java https://localhost (SSL) - 可能无需在客户端安装证书?
[英]java https://localhost (SSL) - possible without installing certs on client?
问题描述
After reading the following, I'm still stuck on making the barest-minimum https ://localhost stand-alone install-free webserver java app.
阅读以下内容后,我仍然坚持制作最低限度的https ://localhost 独立安装免安装网络服务器 java 应用程序。 It needs to be library-free, use Java 8, and accept connections from the browser without first installing any special client certs.它需要无库,使用 Java 8,并接受来自浏览器的连接,而无需先安装任何特殊的客户端证书。 I'm unclear if this is at all possible with self-signed certs because it only has to work for "localhost".我不清楚这是否可以使用自签名证书,因为它只需要为“本地主机”工作。
- How make SSL server socket support both http & https in java? java中如何让SSL服务器socket同时支持http和https?
- My simple java HTTPS server only works for localhost 我的简单 java HTTPS 服务器仅适用于本地主机
- Simple Java HTTPS server 简单的 Java HTTPS 服务器
So far I've generated some key files using到目前为止,我已经使用生成了一些关键文件
openssl genrsa -aes128 -out privkey.pem 2048 # makes privkey.pem
openssl req -new -x509 -key privkey.pem # makes cert.crt
and I've cobbled together the bare minimum Kotlin setup function我拼凑了最低限度的 Kotlin 设置功能
private fun ssl():SSLServerSocketFactory {
val password = "MYPASSWORD".toCharArray()
val kmf = KeyManagerFactory.getInstance("SunX509")
val tmf = TrustManagerFactory.getInstance("SunX509")
val sslContext = SSLContext.getInstance("TLS")
// initialise the keystore
KeyStore.getInstance("JKS").let { ks->
FileInputStream("lig.keystore").use {
ks.load(it, password)
}
kmf.init(ks, password)
tmf.init(ks)
}
// setup the HTTPS context and parameters
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null)
return sslContext.serverSocketFactory
}
ssl().createServerSocket().use { serverSocket ->
serverSocket.reuseAddress = true
serverSocket.bind(InetSocketAddress(port))
logger.info { "WebServer ready and listening on ${serverSocket.localPort}" }
But I'm having trouble how to finish it off: Do I need to make a lig.keystore file?但是我在如何完成它时遇到了麻烦:我需要制作一个lig.keystore文件吗? Can this even be done without installing certs on the client's browser?这甚至可以在客户端浏览器上不安装证书的情况下完成吗?
2 个解决方案
解决方案1
4 2017-12-13 02:29:42
There are two common approaches to getting a secure connection between a client (browser) and server via HTTPS:有两种常见的方法可以通过 HTTPS 在客户端(浏览器)和服务器之间建立安全连接:
You can obtain SSL certificate for the server that is signed by a Root Certification Authority (CA) that is trusted by the user's web browser by default.
默认情况下,您可以为由用户 Web 浏览器信任的根证书颁发机构 (CA) 签署的服务器获取 SSL 证书。You can generate a self-signed SSL certificate, and have the user import it into their web browser as a trusted cert.
您可以生成自签名 SSL 证书,并让用户将其作为受信任的证书导入他们的 Web 浏览器。
What you have done so far seems to be to generate a server-side keystore with a self-signed cert in it and (more or less) configured the Kotlin server to use it.到目前为止,您所做的似乎是生成一个带有自签名证书的服务器端密钥库,并且(或多或少)配置了 Kotlin 服务器以使用它。 The problem is the client (browser).问题是客户端(浏览器)。 There is no safe way to get the browser to trust the self-signed cert without the involvement of the user or the user's sysadmin.在没有用户或用户系统管理员参与的情况下,没有安全的方法让浏览器信任自签名证书。 (Safe ... as in safe for the user!) (安全......对用户来说是安全的!)
And no legitimate CA should ever issue an SSL cert for "localhost";任何合法的 CA 都不应该为“localhost”颁发 SSL 证书; eg https://www.ssl2buy.com/wiki/how-to-get-ssl-certificate-for-web-applications-that-runs-on-localhost例如https://www.ssl2buy.com/wiki/how-to-get-ssl-certificate-for-web-applications-that-runs-on-localhost
Impasse.僵局。
OK, so lets step back.好的,让我们退后一步。 The purpose of using HTTPS / SSL is to ensure that:使用 HTTPS / SSL 的目的是确保:
The user's web browser is talking to the correct server, and not some other server that is impersonating it.
用户的 Web 浏览器正在与正确的服务器通信,而不是其他一些冒充它的服务器。The connection between the browser and the server is encrypted so that no third party can snoop on the traffic.
浏览器和服务器之间的连接是加密的,因此没有第三方可以窥探流量。
But you are trying to do this for a localhost connection.但是您正在尝试为localhost连接执行此操作。 The localhost IP address is a loopback address. localhost IP 地址是一个环回地址。 Unless the OS kernel is compromised, you are guaranteed that network packets sent via a loopback connection will not leave the host.除非操作系统内核受到损害,否则您可以保证通过环回连接发送的网络数据包不会离开主机。
You can dismiss the "impersonation" problem.
您可以忽略“模拟”问题。 Assuming that the user's machine has not been compromised, nobody else can launch a "fake" server on the user's machine.假设用户的机器没有受到损害,其他人就无法在用户的机器上启动“假”服务器。You can dismiss the "snooping" problem.
您可以忽略“窥探”问题。 Assuming that the user's machine has not been compromised:假设用户的机器没有被入侵:- The packets won't go off-host, so they can't be snooped on any "external" networks.数据包不会脱离主机,因此无法在任何“外部”网络上窥探它们。
- The only person who can "snoop" the packets on the loopback network is the user him / herself.唯一可以“窥探”环回网络上的数据包的人是用户他/她自己。
- The packets won't go off-host, so they can't be snooped on any "external" networks.
So, the solution is simple.所以,解决方法很简单。 Use "http" for your "localhost" connection.对“localhost”连接使用“http”。 It should be secure ... assuming that the user's machine has not been compromised.它应该是安全的......假设用户的机器没有受到损害。
Note: if the user's machine has been compromised , then the bad guys have other ways to intercept the traffic that SSL won't protect against.注意:如果用户的机器已被入侵,那么坏人有其他方法来拦截 SSL 无法防御的流量。
解决方案2
0
Another specific case:另一个具体案例:
I'm facing a web app from https that would load local data at http://localhost我正面临一个来自 https 的网络应用程序,它将在 http://localhost 加载本地数据
Safari web browser blocks because of unsecure communication (http) in a secure flow (https). Safari Web 浏览器由于安全流 (https) 中的不安全通信 (http) 而被阻止。
This behavour could be discussed, but in that case self signed certificate for localhost would help., even with a warning from Safari browser.可以讨论这种行为,但在那种情况下,本地主机的自签名证书会有所帮助。即使 Safari 浏览器发出警告。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.