取消自移动发短信取消业务ssll
点击联系发帖人
时间:2016-07-01 13:30
回龙观文化讨论区_回龙观社区网
This page uses frames, but your browser doesn't support them.回龙观文化讨论区_回龙观社区网
This page uses frames, but your browser doesn't support them.你想要了解但是却羞于发问的有关SSL的一切 - 技术翻译 - 开源中国社区
当前访客身份:游客 [
已有文章 2424 篇
当前位置:
你想要了解但是却羞于发问的有关SSL的一切
英文原文:
0人收藏此文章,
推荐于 11个月前 (共 12 段, 翻译完成于 01-14) ()
参与翻译(5人):
你想要了解但是却羞于发问的有关SSL的一切
或者更准确的说,“我所知的关于的SSL的实事”。本文()将告诉你在一些通用服务(web服务器、浏览器认证、单元和集成测试)的使用场景中,如何使用SSL证书来保证通过HTTPS与远端的连接的安全性。其间介绍了如何配置Apache HTTP服务器的双向SSL,使用Apache’sHttpClient和HttpServer进行单元测试时的SSL认证(java),以及使用运行在嵌入的Tomcat容器里的Spring Boot应用来进行REST API集成测试。
客户端向服务器认证自己有很多种方式,包括basic认证,基于form的认证和OAuth。
为了防止用户认证信息在网络上泄露,客户端与服务端的通信需要建立在HTTPS上,通过验证服务端的SSL证书来确定其身份。服务端并不需要关心客户端是谁,只需要它们有正确的身份。
通过同时在服务端和客户端启用SSL证书来获得更高的安全级别。
&翻译的不错哦!
双向 SSL 认证(也被称为“相互认证”,或“使用客户端证书的 TLS/SSL”)是指双方通过校验彼此提供的数字证书来进行认证,以便双方都可以确认对方的身份。
& & & & 术语
TLS 与 SSL
TLS 的前身是 SSL。其是一个用于在应用程序之间进行通信时保障隐私的协议。除非另有说明,本文中认为 TLS 与 SSL 是等价的。
证书(cert)
包含了提供者信息等一些额外元数据的公钥/私钥对的公钥部分。它可以被自由的提供给任何人。
一个私钥可以验证与其对应的用来对数据进行加密的证书和公钥。其决不公开提供。
证书颁发机构(CA)
一个颁发数字证书的公司。对于 SSL/TLS 证书,也有少数供应商(例如 Symantec/Versign/Thawte、Comodo、GoDaddy)的证书囊括了大多数浏览器和操作系统。它们的目的是成为一个“可信的第三方”。
证书签名请求(CSR)
用私钥生成的一个文件。一个 CSR 可以向一个 CA 发送签名请求。CA 则使用其私钥对 CSR 进行数字签名,并创建一个已签名的证书。然后浏览器可以使用 CA 提供的证书来验证新的证书是否已被 CA 批准。
用于描述证书的格式和用法的一个规范。
&翻译的不错哦!
SSL实际上就是在一个web服务器与浏览器之间建立加密链接的标准安全技术。一般来说,一个浏览器(客户端)建立一个SSL连接到一个安全的web站点,它只检查该服务器证书。该浏览器一方面依靠其本身,或者提供已经被指定为根证书的列表证书以及受信任的CAs的操作系统。
单向SSL认证(服务器-&客户端)
客户端与服务器使用9个握手消息,以及通过优先建立加密通道来进行消息交换。
& 1.客户端发送ClientHello消息来提议SSL选项。
& 2.服务器通过响应ServerHello消息来选择SSL选项。
& 3.服务器发送Certificate消息,其中包括该服务器证书。
& 4.客户端通过ServerHelloDone消息,来判断其部分谈判.
& 5.客户端在其ClientKeyExchange消息之中发送会话密匙信息(加密服务器公匙)
& 6.客户端通过发送ChangeCipherSpec消息来激活所有发送的未来消息的谈判选项。
& 7。客户端通过发送Finished消息,让服务器检查新激活的选项。
& 8.客户端通过发送ChangeCipherSpec消息来激活所有发送未来消息的谈判选项。
& 9.服务器发送Finished消息,让客户端检查新激活的选项。
双向SSL认证(服务器&-&客户端)
&客户端与服务器使用12个握手消息,以及优先建立加密通道来进行消息交换:
& 1.客户端发送ClientHello消息来提议SSL选项。
& 2.服务器通过响应ServerHello消息来选择SSL选项。
& 3.服务器发送Certificate消息,其中包括该服务器证书。
& 4.客户端通过ServerHelloDone消息,来判断其部分谈判.
& 5.客户端在其ClientKeyExchange消息之中发送会话密匙信息(加密服务器公匙)
& 6.客户端通过发送ChangeCipherSpec消息来激活所有发送的未来消息的谈判选项。
& 7。客户端通过发送Finished消息,让服务器检查新激活的选项。
& 8.客户端通过发送ChangeCipherSpec消息来激活所有发送未来消息的谈判选项。
& 9.服务器发送Finished消息,让客户端检查新激活的选项。
&翻译的不错哦!
文件格式证书与密匙
私人安全增强性邮件(PEM)
PEM 就是使用 Base64 编码的区分编码规则(DER)。通常用于密匙与认证。
PKCS12 就是一个能含有多个证书与密匙的密码保护格式。
Java KeyStore (JKS)
PKCS12 的 Java 版本以及密码保护。一个 JKS 文件的条目必须有一个“alias” ,即独一无二。如果一个 alias 不是特定的,“mykey” 默认会被使用。它就像一个密匙与证书数据库。
一个实现&SSL (v2/v3) 与 TLS (v1)协议的开源工具包,以及一个通用地完全版加密库。
管理一个加密鈅匙,&X.509 证书链,以及受信任证书的 Java KeyStore。附带 JDK 的 ships
使用Apache创建本地SSL服务器
配置 Apache
切换到 root:
在终端,启动 Apache:
apachectl&start
在 web 浏览器中,访问&。你应该看到它运行的工作状态。
为 http 配置 Apache:设置一个 80 端口的虚拟主机
在终端,编辑 Apache 配置:
vi&/etc/apache2/httpd.conf
通过取消第 143 行,启用 SSL:
LoadModule&ssl_module&libexec/apache2/mod_ssl.so
在你的编辑器里,通过替换第 212 行来压制服务器被完全地限定域名的消息:
ServerName&localhost
下一步,取消批注 160 行与499 行,支持虚拟主机。
LoadModule&vhost_alias_module&libexec/apache2/mod_vhost_alias.soInclude&/private/etc/apache2/extra/httpd-vhosts.conf
取消批注第 518 行,包括&httpd-ssl.conf(监听 443 端口)
Include&/private/etc/apache2/extra/httpd-ssl.conf
在终端,重启 Apache:
apachectl&restart
&翻译的不错哦!
配置Apache: 建立一个站点
在终端, 建立Sites文件夹, 它将是很多独立Site子文件夹的父文件夹:
mkdir&~/Sites
接下来建立一个在Sites文件夹下建立localhost子文件夹,它将是我们的第一个站点:
mkdir&~/Sites/localhost
最后,在localhost内建立HTML文档:
echo&“&h1&localhost&works&/h1&”&&&~/Sites/localhost/index.html
现在,在浏览器访问,你会看到一个消息,代表localhost已经起作用。
提示: 下面的密码我都用dsnaplogic
从这个链接修改而来:&
在终端内,建立SSL文件夹:
mkdir&/etc/apache2/sslcd&/etc/apache2/sslmkdir&certs&private
建立CA证书
建立一个数据库来跟踪所有签了名的证书:
echo&‘100001’&&&serialtouch&certindex.txt
定义一个openssl的config文件:
#&OpenSSL&configuration&file.
