使用Netty的单向SSL身份验证
[英]One-Way SSL Authentication as using Netty
问题描述
I'm trying to build a one-way authentication socket server using Netty. 
我正在尝试使用Netty构建单向身份验证套接字服务器。
First I used keytool to generate keystore, self signed certificate, truststore for both server and client, and I wrote some code in my server/client, the SSL authentication is working. 首先,我使用keytool为服务器和客户端生成密钥库,自签名证书,信任库,然后在服务器/客户端中编写了一些代码,SSL身份验证正在工作。
Here is my question: 这是我的问题:
Is there any way that I don't need to add truststore to my client, I only add the keystore to my server, and it would still work well? 有什么方法不需要将信任库添加到客户端,仅将密钥库添加到服务器,仍然可以正常工作吗? I thought one-way authentication means that only server holds the certificate? 我认为单向身份验证意味着仅服务器持有证书?
The following is what I wrote in my server/client to add the SslHandler so far: 以下是我到目前为止在服务器/客户端中编写的用于添加SslHandler的内容:
server: 服务器:
private void addSslHandlerOneWay(SocketChannel ch) throws Exception {
SSLContext sslContext = SSLContext.getInstance("TLS");
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream(new File("svrks.jks")), "kspassword1".toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, "kspassword2".toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ks);
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
SSLEngine sslEngine = sslContext.createSSLEngine();
sslEngine.setUseClientMode(false);
sslEngine.setNeedClientAuth(false);//one-way
sslEngine.setEnabledProtocols(sslEngine.getSupportedProtocols());
sslEngine.setEnabledCipherSuites(sslEngine.getSupportedCipherSuites());
sslEngine.setEnableSessionCreation(true);
ch.pipeline().addFirst("SSL", new SslHandler(sslEngine));
}
client: 客户:
private void addSslHandlerOneWay(SocketChannel ch) throws Exception {
SSLContext sslContext = SSLContext.getInstance("TLS");
KeyStore ts = KeyStore.getInstance("JKS");
ts.load(getInputStream("clits.jks"), "tspassword2".toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ts, "tspassword1".toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ts);
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
SSLEngine sslEngine = sslContext.createSSLEngine();
sslEngine.setUseClientMode(true);//client
sslEngine.setEnabledProtocols(sslEngine.getSupportedProtocols());
sslEngine.setEnabledCipherSuites(sslEngine.getSupportedCipherSuites());
sslEngine.setEnableSessionCreation(true);
ch.pipeline().addFirst("SSL", new SslHandler(sslEngine));
}
Thanks, guys. 多谢你们。
1 个解决方案
解决方案1
2 2017-10-05 08:16:08
I thought one-way authentication means that only server holds the certificate?
The server needs to authenticate itself with the certificate. 服务器需要使用证书进行身份验证。 For this it needs certificate and matching private key. 为此,它需要证书和匹配的私钥。
The client needs to verify the authentication, ie that the certificate send by the server is actually the expected one. 客户端需要验证身份验证,即服务器发送的证书实际上是预期的证书。 For this it needs to know either the certificate itself or the CA which issued the certificate - which is the same in case of self-signed certificates. 为此,它需要知道证书本身或颁发证书的CA-在自签名证书的情况下是相同的。
What you seem to expect is that the client does not need any previous knowledge of the servers certificate or the issuer CA. 您似乎期望的是,客户端不需要服务器证书或颁发者CA的任何先前知识。 If this would be the case then the client would just accept any certificate, both corrects ones from the server and also fake ones from an attacker. 如果是这种情况,那么客户端将只接受任何证书,既可以纠正来自服务器的证书,也可以纠正来自攻击者的证书。 Without previous knowledge (ie a local trust anchor) what to expect the server cannot distinguish between correct and fake certificates. 如果没有先前的知识(即本地信任锚),则服务器期望什么将无法区分正确证书和伪造证书。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.