使用客户端身份验证实现 java SSL 和 TLS 服务器套接字
[英]Implementing a java SSL and TLS server socket with client authentication
问题描述
I'm working on a project which consists on developping a TLS and SSL JAVA TCP/IP (Socket) server.
我正在开发一个项目,该项目包括开发 TLS 和 SSL JAVA TCP/IP(套接字)服务器。
The Server must accept TLS and SSL TCP/IP Connections.服务器必须接受 TLS 和 SSL TCP/IP 连接。
Actually i developed a multithreaded Server which can accept and respond to many clients in the same time but i still don't see a solution to make it work with TLS and SSL connections实际上,我开发了一个多线程服务器,它可以同时接受和响应许多客户端,但我仍然没有看到使其与 TLS 和 SSL 连接一起工作的解决方案
I have read about the SSLServerSocket and ServerSocketFactory but I didn't get how can they help me with the certificate:我已阅读有关SSLServerSocket和ServerSocketFactory但我不知道它们如何帮助我获得证书:
I didn't know how to give the socket The CA file path (the private certificate path) (eg: CAfile=D:\\projects\\mytools\\eclipse\\TunRootCA1.pem or rootcert.crt) like in Stunnel我不知道如何给套接字 CA 文件路径(私有证书路径)(例如:CAfile=D:\\projects\\mytools\\eclipse\\TunRootCA1.pem 或 rootcert.crt)就像在 Stunnel 中一样
let me describe the situation more precisely: actually, the project i'm working on, consists on developing a server JAVA application which connects with POS devices working with TLS or SSL certificate.让我更准确地描述这种情况:实际上,我正在开展的项目包括开发服务器 JAVA 应用程序,该应用程序与使用 TLS 或 SSL 证书的 POS 设备连接。 The server has to accept the flow and make some fonctional controles (such as amounts,PAN, ...) then switch it to a third party server.服务器必须接受流并进行一些功能控制(例如金额、PAN、...),然后将其切换到第三方服务器。 The server has to work with a one side certificate verification: the clients use a certificate (.ca) downloaded from a national authority web site and the server uses a certificate signed from the same national authority agency all parts of the server are ready except the TLS and SSL connection thanks服务器必须使用一侧证书验证:客户端使用从国家权威网站下载的证书 (.ca),服务器使用同一国家权威机构签署的证书,服务器的所有部分都已准备就绪,除了TLS 和 SSL 连接谢谢
I'd appreciate if anyone can describe me steps (with code samples) to implement a JAVA SSL and TLS server TCP/IP socket (with the above described behaviour)如果有人可以向我描述实现 JAVA SSL 和 TLS 服务器 TCP/IP 套接字(具有上述行为)的步骤(带有代码示例),我将不胜感激
Thanks a lot非常感谢
1 个解决方案
解决方案1
1 2016-09-26 08:27:01
Unfortunately this is not how TLS/SSL works.不幸的是,这不是 TLS/SSL 的工作方式。
The client initiates a connection and sends a public certificate to my server
The client initiates a connection, receives the server certificate, verifies it, receives a certificate request from the server, and sends its own certificate if it can.客户端发起连接,接收服务器证书,验证它,接收来自服务器的证书请求,如果可以,发送自己的证书。
The server must authentify the certificate received with its private certificate (stocked in some predefined path)
Meaningless.无意义的。 There is no such thing as a private certificate.没有私有证书这样的东西。 The server verifies the certificate (a) by checking its digital signature and (b) by forming a trust chain from its signer to a signer it trusts.服务器 (a) 通过检查其数字签名和 (b) 通过形成从其签名者到其信任的签名者的信任链来验证证书。
The server sends a positive response back to the client.
The server either completes the TLS/SSL handshake or sends a TLS alert or closes the connection.服务器要么完成 TLS/SSL 握手,要么发送 TLS 警报或关闭连接。 There is no positive response to an accepted client certificate.对接受的客户端证书没有肯定的响应。
The client sends its message to the server (clear messages).
The channel is now encrypted in both directions.通道现在双向加密。
The server sends its responding messages to the client (clear message).
The channel is now encrypted in both directions.通道现在双向加密。
Your requirement is both non-TLS-compliant and insecure as stated.如上所述,您的要求既不符合 TLS 标准,又不安全。 Review it.回顾一下。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.