#&Establish&working&directory.
default_ca&=&CA_default
[&CA_default&]
serial&=&$dir/serial
database&=&$dir/certindex.txt
new_certs_dir&=&$dir/certs
certificate&=&$dir/cacert.pem
private_key&=&$dir/private/cakey.pem
default_days&=&365
default_md&=&sha512
preserve&=&no
email_in_dn&=&no
nameopt&=&default_ca
certopt&=&default_ca
policy&=&policy_match
[&policy_match&]
countryName&=&match
stateOrProvinceName&=&match
organizationName&=&match
organizationalUnitName&=&optional
commonName&=&supplied
emailAddress&=&optional
default_bits&=&2048&#&Size&of&keys
default_keyfile&=&key.pem&#&name&of&generated&keys
default_md&=&sha512&#&message&digest&algorithm
string_mask&=&nombstr&#&permitted&characters
distinguished_name&=&req_distinguished_name
req_extensions&=&v3_req
[&req_distinguished_name&]
countryName&=&Country&Name&(2&letter&code)
countryName_default&=&US
countryName_min&=&2
countryName_max&=&2
stateOrProvinceName&=&State&or&Province&Name&(full&name)
stateOrProvinceName_default&=&Colorado
localityName&=&Locality&Name&(eg,&city)
localityName_default&=&Boulder
0.organizationName&=&Organization&Name&(eg,&company)
0.organizationName_default&=&SnapLogic
#&we&can&do&this&but&it&is¬&needed&normally&:-)
#1.organizationName&=&Second&Organization&Name&(eg,&company)
#1.organizationName_default&=&World&Wide&Web&Pty&Ltd
organizationalUnitName&=&Organizational&Unit&Name&(eg,§ion)
organizationalUnitName_default&=&SnapTeam
commonName&=&Common&Name&(eg,&YOUR&name)
commonName_max&=&64
commonName_default&=&localhost&
emailAddress&=&Email&Address
emailAddress_max&=&64
#&SET-ex3&=&SET&extension&number&3
[&req_attributes&]
challengePassword&=&A&challenge&password
challengePassword_min&=&4
challengePassword_max&=&20
unstructuredName&=&An&optional&company&name
[&req_distinguished_name&]
countryName&=&Country&Name&(2&letter&code)
countryName_default&=&US&
countryName_min&=&2
countryName_max&=&2
stateOrProvinceName&=&State&or&Province&Name&(full&name)
stateOrProvinceName_default&=&Colorado
localityName&=&Locality&Name&(eg,&city)
0.organizationName&=&Organization&Name&(eg,&company)
0.organizationName_default&=&SnapLogic
#&we&can&do&this&but&it&is¬&needed&normally&:-)
#1.organizationName&=&Second&Organization&Name&(eg,&company)
#1.organizationName_default&=&World&Wide&Web&Pty&Ltd
organizationalUnitName&=&Organizational&Unit&Name&(eg,§ion)
organizationalUnitName_default&=&SnapTeam
commonName&=&Common&Name&(eg,&YOUR&name)
commonName_max&=&64
commonName_default&=&localhost
emailAddress&=&Email&Address
emailAddress_max&=&64
#&SET-ex3&=&SET&extension&number&3
[&req_attributes&]
challengePassword&=&A&challenge&password
challengePassword_min&=&4
challengePassword_max&=&20
unstructuredName&=&An&optional&company&name
basicConstraints&=&CA:TRUE
subjectKeyIdentifier&=&hash
authorityKeyIdentifier&=&keyid:always,issuer:always
[&v3_req&]
basicConstraints&=&CA:FALSE
subjectKeyIdentifier&=&hash注意,我还将default_md设置为sha512,这样,现在的浏览器就不会报。
&翻译的不错哦!
通过建立Root证书方式建立CA证书,这同时也会建立CA的私钥&(private/cakey.pem) 和公钥 (cacert.pem)。使用默认的localhost作为Common Name:
|&root@SL-MBP-RHOWLETT.local:/private/etc/apache2/ssl&
|&=&&openssl&req&-new&-x509&-extensions&v3_ca&-keyout&private/cakey.pem&-out&cacert.pem&-days&365&-config&./f
Generating&a&2048&bit&RSA&private&key
................................+++
.............................+++
writing&new&private&key&to&'private/cakey.pem'
Enter&PEM&pass&phrase:
Verifying&-&Enter&PEM&pass&phrase:
phrase&is&too&short,&needs&to&be&at&least&4&chars
Enter&PEM&pass&phrase:
Verifying&-&Enter&PEM&pass&phrase:
You&are&about&to&be&asked&to&enter&information&that&will&be&incorporated
into&your&certificate&request.
What&you&are&about&to&enter&is&what&is&called&a&Distinguished&Name&or&a&DN.
There&are&quite&a&few&fields&but&you&can&leave&some&blank
For&some&fields&there&will&be&a&default&value,
If&you&enter&'.',&the&field&will&be&left&blank.
Country&Name&(2&letter&code)&[US]:
State&or&Province&Name&(full&name)&[Colorado]:
Locality&Name&(eg,&city)&[Milan]:Boulder
Organization&Name&(eg,&company)&[Organization&default]:SnapLogic
Organizational&Unit&Name&(eg,§ion)&[SnapLogic]:SnapTeam&
Common&Name&(eg,&YOUR&name)&[localhost]:
Email&Address&[]:
建立服务器证书
为服务器建立密钥和签名请求,这将会为服务器建立CSR文件 (server-req.pem) 以及服务器的私钥 (private/server-key.pem)。同样使用默认的localhost作为Common Name:
|&root@SL-MBP-RHOWLETT.local:/etc/apache2/ssl&
|&=&&openssl&req&-new&-nodes&-out&server-req.pem&-keyout&private/server-key.pem&-days&365&-config&f&
Generating&a&2048&bit&RSA&private&key
..................................+++
writing&new&private&key&to&'private/server-key.pem'
You&are&about&to&be&asked&to&enter&information&that&will&be&incorporated
into&your&certificate&request.
What&you&are&about&to&enter&is&what&is&called&a&Distinguished&Name&or&a&DN.
There&are&quite&a&few&fields&but&you&can&leave&some&blank
For&some&fields&there&will&be&a&default&value,
If&you&enter&'.',&the&field&will&be&left&blank.
