SSL handshake on a Java client

Posted on 2024-08-29 15:27:23

I have a very basic doubt in SSL HandShake. Assume that we have a server S which uses self-signed certificates. I write a Java client C which connects to S. When C connects to S, C gets certificates from S and saves them to its truststore and the remaining part of the communication proceeds. After some time I use the same C to connect to S, so will S send the certificates again to C, or will C use the certificates already stored in its truststore? I am not good at SSL and the underlying implementation of Truststore functionality in Java.

Will S send the certificates to C regardless of whether C has certificates in its truststore? I believe that if I have certificates in the truststore, C trusts S and C will not ask for certificates when I connect again? Is my assumption right?

Is the process the same for self-signed certificates and CA certificates?

Thanks in advance.

Comments (1)

新一帅帅 2024-09-05 15:27:23

This is my understanding of SSL, I am not an expert in the subject, but in the absence of other answers hopefully I can at least give you some things to think about.

When you create a self signed certificate for the server you need to add this to the client somehow, it doesn't get installed as soon as the client connects, otherwise any server could just become trusted by sending a self signed certificate to anything that tries to connect to it. In my application the server certificate is loaded into the truststore of the client when it is started up by specifying javax.net.ssl.truststore("path/to/server/cert");

Now, when the client connects to the server the handshake takes place. At this point the server will send its certificate to the client and the client will confirm that it has in fact come from the server by checking it against its truststore (at this point it doesn't matter if it is self-signed or not, because the client should check the root certificates as well as any you have added). If the certificate sent by the server checks out the communication continues and data is shared.

There is some form of session behaviour that takes place that allows the communication to proceed without having to exchange certificates every time. But I believe this is limited to the single connection, so as soon as you close the connection and create a new one the process has to be repeated, i.e. the server has to send its certificate for validation again.

So in summary: the self-signed server certificate has to be installed on the client outwith the SSL communication (like how root CA certificates are installed in a product from the start).
Every SSL connection made between client and server will require the server to send its certificate to the client so that it can check it against its truststore.

It is possible that the server will allow for sessions to be resumed, in which case the certificate will not be resent (but I am not sure under what conditions a session can be resumed, perhaps that is configurable on different servers).

Hope this at least gives you something to think about.
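
The behaviour discussed in this thread can be observed with a small client. This is an added example, not code from the question or the answer: it trusts only S's certificate, loaded from a file obtained out of band, and handshakes twice. The class name, the alias and the three command-line arguments (host, port, certificate path) are hypothetical, and Java 17 or later is assumed for HexFormat.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HexFormat;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class PinnedSelfSignedClient {
    // Build an SSLContext whose truststore holds only the certificate in certPath (PEM or DER).
    static SSLContext contextTrusting(String certPath) throws Exception {
        Certificate serverCert;
        try (InputStream in = new FileInputStream(certPath)) {
            serverCert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                 // start from an empty in-memory store
        trustStore.setCertificateEntry("server-s", serverCert);  // hypothetical alias
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Handshake once and report the session id, its creation time and the peer certificate.
    static void connect(SSLContext ctx, String host, int port) throws Exception {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();  // SSLHandshakeException if the certificate is not trusted
            SSLSession session = s.getSession();
            X509Certificate peer = (X509Certificate) session.getPeerCertificates()[0];
            System.out.printf("session=%s created=%d peer=%s%n",
                HexFormat.of().formatHex(session.getId()),
                session.getCreationTime(), peer.getSubjectX500Principal());
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical arguments: host, port, path to S's certificate file.
        SSLContext ctx = contextTrusting(args[2]);
        int port = Integer.parseInt(args[1]);
        connect(ctx, args[0], port);  // first connection: validated against the truststore
        connect(ctx, args[0], port);  // same context: may reuse a cached session if S allows it
    }
}
```

Nothing is written to the truststore during either handshake; the client only reads from it. A plain SSLSocket does not check the host name unless an endpoint identification algorithm is set through SSLParameters.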
