有关SSL的原理和介绍在网上已经有不少,对于Java下使用keytool生成证书,配置SSL通信的教程也非常多。但如果我们不能够亲自动手做一个SSL Sever和SSL Client,可能就永远也不能深入地理解Java环境下,SSL的通信是如何实现的。对SSL中的各种概念的认识也可能会仅限于可以使用的程度。本文通过构造一个简单的SSL Server和SSL Client来讲解Java环境下SSL的通信原理。
首先我们先回顾一下常规的Java Socket编程。在Java下写一个Socket服务器和客户端的例子还是比较简单的。以下是服务端的代码:
- package org.bluedash.tryssl;
- import java.io.BufferedReader;
- import java.io.IOException;
- import java.io.InputStreamReader;
- import java.io.PrintWriter;
- import java.net.ServerSocket;
- import java.net.Socket;
- publicclass Server extends Thread {
- private Socket socket;
- public Server(Socket socket) {
- this.socket = socket;
- }
- publicvoid run() {
- try {
- BufferedReader reader = new BufferedReader(new InputStreamReader(socket.getInputStream()));
- PrintWriter writer = new PrintWriter(socket.getOutputStream());
- String data = reader.readLine();
- writer.println(data);
- writer.close();
- socket.close();
- } catch (IOException e) {
- }
- }
- publicstaticvoid main(String[] args) throws Exception {
- while (true) {
- new Server((new ServerSocket(8080)).accept()).start();
- }
- }
- }
package org.bluedash.tryssl; import java.io.BufferedReader; import java.io.IOException; import java.io.InputStreamReader; import java.io.PrintWriter; import java.net.ServerSocket; import java.net.Socket; public class Server extends Thread { private Socket socket; public Server(Socket socket) { this.socket = socket; } public void run() { try { BufferedReader reader = new BufferedReader(new InputStreamReader(socket.getInputStream())); PrintWriter writer = new PrintWriter(socket.getOutputStream()); String data = reader.readLine(); writer.println(data); writer.close(); socket.close(); } catch (IOException e) { } } public static void main(String[] args) throws Exception { while (true) { new Server((new ServerSocket(8080)).accept()).start(); } } }
服务端很简单:侦听8080端口,并把客户端发来的字符串返回去。下面是客户端的代码:
- package org.bluedash.tryssl;
- import java.io.BufferedReader;
- import java.io.InputStreamReader;
- import java.io.PrintWriter;
- import java.net.Socket;
- publicclass Client {
- publicstaticvoid main(String[] args) throws Exception {
- Socket s = new Socket("localhost", 8080);
- PrintWriter writer = new PrintWriter(s.getOutputStream());
- BufferedReader reader = new BufferedReader(new InputStreamReader(s.getInputStream()));
- writer.println("hello");
- writer.flush();
- System.out.println(reader.readLine());
- s.close();
- }
- }
package org.bluedash.tryssl; import java.io.BufferedReader; import java.io.InputStreamReader; import java.io.PrintWriter; import java.net.Socket; public class Client { public static void main(String[] args) throws Exception { Socket s = new Socket("localhost", 8080); PrintWriter writer = new PrintWriter(s.getOutputStream()); BufferedReader reader = new BufferedReader(new InputStreamReader(s.getInputStream())); writer.println("hello"); writer.flush(); System.out.println(reader.readLine()); s.close(); } }
客户端也非常简单:向服务端发起请求,发送一个"hello"字串,然后获得服务端的返回。把服务端运行起来后,执行客户端,我们将得到"hello"的返回。
就是这样一套简单的网络通信的代码,我们来把它改造成使用SSL通信。在SSL通信协议中,我们都知道首先服务端必须有一个数字证书,当客户端连接到服务端时,会得到这个证书,然后客户端会判断这个证书是否是可信的,如果是,则交换信道加密密钥,进行通信。如果不信任这个证书,则连接失败。
因此,我们首先要为服务端生成一个数字证书。Java环境下,数字证书是用keytool生成的,这些证书被存储在store的概念中,就是证书仓库。我们来调用keytool命令为服务端生成数字证书和保存它使用的证书仓库:
- keytool -genkey -v -alias bluedash-ssl-demo-server -keyalg RSA -keystore ./server_ks -dname "CN=localhost,OU=cn,O=cn,L=cn,ST=cn,C=cn" -storepass server -keypass 123123
keytool -genkey -v -alias bluedash-ssl-demo-server -keyalg RSA -keystore ./server_ks -dname "CN=localhost,OU=cn,O=cn,L=cn,ST=cn,C=cn" -storepass server -keypass 123123