Country&Name&(2&letter&code)&[US]:
State&or&Province&Name&(full&name)&[Colorado]:
Locality&Name&(eg,&city)&[Boulder]:
Organization&Name&(eg,&company)&[SnapLogic]:
Organizational&Unit&Name&(eg,§ion)&[SnapTeam]:
Common&Name&(eg,&YOUR&name)&[localhost]:
Email&Address&[]:
获得了CA签名和服务器的CSR之后,下面会生成服务器的共有证书&(server-cert.pem):
|&root@SL-MBP-RHOWLETT.local:/etc/apache2/ssl&
|&=&&openssl&ca&-out&server-cert.pem&-days&365&-config&f&-infiles&server-req.pem&
Using&configuration&from&f
Enter&pass&phrase&for&./private/cakey.pem:
Check&that&the&request&matches&the&signature
Signature&ok
The&Subject's&Distinguished&Name&is&as&follows
countryName&&&&&&&&&&&:PRINTABLE:'US'
stateOrProvinceName&&&:PRINTABLE:'Colorado'
localityName&&&&&&&&&&:PRINTABLE:'Boulder'
organizationName&&&&&&:PRINTABLE:'SnapLogic'
organizationalUnitName:PRINTABLE:'SnapTeam'
commonName&&&&&&&&&&&&:PRINTABLE:'localhost'
Certificate&is&to&be&certified&until&Oct&&4&16:30:23&2016&GMT&(365&days)
Sign&the&certificate?&[y/n]:y
1&out&of&1&certificate&requests&certified,&commit?&[y/n]y
Write&out&database&with&1&new&entries
Data&Base&Updated
生成客户端证书
每个客户端都会生成一个密钥和签名请求,我们在这里只做一次。你必须使用与服务器不同的Common Name,这里我用client。 下面会生成客户端的CSR (client-req.pem) 和其私钥 (private/client-key.pem):
|&root@SL-MBP-RHOWLETT.local:/etc/apache2/ssl&
|&=&&openssl&req&-new&-nodes&-out&client-req.pem&-keyout&private/client-key.pem&-days&365&-config&f&
Generating&a&2048&bit&RSA&private&key
....................................................+++
...........+++
writing&new&private&key&to&'private/client-key.pem'
You&are&about&to&be&asked&to&enter&information&that&will&be&incorporated
into&your&certificate&request.
What&you&are&about&to&enter&is&what&is&called&a&Distinguished&Name&or&a&DN.
There&are&quite&a&few&fields&but&you&can&leave&some&blank
For&some&fields&there&will&be&a&default&value,
If&you&enter&'.',&the&field&will&be&left&blank.
Country&Name&(2&letter&code)&[US]:
State&or&Province&Name&(full&name)&[Colorado]:
Locality&Name&(eg,&city)&[Boulder]:
Organization&Name&(eg,&company)&[SnapLogic]:
Organizational&Unit&Name&(eg,§ion)&[SnapTeam]:
Common&Name&(eg,&YOUR&name)&[localhost]:client
Email&Address&[]:
有了CA签名和客户端的CSR,下面会生成客户端的公有证书&(client-cert.pem):
|&root@SL-MBP-RHOWLETT.local:/etc/apache2/ssl&
|&=&&openssl&ca&-out&client-cert.pem&-days&365&-config&f&-infiles&client-req.pem&
Using&configuration&from&f
Enter&pass&phrase&for&./private/cakey.pem:
Check&that&the&request&matches&the&signature
Signature&ok
The&Subject's&Distinguished&Name&is&as&follows
countryName&&&&&&&&&&&:PRINTABLE:'US'
stateOrProvinceName&&&:PRINTABLE:'Colorado'
localityName&&&&&&&&&&:PRINTABLE:'Boulder'
organizationName&&&&&&:PRINTABLE:'SnapLogic'
organizationalUnitName:PRINTABLE:'SnapTeam'
commonName&&&&&&&&&&&&:PRINTABLE:'client'
Certificate&is&to&be&certified&until&Oct&&4&16:40:01&2016&GMT&(365&days)
Sign&the&certificate?&[y/n]:y
1&out&of&1&certificate&requests&certified,&commit?&[y/n]y
Write&out&database&with&1&new&entries
Data&Base&Updated
最后生成包含客户端私钥、共有证书和CA证书的的PKCS12文件。下面会生成&(以Mac为例) PKCS12文件 (client-cert.p12):
|&root@SL-MBP-RHOWLETT.local:/etc/apache2/ssl&
|&=&&openssl&pkcs12&-export&-in&client-cert.pem&-inkey&private/client-key.pem&-certfile&cacert.pem&-name&"Client"&-out&client-cert.p12&
Enter&Export&Password:
Verifying&-&Enter&Export&Password:
配置Apache的HTTPS和单向SSL验证
vi&/etc/apache2/extra/httpd-vhosts.conf
添加一个443端口的Virtual Host并且开启SSL:
&VirtualHost&*:80&
&&&&ServerName&localhost
&&&&DocumentRoot&"/Users/rhowlett/Sites/localhost"
&&&&&Directory&"/Users/rhowlett/Sites/localhost"&
&&&&&&&&Options&Indexes&FollowSymLinks
&&&&&&&&AllowOverride&All
&&&&&&&&Order&allow,deny
&&&&&&&&Allow&from&all
&&&&&&&&Require&all&granted
&&&&&/Directory&
&/VirtualHost&
&VirtualHost&*:443&
&&&&ServerName&localhost
&&&&DocumentRoot&"/Users/rhowlett/Sites/localhost"
&&&&SSLCipherSuite&HIGH:MEDIUM:!aNULL:!MD5
&&&&SSLEngine&on
&&&&SSLCertificateFile&/etc/apache2/ssl/server-cert.pem
&&&&SSLCertificateKeyFile&/etc/apache2/ssl/private/server-key.pem
&&&&&Directory&"/Users/rhowlett/Sites/localhost"&
&&&&&&&&Options&Indexes&FollowSymLinks
&&&&&&&&AllowOverride&All
&&&&&&&&Order&allow,deny
&&&&&&&&Allow&from&all
&&&&&&&&Require&all&granted
&&&&&/Directory&
&/VirtualHost&
重启Apache:
apachectl&restart
&(在Mac下) 安装CA证书到Keychain Access
&翻译的不错哦!
