Java JSSE SSLEngine cannot resume SSL session

Published 2019-01-28 13:51

Question:

I am writing an application that uses SSLEngine with NIO; I am writing both the client and the server. The client is able to connect to the server, and after it is connected I want it to be able to perform session resumption / renegotiation, but currently without luck..

As the code that uses the SSLEngine is pretty big (SSLEngine usage is SO complex!), I will write simple pseudocode that demonstrates the situation:

Server:
    global sslcontext initialized once
    await new client
    client.sslEngine = create new server ssl engine using the global sslcontext
    client.handleHandshake and wait for it to be done
    handle client.

Client:
    global sslcontext initialized once
    sslEngine = create new client ssl engine using the global sslcontext
    performHandshake and wait for it to be done
    disconnect (close gracefully the connection)
    sslEngine = create new client ssl engine using the global sslcontext
    configure engine to not allow session creation
    performHandshake and wait for it to be done

** I am more than willing to post any part of the code that can help (even the full code, although as I said it is huge..)

When I execute my program the first connection is successful but the second causes an exception:

javax.net.ssl.SSLHandshakeException: No existing session to resume

Did I miss some ingredient that is required for SSL session resumption?

Answer 1:

The SSLEngine will only resume sessions if you create it with SSLContext.createSSLEngine(host, port). Otherwise it has no way of knowing who it's talking to, so no way of knowing what SSLSession to join.
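The flow from the question (handshake, graceful close, then a new engine with session creation disabled), built on the point made in Answer 1, as an added example that is not code from the question or from either answer. It runs a client and a server SSLEngine back to back in memory, with no sockets, from one shared SSLContext. The keystore path and password are assumed placeholders (a PKCS12 file holding the server key and its self-signed certificate, which also serves as the client's trust store), and the engines are pinned to TLS 1.2 so that comparing session IDs is a meaningful resumption check; under TLS 1.3 the JSSE resumes via PSK tickets and the ID is not a reliable indicator.

```java
import java.io.FileInputStream;
import java.nio.ByteBuffer;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;

public class SslEngineResumeDemo {
    // Assumed: a PKCS12 keystore with the server key and its self-signed certificate.
    static final String KEYSTORE_PATH = "server.p12";                 // assumed path
    static final char[] KEYSTORE_PASSWORD = "changeit".toCharArray(); // assumed password
    static final String PEER_HOST = "localhost"; // host:port is the key of the client session cache
    static final int PEER_PORT = 8443;

    // One SSLContext for the whole run; both the client and the server session cache live in it.
    static SSLContext buildContext() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(KEYSTORE_PATH)) { ks.load(in, KEYSTORE_PASSWORD); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, KEYSTORE_PASSWORD);
        // The same keystore is the client's trust store, so no trust-all manager is needed.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    static SSLEngine newEngine(SSLContext ctx, boolean clientMode) {
        // A client engine created without peer host/port never consults the session cache.
        SSLEngine e = clientMode ? ctx.createSSLEngine(PEER_HOST, PEER_PORT) : ctx.createSSLEngine();
        e.setUseClientMode(clientMode);
        e.setEnabledProtocols(new String[] {"TLSv1.2"}); // keeps the session ID stable on resumption
        return e;
    }

    // One handshake action for one engine. `in` and `out` stay in write mode between calls.
    static void step(SSLEngine e, ByteBuffer in, ByteBuffer out, ByteBuffer app) throws SSLException {
        switch (e.getHandshakeStatus()) {
            case NEED_TASK:
                Runnable task;
                while ((task = e.getDelegatedTask()) != null) task.run();
                break;
            case NEED_WRAP:
                e.wrap(ByteBuffer.allocate(0), out);
                break;
            default: // NEED_UNWRAP, or NOT_HANDSHAKING with leftover records to drain
                in.flip();
                e.unwrap(in, app);
                in.compact();
        }
    }

    // Drive client and server to handshake completion through two in-memory buffers (no sockets).
    static void handshake(SSLEngine client, SSLEngine server) throws Exception {
        int net = 4 * client.getSession().getPacketBufferSize();
        int app = client.getSession().getApplicationBufferSize();
        ByteBuffer c2s = ByteBuffer.allocate(net), s2c = ByteBuffer.allocate(net);
        ByteBuffer cApp = ByteBuffer.allocate(app), sApp = ByteBuffer.allocate(app);
        client.beginHandshake();
        server.beginHandshake();
        for (int i = 0; i < 1000; i++) {
            if (client.getHandshakeStatus() == HandshakeStatus.NOT_HANDSHAKING
                    && server.getHandshakeStatus() == HandshakeStatus.NOT_HANDSHAKING
                    && c2s.position() == 0 && s2c.position() == 0) return;
            step(client, s2c, c2s, cApp);
            step(server, c2s, s2c, sApp);
        }
        throw new IllegalStateException("handshake did not converge");
    }

    // Graceful close: close_notify in both directions. Calling closeInbound() before the peer's
    // close_notify has arrived is treated as truncation and invalidates the cached session.
    static void closeGracefully(SSLEngine client, SSLEngine server) throws Exception {
        ByteBuffer net = ByteBuffer.allocate(client.getSession().getPacketBufferSize());
        ByteBuffer app = ByteBuffer.allocate(client.getSession().getApplicationBufferSize());
        client.closeOutbound();
        client.wrap(ByteBuffer.allocate(0), net);
        net.flip();
        server.unwrap(net, app); // server has now seen close_notify
        net.clear();
        server.closeOutbound();
        server.wrap(ByteBuffer.allocate(0), net);
        net.flip();
        client.unwrap(net, app);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext();
        SSLEngine server1 = newEngine(ctx, false), client1 = newEngine(ctx, true);
        handshake(client1, server1);
        byte[] firstId = client1.getSession().getId();
        closeGracefully(client1, server1);
        SSLEngine server2 = newEngine(ctx, false), client2 = newEngine(ctx, true);
        client2.setEnableSessionCreation(false); // second connection must resume or fail, as in the question
        handshake(client2, server2);
        boolean resumed = java.util.Arrays.equals(firstId, client2.getSession().getId());
        System.out.println("second handshake resumed the first session: " + resumed);
    }
}
```

Changing `newEngine` to call `ctx.createSSLEngine()` with no host and port for the client reproduces the failure from the question: the second client engine has nothing to look up in the cache, and with session creation disabled the handshake is rejected. The same rule applies to engines created through NIO or Netty; what matters is that the client engine carries the peer host and port and that the SSLContext holding the cache is reused rather than rebuilt per connection.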

Answer 2:

SSLContext should be a singleton. You can use Netty 4.0.44.Final's SslContextBuilder. Session resumption by sessionId works.

import java.io.File;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;

// Built once and reused for every channel: the server session cache lives inside this context.
private SslContext serverSSLContext;
...

if (serverSSLContext == null) {
    serverSSLContext = SslContextBuilder.forServer(new File("cert.crt"), new File("cert.key")).build();
}
// One SslHandler per channel, all sharing the single context.
channelPipeLine.addLast(serverSSLContext.newHandler(channelPipeLine.channel().alloc()));