Java: TCP encryption, SSL and Netty

Published 2025-01-01 10:49:27, 1735 characters, 0 views, 0 comments


OK, so I have a peer-to-peer (client/server on one host) setup (over a local LAN); this is using Netty, a Java networking framework. I use raw TCP/IP (as in, no HTTP) for communication and transfers.

Currently all data is transferred in "plain text" and I'm starting the process of securing such transmitted data.

I've had a good read of types of encryption/practices etc. (but probably only touched the surface and it's melting my brain already).

Netty includes an SSL implementation; here's a link to hopefully better explain myself:

http://docs.jboss.org/netty/3.2/xref/org/jboss/netty/example/securechat/package-summary.html

Inside "SecureChatTrustManagerFactory" there are 2 methods:

    public void checkClientTrusted(
            X509Certificate[] chain, String authType) throws CertificateException {
        // Always trust - it is an example.
        // You should do something in the real world.
        // You will reach here only if you enabled client certificate auth,
        // as described in SecureChatSslContextFactory.
        System.err.println(
                "UNKNOWN CLIENT CERTIFICATE: " + chain[0].getSubjectDN());
    }

    public void checkServerTrusted(
            X509Certificate[] chain, String authType) throws CertificateException {
        // Always trust - it is an example.
        // You should do something in the real world.
        System.err.println(
                "UNKNOWN SERVER CERTIFICATE: " + chain[0].getSubjectDN());
    }

"SecureChatKeyStore" contains a hard coded certificate from what I can see.

So my questions are:

  • Do I need to generate a certificate?
  • If so, each time the application is run?
  • If so, per client?
  • If so, is this certificate passed between client and server?
  • If so, how is it done securely?

I'm not entirely sure where to start.
From what I can see, the Netty implementation is saying "Here's the basis of creating secure connections, but we have left out the part that actually makes them secure/authenticated".

Any other pointers/tips I should know about?

Thank you in advance.


Comments (1)

我一直都在从未离去 2025-01-08 10:49:27


As others have pointed out, there is a difference between application security and transport link security. I think you are aiming for the last one as you mainly mention encryption. Encryption offers confidentiality from eavesdroppers. Furthermore, as SSL also incorporates a message authentication code, it will also offer protection against a third party altering packets during transit. It does not provide any protection of messages once received.

As you may have noticed on the internet for HTTPS connections, you will need at least a server certificate. This certificate can remain static, although it should contain an expiry date at which time you should replace the certificate. The server certificate should be trusted by the client (e.g. by embedding it as a resource). You can also use SSL with client authentication, but that means you need to have ample security measures to keep the private key on the client safe.

It's probably best to start off with a "self-signed" server certificate only. That's the one you need to trust in the checkServerTrusted method. Basically, the chain is simply that one certificate.
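The trust manager described in this answer, written out as an added example (this is not code from the Netty example or from the answer's author): the client ships the server's self-signed certificate as a classpath resource, and checkServerTrusted accepts a chain only if it consists of exactly that certificate and the certificate is still within its validity period. The resource name `/server-cert.pem` and the class name `PinnedServerTrustManager` are assumptions for the illustration; the JSSE classes used are standard.

```java
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Accepts exactly one pinned server certificate (the self-signed certificate
 * embedded in the client as a resource) instead of the "always trust"
 * placeholder from the Netty SecureChat example.
 */
public final class PinnedServerTrustManager implements X509TrustManager {

    private final X509Certificate pinned;

    public PinnedServerTrustManager(X509Certificate pinned) {
        this.pinned = pinned;
    }

    /** Loads the trusted server certificate (PEM or DER) from the classpath. */
    public static X509Certificate loadPinnedCertificate(String resourceName) throws Exception {
        // resourceName such as "/server-cert.pem" is an assumed path for this example
        try (InputStream in = PinnedServerTrustManager.class.getResourceAsStream(resourceName)) {
            if (in == null) {
                throw new IllegalStateException("missing resource " + resourceName);
            }
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        X509Certificate presented = chain[0];
        // Self-signed setup: the chain is that single certificate, so compare the
        // encoded form byte-for-byte (Certificate.equals compares getEncoded()).
        if (!presented.equals(pinned)) {
            throw new CertificateException("server certificate does not match pinned certificate: "
                    + presented.getSubjectX500Principal());
        }
        // Enforce the expiry date the answer mentions; throws if outside notBefore/notAfter.
        presented.checkValidity();
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // Client certificate authentication is not enabled in this setup, so any
        // client certificate that does reach this method is rejected rather than trusted.
        throw new CertificateException("client certificate authentication is not enabled");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[] { pinned };
    }

    /** Builds the client-side SSLContext whose only trust anchor is the pinned certificate. */
    public static SSLContext clientContext(String resourceName) throws Exception {
        X509Certificate pinned = loadPinnedCertificate(resourceName);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinnedServerTrustManager(pinned) }, null);
        return ctx;
    }
}
```

The server keeps the keystore holding the private key (generated once with `keytool -genkeypair`), and only the exported public certificate (`keytool -exportcert`) is packaged with the client; the private key never crosses the wire. Use `clientContext("/server-cert.pem")` in place of the context that the example's SecureChatSslContextFactory builds on the client side. When the certificate is replaced at its expiry date, the new public certificate has to be shipped to clients as well, which is the operational cost of pinning a self-signed certificate rather than trusting a CA.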