这样,我们就将服务端证书bluedash-ssl-demo-server保存在了server_ksy这个store文件当中。有关keytool的用法在本文中就不再多赘述。执行上面的命令得到如下结果:
- Generating 1,024 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 90 days
- for: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn
- [Storing ./server_ks]
Generating 1,024 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 90 days for: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn [Storing ./server_ks]
然后,改造我们的服务端代码,让服务端使用这个证书,并提供SSL通信:
- package org.bluedash.tryssl;
- import java.io.BufferedReader;
- import java.io.FileInputStream;
- import java.io.IOException;
- import java.io.InputStreamReader;
- import java.io.PrintWriter;
- import java.net.ServerSocket;
- import java.net.Socket;
- import java.security.KeyStore;
- import javax.net.ServerSocketFactory;
- import javax.net.ssl.KeyManagerFactory;
- import javax.net.ssl.SSLContext;
- import javax.net.ssl.SSLServerSocket;
- publicclass SSLServer extends Thread {
- private Socket socket;
- public SSLServer(Socket socket) {
- this.socket = socket;
- }
- publicvoid run() {
- try {
- BufferedReader reader = new BufferedReader(new InputStreamReader(socket.getInputStream()));
- PrintWriter writer = new PrintWriter(socket.getOutputStream());
- String data = reader.readLine();
- writer.println(data);
- writer.close();
- socket.close();
- } catch (IOException e) {
- }
- }
- privatestatic String SERVER_KEY_STORE = "/Users/liweinan/projs/ssl/src/main/resources/META-INF/server_ks";
- privatestatic String SERVER_KEY_STORE_PASSWORD = "123123";
- publicstaticvoid main(String[] args) throws Exception {
- System.setProperty("javax.net.ssl.trustStore", SERVER_KEY_STORE);
- SSLContext context = SSLContext.getInstance("TLS");
- KeyStore ks = KeyStore.getInstance("jceks");
- ks.load(new FileInputStream(SERVER_KEY_STORE), null);
- KeyManagerFactory kf = KeyManagerFactory.getInstance("SunX509");
- kf.init(ks, SERVER_KEY_STORE_PASSWORD.toCharArray());
- context.init(kf.getKeyManagers(), null, null);
- ServerSocketFactory factory = context.getServerSocketFactory();
- ServerSocket _socket = factory.createServerSocket(8443);
- ((SSLServerSocket) _socket).setNeedClientAuth(false);
- while (true) {
- new SSLServer(_socket.accept()).start();
- }
- }
- }
package org.bluedash.tryssl; import java.io.BufferedReader; import java.io.FileInputStream; import java.io.IOException; import java.io.InputStreamReader; import java.io.PrintWriter; import java.net.ServerSocket; import java.net.Socket; import java.security.KeyStore; import javax.net.ServerSocketFactory; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLServerSocket; public class SSLServer extends Thread { private Socket socket; public SSLServer(Socket socket) { this.socket = socket; } public void run() { try { BufferedReader reader = new BufferedReader(new InputStreamReader(socket.getInputStream())); PrintWriter writer = new PrintWriter(socket.getOutputStream()); String data = reader.readLine(); writer.println(data); writer.close(); socket.close(); } catch (IOException e) { } } private static String SERVER_KEY_STORE = "/Users/liweinan/projs/ssl/src/main/resources/META-INF/server_ks"; private static String SERVER_KEY_STORE_PASSWORD = "123123"; public static void main(String[] args) throws Exception { System.setProperty("javax.net.ssl.trustStore", SERVER_KEY_STORE); SSLContext context = SSLContext.getInstance("TLS"); KeyStore ks = KeyStore.getInstance("jceks"); ks.load(new FileInputStream(SERVER_KEY_STORE), null); KeyManagerFactory kf = KeyManagerFactory.getInstance("SunX509"); kf.init(ks, SERVER_KEY_STORE_PASSWORD.toCharArray()); context.init(kf.getKeyManagers(), null, null); ServerSocketFactory factory = context.getServerSocketFactory(); ServerSocket _socket = factory.createServerSocket(8443); ((SSLServerSocket) _socket).setNeedClientAuth(false); while (true) { new SSLServer(_socket.accept()).start(); } } }