在&Finder 中打开 /etc/apache2/ssl
开发 CA 证书(cacert.pem)通过双击它来安装 Keychain Access:
标记为可信任的:在你的浏览器中打开& 地址,你就可以看到一个成功的安全连接:
为双向 SSL 认证配置 Apache
vi&/etc/apache2/extra/httpd-vhosts.conf
增加 SSLVerifyClient,&SSLCertificateFile,以及 SSLCACertificateFile 选项:
&VirtualHost&*:80&
&&&&ServerName&localhost
&&&&DocumentRoot&"/Users/rhowlett/Sites/localhost"
&&&&&Directory&"/Users/rhowlett/Sites/localhost"&
&&&&&&&&Options&Indexes&FollowSymLinks
&&&&&&&&AllowOverride&All
&&&&&&&&Order&allow,deny
&&&&&&&&Allow&from&all
&&&&&&&&Require&all&granted
&&&&&/Directory&
&/VirtualHost&
&VirtualHost&*:443&
&&&&ServerName&localhost
&&&&DocumentRoot&"/Users/rhowlett/Sites/localhost"
&&&&SSLCipherSuite&HIGH:MEDIUM:!aNULL:!MD5
&&&&SSLEngine&on
&&&&SSLCertificateFile&/etc/apache2/ssl/server-cert.pem
&&&&SSLCertificateKeyFile&/etc/apache2/ssl/private/server-key.pem
&&&&SSLVerifyClient&require
&&&&SSLVerifyDepth&10
&&&&SSLCACertificateFile&/etc/apache2/ssl/cacert.pem
&&&&&Directory&"/Users/rhowlett/Sites/localhost"&
&&&&&&&&Options&Indexes&FollowSymLinks
&&&&&&&&AllowOverride&All
&&&&&&&&Order&allow,deny
&&&&&&&&Allow&from&all
&&&&&&&&Require&all&granted
&&&&&/Directory&
&/VirtualHost&
重启 Apache:
apachectl&restart
现在,OpenSSL 能确认双向 SSL 信号交换能成功地完成:
|&rhowlett@SL-MBP-RHOWLETT.local:~/Downloads&
|&=&&openssl&s_client&-connect&localhost:443&-tls1&-cert&/etc/apache2/ssl/client-cert.pem&-key&/etc/apache2/ssl/private/client-key.pem
CONNECTED()
depth=1&/C=US/ST=Colorado/L=Boulder/O=SnapLogic/OU=SnapTeam/CN=localhost
verify&error:num=19:self&signed&certificate&in&certificate&chain
verify&return:0
Certificate&chain
&0&s:/C=US/ST=Colorado/O=SnapLogic/OU=SnapTeam/CN=localhost
&&&i:/C=US/ST=Colorado/L=Boulder/O=SnapLogic/OU=SnapTeam/CN=localhost
&1&s:/C=US/ST=Colorado/L=Boulder/O=SnapLogic/OU=SnapTeam/CN=localhost
&&&i:/C=US/ST=Colorado/L=Boulder/O=SnapLogic/OU=SnapTeam/CN=localhost
Server&certificate
-----BEGIN&CERTIFICATE-----
MIIDPjCCAiYCAxAAATANBgkqhkiG9w0BAQ0FADBtMQswCQYDVQQGEwJVUzERMA8G
A1UECBMIQ29sb3JhZG8xEDAOBgNVBAcTB0JvdWxkZXIxEjAQBgNVBAoTCVNuYXBM
b2dpYzERMA8GA1UECxMIU25hcFRlYW0xEjAQBgNVBAMTCWxvY2FsaG9zdDAeFw0x
NTEwMDYxOTE1MTNaFw0xNjEwMDUxOTE1MTNaMFsxCzAJBgNVBAYTAlVTMREwDwYD
VQQIEwhDb2xvcmFkbzESMBAGA1UEChMJU25hcExvZ2ljMREwDwYDVQQLEwhTbmFw
VGVhbTESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAyvia0x0Nd4tYyvoXEYtI3s/eLIQ3wFsOJIibNy70PLhp35gScQ69
MiIrVDYqIydVbInzyY5kuhttrUIrHCIiDwa5OqEiExJ+ollY9icnrMLrEXJqvv5C
/fduS5byC6StNg7xHQkYlYLUYMw8QQyCZFQVGXlxZeG6i086ffMYduFimkBAkNj5
/LkIwrOELpGnNcrOJxQEnLi8vmRI3oiCrgVc0ugrFBnoj3Tf6y3lx23fYgLbqf9c
bRCS6V3eppa/x9sezv9KQ+pDYly0bwKIcvJ9xLp7qPiO+smGGvS97Ec4NAif8y6v
pU92cPH32cv1p0AIDF0+GMOgVyAYZgSKQwIDAQABMA0GCSqGSIb3DQEBDQUAA4IB
AQBedsAvkB1yNLE2GCJWWQ19qEKOIBYCRQc2z29PgF/LAz5GVOIw/ZiN37C2vTob
jk1NnqfOx5aipQ5Pe5D2yfbarDl0kaqRn9MhBySi+oi3AgUZ5yL0x/nGF9O8jszJ
OM1FUC6qXKic5pR0qTrdXigONlKb0Au+l3z5dFMiqnNmDrNlI8kW1OXrwy/jvyPv
H1bHWAKYFTvHi2v7A0B96V1VvFBLbuQztckPQ3VpFDOwWhWLr2D90vxFd1Ea0SCi
3bysz4ax9XP0bmXJY+968nV31qQJMkk5/3rE5PWVZibsniccfdujgSQYl+yNA3sB
F5h6mCR6pAONZFo6+U3zARSb
-----END&CERTIFICATE-----
subject=/C=US/ST=Colorado/O=SnapLogic/OU=SnapTeam/CN=localhost
issuer=/C=US/ST=Colorado/L=Boulder/O=SnapLogic/OU=SnapTeam/CN=localhost
Acceptable&client&certificate&CA&names
/C=US/ST=Colorado/L=Boulder/O=SnapLogic/OU=SnapTeam/CN=localhost
SSL&handshake&has&read&4004&bytes&and&written&1539&bytes
New,&TLSv1/SSLv3,&Cipher&is&DHE-RSA-AES256-SHA
Server&public&key&is&2048&bit
Secure&Renegotiation&IS&supported
Compression:&NONE
Expansion:&NONE
SSL-Session:
&&&&Protocol&&:&TLSv1
&&&&Cipher&&&&:&DHE-RSA-AES256-SHA
&&&&Session-ID:&A1D9CE5273963BCF14ECE2B628CEE59CEACEEA8E281
&&&&Session-ID-ctx:&
&&&&Master-Key:&0920CEEB2DF9D49DA990A178C0AC980DD5AF359B7E1CDD4B2DBAE186BC06E7BB0
&&&&Key-Arg&&&:&None
&&&&TLS&session&ticket:
&&&&0000&-&5c&8f&01&d5&5d&c1&62&d5-65&d7&8f&05&5f&47&d2&82&&&\...].b.e..._G..
&&&&0010&-&f0&fd&2c&88&be&58&25&6c-9e&9a&1e&78&6a&b4&66&c4&&&..,..X%l...xj.f.
&&&&0020&-&0d&3d&31&04&97&a2&5f&e7-6f&3c&9f&c9&b1&44&6a&ab&&&.=1..._.o&...Dj.
&&&&0030&-&84&89&76&e4&63&9b&81&b7-c3&28&e0&95&c6&c3&f5&89&&&..v.c....(......
&&&&0040&-&d5&f9&7f&da&df&fb&12&f7-de&2a&ec&e8&c2&01&59&07&&&.........*....Y.
&&&&0050&-&9e&ad&91&56&91&34&88&73-66&d1&ea&c1&72&dc&56&ee&&&...V.4.sf...r.V.
&&&&0060&-&ee&61&fe&5e&38&f0&aa&d6-3a&7d&ad&ef&e6&be&2a&15&&&.a.^8...:}....*.
&&&&0070&-&dc&cc&9f&04&5e&e8&f9&2b-07&21&6b&0f&da&9f&08&2e&&&....^..+.!k.....
&&&&0080&-&88&af&96&41&98&f3&ff&8a-01&66&1a&1d&61&47&1b&e5&&&...A.....f..aG..
&&&&0090&-&ec&ab&b7&af&79&aa&7d&25-ca&e0&fa&f4&2b&2e&9a&dd&&&....y.}%....+...
&&&&00a0&-&95&0c&4b&35&d8&96&8b&f0-1e&20&c1&c3&47&fc&65&ed&&&..K5.....&..G.e.
&&&&00b0&-&21&e4&50&59&1e&33&6a&5c-c6&27&f1&65&be&5b&0f&35&&&!.PY.3j\.'.e.[.5
&&&&00c0&-&1d&ba&ac&bf&f5&9c&d9&b7-32&87&11&ae&b7&87&9b&52&&&........2......R
&&&&00d0&-&bb&00&6b&66&af&e2&94&45-e3&8f&fb&e0&b4&c6&d7&5a&&&..kf...E.......Z
&&&&00e0&-&f8&1d&7a&af&e3&ee&bb&6b-93&ff&46&af&ed&86&bc&f8&&&..z....k..F.....
