# Netty TLS authentication error



## xTailsPvP (29 Dec 2020)

Hello,
I have written a Netty server/client connection because I run several proxies and the proxies have to communicate with each other. I want to run the connection over TLS and additionally add client authentication so that no stranger can sneak into the system. But for some reason I get an exception:

[CODE lang="java" title="Netty-Server"]@Override
protected void initChannel(SocketChannel channel) throws Exception {
    // Generates a fresh self-signed certificate and SslContext for every accepted connection.
    SelfSignedCertificate ssc = new SelfSignedCertificate();
    SslContext context = SslContextBuilder
            .forServer(ssc.certificate(), ssc.privateKey()).protocols("TLSv1.3")
            .build();
    SslHandler sslhandler = context.newHandler(channel.alloc());
    ChannelPipeline pipeline = channel.pipeline();
    pipeline.addLast(sslhandler);
    pipeline.addLast(new StringEncoder(CHARSET),
            new LineBasedFrameDecoder(MAX_LINE_LENGTH), new StringDecoder(CHARSET),
            new ServerListener());
}[/CODE]

[CODE lang="java" title="Netty-Client"]@Override
protected void initChannel(SocketChannel channel) throws Exception {
    KeyStore keyStore = KeyStore.getInstance("JKS");
    char[] password = "abctest".toCharArray();
    // load(null, ...) initialises a new, empty key store (no certificates are read from anywhere).
    keyStore.load(null, password);
    TrustManagerFactory tmf = TrustManagerFactory
            .getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(keyStore);

    SslContext context = SslContextBuilder.forClient().protocols("TLSv1.3")
            .trustManager(tmf).build();
    SslHandler sslhandler = context.newHandler(channel.alloc(), SERVER_HOST, PORT);

    ChannelPipeline pipeline = channel.pipeline();
    pipeline.addLast(sslhandler);
    pipeline.addLast(new StringEncoder(CHARSET),
            new LineBasedFrameDecoder(MAX_LINE_LENGTH), new StringDecoder(CHARSET),
            Client.clientListener);
}[/CODE]

[CODE lang="java" title="Error"]Dec 28, 2020 3:15:30 PM io.netty.channel.DefaultChannelPipeline onUnhandledInboundException
WARNING: An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:478)
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:719)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:655)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:581)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
    at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.handshakeException(ReferenceCountedOpenSslEngine.java:1772)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.wrap(ReferenceCountedOpenSslEngine.java:777)
    at javax.net.ssl.SSLEngine.wrap(Unknown Source)
    at io.netty.handler.ssl.SslHandler.wrap(SslHandler.java:1086)
    at io.netty.handler.ssl.SslHandler.wrapNonAppData(SslHandler.java:977)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1450)
    at io.netty.handler.ssl.SslHandler.decodeNonJdkCompatible(SslHandler.java:1294)
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1331)
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:508)
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:447)
    ... 17 more
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at sun.security.validator.PKIXValidator.<init>(Unknown Source)
    at sun.security.validator.Validator.getInstance(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.getValidator(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    at io.netty.handler.ssl.OpenSslTlsv13X509ExtendedTrustManager.checkServerTrusted(OpenSslTlsv13X509ExtendedTrustManager.java:223)
    at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:261)
    at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:698)
    at io.netty.internal.tcnative.SSL.readFromSSL(Native Method)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.readPlaintextData(ReferenceCountedOpenSslEngine.java:596)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1203)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1325)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1368)
    at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:206)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1387)
    ... 21 more
    Suppressed: javax.net.ssl.SSLHandshakeException: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:1288)
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1249)
        ... 25 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.security.cert.PKIXParameters.setTrustAnchors(Unknown Source)
    at java.security.cert.PKIXParameters.<init>(Unknown Source)
    at java.security.cert.PKIXBuilderParameters.<init>(Unknown Source)
    ... 37 more

Dec 28, 2020 3:15:30 PM io.netty.channel.DefaultChannelPipeline onUnhandledInboundException
WARNING: An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:10000438:SSL routines:OPENSSL_internal:TLSV1_ALERT_INTERNAL_ERROR
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:478)
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:719)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:655)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:581)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
    at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: error:10000438:SSL routines:OPENSSL_internal:TLSV1_ALERT_INTERNAL_ERROR
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.shutdownWithError(ReferenceCountedOpenSslEngine.java:1031)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:1300)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1249)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1325)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1368)
    at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:206)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1387)
    at io.netty.handler.ssl.SslHandler.decodeNonJdkCompatible(SslHandler.java:1294)
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1331)
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:508)
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:447)
    ... 17 more[/CODE]


----------



## kneitzel (29 Dec 2020)

That is a problem with the certificates. You have a signed certificate, and to be able to use it the root certificate of the certification authority must be known, as well as the intermediate certificate. These can usually be downloaded too. For me it was enough so far (not with Netty) to have them in the Java key store file.

But you can also set them via parameters, as I have now seen:

[SSL] the trustAnchors parameter must be non-empty · Issue #1165 · oracle/graal (github.com): "I have a dockerized that uses the AWS SDK for Java and needs SSL support, unfortunately, I get the following error: Caused by: io.netty.handler.codec.DecoderException: java.lang.RuntimeException: U..."

The parameters should suit your case too, if it does not work out with the jks file ...

This is still my somewhat amateurish view of certificates - so it may be that I have not described it 100% correctly and that my problems in the past were fundamentally different ...
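Worked example, added here as an illustration; it is not code from either post or from the Netty project. The stack trace in the question points at the real cause: `keyStore.load(null, password)` initialises a new, empty key store, so the `TrustManagerFactory` is built with no trust anchors at all and the PKIX validator refuses to start ("the trustAnchors parameter must be non-empty"). The program below builds the set-up the question asks for, TLS 1.3 with client authentication between two Netty peers, and gives each side an explicit, non-empty set of trust anchors: the server requires a client certificate (`ClientAuth.REQUIRE`) and trusts only the client's certificate, the client trusts only the server's certificate, and, going one step beyond the thread, a second "stranger" client without key material is shown being rejected by the server. Assumptions: Netty 4.1 (`netty-all`) on the class path, a JDK that supports TLS 1.3, throw-away `SelfSignedCertificate`s standing in for CA-issued certificates, and the names `MutualTlsDemo`, `verdicts`, `connect` and `proxy-1`, which are the example's own.

```java
import io.netty.bootstrap.Bootstrap;
import io.netty.bootstrap.ServerBootstrap;
import io.netty.channel.*;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioServerSocketChannel;
import io.netty.channel.socket.nio.NioSocketChannel;
import io.netty.handler.ssl.*;
import io.netty.handler.ssl.util.SelfSignedCertificate;

import javax.net.ssl.SSLParameters;
import java.net.InetSocketAddress;
import java.security.cert.X509Certificate;
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.concurrent.TimeUnit;

/** Mutual TLS between two Netty peers; the server records which client it authenticated. */
public class MutualTlsDemo {
    // One server-side verdict per incoming connection: "OK <subject>" or "REJECTED <cause>".
    static final BlockingQueue<String> verdicts = new LinkedBlockingQueue<>();

    public static void main(String[] args) throws Exception {
        // Throw-away self-signed certificates for this demo (assumption). In production use
        // CA-issued certificates and put the CA certificate, not each leaf, into the trust store.
        SelfSignedCertificate serverCert = new SelfSignedCertificate("localhost");
        SelfSignedCertificate clientCert = new SelfSignedCertificate("proxy-1");

        // Server: presents serverCert, REQUIRES a client certificate and trusts only clientCert.
        SslContext serverCtx = SslContextBuilder.forServer(serverCert.certificate(), serverCert.privateKey())
                .protocols("TLSv1.3").clientAuth(ClientAuth.REQUIRE).trustManager(clientCert.cert()).build();
        // Authorised client: presents clientCert and trusts only serverCert (a non-empty trust anchor set).
        SslContext clientCtx = SslContextBuilder.forClient().protocols("TLSv1.3")
                .keyManager(clientCert.certificate(), clientCert.privateKey()).trustManager(serverCert.cert()).build();
        // Stranger: trusts the server but has no key material of its own, so it cannot authenticate.
        SslContext strangerCtx = SslContextBuilder.forClient().protocols("TLSv1.3")
                .trustManager(serverCert.cert()).build();

        EventLoopGroup group = new NioEventLoopGroup();
        try {
            Channel server = new ServerBootstrap().group(group).channel(NioServerSocketChannel.class)
                    .childHandler(new ChannelInitializer<SocketChannel>() {
                        @Override protected void initChannel(SocketChannel ch) {
                            ch.pipeline().addLast(serverCtx.newHandler(ch.alloc()), new ChannelInboundHandlerAdapter() {
                                @Override public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception {
                                    if (!(evt instanceof SslHandshakeCompletionEvent)) return;
                                    SslHandshakeCompletionEvent hs = (SslHandshakeCompletionEvent) evt;
                                    if (hs.isSuccess()) {
                                        // The peer certificate is only available after a successful handshake.
                                        X509Certificate peer = (X509Certificate) ctx.pipeline().get(SslHandler.class)
                                                .engine().getSession().getPeerCertificates()[0];
                                        verdicts.add("OK " + peer.getSubjectX500Principal().getName());
                                    } else {
                                        verdicts.add("REJECTED " + hs.cause());
                                    }
                                }
                                @Override public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) { ctx.close(); }
                            });
                        }
                    }).bind(new InetSocketAddress("127.0.0.1", 0)).sync().channel();
            int port = ((InetSocketAddress) server.localAddress()).getPort();

            connect(group, clientCtx, port);   // should be accepted
            System.out.println("authorised client -> " + verdicts.poll(5, TimeUnit.SECONDS));
            connect(group, strangerCtx, port); // should be rejected
            System.out.println("stranger          -> " + verdicts.poll(5, TimeUnit.SECONDS));
            server.close().sync();
        } finally {
            group.shutdownGracefully();
            serverCert.delete();
            clientCert.delete();
        }
    }

    /** Opens one TLS connection with the given client context, waits for the handshake, closes it. */
    static void connect(EventLoopGroup group, SslContext ctx, int port) throws Exception {
        Channel ch = new Bootstrap().group(group).channel(NioSocketChannel.class)
                .handler(new ChannelInitializer<SocketChannel>() {
                    @Override protected void initChannel(SocketChannel c) {
                        SslHandler ssl = ctx.newHandler(c.alloc(), "localhost", port);
                        // Host/port above only set SNI; this makes the JSSE trust manager also check
                        // that the server's certificate actually matches "localhost".
                        SSLParameters params = ssl.engine().getSSLParameters();
                        params.setEndpointIdentificationAlgorithm("HTTPS");
                        ssl.engine().setSSLParameters(params);
                        c.pipeline().addLast(ssl, new ChannelInboundHandlerAdapter() {
                            @Override public void exceptionCaught(ChannelHandlerContext x, Throwable t) { x.close(); }
                        });
                    }
                }).connect("localhost", port).sync().channel();
        ch.pipeline().get(SslHandler.class).handshakeFuture().await(5, TimeUnit.SECONDS);
        ch.close().sync();
    }
}
```

Two points worth keeping when adapting this to real proxies. First, build the `SslContext` once at start-up, not inside `initChannel`: the server snippet in the question generates a new self-signed certificate per connection, so no client could ever pin or trust it. Second, the verdict is read on the server side on purpose: under TLS 1.3 the client's `handshakeFuture()` can complete before the server has evaluated the client certificate, so a client that only checks its own handshake future cannot tell whether it was accepted. When the trust store holds a CA certificate rather than a single leaf, the `SSLParameters` block becomes essential, because without endpoint identification any certificate issued by that CA can impersonate any host.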


----------