可以看到,服务端的Socket准备设置工作大大增加了,增加的代码的作用主要是将证书导入并进行使用。此外,所使用的Socket变成了SSLServerSocket,另外端口改到了8443(这个不是强制的,仅仅是为了遵守习惯)。另外,最重要的一点,服务端证书里面的CN一定和服务端的域名统一,我们的证书服务的域名是localhost,那么我们的客户端在连接服务端时一定也要用localhost来连接,否则根据SSL协议标准,域名与证书的CN不匹配,说明这个证书是不安全的,通信将无法正常运行。
有了服务端,我们原来的客户端就不能使用了,必须要走SSL协议。由于服务端的证书是我们自己生成的,没有任何受信任机构的签名,所以客户端是无法验证服务端证书的有效性的,通信必然会失败。所以我们需要为客户端创建一个保存所有信任证书的仓库,然后把服务端证书导进这个仓库。这样,当客户端连接服务端时,会发现服务端的证书在自己的信任列表中,就可以正常通信了。
因此现在我们要做的是生成一个客户端的证书仓库,因为keytool不能仅生成一个空白仓库,所以和服务端一样,我们还是生成一个证书加一个仓库(客户端证书加仓库):
- keytool -genkey -v -alias bluedash-ssl-demo-client -keyalg RSA -keystore ./client_ks -dname "CN=localhost,OU=cn,O=cn,L=cn,ST=cn,C=cn" -storepass client -keypass 456456
keytool -genkey -v -alias bluedash-ssl-demo-client -keyalg RSA -keystore ./client_ks -dname "CN=localhost,OU=cn,O=cn,L=cn,ST=cn,C=cn" -storepass client -keypass 456456
结果如下:
- Generating 1,024 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 90 days
- for: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn
- [Storing ./client_ks]
Generating 1,024 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 90 days for: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn [Storing ./client_ks]
接下来,我们要把服务端的证书导出来,并导入到客户端的仓库。第一步是导出服务端的证书:
- keytool -export -alias bluedash-ssl-demo-server -keystore ./server_ks -file server_key.cer
keytool -export -alias bluedash-ssl-demo-server -keystore ./server_ks -file server_key.cer
执行结果如下:
- Enter keystore password: server
- Certificate stored in file <server_key.cer>
Enter keystore password: server Certificate stored in file <server_key.cer>
然后是把导出的证书导入到客户端证书仓库:
- keytool -import -trustcacerts -alias bluedash-ssl-demo-server -file ./server_key.cer -keystore ./client_ks
keytool -import -trustcacerts -alias bluedash-ssl-demo-server -file ./server_key.cer -keystore ./client_ks
结果如下:
- Enter keystore password: client
- Owner: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn
- Issuer: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn
- Serial number: 4c57c7de
- Valid from: Tue Aug 0315:40:14 CST 2010 until: Mon Nov 0115:40:14 CST 2010
- Certificate fingerprints:
- MD5: FC:D4:8B:36:3F:1B:30:EA:6D:63:55:4F:C7:68:3B:0C
- SHA1: E1:54:2F:7C:1A:50:F5:74:AA:63:1E:F9:CC:B1:1C:73:AA:34:8A:C4
- Signature algorithm name: SHA1withRSA
- Version: 3
- Trust this certificate? [no]: yes
- Certificate was added to keystore
Enter keystore password: client Owner: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn Issuer: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn Serial number: 4c57c7de Valid from: Tue Aug 03 15:40:14 CST 2010 until: Mon Nov 01 15:40:14 CST 2010 Certificate fingerprints: MD5: FC:D4:8B:36:3F:1B:30:EA:6D:63:55:4F:C7:68:3B:0C SHA1: E1:54:2F:7C:1A:50:F5:74:AA:63:1E:F9:CC:B1:1C:73:AA:34:8A:C4 Signature algorithm name: SHA1withRSA Version: 3 Trust this certificate? [no]: yes Certificate was added to keystore
好,准备工作做完了,我们来撰写客户端的代码:
- package org.bluedash.tryssl;
- import java.io.BufferedReader;
- import java.io.InputStreamReader;
- import java.io.PrintWriter;
- import java.net.Socket;
- import javax.net.SocketFactory;
- import javax.net.ssl.SSLSocketFactory;
- publicclass SSLClient {
- privatestatic String CLIENT_KEY_STORE = "/Users/liweinan/projs/ssl/src/main/resources/META-INF/client_ks";
- publicstaticvoid main(String[] args) throws Exception {
- // Set the key store to use for validating the server cert.
