
How does the SASL_SSL security protocol work? Does the client verify the server (X.509 cert)?

How SSL works is well known, as it's quite widely used and described well everywhere. In short, SSL involves:

  1. Verifying server authenticity by the client, by verifying the server's X.509 certificate.
  2. Then arriving at a symmetric key using the Diffie-Hellman key exchange algorithm.

But I am not sure what happens with security.protocol=SASL_SSL. Client and server communication in a few technologies like Kafka etc. relies on this security protocol as one of the options. Here I am worried about point 1 above. If I get a wrong broker address (as a trick) from someone, my question is whether SASL_SSL verifies the server certificate or not. If it does, then I can be sure that the received broker is not genuine and my application will not publish or subscribe to messages from this server, and my data is safe.

Edit 1: Following @steffen-ullrich's answer and comments, and a little more digging, I see the below. Looks like the certificate validation is happening when used through Chrome, and probably it's loaded in the cacerts too. So the Java code is able to authenticate the server, so it seems OK.

Edit 2: Right, the certificates DST and ISRG are preloaded in the JDK 11 cacerts, so the client is able to authenticate the server, as commented by Steffen.

What you are asking is related to another configuration; please read the following description.

ssl.endpoint.identification.algorithm: The endpoint identification algorithm used by clients to validate the server host name. The default value is https. Clients, including client connections created by the broker for inter-broker communication, verify that the broker host name matches the host name in the broker's certificate. Disable server host name verification by setting ssl.endpoint.identification.algorithm to an empty string. Type: string; Default: https; Importance: medium

SASL is a standard for authentication of the client - see Simple Authentication and Security Layer. SASL_SSL simply means that the client authentication (SASL) is used over a protected connection (SSL) to prevent interception, instead of over a plain connection.
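To make the two answers concrete, here is an added example (not from the question or either answer) that audits a Kafka client properties file for exactly the settings they discuss: whether security.protocol actually puts SASL over TLS, whether ssl.endpoint.identification.algorithm has been blanked so that the broker's host name is no longer checked against its certificate, and whether a truststore is configured or the client is relying on the JVM's default cacerts, as the questioner found. The property names are Kafka's own; the sample configurations, file paths and credential placeholders are constructed for the example.

```python
"""Audit a Kafka client properties file for the TLS-related settings
discussed in the answers above (added example, not part of the original
question or answers; the property names are Kafka's own, the sample
configurations below are constructed)."""
import re
from typing import Dict, List, Tuple

# security.protocol values under which the broker presents a certificate
# that the client validates; SASL_PLAINTEXT and PLAINTEXT do not.
TLS_PROTOCOLS = {"SSL", "SASL_SSL"}

# Constructed sample configurations (not real deployments).
WEAK_CONFIG = """
# SASL over TLS, but hostname verification switched off
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="app" password="PLACEHOLDER";
ssl.endpoint.identification.algorithm=
"""

HARDENED_CONFIG = """
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="app" password="PLACEHOLDER";
ssl.truststore.location=/etc/kafka/client.truststore.jks
ssl.truststore.password=PLACEHOLDER
ssl.endpoint.identification.algorithm=https
"""

PLAINTEXT_CONFIG = """
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: 'key=value' or 'key: value',
    '#' and '!' comment lines; later keys override earlier ones."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def audit(props: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the settings that decide
    whether the client actually authenticates the broker."""
    findings: List[Tuple[str, str]] = []
    # Kafka clients default to PLAINTEXT when security.protocol is absent.
    protocol = props.get("security.protocol", "PLAINTEXT")
    if protocol not in TLS_PROTOCOLS:
        findings.append((
            "HIGH",
            f"security.protocol={protocol}: no TLS, so no broker certificate is "
            "checked and SASL credentials travel over a plain connection",
        ))
        return findings  # the TLS-only settings below do not apply

    # An absent key means the Kafka default, which is 'https' (verify on);
    # only an explicitly empty value disables hostname verification.
    algorithm = props.get("ssl.endpoint.identification.algorithm", "https")
    if algorithm == "":
        findings.append((
            "HIGH",
            "ssl.endpoint.identification.algorithm is empty: hostname "
            "verification is off, so a certificate for any name that chains "
            "to a trusted CA is accepted from whichever host answers",
        ))

    # Without an explicit truststore the client trusts whatever the JVM's
    # default cacerts trusts (public CAs such as the DST/ISRG roots).
    if "ssl.truststore.location" not in props:
        findings.append((
            "INFO",
            "ssl.truststore.location not set: trust falls back to the JVM "
            "default cacerts; fine for publicly issued broker certificates, "
            "but a private CA would need its own truststore",
        ))
    return findings


def audit_text(text: str) -> List[Tuple[str, str]]:
    """Convenience wrapper: parse then audit."""
    return audit(parse_properties(text))


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("plaintext", PLAINTEXT_CONFIG)]:
        print(f"== {name} ==")
        for severity, message in audit_text(cfg) or [("OK", "no findings")]:
            print(f"[{severity}] {message}")
```

The point the audit makes visible is the one the question circles around: with SASL_SSL the certificate chain is validated by the TLS layer, but whether the certificate's host name is compared to the broker address you were given is controlled by ssl.endpoint.identification.algorithm alone. Blanking it is a common reaction to a host-name-mismatch error, and it reintroduces exactly the "wrong broker address" risk, since any certificate from a trusted CA is then accepted regardless of who presented it. The INFO finding is not a defect on its own; it records the cacerts fallback the questioner observed so a reviewer can confirm that the broker's issuing CA really is among the JVM's trusted roots.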