&&&&00f0&-&6d&e2&c9&60&eb&61&8e&b9-7e&bd&4d&bb&1e&01&95&d2&&&m..`.a..~.M.....
&&&&0100&-&f5&d5&ee&82&10&4a&1d&23-9e&94&d7&0b&46&e4&d4&32&&&.....J.#....F..2
&&&&0110&-&11&92&76&4a&94&9e&a3&61-21&9b&4c&49&6c&df&7b&18&&&..vJ...a!.LIl.{.
&&&&0120&-&b7&49&66&bd&48&0d&eb&9a-ad&e9&32&c7&b9&6d&70&1a&&&.If.H.....2..mp.
&&&&0130&-&c7&a1&25&21&b4&f1&03&5b-80&83&e9&da&8d&56&f1&d9&&&..%!...[.....V..
&&&&0140&-&8b&c5&32&b7&3a&67&5b&9c-51&84&a0&09&04&4f&48&60&&&..2.:g[.Q....OH`
&&&&0150&-&27&c0&fe&1c&45&7a&3b&b2-22&8d&ed&65&72&23&8a&bf&&&'...Ez;."..er#..
&&&&0160&-&e3&09&eb&78&98&ec&08&06-9d&37&02&1a&4b&ae&cd&3a&&&...x.....7..K..:
&&&&0170&-&9c&a4&bd&5d&47&5e&d3&d7-7b&89&7b&97&78&a6&4c&10&&&...]G^..{.{.x.L.
&&&&0180&-&bf&3e&ed&1f&f4&fe&e5&97-90&ee&31&58&5f&ff&c6&c2&&&.&........1X_...
&&&&0190&-&61&b7&df&0a&f5&27&c6&a8-ac&61&a3&d0&1e&3a&6a&42&&&a....'...a...:jB
&&&&01a0&-&a9&18&b4&fb&4b&25&87&62-97&26&48&35&d0&16&d1&06&&&....K%.b.&H5....
&&&&01b0&-&9d&82&b5&e2&7b&f2&24&c5-83&a1&4b&fe&8d&38&ae&30&&&....{.$...K..8.0
&&&&01c0&-&8e&eb&e1&ac&8b&48&fa&27-b0&e1&ce&b3&17&62&69&f0&&&.....H.'.....bi.
&&&&01d0&-&30&17&ae&31&9d&bf&77&64-66&5b&13&8e&a2&63&2e&58&&&0..1..wdf[...c.X
&&&&01e0&-&02&10&26&e1&3b&0d&55&fc-3d&0f&d5&08&2d&1e&28&0a&&&..&.;.U.=...-.(.
&&&&01f0&-&c2&fd&a2&f3&2a&40&25&ed-2b&06&2c&92&c3&78&a3&b3&&&....*@%.+.,..x..
&&&&0200&-&35&bc&d9&6c&57&97&ca&93-0f&f3&b8&e4&60&d8&99&b4&&&5..lW.......`...
&&&&0210&-&b8&ba&ae&b7&47&4a&59&84-5b&f9&5e&b2&11&44&42&bd&&&....GJY.[.^..DB.
&&&&0220&-&e8&46&3d&1d&09&70&72&f6-23&df&89&f8&f7&b7&84&d2&&&.F=..pr.#.......
&&&&0230&-&7d&42&0e&5d&d7&76&c2&da-0b&61&f9&48&3c&c9&5f&ba&&&}B.].v...a.H&._.
&&&&0240&-&ab&be&5f&82&2b&03&07&f1-83&12&69&ee&56&b5&7e&06&&&.._.+.....i.V.~.
&&&&0250&-&03&d7&8e&b3&70&7c&93&75-3d&cd&e0&a1&1b&8a&14&ef&&&....p|.u=.......
&&&&0260&-&91&c6&74&14&1e&16&4c&46-07&c5&62&04&70&a7&fd&5d&&&..t...LF..b.p..]
&&&&0270&-&e5&67&d8&bf&43&bb&5e&f3-7c&37&db&1a&66&cb&ad&7d&&&.g..C.^.|7..f..}
&&&&0280&-&cc&30&e4&9b&35&30&b5&6c-d0&4b&ba&b2&8b&01&71&0e&&&.0..50.l.K....q.
&&&&0290&-&0a&af&ec&4e&6a&1a&f8&6f-b7&5e&2b&b9&e9&ec&b6&b6&&&...Nj..o.^+.....
&&&&02a0&-&38&1c&70&5c&86&bf&ae&a4-e6&41&9d&c9&9f&40&e4&a0&&&8.p\.....A...@..
&&&&02b0&-&4b&0d&3d&ab&01&90&da&55-cb&b8&c8&e6&94&8d&76&35&&&K.=....U......v5
&&&&02c0&-&94&b5&e2&1a&7c&69&5c&b3-ee&08&8b&bd&3f&97&c4&31&&&....|i\.....?..1
&&&&02d0&-&72&8a&30&a8&c6&3e&74&74-dc&47&c1&d0&ce&bd&0b&19&&&r.0..&tt.G......
&&&&02e0&-&f4&93&55&8c&1f&02&b3&6e-f3&4d&44&f1&cc&f0&ef&2d&&&..U....n.MD....-
&&&&02f0&-&4d&16&92&a3&15&fe&69&db-cc&b1&b5&6b&d0&4a&49&fc&&&M.....i....k.JI.
&&&&0300&-&67&9e&0c&47&96&08&0e&f2-b2&5c&06&24&45&f3&6a&7d&&&g..G.....\.$E.j}
&&&&0310&-&6e&1b&2b&9a&68&23&11&3a-43&79&8c&77&9e&98&be&38&&&n.+.h#.:Cy.w...8
&&&&0320&-&9a&0e&e1&a5&17&bd&0f&7b-e0&ac&ca&94&ac&48&68&5c&&&.......{.....Hh\
&&&&0330&-&f1&2b&98&b5&8d&36&b6&4f-aa&6f&e7&d4&4d&a3&f0&4c&&&.+...6.O.o..M..L
&&&&0340&-&cb&09&92&91&01&b9&c2&f1-49&24&64&d3&14&2f&a3&5f&&&........I$d../._
&&&&0350&-&74&6f&c0&54&16&73&c8&40-33&bc&7e&e9&3b&d8&d5&7c&&&to.T.s.@3.~.;..|
&&&&0360&-&78&49&5c&80&83&88&4e&4b-46&f2&7a&6b&62&c4&ca&42&&&xI\...NKF.zkb..B
&&&&0370&-&18&b6&22&40&77&fc&26&0e-28&50&89&7a&14&49&ba&b0&&&.."@w.&.(P.z.I..
&&&&0380&-&2c&d7&26&7a&30&f9&9b&90-ba&9a&1f&3b&80&1b&0b&25&&&,.&z0......;...%
&&&&0390&-&f0&e7&83&83&55&1f&1e&f0-71&5b&64&a4&1e&76&91&bb&&&....U...q[d..v..
&&&&03a0&-&d9&19&f5&2d&2e&54&d7&3a-93&95&29&ae&44&09&e6&cd&&&...-.T.:..).D...
&&&&03b0&-&ec&79&8d&b6&3c&09&d5&05-8d&fc&2b&79&88&37&25&92&&&.y..&.....+y.7%.
&&&&03c0&-&73&ae&e6&8a&d6&0c&1a&eb-7b&b9&08&44&4e&81&67&36&&&s.......{..DN.g6
&&&&03d0&-&a6&3a&57&43&d0&ed&dc&3e-bb&0f&87&02&f5&fe&80&bb&&&.:WC...&........