- System.setProperty("javax.net.ssl.trustStore", CLIENT_KEY_STORE);
- System.setProperty("javax.net.debug", "ssl,handshake");
- SSLClient client = new SSLClient();
- Socket s = client.clientWithoutCert();
- PrintWriter writer = new PrintWriter(s.getOutputStream());
- BufferedReader reader = new BufferedReader(new InputStreamReader(s
- .getInputStream()));
- writer.println("hello");
- writer.flush();
- System.out.println(reader.readLine());
- s.close();
- }
- private Socket clientWithoutCert() throws Exception {
- SocketFactory sf = SSLSocketFactory.getDefault();
- Socket s = sf.createSocket("localhost", 8443);
- return s;
- }
- }
package org.bluedash.tryssl; import java.io.BufferedReader; import java.io.InputStreamReader; import java.io.PrintWriter; import java.net.Socket; import javax.net.SocketFactory; import javax.net.ssl.SSLSocketFactory; public class SSLClient { private static String CLIENT_KEY_STORE = "/Users/liweinan/projs/ssl/src/main/resources/META-INF/client_ks"; public static void main(String[] args) throws Exception { // Set the key store to use for validating the server cert. System.setProperty("javax.net.ssl.trustStore", CLIENT_KEY_STORE); System.setProperty("javax.net.debug", "ssl,handshake"); SSLClient client = new SSLClient(); Socket s = client.clientWithoutCert(); PrintWriter writer = new PrintWriter(s.getOutputStream()); BufferedReader reader = new BufferedReader(new InputStreamReader(s .getInputStream())); writer.println("hello"); writer.flush(); System.out.println(reader.readLine()); s.close(); } private Socket clientWithoutCert() throws Exception { SocketFactory sf = SSLSocketFactory.getDefault(); Socket s = sf.createSocket("localhost", 8443); return s; } }
可以看到,除了把一些类变成SSL通信类以外,客户端也多出了使用信任证书仓库的代码。以上,我们便完成了SSL单向握手通信。即:客户端验证服务端的证书,服务端不认证客户端的证书。
以上便是Java环境下SSL单向握手的全过程。因为我们在客户端设置了日志输出级别为DEBUG:
- System.setProperty("javax.net.debug", "ssl,handshake");
System.setProperty("javax.net.debug", "ssl,handshake");
因此我们可以看到SSL通信的全过程,这些日志可以帮助我们更具体地了解通过SSL协议建立网络连接时的全过程。
结合日志,我们来看一下SSL双向认证的全过程:
第一步: 客户端发送ClientHello消息,发起SSL连接请求,告诉服务器自己支持的SSL选项(加密方式等)。
- *** ClientHello, TLSv1
*** ClientHello, TLSv1
第二步: 服务器响应请求,回复ServerHello消息,和客户端确认SSL加密方式:
- *** ServerHello, TLSv1
*** ServerHello, TLSv1
第三步: 服务端向客户端发布自己的公钥。
第四步: 客户端与服务端的协通沟通完毕,服务端发送ServerHelloDone消息:
- *** ServerHelloDone
*** ServerHelloDone
第五步: 客户端使用服务端给予的公钥,创建会话用密钥(SSL证书认证完成后,为了提高性能,所有的信息交互就可能会使用对称加密算法),并通过ClientKeyExchange消息发给服务器:
- *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
第六步: 客户端通知服务器改变加密算法,通过ChangeCipherSpec消息发给服务端:
- main, WRITE: TLSv1 Change Cipher Spec, length = 1
main, WRITE: TLSv1 Change Cipher Spec, length = 1
第七步: 客户端发送Finished消息,告知服务器请检查加密算法的变更请求:
- *** Finished
*** Finished
第八步:服务端确认算法变更,返回ChangeCipherSpec消息
- main, READ: TLSv1 Change Cipher Spec, length = 1
