SSL certificates for a Delphi application - are they required to enable security?

Posted 2024-11-19 06:01:28


So I've just installed XAMPP today, and I noticed that the index.php had a check to see if it was accessed through HTTPS. Before that, I thought that in order to use SSL security, you need a certificate, but I am in doubt now.

At this point (Please do correct me, that is the whole point of this question!), my own research has led me to believe that the Certificate only provides information about the location you are accessing. If no Cert is found, it is up to the client to determine if he/she trusts the connection.

The XAMPP index page contains this check:

<?php
    if (!empty($_SERVER['HTTPS']) && ('on' == $_SERVER['HTTPS'])) {
        $uri = 'https://';
    } else {
        $uri = 'http://';
    }
    $uri .= $_SERVER['HTTP_HOST'];
    header('Location: '.$uri.'/xampp/');
    exit;
?>

Alright, so I access my Localhost through https://localhost, and the Firefox "Do you trust this website?" page appeared (and the question is: Can I trust myself? ;) ).

After that, I created my own little test.php, with the following code:

<?php
  // Send the response as plain text so the echoed form values are shown
  // literally rather than interpreted as HTML by a browser.
  header('Content-Type: text/plain; charset=utf-8');
  echo "Hi. \n";
  if (isset($_POST['firstname']) && isset($_POST['lastname']))
  {
    echo "Your Firstname is ".$_POST['firstname']." and your Lastname is ".$_POST['lastname'];
    echo "\r\n\r\n";
    // $_SERVER['HTTPS'] is set by Apache when this request arrived over TLS
    if (!empty($_SERVER['HTTPS']) && ('on' == $_SERVER['HTTPS'])) {
        echo "You are using SSL, arentcha? :)";
    } else {
        echo "Hmm.. No SSL!";
    }
  }
?>

I then created a Delphi application that connects to http://localhost/test.php, and to https://localhost/test.php, as well as http://jeffijoe.com/test.php and https://jeffijoe.com/test.php with the TIdHTTP control (and for the SSL, I hooked up a TIdSSLIOHandlerSocketOpenSSL to the TIdHTTP's IOHandler property).

Here is the code for that:

var
  Src: TStringList;
  location: String;
  Protocol: String;   // was used below without being declared
begin
  if RadioButton1.Checked then
    location := 'localhost'
  else
    location := 'jeffijoe.com';

  if RadioButton3.Checked then
    Protocol := 'http'
  else
    Protocol := 'https';

  Memo1.Clear;

  Src := TStringList.Create;
  try
    Src.Add('firstname=Jeff&lastname=Hansen');
    // IdHTTP1 is expected to have a TIdSSLIOHandlerSocketOpenSSL assigned
    // to its IOHandler property for the https case
    Memo1.Text := IdHTTP1.Post(Protocol + '://' + location + '/test.php', Src);
  finally
    Src.Free;
  end;
end;

Here are the results:

http://localhost/test.php - Expected output

https://localhost/test.php - Expected output (It acknowledges I am using HTTPS!)

http://jeffijoe.com/test.php - Expected output

https://jeffijoe.com/test.php - Fail! 404 Not Found!

My jeffijoe.com is hosted on a regular shared hosting account.

So - the questions are: Was the HTTPS to Localhost truly "secure"? And how come the HTTPS connection to the Jeffijoe.com location failed, when it didn't on my Localhost? How about the Certificates? Are they required? Is it possible to set up the secured connection without having to purchase an overpriced certificate?


Comments (1)

执笏见 2024-11-26 06:01:28


The connection is safe from sniffers, i.e. what goes over the wire is encrypted. But as the certificate is self-signed, there is no guarantee that the other side is really who they pretend to be; that's exactly the point of certificates: a third party guarantees that the other side has been verified to be who they pretend to be.

The reason it worked on your local XAMPP box is that it carries a so-called self-signed certificate, and the server infrastructure to manage https communications, both of which are more than probably lacking on your hosted site.

In the end it depends on what you want to achieve: if the communication just has to be safe from sniffing, self-signed certificates work just fine. If you need to prove you are who you pretend to be, you need a certificate issued by a specialized company.

EDIT: to make this exercise more interesting: the cert system can work both ways, i.e. the server proves to you that it is genuine, and thanks to a so-called client certificate you can prove to the server you are who you pretend to be. Depending on your use case exploring client-side certificates could be quite useful, but be warned it's not easy.
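The answer's distinction between "encrypted" and "verified" shows up directly in the asker's Delphi client: TIdSSLIOHandlerSocketOpenSSL ships with SSLOptions.VerifyMode empty, so the self-signed localhost certificate was accepted without any check, which is why the HTTPS request "just worked" there. The example below is added here and is not code from the question, the answer, or the Indy project; it shows how to switch verification on, pin your own self-signed certificate as the trusted root, and (for the client-certificate case in the EDIT) present a client certificate. The class name, the file paths, and the OnVerifyPeer signature (the four-argument form used by recent Indy 10 releases) are assumptions.

```pascal
uses
  SysUtils, Classes, IdHTTP, IdSSLOpenSSL;

type
  // TIdHTTP plus an OpenSSL IOHandler that actually validates the server
  // certificate. Hypothetical class, not part of Indy or the original post.
  TVerifiedHttpsClient = class
  private
    FHTTP: TIdHTTP;
    FIO: TIdSSLIOHandlerSocketOpenSSL;
    FLastVerifyError: Integer;
    function VerifyPeer(Certificate: TIdX509; AOk: Boolean;
      ADepth, AError: Integer): Boolean;
  public
    // ACABundle: PEM file with the CA(s) you trust. For your own self-signed
    // localhost server this is simply the server certificate itself, which
    // turns the browser's "do you trust this site?" prompt into an explicit pin.
    // AClientCert/AClientKey: optional PEM client certificate and private key.
    constructor Create(const ACABundle: String;
      const AClientCert: String = ''; const AClientKey: String = '');
    destructor Destroy; override;
    function PostForm(const AURL: String; const AFields: TStrings): String;
    property LastVerifyError: Integer read FLastVerifyError;
  end;

constructor TVerifiedHttpsClient.Create(const ACABundle, AClientCert,
  AClientKey: String);
begin
  inherited Create;
  FHTTP := TIdHTTP.Create(nil);
  FIO := TIdSSLIOHandlerSocketOpenSSL.Create(FHTTP);

  // Offer only TLS 1.2; the SSL 2/3 and TLS 1.0/1.1 defaults are obsolete.
  FIO.SSLOptions.SSLVersions := [sslvTLSv1_2];

  // The setting that matters: Indy's default VerifyMode is [], i.e. no
  // verification at all. sslvrfPeer makes OpenSSL validate the chain the
  // server presents against RootCertFile.
  FIO.SSLOptions.VerifyMode := [sslvrfPeer];
  FIO.SSLOptions.VerifyDepth := 9;
  FIO.SSLOptions.RootCertFile := ACABundle;
  FIO.OnVerifyPeer := VerifyPeer;

  // Optional mutual TLS: present our own certificate to the server.
  if AClientCert <> '' then
  begin
    FIO.SSLOptions.CertFile := AClientCert;
    FIO.SSLOptions.KeyFile := AClientKey;
  end;

  FHTTP.IOHandler := FIO;
end;

destructor TVerifiedHttpsClient.Destroy;
begin
  FHTTP.Free; // FIO is owned by FHTTP and freed with it
  inherited;
end;

function TVerifiedHttpsClient.VerifyPeer(Certificate: TIdX509; AOk: Boolean;
  ADepth, AError: Integer): Boolean;
begin
  // AOk is OpenSSL's verdict for the certificate at this depth of the chain.
  // Keep the error code for diagnostics and pass the verdict through.
  // Returning True unconditionally here would disable verification again.
  if not AOk then
    FLastVerifyError := AError;
  Result := AOk;
end;

function TVerifiedHttpsClient.PostForm(const AURL: String;
  const AFields: TStrings): String;
begin
  // With verification on, an untrusted certificate raises an Indy/OpenSSL
  // exception here instead of silently returning the page.
  Result := FHTTP.Post(AURL, AFields);
end;

// Mirrors the original test. The path is an assumption about where XAMPP
// keeps the self-signed certificate it generated.
procedure Demo;
var
  Client: TVerifiedHttpsClient;
  Fields: TStringList;
begin
  Client := TVerifiedHttpsClient.Create('C:\xampp\apache\conf\ssl.crt\server.crt');
  Fields := TStringList.Create;
  try
    Fields.Add('firstname=Jeff');  // one name=value per entry
    Fields.Add('lastname=Hansen');
    Writeln(Client.PostForm('https://localhost/test.php', Fields));
  finally
    Fields.Free;
    Client.Free;
  end;
end;
```

With this in place the request to https://localhost/test.php still succeeds, because the server's own certificate is now the pinned trust root, while a server presenting any other self-signed certificate is rejected at the handshake. Two caveats: chain validation does not by itself confirm that the certificate's subject name matches the host you intended to reach, so a name check (for example in VerifyPeer at depth 0) is a separate step; and for a public host you would point RootCertFile at a CA bundle rather than at a single certificate.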
