防止Java中的SSL证书验证
[英]Prevent SSL Certificate Verification in Java
问题描述
I've been developing a Client-Server application, that right now, just uses standard Sockets/ServerSockets. 
我一直在开发Client-Server应用程序,现在仅使用标准的Sockets / ServerSockets。 However, I need to send data over a secure connection. 但是,我需要通过安全连接发送数据。 I don't think SSL is an option, because I will be distributing the Client/Server application publicly online, so anyone who wants to host a server can, their for making SSL's certificate verification not relevant, since I would have to bundle the certificate in the distributed server. 我不认为SSL是一种选择,因为我将在网上公开分发客户端/服务器应用程序,因此任何想要托管服务器的人都可以使SSL证书验证不相关,因为我必须捆绑证书在分布式服务器中。
So my question is: what is the correct way to handle something like this? 所以我的问题是:处理这样的事情的正确方法是什么? I've heard that their are ways to disable SSL's verification, but from what I hear, those methods are considered hacky/deprecated to some extent (correct me if I'm wrong). 我听说它们是禁用SSL验证的方法,但据我所知,这些方法在某种程度上被认为是骇客/不推荐使用(如果我错了,请纠正我)。
Another idea is to manually implement encryption/decryption at either end (similar to how SSL works, just without the certificate verification). 另一个想法是在任一端手动实现加密/解密(类似于SSL的工作方式,只是没有证书验证)。
Or, is there their another way/protocol designed for this (or something similar)? 或者,是否有为此设计的另一种方法/协议(或类似方法)?
1 个解决方案
解决方案1
2 已采纳 2016-01-07 22:25:27
You ask for an alternative to SSL, but when it comes to security/encryption it is generally best to stick with the standard methodologies - it is too easy to homebrew a solution that turns out to have significant shortcomings. 您要求使用SSL的替代方法,但是在安全性/加密方面,通常最好坚持使用标准方法-自制解决方案存在很大缺陷,这太容易了。
Having said that, you can pretty easily configure SSL to not do validation of the certificate (essentially by trusting all certificates). 话虽如此,您可以很容易地将SSL配置为不对证书进行验证(基本上是通过信任所有证书)。 This is generally a bad idea. 这通常是一个坏主意。
SSL communication does two things; SSL通信有两件事:
- Encrypts the communication, so no third-party can see what is being sent. 加密通信,因此任何第三方都看不到正在发送的内容。
- Establishes the identity of the owner of the server. 建立服务器所有者的身份。
Not validating the certificate means that you have no idea who is running the server that you just connected to. 不验证证书意味着您不知道谁在运行刚连接的服务器。 Generally speaking, if you are concerned about encrypting the communication with the server, you must be concerned about who is on the other end of the socket. 一般而言,如果您担心加密与服务器的通信,则必须担心谁在套接字的另一端。 If you do not know for sure that the server is run by the person with whom you want to have sensitive communication, you shouldn't send sensitive data because whoever you are trying to hide from might be reading from the other end of then socket. 如果不确定服务器是否由要与之进行敏感通信的人来运行,则不应发送敏感数据,因为任何试图隐藏的人都可能正在从套接字的另一端进行读取。
If it is true that all you want is encrypted communication, then you should use SSL with a self-signed certificate. 如果确实只需要加密通信,则应该将SSL与自签名证书一起使用。 To keep the client happy, tweak the SSLContext in the client to trust such certificates. 为了使客户端满意,请在客户端中调整SSLContext以信任此类证书。
If you go this route, the client application will not be able to tell whether the server it is talking to is the real thing or an imposter set up by the bad guys. 如果走这条路,客户端应用程序将无法判断正在与之通信的服务器是真实的东西还是由坏蛋设置的冒名顶替者。
If you want the full protection of SSL, you should have the operator of every server supply their own certificate to identify themselves and your client should be set up to only talk to trusted servers. 如果要完全保护SSL,则应让每台服务器的操作员提供自己的证书来标识自己,并且应将您的客户端设置为仅与受信任的服务器通信。 It is easiest to configure if this is a certificate issued by a recognized certificate authority (CA). 如果这是由公认的证书颁发机构(CA)颁发的证书,则最容易配置。 However, you can use a self-signed certificate, but each client will need to include the certificate (or the root of the certificate chain) in the cacerts file (or you can tweak the SSLContext to trust the specific self-signed certificate and make this part of the client configuration). 但是,您可以使用自签名证书,但是每个客户端都需要在cacerts文件中包括证书(或证书链的根)(或者您可以调整SSLContext以信任特定的自签名证书并进行设置)客户端配置的这一部分)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.