main, READ: TLSv1 Change Cipher Spec, length = 1
第九步:服务端发送Finished消息,加密算法生效:
- *** Finished
*** Finished
那么如何让服务端也认证客户端的身份,即双向握手呢?其实很简单,在服务端代码中,把这一行:
- ((SSLServerSocket) _socket).setNeedClientAuth(false);
((SSLServerSocket) _socket).setNeedClientAuth(false);
改成:
- ((SSLServerSocket) _socket).setNeedClientAuth(true);
((SSLServerSocket) _socket).setNeedClientAuth(true);
就可以了。但是,同样的道理,现在服务端并没有信任客户端的证书,因为客户端的证书也是自己生成的。所以,对于服务端,需要做同样的工作:把客户端的证书导出来,并导入到服务端的证书仓库:
- keytool -export -alias bluedash-ssl-demo-client -keystore ./client_ks -file client_key.cer
- Enter keystore password: client
- Certificate stored in file <client_key.cer>
keytool -export -alias bluedash-ssl-demo-client -keystore ./client_ks -file client_key.cer Enter keystore password: client Certificate stored in file <client_key.cer>
- keytool -import -trustcacerts -alias bluedash-ssl-demo-client -file ./client_key.cer -keystore ./server_ks
- Enter keystore password: server
- Owner: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn
- Issuer: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn
- Serial number: 4c57c80b
- Valid from: Tue Aug 0315:40:59 CST 2010 until: Mon Nov 0115:40:59 CST 2010
- Certificate fingerprints:
- MD5: DB:91:F4:1E:65:D1:81:F2:1E:A6:A3:55:3F:E8:12:79
- SHA1: BF:77:56:61:04:DD:95:FC:E5:84:48:5C:BE:60:AF:02:96:A2:E1:E2
- Signature algorithm name: SHA1withRSA
- Version: 3
- Trust this certificate? [no]: yes
- Certificate was added to keystore
keytool -import -trustcacerts -alias bluedash-ssl-demo-client -file ./client_key.cer -keystore ./server_ks Enter keystore password: server Owner: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn Issuer: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn Serial number: 4c57c80b Valid from: Tue Aug 03 15:40:59 CST 2010 until: Mon Nov 01 15:40:59 CST 2010 Certificate fingerprints: MD5: DB:91:F4:1E:65:D1:81:F2:1E:A6:A3:55:3F:E8:12:79 SHA1: BF:77:56:61:04:DD:95:FC:E5:84:48:5C:BE:60:AF:02:96:A2:E1:E2 Signature algorithm name: SHA1withRSA Version: 3 Trust this certificate? [no]: yes Certificate was added to keystore
完成了证书的导入,还要在客户端需要加入一段代码,用于在连接时,客户端向服务端出示自己的证书:
- package org.bluedash.tryssl;
- import java.io.BufferedReader;
- import java.io.FileInputStream;
- import java.io.InputStreamReader;
- import java.io.PrintWriter;
- import java.net.Socket;
- import java.security.KeyStore;
- import javax.net.SocketFactory;
- import javax.net.ssl.KeyManagerFactory;
- import javax.net.ssl.SSLContext;
- import javax.net.ssl.SSLSocketFactory;
- publicclass SSLClient {
- privatestatic String CLIENT_KEY_STORE = "/Users/liweinan/projs/ssl/src/main/resources/META-INF/client_ks";
- privatestatic String CLIENT_KEY_STORE_PASSWORD = "456456";
- publicstaticvoid main(String[] args) throws Exception {
- // Set the key store to use for validating the server cert.
