How and when to use ClientCert in the CFHTTP tag?
The ColdFusion documentation is weak on how and when to use it. What does it do? How does one use it?
Update: it seems to be broken, as outlined in Washing Client Certs in ColdFusion with SOAP – Part 2.
problems with CFHTTP handling SSLv3 sessions
Comments (2)
Client certificates are a bit of a pain because of the overhead involved in using them.
As Jura says, you'll need a target server that uses client certificates as a mechanism for authentication. This server side piece does not need to be CF-based. The web server (IIS, for example) would be set up to require this. This is part of the SSL/TLS protocol, not specific to any language at the application level.
You would use this if the server you are requesting a resource from requires client certificates. The administrator of that server would need to give you the client certificate and private key ahead of time. As mentioned by user349433, this is commonly a PKCS12 (.p12 or .pfx) file.
The server will validate that the client certificate is "trusted" and if it is, it will allow the TLS/SSL handshake to proceed, and CF will be able to write the HTTP request on top of it.
The use case today is to prevent man-in-the-middle attacks, but because of the overhead involved with certificate distribution, revocation, etc., it's not terribly common.
If you want to know more about it, check out the TLS 1.1 specification:
https://www.rfc-editor.org/rfc/rfc4346
https://www.rfc-editor.org/rfc/rfc4346#section-7.4.6
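As an added illustration (not code from either answer), this is how the PKCS12 bundle described above is handed to the CFHTTP tag; the host, the file path and the password are placeholders:

```cfml
<!--- Added example, not from the original answers. Placeholders: the host, the
      path to the PKCS12 bundle and its password. The bundle (certificate plus
      private key) is the file the target server's administrator gives you. --->
<cfset certPath = expandPath("./certs/client.p12")>
<cfset certPass = "CHANGE_ME">   <!--- load from a secrets store in real code --->

<!--- clientCert / clientCertPassword tell cfhttp which PKCS12 file to present
      during the TLS handshake. Whether it is accepted is the server's decision:
      its web server (IIS, Apache, ...) must be configured to require client
      certificates and to trust the CA that issued this one. --->
<cfhttp url="https://api.example.com/secure/resource"
        method="get"
        clientCert="#certPath#"
        clientCertPassword="#certPass#"
        timeout="30"
        result="res" />

<cfif res.statusCode contains "200">
    <!--- Handshake succeeded and the server authenticated this client. --->
    <cfoutput>#res.fileContent#</cfoutput>
<cfelseif res.statusCode contains "Connection Failure">
    <!--- Typical when the handshake itself fails: the server rejected the
          certificate, the bundle could not be opened with the supplied
          password, or no common protocol version was negotiated.
          res.errorDetail carries the underlying reason. --->
    <cfoutput>Connection or TLS handshake failed: #res.errorDetail#</cfoutput>
<cfelseif res.statusCode contains "403">
    <!--- The TCP/TLS connection worked but the server did not accept the
          presented identity (IIS, for example, reports this as a 403 substatus). --->
    <cfoutput>Server refused the client certificate: #res.statusCode#</cfoutput>
<cfelse>
    <cfoutput>Unexpected response: #res.statusCode#</cfoutput>
</cfif>
```

Because cfhttp does not throw by default, checking res.statusCode and res.errorDetail is the only way to tell a rejected certificate apart from an ordinary HTTP error.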
You use a client certificate if the target server uses that mechanism for authentication. You'll need to obtain a specific client certificate from the service provider in order to be able to connect to the service. It was used for some internet banking applications back in the day, I believe. Not sure what the use case is for it today; maybe distributed corporate networks where you need to connect to a corporate server over the internet in a highly secure manner?