从 android 到自定义套接字服务器的 SSL/TLS 连接
[英]SSL/TLS connection from android to a Custom Socket Server
问题描述
Finished coding a simple Chat Server in erlang that uses gen_tcp (simple sockets) and an Android Client app for TESTING.
完成了在 erlang 中使用 gen_tcp(简单套接字)和 Android 客户端应用程序进行测试的简单聊天服务器的编码。
Now i need to implement SSL/TLS.现在我需要实现 SSL/TLS。
I kept connection (Sending and Receiving Data) part in a single module, a few lines of code that i can upgrade easily.我将连接(发送和接收数据)部分保留在一个模块中,几行代码我可以轻松升级。
I have no prior experience of implementing SSL/TLS so i am confused here (like a lot).我之前没有实施 SSL/TLS 的经验,所以我在这里很困惑(就像很多一样)。
Questions - Testing part (localhost):问题 - 测试部分(本地主机):
I can generate self signed certificate by:我可以通过以下方式生成自签名证书:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
which results in two files, key.pem and cert.pem , My understanding is that one is Server certificate and the other is the key file but这导致两个文件, key.pem和cert.pem ,我的理解是一个是服务器证书,另一个是密钥文件,但是
- Where is Certificate Authority file?证书颁发机构文件在哪里? Do i need to generate one?我需要生成一个吗? Do i need one?我需要一个吗?
- Are they enough to test my app, to make it ready for a release?它们是否足以测试我的应用程序,使其为发布做好准备?
- How do i turn my simple android socket into a secure socket?如何将我的简单 android 插座变成安全插座? (kotlin preferred) (首选科特林)
- Can i trust my self signed certificate programmatically (and only that one) or do i need to install it on my device (and any other device like a friend's device)我可以以编程方式信任我的自签名证书(并且只有那个)还是我需要将其安装在我的设备上(以及任何其他设备,如朋友的设备)
Questions - Production part:问题 - 生产部分:
SHOULD i use my self signed certificate on my server?
我应该在我的服务器上使用我的自签名证书吗? Do i need to create a CA?我需要创建 CA 吗? Pros and Cons of using self signed certificate?使用自签名证书的优缺点?Can i use free certificates like from letsencrypt forever?
我可以永远使用像letsencrypt这样的免费证书吗? Pros and Cons?优点和缺点?
Finally:最后:
Do i need a certificate for Client too?
我也需要客户的证书吗? Do i need to provide some sort of key[s] to Android app?我是否需要为 Android 应用程序提供某种密钥?What can i do to protect my app from MITM (or protect my app from revealing what is being sent/received to and from server) for exampleTHIS TYPE OF ATTACK
我能做些什么来保护我的应用程序免受 MITM 攻击(或保护我的应用程序不泄露服务器发送/接收的内容),例如这种类型的攻击
2 个解决方案
解决方案1
1 已采纳 2019-09-24 20:39:00
Since nobody answers, I will try to post my views on this:由于没有人回答,我将尝试发表我对此的看法:
Where is Certificate Authority file?
You don't need to get your certificate signed by CA as long as the only server that your Android (or any other) client is going to use, is your own server.只要您的 Android(或任何其他)客户端将使用的唯一服务器是您自己的服务器,您就不需要让 CA 签署您的证书。 Server-side certificate is used by the server to prove its identity (ie to prove that it is really the one it pretends to be) to the clients, for example web browsers.服务器使用服务器端证书向客户端(例如 web 浏览器)证明其身份(即证明它确实是它假装的身份)。 So as long as your client connects to the same host (certificate of which it possesses beforehand), you don't need any signature (neither by CA nor self-signed)因此,只要您的客户端连接到同一主机(它预先拥有的证书),您就不需要任何签名(既不需要 CA 也不需要自签名)
Are they enough to test my app, to make it ready for a release?
Since you have used the most secure RSA (4096 bits), I can't see any other improvement that could be done to the certificate that you have generated, so yes you may consider it as ready for the release由于您使用了最安全的 RSA(4096 位),我看不出可以对您生成的证书进行任何其他改进,所以是的,您可以认为它已准备好发布
How do i turn my simple android socket into a secure socket?
I never used Kotlin, but in the Java environment, it is as easy as:我从未使用过 Kotlin,但在 Java 环境中,它很简单:
import javax.net.ssl.*;
import java.security.*;
SSLSocketFactory factory = (SSLSocketFactory)SSLSocketFactory.getDefault();
SSLSocket socket = (SSLSocket)factory.createSocket("host", port);
Can i trust my self signed certificate programmatically (and only that one) or do i need to install it on my device (and any other device like a friend's device)
You may add cert.pem into a keystore file (assuming store type is JKS and password is passw ):您可以将cert.pem添加到密钥库文件中(假设存储类型为 JKS 且密码为passw ):
keytool -importcert -file cert.pem -keystore keystore.jks -storetype JKS -alias "alias" -storepass passw
and then put keystore.jks into raw folder of your app thus making it accessible as R.raw.keystore from within your code:然后将keystore.jks放入您的应用程序的raw文件夹中,从而使其可以在您的代码中作为R.raw.keystore访问:
KeyStore trusted = KeyStore.getInstance("JKS");
InputStream in = context.getResources().openRawResource(R.raw.keystore); //open inputstream for keystore file in "raw" folder
trusted.load(in, "passw".toCharArray()); //load the keystore from file (using password specified when certificate was imported into keystore)
in.close(); //close inputstream
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(trusted, "passw".toCharArray());
SSLContext sslContext = SSLContext.getInstance("TLSv1.2"); //configure SSL Context to use TLS v1.2
sslContext.init(kmf.getKeyManagers(),null,null);
SSLSocketFactory factory = sslContext.getSocketFactory();
and then you use factory in the way described above to open secure sockets然后您以上述方式使用factory打开安全 sockets
SHOULD i use my self signed certificate on my server?