- System.setProperty("javax.net.ssl.trustStore", CLIENT_KEY_STORE);
- System.setProperty("javax.net.debug", "ssl,handshake");
- SSLClient client = new SSLClient();
- Socket s = client.clientWithCert();
- PrintWriter writer = new PrintWriter(s.getOutputStream());
- BufferedReader reader = new BufferedReader(new InputStreamReader(s.getInputStream()));
- writer.println("hello");
- writer.flush();
- System.out.println(reader.readLine());
- s.close();
- }
- private Socket clientWithoutCert() throws Exception {
- SocketFactory sf = SSLSocketFactory.getDefault();
- Socket s = sf.createSocket("localhost", 8443);
- return s;
- }
- private Socket clientWithCert() throws Exception {
- SSLContext context = SSLContext.getInstance("TLS");
- KeyStore ks = KeyStore.getInstance("jceks");
- ks.load(new FileInputStream(CLIENT_KEY_STORE), null);
- KeyManagerFactory kf = KeyManagerFactory.getInstance("SunX509");
- kf.init(ks, CLIENT_KEY_STORE_PASSWORD.toCharArray());
- context.init(kf.getKeyManagers(), null, null);
- SocketFactory factory = context.getSocketFactory();
- Socket s = factory.createSocket("localhost", 8443);
- return s;
- }
- }
package org.bluedash.tryssl; import java.io.BufferedReader; import java.io.FileInputStream; import java.io.InputStreamReader; import java.io.PrintWriter; import java.net.Socket; import java.security.KeyStore; import javax.net.SocketFactory; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSocketFactory; public class SSLClient { private static String CLIENT_KEY_STORE = "/Users/liweinan/projs/ssl/src/main/resources/META-INF/client_ks"; private static String CLIENT_KEY_STORE_PASSWORD = "456456"; public static void main(String[] args) throws Exception { // Set the key store to use for validating the server cert. System.setProperty("javax.net.ssl.trustStore", CLIENT_KEY_STORE); System.setProperty("javax.net.debug", "ssl,handshake"); SSLClient client = new SSLClient(); Socket s = client.clientWithCert(); PrintWriter writer = new PrintWriter(s.getOutputStream()); BufferedReader reader = new BufferedReader(new InputStreamReader(s.getInputStream())); writer.println("hello"); writer.flush(); System.out.println(reader.readLine()); s.close(); } private Socket clientWithoutCert() throws Exception { SocketFactory sf = SSLSocketFactory.getDefault(); Socket s = sf.createSocket("localhost", 8443); return s; } private Socket clientWithCert() throws Exception { SSLContext context = SSLContext.getInstance("TLS"); KeyStore ks = KeyStore.getInstance("jceks"); ks.load(new FileInputStream(CLIENT_KEY_STORE), null); KeyManagerFactory kf = KeyManagerFactory.getInstance("SunX509"); kf.init(ks, CLIENT_KEY_STORE_PASSWORD.toCharArray()); context.init(kf.getKeyManagers(), null, null); SocketFactory factory = context.getSocketFactory(); Socket s = factory.createSocket("localhost", 8443); return s; } }
通过比对单向认证的日志输出,我们可以发现双向认证时,多出了服务端认证客户端证书的步骤:
- *** CertificateRequest
- Cert Types: RSA, DSS
- Cert Authorities:
- <CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn>
- <CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn>
- *** ServerHelloDone
*** CertificateRequest Cert Types: RSA, DSS Cert Authorities: <CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn> <CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn> *** ServerHelloDone
- *** CertificateVerify
- main, WRITE: TLSv1 Handshake, length = 134
- main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** CertificateVerify main, WRITE: TLSv1 Handshake, length = 134 main, WRITE: TLSv1 Change Cipher Spec, length = 1
在 @*** ServerHelloDone@ 之前,服务端向客户端发起了需要证书的请求 @*** CertificateRequest@ 。
在客户端向服务端发出 @Change Cipher Spec@ 请求之前,多了一步客户端证书认证的过程 @*** CertificateVerify@ 。
客户端与服务端互相认证证书的情景,可参考下图:
参考资料:
fn1. Tomcat双向SSL认证的配置 - http://www.javaeedev.com/blog/article.jspx?articleId=ff808081198fb524011993a9bb7a029a
fn2. Understanding SSL - http://developerspoint.wordpress.com/2008/06/21/understanding-ssl/
fn3. Change Cipher Spec Protocol - http://www.pierobon.org/ssl/ch2/ccs.htm
fn4. SSL & TLS Essentials: Securing the Web - http://www.amazon.com/SSL-TLS-Essentials-Securing-Web/dp/0471383546/ref=sr_1_1?ie=UTF8&s=books&qid=1280891641&sr=8-1
相关推荐
这是我学习apache mina框架中研究ssl过滤器u做的一个测试的例子。希望对于刚刚学习mina框架的朋友有所帮助。如果有什么疑问可以发送到我的emai:pengli.bj@163.com与我联系
默认开启了SSL解密(但是超级卡),如果只是开启socks5动态转发就不卡 .版本 2 .子程序 __ssl_server_object_decrypt_data, 逻辑型 .参数 ssl_object, 整数型 .参数 ssl_data, 字节集 ...此源码仅用于学习与研究!
这是作者用了一周时间研究出来的,里面包含了Apache的安装程序,tomcat免安装版以及文档说明,只要按照文档说宁一步步就做,就能轻松实现。在网上找个很多关于这方面的文章,但天下文章一大抄,基本都是雷同的,很...