&&&&03e0&-&28&17&6e&7e&ad&c4&d9&4c-0a&53&fa&41&d2&d2&7c&76&&&(.n~...L.S.A..|v
&&&&03f0&-&a4&95&10&26&1d&5b&7d&19-23&dd&28&a0&48&c1&96&d9&&&...&.[}.#.(.H...
&&&&Start&Time:&
&&&&Timeout&&&:&7200&(sec)
&&&&Verify&return&code:&0&(ok)
(Mac)在&Keychain Access 中安装客户端 PKCS12 文件
在&Finder 中打开 /etc/apache2/ssl,通过双击客户端 PKCS12 文件(client-cert.p12)来安装Keychain Access:
在你的浏览器中打开& 地址,当提示时,选择客户端证书:
那时,你应该再一次看到一个安全的连接:
也将运行:
|&=&&curl&-v&--cert&/etc/apache2/ssl/client-cert.p12:snaplogic&https://localhost
*&Rebuilt&URL&to:&https://localhost/
*&&&Trying&::1...
*&Connected&to&localhost&(::1)&port&443&(#0)
*&WARNING:&SSL:&Certificate&type¬&set,&assuming&PKCS#12&format.
*&Client&certificate:&client
|&=&&curl&-v&--cert&/etc/apache2/ssl/client-cert.p12:snaplogic&https://localhost
*&Rebuilt&URL&to:&https://localhost/
*&&&Trying&::1...
*&Connected&to&localhost&(::1)&port&443&(#0)
*&WARNING:&SSL:&Certificate&type¬&set,&assuming&PKCS#12&format.
*&Client&certificate:&client
*&TLS&1.0&connection&using&TLS_DHE_RSA_WITH_AES_256_CBC_SHA
*&Server&certificate:&localhost
*&Server&certificate:&localhost
&&GET&/&HTTP/1.1
&&Host:&localhost
&&User-Agent:&curl/7.43.0
&&Accept:&*/*
&&HTTP/1.1&200&OK
&&Date:&Tue,&05&Jan&:29&GMT
&&Server:&Apache/2.4.16&(Unix)&PHP/5.5.29&OpenSSL/0.9.8zg
&&Last-Modified:&Fri,&02&Oct&:41&GMT
&&ETag:&"19-521236aaf5240"
&&Accept-Ranges:&bytes
&&Content-Length:&25
&&Content-Type:&text/html
&h1&localhost&works&/h1&
*&Connection�&to&host&localhost&left&intact
&翻译的不错哦!
使用&Apache 的 HttpClient 和 HttpServer 进行单元测试 SSL 认证
Apache 的& 提供 ,“一个有效的,最新的,以及实现最近的客户端 http 标准与建议的丰富多样的包”
它也提供 ,其中包括一个嵌入式的 HttpServer,可用于单元测试。
通过本地测试 HttpServer 实例来创建以上的:从公众的&server-cert.pem,私人的 server-key.pem,以及 CA 证书 cacert.pem 来生成 PKCS12 (.p12) 文件:
|&rhowlett@SL-MBP-RHOWLETT.local:~/dev/robinhowlett/github/everything-ssl/src/main/resources/ssl&
|&=&&openssl&pkcs12&-export&-in&/etc/apache2/ssl/server-cert.pem&-inkey&/etc/apache2/ssl/private/server-key.pem&-certfile&/etc/apache2/ssl/cacert.pem&-name&"Server"&-out&server-cert.p12
Enter&Export&Password:
Verifying&-&Enter&Export&Password:
如果你看到 unable to write 'random state',运行 sudo rm ~/.rnd,再试一次
Java&KeyStores(JKS)
Java 有它自己所谓的 Java KeyStore (JKS)PKCS12 版本。也就是密码保护。在 JKS 条目文件中,必须有一个“alias” ,意即独一无二。如果
一个 alias 不是被指定,那么“mykey”会被默认使用。它就像一个数据库组与钥匙。
对于在 REST SSL 账号设置中的两个“KeyStore”与“TrustStore”&字段,我们将使用&JKS 文件。它们之间的差异原因是因为术语。KeyStores 提供凭证,TrustStores 验证凭证。
客户端使用存贮在&TrustStores 之中的证书来验证服务器身份。他们将呈现存储在&KeyStores 之中的证书,以此让服务器来请求他们。
使用所谓一个 Keytool 工具的 JDK ships。它管理一个 JKS 的加密密匙,X.509 证书链接,以及可信任的证书。
&翻译的不错哦!
使用 Keytool 创建 KeyStores 和 TrustStores
从&PKCS12 文件中创建服务器的 KeyStore:
|&rhowlett@SL-MBP-RHOWLETT.local:~/dev/robinhowlett/github/everything-ssl/src/main/resources/ssl&
|&=&&keytool&-importkeystore&-deststorepass&snaplogic&-destkeypass&snaplogic&-destkeystore&server_keystore.jks&-srckeystore&server-cert.p12&-srcstoretype&PKCS12&-srcstorepass&snaplogic&-alias&server
查看服务器 keystore 以确认它现在包含了服务器证书:
|&rhowlett@SL-MBP-RHOWLETT.local:~/dev/robinhowlett/github/everything-ssl/src/main/resources/ssl&
|&=&&keytool&-list&-v&-keystore&server_keystore.jks&
Enter&keystore&password:&&
Keystore&type:&JKS
Keystore&provider:&SUN
Your&keystore&contains&1&entry
Alias&name:&server
Creation&date:&Jan&4,&2016
Entry&type:&PrivateKeyEntry
Certificate&chain&length:&2
Certificate[1]:
Owner:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&ST=Colorado,&C=US
Issuer:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Serial&number:&100001
Valid&from:&Tue&Oct&06&13:15:13&MDT&2015&until:&Wed&Oct&05&13:15:13&MDT&2016
Certificate&fingerprints:
&&&&&MD5:&&62:83:6B:84:1B:CB:DE:26:CA:E0:9D:E8:04:84:B6:C1
&&&&&SHA1:&AD:D4:27:FF:9A:68:77:25:95:C3:A2:BE:F6:22:AD:82:5C:2B:AF:EB
&&&&&SHA256:&8D:8D:EA:E5:7C:7A:E9:42:C9:9E:71:2A:76:C7:BE:BE:34:CC:4A:CC:83:ED:FE:C8:8E:C6:06:D2:D8:89:59:4A
&&&&&Signature&algorithm&name:&SHA512withRSA
&&&&&Version:&1
Certificate[2]:
Owner:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Issuer:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Serial&number:&e4e00ed
Valid&from:&Tue&Oct&06&13:14:51&MDT&2015&until:&Wed&Oct&05&13:14:51&MDT&2016
Certificate&fingerprints:
&&&&&MD5:&&F3:5E:28:E4:28:47:F2:EC:82:E2:BD:16:31:DC:90:02
&&&&&SHA1:&6F:0F:49:BA:A9:30:01:E9:4C:60:B3:A1:85:7D:BB:C6:79:1F:41:7B
&&&&&SHA256:&A7:9D:25:E4:A6:34:8A:A3:5B:9A:CD:F3:62:D0:D8:2F:6A:A0:71:6A:6D:19:F3:04:A1:FD:BC:FB:21:40:DE:A1
&&&&&Signature&algorithm&name:&SHA512withRSA
&&&&&Version:&3
Extensions:&
#1:&ObjectId:&2.5.29.35&Criticality=false
AuthorityKeyIdentifier&[
KeyIdentifier&[
&12&6E&8B&DD&7A&80&&&FB&F5&21&AB&75&D9&B8&49&&...n..z...!.u..I
B&61&1F&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&y[a.
[CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US]
SerialNumber:&[&&&&e4e00ed0&]
#2:&ObjectId:&2.5.29.19&Criticality=false
BasicConstraints:[
&&PathLen:
#3:&ObjectId:&2.5.29.14&Criticality=false
SubjectKeyIdentifier&[
KeyIdentifier&[
&12&6E&8B&DD&7A&80&&&FB&F5&21&AB&75&D9&B8&49&&...n..z...!.u..I
B&61&1F&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&y[a.
*******************************************
*******************************************
创建客户端的 truststore 并导入服务器公共证书:
|&rhowlett@SL-MBP-RHOWLETT.local:~/dev/robinhowlett/github/everything-ssl/src/main/resources/ssl&
|&=&&keytool&-import&-v&-trustcacerts&-keystore&client_truststore.jks&-storepass&snaplogic&-alias&server&-file&/etc/apache2/ssl/server-cert.pem
Owner:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&ST=Colorado,&C=US
Issuer:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Serial&number:&100001
Valid&from:&Tue&Oct&06&13:15:13&MDT&2015&until:&Wed&Oct&05&13:15:13&MDT&2016
Certificate&fingerprints:
&&&&&MD5:&&62:83:6B:84:1B:CB:DE:26:CA:E0:9D:E8:04:84:B6:C1
&&&&&SHA1:&AD:D4:27:FF:9A:68:77:25:95:C3:A2:BE:F6:22:AD:82:5C:2B:AF:EB
&&&&&SHA256:&8D:8D:EA:E5:7C:7A:E9:42:C9:9E:71:2A:76:C7:BE:BE:34:CC:4A:CC:83:ED:FE:C8:8E:C6:06:D2:D8:89:59:4A
&&&&&Signature&algorithm&name:&SHA512withRSA
&&&&&Version:&1
Trust&this&certificate?&[no]:&&yes
Certificate&was&added&to&keystore
[Storing&client_truststore.jks]
查看客户端 truststore 以确认它现在包含了服务器证书:
|&rhowlett@SL-MBP-RHOWLETT.local:~/dev/robinhowlett/github/everything-ssl/src/main/resources/ssl&
|&=&&keytool&-list&-v&-keystore&client_truststore.jks&
Enter&keystore&password:&&
Keystore&type:&JKS
Keystore&provider:&SUN
Your&keystore&contains&1&entry
Alias&name:&server
Creation&date:&Jan&4,&2016
Entry&type:&trustedCertEntry
Owner:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&ST=Colorado,&C=US
Issuer:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Serial&number:&100001
Valid&from:&Tue&Oct&06&13:15:13&MDT&2015&until:&Wed&Oct&05&13:15:13&MDT&2016
Certificate&fingerprints:
&&&&&MD5:&&62:83:6B:84:1B:CB:DE:26:CA:E0:9D:E8:04:84:B6:C1
&&&&&SHA1:&AD:D4:27:FF:9A:68:77:25:95:C3:A2:BE:F6:22:AD:82:5C:2B:AF:EB
&&&&&SHA256:&8D:8D:EA:E5:7C:7A:E9:42:C9:9E:71:2A:76:C7:BE:BE:34:CC:4A:CC:83:ED:FE:C8:8E:C6:06:D2:D8:89:59:4A
&&&&&Signature&algorithm&name:&SHA512withRSA
&&&&&Version:&1
*******************************************
*******************************************
&翻译的不错哦!
此时此刻,我们必须通过本地测试的 HttpServer 实例来足够地证明单向 SSL。createLocalTestServer 方法使用一个(选项)sslContext(null仅仅意味着http)以及一个boolean
“forceSSLAuth”表明是否请求客户端证书来实例化一个嵌入式的 HttpServer 实例:
protected&HttpServer&createLocalTestServer(SSLContext&sslContext,&boolean&forceSSLAuth)&&&&&&&&throws&UnknownHostException&{&&&&final&HttpServer&server&=&ServerBootstrap.bootstrap()&&&&&&&&&&&&.setLocalAddress(Inet4Address.getByName("localhost"))&&&&&&&&&&&&.setSslContext(sslContext)&&&&&&&&&&&&.setSslSetupHandler(socket&-&&socket.setNeedClientAuth(forceSSLAuth))&&&&&&&&&&&&.registerHandler
getStore 方法从类路径加载 jks 文件,以及 getKeyManagers&与&getTrustManagers 方法,把那个存储转变成各自的用于初始化一个 SSLContext 的 Key-&o 或者&TrustManager 数组:
创建 SSLContext 以及像这样初始化:
/Create&an&SSLContext&for&the&server&using&the&server's
以下的单元测试显示了对本地测试 HttpServer 实例做了一个 HTTPS 请求,以及使用客户端 truststore 来验证服务器公开证书:
在&,以上的单元测试中,连同以下的(当 SSL 信号交换失败时,当绕过服务器证书验证时,以及难看的上下文等等时,你可以看到该行为有利。
execute_WithNoScheme_ThrowsClientProtocolExceptionInvalidHostname
httpRequest_Returns200OK
httpsRequest_WithNoSSLContext_ThrowsSSLExceptionPlaintextConnection
httpsRequest_With1WaySSLAndValidatingCertsButNoClientTrustStore_ThrowsSSLException
httpsRequest_With1WaySSLAndTrustingAllCertsButNoClientTrustStore_Returns200OK
httpsRequest_With1WaySSLAndValidatingCertsAndClientTrustStore_Returns200OK
&翻译的不错哦!
