What kind of SSL implementation do I go for?

I am currently testing the waters of SSL, and am new to the SSL stuff. As a part of my research, I came across two different implementations of SSL in the Java space.

First, let me state my requirement, which is very simple: I just need a process to post data to a URL using https.

Among the two solutions, the first one is a pure Java implementation (using only the core Java classes) and the other one uses the Apache HttpClient to do its HTTP.

Initially, as a part of my testing, I would get the infamous "unable to find valid certification path to requested target" exception, and this I figured happens when the certificate (received from the server) is not part of the Java key store. Once I add the certificate to the Java key store, the application works fine in both cases. However, in my use of HttpClient, I noticed the use of SSLSocketFactory.

When I tested HttpClient with the following code,

    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;

    import org.apache.commons.httpclient.HttpClient;
    import org.apache.commons.httpclient.HttpException;
    import org.apache.commons.httpclient.methods.PostMethod;

    // Commons HttpClient 3.x; target is the https URL to post to
    void post(String target) {
        String response = "";
        HttpClient httpClient = new HttpClient();
        PostMethod postMethod = new PostMethod(target);
        postMethod.setQueryString("someQueryString");

        try {
            httpClient.executeMethod(postMethod);
            System.out.println("Response code: " + postMethod.getStatusLine());

            // read the response body line by line
            BufferedReader in = new BufferedReader(new InputStreamReader(postMethod.getResponseBodyAsStream()));
            String temp;
            while ((temp = in.readLine()) != null) {
                response += temp + "\n";
            }
            in.close();
            System.out.println("Server response:\n'" + response + "'");

        } catch (HttpException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } finally {
            // always return the connection to the pool
            postMethod.releaseConnection();
        }
    }

it worked fine, so I am not sure what the use of SSLSocketFactory implementations is. I initially thought this is useful when we want to automate the addition of the certificate to the key store. Am I right in that analysis?

If my analysis is true, which implementation is better?

  • Is it better to just manually install the certificate? What are the cons of this approach? And will the certificate expire? If it does, would I have to install a new certificate again?
  • Or should I automate the whole key store addition functionality using SSLSocketFactory?

Your inputs would be greatly appreciated. Thank you.

You should do neither. There are existing solutions to this.

From the docs:

There are several custom socket factories available in our contribution package. They can be a good start for those who seek to tailor the behavior of the HTTPS protocol to the specific needs of their application:

  • EasySSLProtocolSocketFactory can be used to create SSL connections that allow the target server to authenticate with a self-signed certificate.

  • StrictSSLProtocolSocketFactory can be used to create SSL connections that can optionally perform host name verification in order to help prevent man-in-the-middle type attacks.

  • AuthSSLProtocolSocketFactory can be used to optionally enforce mutual client/server authentication. This is the most flexible implementation of a protocol socket factory. It allows for customization of most, if not all, aspects of the SSL authentication.
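
An added example, not code from the original post and not the contrib package's own factories, showing what a custom SecureProtocolSocketFactory for HttpClient 3.x buys you over the two options in the question. Rather than adding the server certificate to the JDK's cacerts (the "manual install" option, which a JDK upgrade silently discards) or trusting whatever the server sends, it loads an application-owned truststore and turns on JSSE endpoint identification so the certificate must also match the host name, the man-in-the-middle check the StrictSSLProtocolSocketFactory bullet describes. The truststore path, its password and the target URL are placeholders assumed for the example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.PostMethod;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

/**
 * HttpClient 3.x socket factory that trusts only what is in an application-owned
 * truststore and enforces host name verification. Example code, not part of the
 * original post or of the HttpClient contrib package.
 */
public class PinnedTrustStoreSocketFactory implements SecureProtocolSocketFactory {

    private final SSLContext sslContext;

    public PinnedTrustStoreSocketFactory(String trustStorePath, char[] trustStorePassword)
            throws IOException, GeneralSecurityException {
        // Load the app's own truststore (assumed path), not the JDK-wide cacerts.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        // Null KeyManagers: server authentication only, no client certificate.
        sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
    }

    /** Layer TLS over a connected socket and require the certificate to match host. */
    private SSLSocket layer(Socket plain, String host, int port, boolean autoClose) throws IOException {
        SSLSocket ssl = (SSLSocket) sslContext.getSocketFactory().createSocket(plain, host, port, autoClose);
        SSLParameters params = ssl.getSSLParameters();
        // "HTTPS" selects RFC 2818 host name checking inside the JSSE trust manager,
        // so a valid certificate issued for a different host is rejected at handshake.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        ssl.setSSLParameters(params);
        return ssl;
    }

    @Override
    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort,
                               HttpConnectionParams params) throws IOException {
        int timeout = params == null ? 0 : params.getConnectionTimeout(); // 0 = no timeout
        Socket plain = new Socket();
        if (localAddress != null) {
            plain.bind(new InetSocketAddress(localAddress, localPort));
        }
        plain.connect(new InetSocketAddress(host, port), timeout);
        return layer(plain, host, port, true);
    }

    @Override
    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort)
            throws IOException {
        return createSocket(host, port, localAddress, localPort, null);
    }

    @Override
    public Socket createSocket(String host, int port) throws IOException {
        return createSocket(host, port, null, 0, null);
    }

    @Override
    public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException {
        return layer(socket, host, port, autoClose);
    }

    public static void main(String[] args) throws Exception {
        // Assumed: app-truststore.jks holds the CA that issued the target's certificate.
        ProtocolSocketFactory factory =
                new PinnedTrustStoreSocketFactory("app-truststore.jks", "changeit".toCharArray());
        // Replaces the https handler for every HttpClient in this JVM.
        Protocol.registerProtocol("https", new Protocol("https", factory, 443));

        HttpClient httpClient = new HttpClient();
        PostMethod postMethod = new PostMethod("https://example.com/endpoint"); // placeholder URL
        postMethod.setParameter("field", "value");
        try {
            int status = httpClient.executeMethod(postMethod);
            System.out.println("Response code: " + status);
        } finally {
            postMethod.releaseConnection();
        }
    }
}
```

On the expiry question: put the issuing CA certificate in that truststore rather than the server's leaf certificate, and the factory keeps working when the server renews its certificate; pin the leaf itself and the connection starts failing on the day it is rotated. Protocol.registerProtocol is a static, JVM-wide registry, so register the factory once at startup rather than per request.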

I came across two different implementations of SSL in the java space.

No you didn't. You came across the built-in JSSE and some stuff that Apache has built around it. The message 'unable to find valid certification path to requested target', for example, comes from JSSE, indeed from JCE.

The only other implementation of JSSE itself that I am aware of is in the IBM JVM.