「大数据」基于深度学习的SSL证书验证程序的自动化测试 - 安全人才 安全研究 网站安全 数据库安全 防火墙 安全意识
为了便于评估和公平比较,我们正在尝试建立一个半监督医学图像分割基准,以促进医学影像计算社区中的半监督学习研究。如果您有兴趣,可以随时将实现或想法推送到此存储库。 该项目最初是为我们以前的工作开发的,...
该项目仅发布供学术研究使用。 开始使用 克隆仓库: git clone https://github.com/chanyn/3Dpose_ssl.git 或直接从中下载(包括cuda-8.0下的数据集和经过良好编译的caffe) 我们的代码组织如下: caffe-3dssl/: ...
STAC是一种简单而有效的SSL框架,用于视觉对象检测以及数据增强策略。 STAC可以从未标记的图像中部署高度自信的本地化对象伪标签,并通过强增强来增强一致性,从而更新模型。 此代码仅用于研究。这不是Google的官方...
半监督学习(SSL)提供了一种通过利用大量未标记数据来缓解此问题的解决方案。 在本文中,我们提出了一种使用师生模型进行人声旋律提取的SSL方法。 教师模型经过预先标记的数据训练,并指导学生模型在自训练设置中...
为了解决这些问题,自监督学习 (SSL) 通过精心设计的借口任务提取信息知识,而不依赖于手动标签,已成为图数据的一种有前途和趋势的学习范式。与计算机视觉和自然语言处理等其他领域中的 SSL 不同,图上的 SSL 具有...
这款小程序源码是驾考辅助学习的,默认里面包含了几万道驾考题目,不懂的可以直接拍照识别出解答,还支持模拟等等,支持付费和流量主两种模式,总体功能不错,这个是三月新版,有需要的可以下载学习研究!...
该项目的目的是促进半监督学习在像素视觉任务上的研究和应用。 PixelSSL提供两个主要功能: 用于实现新的半监督算法的接口 用于封装各种计算机视觉任务的模板 结果,PixelSSL中集成的SSL算法与从给定模板继承的...
数据:text/JDMilk.arff[tf-idf] 测试标准:准确率(Accuracy) 环境配置:python2.7 scikit,numpy,scipy docker 监督学习(SL)的分类器选择: 选择标准:能够输出后验...半监督学习(SSL):1.Self-Training 2.Co-Training
通过深入研究网络类别不平衡的原因,选择SMOTE(synthetic minority over-sampling technique)过抽样方法对数据集进行预处理,并充分利用特征匹配高准确性的优点识别和分拣出SSL 加密流,进而利用基于互信息最大化...
SELD是指对有时间重叠的多种不同类型事件进行检测和分类(SED),并估计声音场景中某些感兴趣的声音事件的源位置或到达方向(SSL)。如何更准确地进行SELD越来越成为一项重点研究课题,每年一度的DCASE挑战赛自2019...
微信H5纸牌源码开放给开发程序员研究学习参考。 基于Tinkphp框架+MySQL,程序完全开源,可供程序员参考研究。 环境要求: Linux/Windows均可 PHP 5.6以上,建议使用PHP 7 MYSQL 5.5.x Php环境要求ssl,需要一个证书...
提出了一种采用拓扑学习神经网络进行度量学习和嵌入的框架。... 在一个实验中,所提出的度量学习与支持向量机结合使用来解决半监督学习(SSL)问题。 结果表明,我们提出的方法提高了SSL实验中的分类精度。
使用深度生成模型重现我们的 NIPS 2014 论文关于半监督学习 (SSL) 的一些关键结果的代码。 DP Kingma、DJ Rezende、S. Mohamed、M. Welling 具有深度生成模型的半监督学习神经信息处理系统的进展 27 ( NIPS 2014 )...
主要功能类型:基本 URL 组件、域名信息、含量分析、路径和查询参数、SSL证书详细信息、主机声誉、网络功能、机器学习派生的功能、行为特征。 研究人员和数据科学家可以利用此数据集来开发和基准测试 URL 检测模型,...
3、SSL通讯,这类源码在论坛上不少了,2010年之前东灿大神就发过,他的源码也是我开始学习openssl第一部教程,不过可惜的是论坛上几乎所有openssl通讯源码都或多或少有点问题,基本上没法用于生产环境,所以这次改写...