I'm at my wits' end: spent a whole evening and still couldn't get libpomelo's TLS working

I created a project with pomelo init, changed wss to tls, and used libpomelo2's bundled test test-tr_tls:

[2015-01-08 22:04:52][INFO] pc_lib_init - register dummy plugin
[2015-01-08 22:04:52][INFO] pc_lib_init - register tcp plugin
[2015-01-08 22:04:52][INFO] pc_lib_init - register tls plugin
[2015-01-08 22:04:52][INFO] tr_uv_tcp_init - load local storage ok
[2015-01-08 22:04:52][DEBUG] pc_client_init - init ok
[2015-01-08 22:04:52][INFO] pc_client_add_ev_handler - add event handler, handler id: 0
[2015-01-08 22:04:52][INFO] tr_uv_tcp_thread_fn - start uv loop thread
[2015-01-08 22:04:52][DEBUG] tcp__con_async_cb - start conn timeout timer
[2015-01-08 22:04:52][INFO] tcp__conn_done_cb - tcp connected, send handshake
[2015-01-08 22:04:52][INFO] tls__conn_done_cb - send client hello
[2015-01-08 22:04:52][DEBUG] tls__info_callback - handshake start
[2015-01-08 22:04:52][DEBUG] tls__info_callback - tls error in SSLv3 read server hello A

Loading shared/server.crt with tr_uv_tls_set_ca_file gives the same result.

Tags: libpomelo, development help
Posted by qklxtlx on 2015-1-8 22:05
2 replies
#1 qklxtlx 2015-1-8 22:07

Has anyone gotten this flow to work? Looking for guidance.
node v0.10.35, pomelo 1.1.3, libpomelo is the latest code

wangxy 2015-1-9 10:54

When you don't configure the server certificate, the server certificate is not verified by default; the connection is only used as an encrypted channel. Judging by the error being reported now, SSLv3 read server hello A, this clearly has nothing to do with certificates.

qklxtlx 2015-1-9 14:10

@wangxy I did configure it, using the one in the shared folder generated by pomelo init.
The log messages after that are all reconnect attempts and the like.

qklxtlx 2015-1-9 14:14

@wangxy What does "not configuring the server certificate" mean? Does it mean the client doesn't call tr_uv_tls_set_ca_file and just runs test-tr_tls directly? I tried that and got the same error.
I can connect with the openssl client.

The environment is OS X + Xcode, run from the Mac terminal, not using the system ssl.

wangxy 2015-1-9 14:18

@qklxtlx

This error is a failure in the handshake protocol; it never got as far as certificate verification. Even receiving the server hello is failing. Are you sure the server side is actually speaking TLS? Analyze it with wireshark/tcpdump and look at the protocol.

wangxy 2015-1-9 14:24

@qklxtlx

From the log you've posted so far, it never reached the certificate verification step.

If the client does not configure a CA, the current behaviour is that the client does not verify the server certificate. You can also hack out the SSL object and customize it yourself.

void* data = pomelo_client_trans_data(client);  /* transport-private data of the client */
void** data_ = (void**) data;
SSL* ssl = data_[1];                            /* the OpenSSL SSL object used by the tls transport */

Then, before initiating connect, you can do whatever you want with ssl.

qklxtlx 2015-1-9 14:32

@wangxy I set it up according to the docs on github

> ssl:{ type:"tls", key:xxx, cert:xxx }

I stepped through it with the debugger, and in the end it's created by tls.createServer in the hybrid connector.

wangxy 2015-1-9 14:36

@qklxtlx

Let me post a complete log for you to look at; or else run it yourself. In the example shipped with libpomelo2, the game-server under the test directory actually has two connectors, one for tls and one for tcp.

[2015-01-09 14:33:45][INFO] pc_lib_init - register dummy plugin
[2015-01-09 14:33:45][INFO] pc_lib_init - register tcp plugin
[2015-01-09 14:33:45][INFO] pc_lib_init - register tls plugin
[2015-01-09 14:33:45][INFO] tr_uv_tcp_init - load local storage ok
[2015-01-09 14:33:45][INFO] tr_uv_tcp_thread_fn - start uv loop thread
[2015-01-09 14:33:45][DEBUG] pc_client_init - init ok
[2015-01-09 14:33:45][INFO] pc_client_add_ev_handler - add event handler, handler id: 0
[2015-01-09 14:33:45][DEBUG] tcp__con_async_cb - start conn timeout timer
[2015-01-09 14:33:45][INFO] tcp__conn_done_cb - tcp connected, send handshake
[2015-01-09 14:33:45][INFO] tls__conn_done_cb - send client hello
[2015-01-09 14:33:45][DEBUG] tls__info_callback - handshake start
[2015-01-09 14:33:45][DEBUG] tls__info_callback - tls error in SSLv3 read server hello A
[2015-01-09 14:33:45][DEBUG] tls__write_to_bio - use writing queue
[2015-01-09 14:33:45][DEBUG] tls__info_callback - tls error in SSLv3 read server hello A
[2015-01-09 14:33:45][DEBUG] tls__write_to_bio - use writing queue
[2015-01-09 14:33:45][DEBUG] tls__info_callback - tls error in SSLv3 read finished A
[2015-01-09 14:33:45][DEBUG] tls__info_callback - tls error in SSLv3 read finished A
[2015-01-09 14:33:45][DEBUG] tls__write_to_bio - use writing queue
[2015-01-09 14:33:45][DEBUG] tls__info_callback - tls error in SSLv3 read finished A
[2015-01-09 14:33:45][DEBUG] tls__write_to_bio - use writing queue
[2015-01-09 14:33:45][DEBUG] tls__info_callback - handshake done
[2015-01-09 14:33:45][DEBUG] tls__write_to_bio - use writing queue
[2015-01-09 14:33:45][DEBUG] tls__write_to_bio - use writing queue
[2015-01-09 14:33:45][INFO] tcp__on_handshake_resp - tcp get handshake resp
[2015-01-09 14:33:45][INFO] tcp__on_handshake_resp - handshake ok
[2015-01-09 14:33:45][INFO] tcp__on_handshake_resp - set heartbeat interval: 3
[2015-01-09 14:33:45][INFO] tcp__send_handshake_ack - send handshake ack
[2015-01-09 14:33:45][INFO] tcp__on_handshake_resp - start heartbeat interval timer
[2015-01-09 14:33:45][INFO] tcp__on_handshake_resp - handshake completely
[2015-01-09 14:33:45][INFO] tcp__on_handshake_resp - client connected
[2015-01-09 14:33:45][INFO] pc__trans_fire_event - fire event: PC_EV_CONNECTED, arg1: , arg2:
test: get event PC_EV_CONNECTED, arg1: , arg2:
[2015-01-09 14:33:45][DEBUG] tls__write_to_bio - use writing queue
[2015-01-09 14:33:45][DEBUG] tls__write_to_bio - move wi to writing queue or tcp write queue, seq_num: 4294967295, req_id: 4294967295
[2015-01-09 14:33:45][DEBUG] tls__write_to_bio - use writing queue
[2015-01-09 14:33:45][DEBUG] tls__write_to_bio - use writing queue
[2015-01-09 14:33:45][WARN] tcp__on_heartbeat - tcp is not waiting for heartbeat, ignore
[2015-01-09 14:33:45][DEBUG] tls__write_to_bio - use writing queue
[2015-01-09 14:33:46][DEBUG] pc_request_with_timeout - use pre alloc request
[2015-01-09 14:33:46][DEBUG] tr_uv_tcp_send - use pre alloc write item, seq_num: 0, req_id: 1
[2015-01-09 14:33:46][DEBUG] tr_uv_tcp_send - put to write wait queue, seq_num: 0, req_id: 1
[2015-01-09 14:33:46][DEBUG] tr_uv_tcp_send - seq num: 0, req_id: 1
[2015-01-09 14:33:46][INFO] pc_request_with_timeout - add request to queue, req id: 1
[2015-01-09 14:33:46][DEBUG] pc_notify_with_timeout - use pre alloc notify
[2015-01-09 14:33:46][DEBUG] tr_uv_tcp_send - use pre alloc write item, seq_num: 1, req_id: 0
[2015-01-09 14:33:46][DEBUG] tls__write_to_bio - use writing queue
[2015-01-09 14:33:46][DEBUG] tr_uv_tcp_send - put to write wait queue, seq_num: 1, req_id: 0
[2015-01-09 14:33:46][DEBUG] tr_uv_tcp_send - seq num: 1, req_id: 0
[2015-01-09 14:33:46][DEBUG] tls__write_to_bio - move wi to writing queue or tcp write queue, seq_num: 0, req_id: 1
[2015-01-09 14:33:46][INFO] pc_notify_with_timeout - add notify to queue, seq num: 1
[2015-01-09 14:33:46][DEBUG] tls__write_to_bio - move wi to writing queue or tcp write queue, seq_num: 1, req_id: 0
[2015-01-09 14:33:46][DEBUG] tls__write_to_tcp - move wi from writing queue to resp pending queue, seq_num: 0, req_id: 1
[2015-01-09 14:33:46][INFO] pc__trans_sent - fire sent event, seq_num: 1, rc: PC_RC_OK
[2015-01-09 14:33:46][DEBUG] tls__write_to_bio - use writing queue
[2015-01-09 14:33:46][DEBUG] tls__write_to_bio - use writing queue
[2015-01-09 14:33:46][INFO] tcp__on_data_recieved - recived data, req_id: 1
[2015-01-09 14:33:46][INFO] pc__trans_resp - fire resp event, req_id: 1, rc: PC_RC_OK
test: get resp {"code":200,"msg":"game server is ok."}
[2015-01-09 14:33:46][DEBUG] tls__write_to_bio - use writing queue
[2015-01-09 14:33:46][DEBUG] tls__write_to_bio - use writing queue
[2015-01-09 14:33:46][INFO] tcp__on_data_recieved - recived data, req_id: 0
[2015-01-09 14:33:46][INFO] pc__trans_fire_event - fire event: PC_EV_USER_DEFINED_PUSH, arg1: onPush, arg2: {"content":"test content","id":42,"topic":"test topic"}
test: get event PC_EV_USER_DEFINED_PUSH, arg1: onPush, arg2: {"content":"test content","id":42,"topic":"test topic"}
[2015-01-09 14:33:46][DEBUG] tls__write_to_bio - use writing queue
[2015-01-09 14:33:47][DEBUG] tcp__write_check_timeout_cb - start to check timeout
[2015-01-09 14:33:47][DEBUG] tcp__write_check_timeout_cb - finish to check timeout
[2015-01-09 14:33:48][DEBUG] tcp__sendheartbeat - send heartbeat
[2015-01-09 14:33:48][DEBUG] tcp__heartbeat_timer_cb - start heartbeat timeout timer
[2015-01-09 14:33:48][DEBUG] tls__write_to_bio - use writing queue
[2015-01-09 14:33:48][DEBUG] tls__write_to_bio - move wi to writing queue or tcp write queue, seq_num: 4294967295, req_id: 4294967295
[2015-01-09 14:33:48][DEBUG] tls__write_to_bio - use writing queue
[2015-01-09 14:33:48][DEBUG] tls__write_to_bio - use writing queue
[2015-01-09 14:33:48][DEBUG] tcp__on_heartbeat - tcp get heartbeat
[2015-01-09 14:33:48][DEBUG] tls__write_to_bio - use writing queue
[2015-01-09 14:33:50][DEBUG] tcp__write_check_timeout_cb - start to check timeout
[2015-01-09 14:33:50][DEBUG] tcp__write_check_timeout_cb - finish to check timeout
[2015-01-09 14:33:51][DEBUG] tcp__sendheartbeat - send heartbeat
[2015-01-09 14:33:51][DEBUG] tcp__heartbeat_timer_cb - start heartbeat timeout timer
[2015-01-09 14:33:51][DEBUG] tls__write_to_bio - use writing queue

wangxy 2015-1-9 14:37

@wangxy info_callback reporting tls_error is normal

wangxy 2015-1-9 14:39

@qklxtlx You simply haven't configured the server's certificate on the client, and you haven't disabled certificate verification either.

qklxtlx 2015-1-9 14:48

@wangxy ... After the error, I then crashed on an ASSERT.

Uh, could you explain specifically how to configure the certificate or how to ignore it? Does the default test ignore it?

wangxy 2015-1-9 15:45

@qklxtlx

If it crashes on an assert, that means there's a bug. Can you give the location of the failed assert?

Currently the test does not verify the server certificate by default.

In our development the certificates are usually self-signed. For your node client there are two connection options, ca and rejectUnauthorized.

For our self-signed certificate, set ca to our server certificate and rejectUnauthorized to true; signature verification is then done automatically, and it will definitely pass.
If you don't want to verify the signature, just set rejectUnauthorized to false; ca can be left unset, and the client then does not authenticate the server certificate.

That's all the help I can give, :-)

wangxy 2015-1-9 15:46

@qklxtlx

If you want to enable mutual authentication, there is currently no configuration interface for the client certificate and private key; you can hack out the SSL structure and configure it yourself. For more information see the openssl and node documentation.

qklxtlx 2015-1-9 16:27

@wangxy OK, I'll try again tonight, sorry for the trouble~ Let's pick it up on Monday -。-

qklxtlx 2015-1-9 16:29

@wangxy If there is no verification between client and server, is the TLS encryption mainly to prevent eavesdropping on the channel? To verify the server you'd still have to set up your own CA, right?

wangxy 2015-1-9 19:18

@qklxtlx Yes

wangxy 2015-1-9 19:19

@qklxtlx In critical domains mutual authentication is usually implemented as well

qklxtlx 2015-1-10 19:10

@wangxy Error log

[2015-01-10 19:08:46][INFO] pc_lib_init - register dummy plugin
[2015-01-10 19:08:46][INFO] pc_lib_init - register tcp plugin
[2015-01-10 19:08:46][INFO] pc_lib_init - register tls plugin
[2015-01-10 19:08:46][INFO] tr_uv_tcp_init - load local storage ok
[2015-01-10 19:08:46][DEBUG] pc_client_init - init ok
[2015-01-10 19:08:46][INFO] pc_client_add_ev_handler - add event handler, handler id: 0
[2015-01-10 19:08:46][INFO] tr_uv_tcp_thread_fn - start uv loop thread
[2015-01-10 19:08:46][DEBUG] tcp__con_async_cb - start conn timeout timer
[2015-01-10 19:08:46][INFO] tcp__conn_done_cb - tcp connected, send handshake
[2015-01-10 19:08:46][INFO] tls__conn_done_cb - send client hello
[2015-01-10 19:08:46][DEBUG] tls__info_callback - handshake start
[2015-01-10 19:08:46][DEBUG] tls__info_callback - tls error in SSLv3 read server hello A
[2015-01-10 19:08:46][DEBUG] tls__write_to_bio - use writing queue
[2015-01-10 19:08:46][DEBUG] tls__info_callback - tls error in SSLv3 read server hello A
[2015-01-10 19:08:46][ERROR] tcp__on_tcp_read_cb - read from tcp error: end of file,will reconn
[2015-01-10 19:08:46][INFO] pc__trans_fire_event - fire event: PC_EV_UNEXPECTED_DISCONNECT, arg1: Read Error Or Close, arg2:
test: get event PC_EV_UNEXPECTED_DISCONNECT, arg1: Read Error Or Close, arg2:
[2015-01-10 19:08:46][DEBUG] tls__reset - reset ssl
[2015-01-10 19:08:46][DEBUG] tls__reset - move should retry wi to writing queue, seq_num: 4294967295, req_id: 4294967295
[2015-01-10 19:08:46][DEBUG] tcp__reconn - max reconn delay incr: 5
[2015-01-10 19:08:46][DEBUG] tcp__reconn - reconnect, delay: 1
[2015-01-10 19:08:46][DEBUG] tls__write_to_bio - use writing queue
[2015-01-10 19:08:47][DEBUG] pc_request_with_timeout - use pre alloc request
[2015-01-10 19:08:47][DEBUG] tr_uv_tcp_send - use pre alloc write item, seq_num: 0, req_id: 1
[2015-01-10 19:08:47][DEBUG] tr_uv_tcp_send - put to conn pending queue, seq_num: 0, req_id: 1
[2015-01-10 19:08:47][DEBUG] tr_uv_tcp_send - seq num: 0, req_id: 1
[2015-01-10 19:08:47][INFO] pc_request_with_timeout - add request to queue, req id: 1
[2015-01-10 19:08:47][DEBUG] pc_notify_with_timeout - use pre alloc notify
[2015-01-10 19:08:47][DEBUG] tls__write_to_bio - use writing queue
[2015-01-10 19:08:47][DEBUG] tr_uv_tcp_send - use pre alloc write item, seq_num: 1, req_id: 0
[2015-01-10 19:08:47][DEBUG] tr_uv_tcp_send - put to conn pending queue, seq_num: 1, req_id: 0
[2015-01-10 19:08:47][DEBUG] tr_uv_tcp_send - seq num: 1, req_id: 0
[2015-01-10 19:08:47][INFO] pc_notify_with_timeout - add notify to queue, seq num: 1
[2015-01-10 19:08:47][DEBUG] tls__write_to_bio - use writing queue
[2015-01-10 19:08:47][DEBUG] tcp__con_async_cb - start conn timeout timer
[2015-01-10 19:08:47][INFO] tcp__conn_done_cb - tcp connected, send handshake
[2015-01-10 19:08:47][INFO] tls__conn_done_cb - send client hello
[2015-01-10 19:08:47][DEBUG] tls__info_callback - handshake start
[2015-01-10 19:08:47][DEBUG] tls__info_callback - tls error in SSLv3 read server hello A
[2015-01-10 19:08:47][DEBUG] tls__write_to_bio - use writing queue
[2015-01-10 19:08:47][DEBUG] tls__info_callback - tls error in SSLv3 read server hello A
[2015-01-10 19:08:47][ERROR] tcp__on_tcp_read_cb - read from tcp error: end of file,will reconn
[2015-01-10 19:08:47][INFO] pc__trans_fire_event - fire event: PC_EV_UNEXPECTED_DISCONNECT, arg1: Read Error Or Close, arg2:
test: get event PC_EV_UNEXPECTED_DISCONNECT, arg1: Read Error Or Close, arg2:
[2015-01-10 19:08:47][DEBUG] tls__reset - reset ssl
[2015-01-10 19:08:47][DEBUG] tls__reset - move should retry wi to writing queue, seq_num: 4294967295, req_id: 4294967295
[2015-01-10 19:08:47][DEBUG] tcp__reset_wi - reset request, req_id: 1
[2015-01-10 19:08:47][INFO] pc__trans_resp - fire resp event, req_id: 1, rc: PC_RC_RESET
Assertion failed in /Users/anthony/SDK/libpomelo2/test/test-tr_tls.c on line 83: rc == PC_RC_OK
Program ended with exit code: 9

wangxy 2015-1-10 20:36

@qklxtlx

The connection was closed by the server, so the problem is on the server side. Please refer to the ssl usage under the test/ directory.

qklxtlx 2015-1-10 20:37

@wangxy I'm using what pomelo init generated...

wangxy 2015-1-10 20:39

@qklxtlx

I don't know what pomelo init generates, but your server side obviously has a problem; possibly the certificate isn't configured.

qklxtlx 2015-1-10 20:42

@wangxy What about this

// pomelo app.js: TLS-enabled hybrid connector configuration
app.configure('all', "hybridsslconnector", function(){
    app.set('connectorConfig', {
        connector: pomelo.connectors.hybridconnector,
        heartbeat: 30,
        useDict: true,
        useProtobuf: true,
        useCrypto: false,
        ssl: {
            type: 'tls',
            key: fs.readFileSync('./config/server1.key'),
            cert: fs.readFileSync('./config/server1.pem'),
            strictSSL: false,
            rejectUnauthorized: false
        }
    });
});

wangxy 2015-1-10 20:45

@qklxtlx

I just looked; it should be that type. pomelo init writes wss, which is probably the problem.

Change it to tls

qklxtlx 2015-1-10 20:46

@wangxy I changed that wss and the sioconnector too

wangxy 2015-1-10 20:46

@qklxtlx

Refer to the example under libpomelo2/test; that one runs.

qklxtlx 2015-1-10 20:47

@wangxy That's exactly the example I'm using, without changing a single line...

wangxy 2015-1-10 20:49

@qklxtlx

There's server-side code in there; just run it directly

qklxtlx 2015-1-10 20:51

@wangxy Yeah, I tried libpomelo2/test/game-server too and it doesn't work either... same problem...

qklxtlx 2015-1-10 20:55

@wangxy enter link description here

The current git checkout is at "update gitignore" (unmodified), and I'm running test/game-server; it crashes on run

wangxy 2015-1-10 20:56

@qklxtlx

Try node 0.10.26; 0.10.35 may have changed something. I tested with 0.10.26 and it was fine.

Also, from the log you posted, the server is clearly the one actively closing the connection.

Check the firewall configuration and capture packets to analyze it.

qklxtlx 2015-1-10 21:00

@wangxy Same behaviour after turning off the system firewall

Too much hassle, I give up... I'll just write it myself at the protocol layer

wangxy 2015-1-11 08:36

@qklxtlx

[2015-01-10 19:08:46][DEBUG] tls__info_callback - tls error in SSLv3 read server hello A
[2015-01-10 19:08:46][ERROR] tcp__on_tcp_read_cb - read from tcp error: end of file,will reconn
[2015-01-10 19:08:46][INFO] pc__trans_fire_event - fire event: PC_EV_UNEXPECTED_DISCONNECT, arg1: Read Error Or Close, arg2:
test: get event PC_EV_UNEXPECTED_DISCONNECT, arg1: Read Error Or Close, arg2:

This piece of the log shows clearly that after the client sent the client hello, while it was waiting to receive the server hello, the underlying tcp connection was closed by the server. The exact reason is unknown; you need to capture packets and analyze them. That's all I can do for you, brother ^^

qklxtlx 2015-1-11 20:27

@wangxy Yes, I understand what this log means, but after thinking it over I decided to just do the encryption myself at the application layer; it's quick and easy

wangxy 2015-2-2 19:19

@qklxtlx

Fixed this problem today.

The main cause is that at the time libpomelo2 used ssl3 by default. Because a security vulnerability was disclosed in ssl3, node.js disabled ssl3 by default in version 0.10.33, and that is why this problem appeared.

It has now been corrected: libpomelo2 now uses TLS 1.2, and the tests pass.
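The packet-capture advice given earlier in the thread and the root cause stated in this reply (client offering SSLv3, server with SSLv3 disabled closing the socket before any ServerHello) can be checked directly against the first record the client sends. The following is an added example, not code from libpomelo2, pomelo or either poster: a small ClientHello decoder in Node.js that reports the record-layer and handshake versions, cipher suites and SNI, plus a classifier for the two failure shapes seen in the logs above. The sample hellos it parses are constructed in the block (`buildClientHello`), the cipher suites, the fixed "random" and the host name `game.example.test` are all invented for the example, and the version naming table covers only SSLv3 through TLS 1.2.

```javascript
'use strict';
// Added example, not code from libpomelo2, pomelo or this thread's authors.
// Decodes the first record of a captured handshake (what wireshark/tcpdump
// would show) to see which protocol version the client offers.
// Byte layout per RFC 6101 (SSL 3.0) and RFC 5246 (TLS 1.2).

const VERSION_NAMES = { 0x0300: 'SSLv3', 0x0301: 'TLSv1.0', 0x0302: 'TLSv1.1', 0x0303: 'TLSv1.2' };

function versionName(v) {
  return VERSION_NAMES[v] || ('unknown 0x' + v.toString(16).padStart(4, '0'));
}

// Parse one handshake record carrying a ClientHello; throws on malformed input.
function parseClientHello(buf) {
  if (buf.length < 5 || buf[0] !== 0x16) throw new Error('not a TLS handshake record');
  const recordVersion = buf.readUInt16BE(1);
  const recordLen = buf.readUInt16BE(3);
  if (buf.length < 5 + recordLen) throw new Error('truncated record');
  const hs = buf.subarray(5, 5 + recordLen);
  if (hs[0] !== 0x01) throw new Error('not a ClientHello');
  const hsLen = hs.readUIntBE(1, 3);                 // 24-bit handshake body length
  if (hs.length < 4 + hsLen) throw new Error('truncated ClientHello');
  let off = 4;
  const clientVersion = hs.readUInt16BE(off); off += 2;
  off += 32;                                         // client random
  off += 1 + hs[off];                                // session id
  const csLen = hs.readUInt16BE(off); off += 2;
  const cipherSuites = [];
  for (let i = 0; i < csLen; i += 2) cipherSuites.push(hs.readUInt16BE(off + i));
  off += csLen;
  off += 1 + hs[off];                                // compression methods
  let sni = null;
  if (off + 2 <= 4 + hsLen) {                        // extensions are optional; SSLv3 hellos have none
    const end = off + 2 + hs.readUInt16BE(off); off += 2;
    while (off + 4 <= end) {
      const type = hs.readUInt16BE(off);
      const len = hs.readUInt16BE(off + 2);
      const body = hs.subarray(off + 4, off + 4 + len);
      if (type === 0x0000 && body.length >= 5) {     // server_name: list_len(2) type(1) name_len(2) name
        sni = body.subarray(5, 5 + body.readUInt16BE(3)).toString('ascii');
      }
      off += 4 + len;
    }
  }
  return { recordVersion: versionName(recordVersion), clientVersion: versionName(clientVersion), cipherSuites, sni };
}

// Build a ClientHello record: constructed sample input for the example, not a real capture.
function buildClientHello(version, sni) {
  const u16 = (n) => Buffer.from([n >> 8, n & 0xff]);
  const parts = [
    u16(version),
    Buffer.alloc(32, 0x42),                          // "random", fixed so the example is reproducible
    Buffer.from([0]),                                // empty session id
    u16(4), Buffer.from([0x00, 0x2f, 0x00, 0x35]),   // two invented suites: AES128-SHA, AES256-SHA
    Buffer.from([1, 0]),                             // one compression method: null
  ];
  if (sni) {
    const name = Buffer.from(sni, 'ascii');
    const ext = Buffer.concat([u16(0x0000), u16(name.length + 5), u16(name.length + 3),
                               Buffer.from([0]), u16(name.length), name]);
    parts.push(u16(ext.length), ext);
  }
  const body = Buffer.concat(parts);
  const hs = Buffer.concat([Buffer.from([0x01, 0]), u16(body.length), body]);
  // Record-layer version: SSLv3 hellos say 3.0; TLS clients conventionally put 3.1 here.
  const recordVersion = version === 0x0300 ? 0x0300 : 0x0301;
  return Buffer.concat([Buffer.from([0x16]), u16(recordVersion), u16(hs.length), hs]);
}

// Classify the failure shape seen in the thread from the offered version and what the server did next.
function diagnose(hello, serverClosedAfterHello) {
  if (hello.clientVersion === 'SSLv3') {
    return { code: 'sslv3-only',
      reason: 'client offers SSLv3; a server with SSLv3 disabled (node.js default since 0.10.33) drops the connection before any ServerHello' };
  }
  if (serverClosedAfterHello) {
    return { code: 'server-closed',
      reason: 'TLS hello was sent but the server closed the socket; check that the listener is a TLS connector and its key/cert load' };
  }
  return { code: 'ok', reason: 'protocol version is not the problem; look further into the handshake (certificate verification, cipher suites)' };
}

const oldHello = parseClientHello(buildClientHello(0x0300, null));
const newHello = parseClientHello(buildClientHello(0x0303, 'game.example.test'));
console.log(oldHello.clientVersion, diagnose(oldHello, true).code);                 // SSLv3 sslv3-only
console.log(newHello.clientVersion, newHello.sni, diagnose(newHello, false).code);  // TLSv1.2 game.example.test ok
```

On a real capture, feed `parseClientHello` the TCP payload of the first packet the client sends after the connect; a `clientVersion` of `SSLv3` followed by a FIN/RST from the server, with no ServerHello in between, is exactly the pattern the logs in this thread describe.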

qklxtlx 2015-2-20 17:59

@wangxy Thanks for the effort~ Right now I'm encrypting at the application layer; I'll take another look later

#2 wangxy 2015-1-9 11:01

Do you have more logs?