See answer 1见答案 1
Can i use free certificates like from letsencrypt forever?
It all depends on how big is the risk of a particular CA to get compromised ie sign a fraudulent certificate.这完全取决于特定 CA 受到损害的风险有多大,即签署欺诈性证书。 It is always better to use a trustworthy CA though at a higher cost尽管成本更高,但使用值得信赖的 CA 总是更好
Do i need a certificate for Client too?
Client certificate is just another way of authenticating the end user.客户端证书只是验证最终用户的另一种方式。 If you already use a password for authentication, you don't need to use a client certificate (you may actually add it for additional security but mostly it is not necessary, besides someone may steal it)如果您已经使用密码进行身份验证,则不需要使用客户端证书(您实际上可以添加它以提高安全性,但大多数情况下没有必要,除了有人可能会窃取它)
What can i do to protect my app from MITM (or protect my app from revealing what is being sent/received to and from server) for example THIS TYPE OF ATTACK
Well, it is fine as long as the device belongs to its original owner.好吧,只要设备属于其原始所有者就可以了。 The risk arises in case if it is stolen and the thief is aware of that proxy and may reveal the request/response contents.如果它被盗并且小偷知道该代理并可能泄露请求/响应内容,则会出现风险。 Nothing else comes to my mind other than the user changing his/her password as soon as possible除了用户尽快更改他/她的密码之外,我没有想到其他任何事情
解决方案2
1 2019-09-27 13:40:13
The accepted answer is good but incomplete.接受的答案很好但不完整。
Where is Certificate Authority file?
It is a part of Public Key Infrastructure.它是公钥基础设施的一部分。 The word "public" is of interest here: if your server is not going to be used by anyone but you, then it does not make a whole lot of sense to pay for a third-party CA certificate. “公共”一词在这里很有趣:如果您的服务器不会被除您之外的任何人使用,那么为第三方 CA 证书付费就没有多大意义。 These are meant for domains that are deployed for a vast number of public users, and hence subject to attacks & vulnerabilities.这些适用于为大量公共用户部署的域,因此容易受到攻击和漏洞的影响。
SHOULD i use my self signed certificate on my server?
Now here comes the pickle: if you use a third-party CA certificate, it will cost money, but it can be accessed publicly by mobile devices and browsers out of the box, ie the default SSL socket factory will be able to connect with your domain.现在泡菜来了:如果你使用第三方CA证书,它会花钱,但它可以通过移动设备和开箱即用的浏览器公开访问,即默认的SSL套接字工厂将能够与你的连接领域。
If you opt for a self-signed certificate, a mobile device or browser cannot fulfil the SSL handshake (ie it cannot connect) with your domain without one of the below changes:如果您选择自签名证书,则移动设备或浏览器无法与您的域完成 SSL 握手(即无法连接),除非进行以下更改之一:
- instruct your socket factory to ignore SSL validation .指示您的套接字工厂忽略 SSL 验证。
- create a socket factory that recognizes your certificate创建一个可以识别您的证书的套接字工厂
- add the self-signed certificate you created to the list of known certificates on your client device (mobile/desktop browser).将您创建的自签名证书添加到客户端设备(移动/桌面浏览器)上的已知证书列表中。
- use a technique called SSL pinning to test handshakes & connections.使用称为SSL 固定的技术来测试握手和连接。
Do i need a certificate for Client too?
What you're talking about is referred to as Bidirectional or Two-Way SSL validation .您所说的被称为双向或双向 SSL 验证。 This is good but optional.这很好,但可选。 It is necessary and sufficient to have a publicly known CA certificate on your server.在您的服务器上拥有一个公开的 CA 证书是必要且足够的。
How do i turn my simple android socket into a secure socket?
The default socket IS the secure socket, at least with any sane TCP/HTTP library.默认套接字是安全套接字,至少对于任何健全的 TCP/HTTP 库都是如此。 You have to make code changes to tell the socket factory to ignore SSL validation.您必须更改代码以告诉套接字工厂忽略 SSL 验证。
Are they enough to test my app, to make it ready for a release?
Well, this is a bit unclear.嗯,这有点不清楚。 You should test using SSL pinning or a known CA certificate, not with a self-signed certificate.您应该使用 SSL 固定或已知 CA 证书进行测试,而不是使用自签名证书。 If you want to test just your app functionality, you can disable SSL validation.如果您只想测试您的应用功能,您可以禁用 SSL 验证。 And a release app, as I understand it, will require the default (ie secure) socket factory that automatically manages SSL handshakes with a recognized third-party CA certificate.据我了解,发布应用程序将需要默认(即安全)套接字工厂,该工厂使用公认的第三方 CA 证书自动管理 SSL 握手。
Can i trust my self signed certificate programmatically (and only that one) or do i need to install it on my device (and any other device like a friend's device)
Yes, it can be installed on the client device / browser.是的,它可以安装在客户端设备/浏览器上。 But then your server can only be communicated with from THAT device / browser.但是,您的服务器只能通过该设备/浏览器进行通信。
Last point :最后一点:
If you publish an app on the Play Store with a self-signed certificate, or with SSL validation disabled or ignored, you will soon receive an email warning that your app will be taken down.如果您使用自签名证书在 Play Store 上发布应用程序,或者禁用或忽略 SSL 验证,您很快就会收到 email警告,提示您的应用程序将被删除。 Good luck.祝你好运。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.