recv=HttpReceiverOverHTTP@501e585d(rsp=IDLE,failure=null)[HttpParser{s=START,0 of 0}]]] renegotiation denied
2015-10-26 15:23:04,988 | DEBUG | vletModel-46-263 | SslConnection | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | SslConnection@276888f4{NEED_WRAP,eio=-1/-1,di=977} -> HttpConnectionOverHTTP@76f2815f(l:/9.32.133.96:51386 <-> r:mail.notes.collabservdaily.swg.usma.ibm.com/9.70.230.131:443,closed=false)[HttpChannelOverHTTP@44d24828(exchange=HttpExchange@3284d378 req=TERMINATED/null@null res=PENDING/null@null)[send=HttpSenderOverHTTP@74d58ca9(req=QUEUED,snd=COMPLETED,failure=null)[HttpGenerator{s=START}],recv=HttpReceiverOverHTTP@501e585d(rsp=IDLE,failure=null)[HttpParser{s=START,0 of 0}]]] fill exit
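The debug output above is the only evidence of the failure, so, as an added example that is not part of the question and not Jetty's own code, here is a small Python parser that pulls the SslConnection records out of such a log and flags the "renegotiation denied" events so they can be counted per upstream and correlated with the proxy's 502s. The record layout is assumed from the lines quoted above; the sample log, hosts, addresses and object ids are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample records shaped like the Jetty 9.2.13 SslConnection debug lines above
# (hosts, addresses and ids are made up); the nested HttpChannel state is shortened to "[...]".
SAMPLE_LOG = """\
2015-10-26 15:23:04,987 | DEBUG | vletModel-46-263 | SslConnection | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | SslConnection@276888f4{NEED_WRAP,eio=0/-1,di=977} -> HttpConnectionOverHTTP@76f2815f(l:/10.0.0.1:51386 <-> r:proxy-target.example/10.0.0.2:443,closed=false)[...] unwrap Status = OK HandshakeStatus = NEED_WRAP bytesConsumed = 1006 bytesProduced = 977
2015-10-26 15:23:04,988 | DEBUG | vletModel-46-263 | SslConnection | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | SslConnection@276888f4{NEED_WRAP,eio=0/-1,di=977} -> HttpConnectionOverHTTP@76f2815f(l:/10.0.0.1:51386 <-> r:proxy-target.example/10.0.0.2:443,closed=false)[...] renegotiation denied
2015-10-26 15:23:05,100 | DEBUG | vletModel-46-264 | SslConnection | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | SslConnection@1a2b3c4d{NOT_HANDSHAKING,eio=0/-1,di=0} -> HttpConnectionOverHTTP@5e6f7a8b(l:/10.0.0.1:51390 <-> r:proxy-target.example/10.0.0.2:443,closed=false)[...] fill exit
"""

# One SslConnection record: timestamp, SSLEngine handshake state, remote peer, trailing event text.
RECORD = re.compile(
    r"^(?P<ts>\S+ \S+) \| (?P<level>\w+) \| (?P<thread>[^|]+) \| (?P<logger>[^|]+) \| [^|]+ \| "
    r"SslConnection@(?P<conn>[0-9a-f]+)\{(?P<hs>[A-Z_]+),eio=[^,]+,di=-?\d+\}"
    r".*?r:(?P<remote>[^,]+),closed=(?P<closed>true|false).*?\] (?P<event>.+)$"
)

@dataclass
class SslEvent:
    ts: str
    conn: str        # SslConnection object id, stable for the life of one connection
    handshake: str   # SSLEngine HandshakeStatus at the time of the record
    remote: str      # host/ip:port of the proxied server
    event: str       # trailing event text, e.g. "renegotiation denied"

def parse_record(line):
    """Parse one log line; return None for lines that are not SslConnection records."""
    m = RECORD.match(line.rstrip())
    if not m:
        return None
    return SslEvent(m["ts"], m["conn"], m["hs"], m["remote"], m["event"].strip())

def find_denied_renegotiations(log_text):
    """Return (conn_id, remote, timestamp) for every record where Jetty refused a renegotiation.
    With setRenegotiationAllowed(false) each such record is followed by the stream being
    closed, so these are the events to correlate with the proxy's 502 responses."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_record(line)
        if ev is not None and ev.event.lower().startswith("renegotiation denied"):
            hits.append((ev.conn, ev.remote, ev.ts))
    return hits

def denials_per_remote(log_text):
    """Aggregate denied renegotiations by remote peer to see which upstream is affected."""
    counts = {}
    for _conn, remote, _ts in find_denied_renegotiations(log_text):
        counts[remote] = counts.get(remote, 0) + 1
    return counts
```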

