未签名的小程序可以与 CA 认证的 SSL 服务器通信吗?
我们有一个未签名的小程序,它与流媒体服务器通信(不是 HTTPS,只是套接字,但这并不重要)。使用普通 TCP/IP 一切都很好,但是当我尝试按通常方式使用 SSL 时:
SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(host, port);
// initiate the handshake (blocks)
sslsocket.getSession();
在握手期间出现异常。为了便于开发和测试,我作为应用程序运行,但仍然出现异常。
将证书添加到密钥库可以解决此问题,但我们希望部署到数千个客户端,而无需手动干预。
在网上搜索了好几天 - 每次提及都以“将证书添加到密钥库”结束,但通常与自签名证书有关。在本例中,我们已经获得了 pukka 证书(试用版,但位于 Java 的 CA 列表中 - 具体来说是 digicert)。
简而言之,小程序是否可以与具有 CA 签名证书的服务器进行 SSL 通信,而无需将该证书添加到密钥库中?
我想到的一个想法是在包含小程序的 JAR 中添加证书或密钥库。未签名的小程序可以读取并安装这样的证书/密钥库吗?
谢谢,
We have an unsigned applet that talks to a streaming server (not HTTPS, just socket-socket, but that is not important). All is fine using plain TCP/IP, but when I try to use SSL by the usual:
SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(host, port);
// initiate the handshake (blocks)
sslsocket.getSession();
I get an exception during the handshaking. For ease of development and testing, am running as an application, but still get the exception.
Adding the certificate to the keystore fixes this, but we wish to deploy to thousands of clients, without manual intervention.
Have searched the web for days - every mention ends up with "add the certificate to the keystore" but is usually relating to a self-signed certificate. In this case, we've got a pukka certificate (a trial, but is in Java's CA list - digicert to be specific).
In short, can an applet talk SSL to a server that has a CA signed certificate, without having to add that certificate to the keystore?
One idea that comes to mind is adding the certificates or keystore within the JAR that contains the applet. Can an unsigned applet read and install such a certificate/keystore?
thanks,
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
将 SSL 与证书结合使用的想法是,我(在本例中是小程序)可以确定我在与谁交谈 - 并且没有中间人试图拦截我。为此,我必须拥有我信任的人的一些证书,而该人又证明服务器的身份。
该证书可以位于 Java 插件的密钥库(或 JRE 或用户密钥库)中,或者您可以向 SSL 引擎提供带有受信任密钥的自己的密钥库,如下所示(来自 我的项目,因此带有德语注释):
这样,SSL 客户端可以将发送的证书与给定密钥库中的证书进行比较,并且如果某些匹配,则接受连接。 (我们在这里提供了我们的私有 CA 的自签名证书,它还对服务器密钥进行了签名。)
当然,这只会改变基本问题:现在您必须确保您的小程序(即 jar 中的密钥库)是在执行之前不会被中间人修改,而不是确保每个人都已经安装了正确的证书。因此,您应该仅使用 HTTPS(并且从 HTTPS 页面)交付您的小程序,以获得最大的安全性。
The idea of using SSL with certificates is that I (in this case the applet) can be certain to who I talk - and no man-in-the-middle is trying to intercept me. For this, it is necessary I already have some certificate of someone I trust, who is in turn certificating the server its identity.
This certificate can either be in the keystore of the Java Plugin (or JRE or user keystore), or you can provide your own keystore with trusted keys to the SSL-engine, like this (copy of source from my project, thus with german comments):
This way, the SSL client can compare the sent certificates with the certificates in the given keystore, and if some is matching, the connection is accepted. (We ship here a self-signed certificate of our private CA, which also signs the server-keys.)
Of course, this only shifts the basic problem: now you have to make sure your applet (i.e. the keystore in the jar) is not modified by some man-in-the-middle before execution, instead of making sure everyone has the right certificate already installed. So you should deliver your applet only with HTTPS (and from a HTTPS page) for maximum security.
我没有遇到过部署“与具有 CA 签名证书的服务器对话 SSL 的小程序”的情况,但我遇到过部署需要签名的 Java Webstart 应用程序的类似情况,以便允许在沙箱(在客户端计算机上写入和读取文件);我们必须将其部署给数十个客户。
如果我没记错的话,过程并不困难(你可以google一下)。您可以创建自己的证书,但有些人会对有关“未知来源”签名的证书的警告感到恼火。
最好使用知名的 CA 机构,例如 VeriSign 或 Thawte。尽管 CA 提供相同的东西:证书,但它们的价格差异很大。
威瑞信是所有 CA 中最知名的,也是最昂贵的。如果您联系他们,他们将帮助您并指导您完成整个过程,并提供出色的技术支持。例如,他们提供有关适当的加密强度、如何安装在您的小程序、服务器等中的信息。另外,您可以将他们的徽标放在您的网站上,他们会向您发送 T 恤、漂亮的日历和其他好东西每年 :)
其他提供商,例如 Thawte,比 Verisign 便宜得多(有时是一半或更少)。我没有和他们合作过,所以我无法判断他们的服务质量如何。
顺便说一句:域名和子域名与证书匹配非常重要。如果您请求域 www.mydomain.com 的证书,并且尝试从 www2.mydomain.com 加载小程序,则它将无法工作。威瑞信和其他公司为多个或无限的子域提供特殊价格。
我希望这有帮助。保重,
路易斯
I haven't been in the situation of deploying "an applet talk SSL to a server that has a CA signed certificate", but I have been in a similar situation of deploying a Java Webstart application requiring signing in order to allow operations out of the sandbox (write and read files on the client machine); we had to deploy it to dozens of customers.
If I remember correctly, the procedure is not difficult (you can google around). You can create your own certificate, but some people will get annoyed with warnings about a certificate signed by "unknown sources."
It is better to use a well know CA authority, for example, VeriSign or Thawte. The CA vary a lot in prices, even though they provide the same thing: certificates.
Verisign is the best known of all CA, and the most expensive. If you contact them, they will help you and guide you through the process, and provide excellent tech support. For example, they provide info about the appropriate strength of the encryption, how install in your applet, server, etc. Plus, you can put their logo on your site, and they send you a t-shirts, nice calendars, and other goodies every year :)
Other providers, such as Thawte, are much cheaper (sometimes half or less) than Verisign. I haven't worked with them, so I can't tell what is the quality of their service.
By the way: it's very important, that the domain and subdomain matches the certificate. If you requested a certificate for domain www.mydomain.com and you try to load the applet from www2.mydomain.com, it will not work. Verisign and other companies provides especial prices for multiple, or unlimited, subdomains.
I hope this helps. Take care,
Luis