Mule：javax.net.ssl.SSLPeerUnverifiedException：對方未經過身份驗證

Question

我有一個mule項目，它使用自簽名證書通過HTTPS（TLS）向本地tomcat服務器出站連接。當我執行的流程，我得到以下異常

騾子HTTP連接器

<http:request-config name="SP2" host="my_fqdn" port="38443" doc:name="SP Request Configuration" protocol="HTTPS" > 
    <tls:context> 
     <tls:trust-store path="/temp/temp1.keystore.jks" password="changeit" type="jks"/> 
    </tls:context> 
</http:request-config> 

錯誤從騾子流量

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated 
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397) ~[?:1.7.0_67] 
at org.mule.module.http.internal.domain.request.ClientConnection.getClientCertificate(ClientConnection.java:67) ~[mule-module-http-3.7.2.jar:3.7.2] 
at org.mule.module.http.internal.listener.HttpRequestToMuleEvent.transform(HttpRequestToMuleEvent.java:63) ~[mule-module-http-3.7.2.jar:3.7.2] 
at org.mule.module.http.internal.listener.DefaultHttpListener.createEvent(DefaultHttpListener.java:165) ~[mule-module-http-3.7.2.jar:3.7.2] 
at org.mule.module.http.internal.listener.DefaultHttpListener.access$000(DefaultHttpListener.java:39) ~[mule-module-http-3.7.2.jar:3.7.2] 
at org.mule.module.http.internal.listener.DefaultHttpListener$1.handleRequest(DefaultHttpListener.java:124) ~[mule-module-http-3.7.2.jar:3.7.2] 
at org.mule.module.http.internal.listener.grizzly.GrizzlyRequestDispatcherFilter.handleRead(GrizzlyRequestDispatcherFilter.java:83) ~[mule-module-http-3.7.2.jar:3.7.2] 
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119) ~[grizzly-framework-2.3.21.jar:2.3.21] 
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:283) ~[grizzly-framework-2.3.21.jar:2.3.21] 
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:200) ~[grizzly-framework-2.3.21.jar:2.3.21] 
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:132) ~[grizzly-framework-2.3.21.jar:2.3.21] 
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:111) ~[grizzly-framework-2.3.21.jar:2.3.21] 
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77) ~[grizzly-framework-2.3.21.jar:2.3.21] 
at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:536) ~[grizzly-framework-2.3.21.jar:2.3.21] 
at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112) ~[grizzly-framework-2.3.21.jar:2.3.21] 
at org.mule.module.http.internal.listener.grizzly.ExecutorPerServerAddressIOStrategy.run0(ExecutorPerServerAddressIOStrategy.java:102) ~[mule-module-http-3.7.2.jar:3.7.2] 
at org.mule.module.http.internal.listener.grizzly.ExecutorPerServerAddressIOStrategy.access$100(ExecutorPerServerAddressIOStrategy.java:30) ~[mule-module-http-3.7.2.jar:3.7.2] 
at org.mule.module.http.internal.listener.grizzly.ExecutorPerServerAddressIOStrategy$WorkerThreadRunnable.run(ExecutorPerServerAddressIOStrategy.java:125) ~[mule-module-http-3.7.2.jar:3.7.2] 
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [?:1.7.0_67] 
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [?:1.7.0_67] 
at java.lang.Thread.run(Thread.java:745) [?:1.7.0_67] 

通常，這意味着我的信任庫設置不正確。就我而言，我在Mule的TLS上下文中設置了信任存儲。由於我仍然遇到錯誤，我認爲Mule在某種程度上不尊重我的TLS上下文設置。

此外，我在與執行我的Mule流程的相同項目中的Anypoint Studio內部設置了一個測試程序。

System.setProperty("javax.net.ssl.trustStore","/temp/temp1.keystore.jks"); 
System.setProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType()); 
System.setProperty("javax.net.ssl.trustStorePassword","changeit"); 

SocketFactory sslContext = (SSLSocketFactory) SSLSocketFactory.getDefault(); 
SSLSocket sslSocket = (SSLSocket) sslContext.createSocket("my_fqdn",38443); 
SSLSession sslSession = sslSocket.getSession(); 
sslSession.getPeerCertificates(); 

在上面提到的Java代碼，如果我沒有設置信任存儲得當，我得到的「同行不認證」的錯誤。但是，當我如上所述設置信任存儲時，程序執行時沒有任何錯誤。最後，我嘗試通過信任存儲作爲JVM參數，但也沒有工作。

所以，我對於騾子爲什麼這樣行事毫無頭緒。有誰知道如何解決這個問題？

Answer 1

Mule 3.7.2默認使用SSLV2Hello。當它收到SSLV2Hello時，Tomcat連接器正在關閉連接。我通過修改tomcat連接器解決了這個問題，主要圍繞sslEnabledProtocols列表。

<Connector port="38443" protocol="org.apache.coyote.http11.Http11NioProtocol" 
maxThreads="150" SSLEnabled="true" scheme="https" secure="true" 
clientAuth="false" sslProtocol="TLS" 
keystoreFile="/tmp/temp1.keystore.jks" 
keystorePass="changeit" 
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"/>