Java ssl握手,无需下载证书
[英]java ssl handshake without downloading the certificate
问题描述
During an SSL handshake, the step 3, which is downloading the certificate from the server, is optional. 
在SSL握手过程中,从服务器下载证书的步骤3是可选的。
So if I have distributed the certificate with my client, how can I skip the downloading to improve the performance? 因此,如果我已经与客户端一起分发了证书,如何跳过下载以提高性能?
Note that I know how to load a local certificate and how to trust it. 请注意,我知道如何加载本地证书以及如何信任它。 But I don't know how to skip the downloading process and I haven't found anything useful in the java document. 但是我不知道如何跳过下载过程,并且在Java文档中找不到任何有用的东西。
Thanks in advance. 提前致谢。
EDIT 编辑
My question is NOT about using a cipher suite which does not require a certificate. 我的问题不是关于使用不需要证书的密码套件。 I still have a certificate and wish to use its public key for symmetric key exchange. 我仍然有证书,并希望使用其公钥进行对称密钥交换。
2 个解决方案
解决方案1
2 已采纳 2016-11-13 22:07:51
My question is NOT about using a cipher suite which does not require a certificate.
I think you are missing the role of a certificate in TLS. 我认为您在TLS中缺少证书的作用。 The main task is to provide authentication so that the connection is protected against man in the middle attacks (ie man in the middle claiming to be the server). 主要任务是提供身份验证,以便保护连接免受中间人攻击(即中间人声称是服务器)。
Payload encryption is not done by the certificate at all. 有效负载加密完全不是由证书完成的。 At most it is used to exchange the encryption key in RSA based key exchange. 至多它用于在基于RSA的密钥交换中交换加密密钥。 But for currently recommended key exchanges (ECDHE and maybe DHE) the certificate is not needed at all. 但是对于当前推荐的密钥交换(ECDHE和DHE),根本不需要证书。
Which means that using a certificate only for key exchange but not for authentication makes no sense and for this reason there is no cipher which supports this. 这意味着仅将证书用于密钥交换而不将其用于身份验证是没有意义的,因此,没有支持此方法的密码。
解决方案2
1 2016-11-14 01:13:04
During an SSL handshake, the step 3, which is downloading the certificate from the server, is optional.
I don't know where you get your step numbers from, but sending the server certificate is mandatory unless the client states in the ClientHello message that it will accept a non-authenticating cipher suite, and this is specifically described in RFC 2246 as insecure. 我不知道您从哪里获得步骤号,但是必须发送服务器证书,除非客户端在ClientHello消息中声明它将接受非身份验证密码套件,并且在RFC 2246中将其具体描述为不安全。
So if I have distributed the certificate with my client, how can I skip the downloading to improve the performance?
You can't. 你不能
Note that I know how to load a local certificate and how to trust it.
Of course you haven't found it. 当然您还没有找到它。 It isn't there. 它不在那里。 There isn't anything about it at all in the Java documentation, or RFC 2246 either. Java文档或RFC 2246中都没有任何相关内容。 You've invented this requirement. 您已经发明了此要求。 That doesn't mean that either Java JSSE or SSL itself supports it. 这并不意味着Java JSSE或SSL本身都支持它。 It doesn't. 没有。
My question is NOT about using a cipher suite which does not require a certificate.
SSL does not perform symmetric key exchange. SSL不执行对称密钥交换。 Once again you are talking about something that doesn't exist. 再一次,您谈论的是不存在的东西。 If you want to understand SSL, read RFC 2246. If you want to invent your own, feel free, but don't call it SSL, and don't kid yourself that it will be either as performant or as secure as SSL, which has had nearly 25 years of development. 如果您想了解SSL,请阅读RFC2246。如果您想发明自己的SSL,请放心,但不要将其称为SSL,也不要自欺欺人,它的性能或安全性都与SSL相同,已经有近25年的发展。 It won't. 不会的
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.