双向 SSL(客户端证书)
配置双向 SSL,我们必须更新服务器的&keystore,并且创建客户端的 keystore。
因为服务器的 jks 文件 keystore 与 truststore,两者都用作服务器,并把客户的公共证书导入到&keystore 服务器:
|&rhowlett@SL-MBP-RHOWLETT.local:~/dev/robinhowlett/github/everything-ssl/src/main/resources/ssl&
|&=&&keytool&-import&-v&-trustcacerts&-keystore&server_keystore.jks&-storepass&snaplogic&-file&/etc/apache2/ssl/client-cert.pem&-alias&client
Owner:&CN=client,&OU=SnapTeam,&O=SnapLogic,&ST=Colorado,&C=US
Issuer:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Serial&number:&100002
Valid&from:&Tue&Oct&06&13:15:41&MDT&2015&until:&Wed&Oct&05&13:15:41&MDT&2016
Certificate&fingerprints:
&&&&&MD5:&&F1:EF:60:64:48:DC:9B:C1:92:37:61:90:ED:48:01:1C
&&&&&SHA1:&C5:4B:1C:EF:85:C1:8C:5A:AA:74:54:49:F0:B5:97:F1:EC:34:49:6F
&&&&&SHA256:&B0:00:E4:C1:AE:03:92:95:9C:A2:BB:DB:13:3A:B6:38:BE:B4:BF:04:D0:72:41:6D:62:A6:93:D0:46:7E:3C:97
&&&&&Signature&algorithm&name:&SHA512withRSA
&&&&&Version:&1
Trust&this&certificate?&[no]:&&yes
Certificate&was&added&to&keystore
[Storing&server_keystore.jks]
由于客户端证书通过一个我们自己创建的 CA 来自签,并把根 C A证书导入到&keystore 服务器之中:
|&rhowlett@SL-MBP-RHOWLETT.local:~/dev/robinhowlett/github/everything-ssl/src/main/resources/ssl&
|&=&&keytool&-keystore&server_keystore.jks&-import&-file&/etc/apache2/ssl/cacert.pem&-alias&cacert
Enter&keystore&password:&&
Owner:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Issuer:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Serial&number:&e4e00ed
Valid&from:&Tue&Oct&06&13:14:51&MDT&2015&until:&Wed&Oct&05&13:14:51&MDT&2016
Certificate&fingerprints:
&&&&&MD5:&&F3:5E:28:E4:28:47:F2:EC:82:E2:BD:16:31:DC:90:02
&&&&&SHA1:&6F:0F:49:BA:A9:30:01:E9:4C:60:B3:A1:85:7D:BB:C6:79:1F:41:7B
&&&&&SHA256:&A7:9D:25:E4:A6:34:8A:A3:5B:9A:CD:F3:62:D0:D8:2F:6A:A0:71:6A:6D:19:F3:04:A1:FD:BC:FB:21:40:DE:A1
&&&&&Signature&algorithm&name:&SHA512withRSA
&&&&&Version:&3
Extensions:&
#1:&ObjectId:&2.5.29.35&Criticality=false
AuthorityKeyIdentifier&[
KeyIdentifier&[
&12&6E&8B&DD&7A&80&&&FB&F5&21&AB&75&D9&B8&49&&...n..z...!.u..I
B&61&1F&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&y[a.
[CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US]
SerialNumber:&[&&&&e4e00ed0&]
#2:&ObjectId:&2.5.29.19&Criticality=false
BasicConstraints:[
&&PathLen:
#3:&ObjectId:&2.5.29.14&Criticality=false
SubjectKeyIdentifier&[
KeyIdentifier&[
&12&6E&8B&DD&7A&80&&&FB&F5&21&AB&75&D9&B8&49&&...n..z...!.u..I
B&61&1F&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&y[a.
Trust&this&certificate?&[no]:&&yes
Certificate&was&added&to&keystore
& & 现在查看&keystore服务器,它将在keystore中列出诸如:客户端,CA,服务器的三个证书:
|&rhowlett@SL-MBP-RHOWLETT.local:~/dev/robinhowlett/github/everything-ssl/src/main/resources/ssl&
|&=&&keytool&-list&-v&-keystore&server_keystore.jks&
Enter&keystore&password:&&
Keystore&type:&JKS
Keystore&provider:&SUN
Your&keystore&contains&3&entries
Alias&name:&client
Creation&date:&Jan&4,&2016
Entry&type:&trustedCertEntry
Owner:&CN=client,&OU=SnapTeam,&O=SnapLogic,&ST=Colorado,&C=US
Issuer:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Serial&number:&100002
Valid&from:&Tue&Oct&06&13:15:41&MDT&2015&until:&Wed&Oct&05&13:15:41&MDT&2016
Certificate&fingerprints:
&&&&&MD5:&&F1:EF:60:64:48:DC:9B:C1:92:37:61:90:ED:48:01:1C
&&&&&SHA1:&C5:4B:1C:EF:85:C1:8C:5A:AA:74:54:49:F0:B5:97:F1:EC:34:49:6F
&&&&&SHA256:&B0:00:E4:C1:AE:03:92:95:9C:A2:BB:DB:13:3A:B6:38:BE:B4:BF:04:D0:72:41:6D:62:A6:93:D0:46:7E:3C:97
&&&&&Signature&algorithm&name:&SHA512withRSA
&&&&&Version:&1
*******************************************
*******************************************
Alias&name:&cacert
Creation&date:&Jan&4,&2016
Entry&type:&trustedCertEntry
Owner:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Issuer:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Serial&number:&e4e00ed
Valid&from:&Tue&Oct&06&13:14:51&MDT&2015&until:&Wed&Oct&05&13:14:51&MDT&2016
Certificate&fingerprints:
&&&&&MD5:&&F3:5E:28:E4:28:47:F2:EC:82:E2:BD:16:31:DC:90:02
&&&&&SHA1:&6F:0F:49:BA:A9:30:01:E9:4C:60:B3:A1:85:7D:BB:C6:79:1F:41:7B
&&&&&SHA256:&A7:9D:25:E4:A6:34:8A:A3:5B:9A:CD:F3:62:D0:D8:2F:6A:A0:71:6A:6D:19:F3:04:A1:FD:BC:FB:21:40:DE:A1
&&&&&Signature&algorithm&name:&SHA512withRSA
&&&&&Version:&3
Extensions:&
#1:&ObjectId:&2.5.29.35&Criticality=false
AuthorityKeyIdentifier&[
KeyIdentifier&[
&12&6E&8B&DD&7A&80&&&FB&F5&21&AB&75&D9&B8&49&&...n..z...!.u..I
B&61&1F&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&y[a.
[CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US]
SerialNumber:&[&&&&e4e00ed0&]
#2:&ObjectId:&2.5.29.19&Criticality=false
BasicConstraints:[
&&PathLen:
#3:&ObjectId:&2.5.29.14&Criticality=false
SubjectKeyIdentifier&[
KeyIdentifier&[
&12&6E&8B&DD&7A&80&&&FB&F5&21&AB&75&D9&B8&49&&...n..z...!.u..I
B&61&1F&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&y[a.
*******************************************
*******************************************
Alias&name:&server
Creation&date:&Jan&4,&2016
Entry&type:&PrivateKeyEntry
Certificate&chain&length:&2
Certificate[1]:
Owner:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&ST=Colorado,&C=US
Issuer:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Serial&number:&100001
Valid&from:&Tue&Oct&06&13:15:13&MDT&2015&until:&Wed&Oct&05&13:15:13&MDT&2016
Certificate&fingerprints:
&&&&&MD5:&&62:83:6B:84:1B:CB:DE:26:CA:E0:9D:E8:04:84:B6:C1
&&&&&SHA1:&AD:D4:27:FF:9A:68:77:25:95:C3:A2:BE:F6:22:AD:82:5C:2B:AF:EB
&&&&&SHA256:&8D:8D:EA:E5:7C:7A:E9:42:C9:9E:71:2A:76:C7:BE:BE:34:CC:4A:CC:83:ED:FE:C8:8E:C6:06:D2:D8:89:59:4A
&&&&&Signature&algorithm&name:&SHA512withRSA
&&&&&Version:&1
Certificate[2]:
Owner:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Issuer:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Serial&number:&e4e00ed
Valid&from:&Tue&Oct&06&13:14:51&MDT&2015&until:&Wed&Oct&05&13:14:51&MDT&2016
Certificate&fingerprints:
&&&&&MD5:&&F3:5E:28:E4:28:47:F2:EC:82:E2:BD:16:31:DC:90:02
&&&&&SHA1:&6F:0F:49:BA:A9:30:01:E9:4C:60:B3:A1:85:7D:BB:C6:79:1F:41:7B
&&&&&SHA256:&A7:9D:25:E4:A6:34:8A:A3:5B:9A:CD:F3:62:D0:D8:2F:6A:A0:71:6A:6D:19:F3:04:A1:FD:BC:FB:21:40:DE:A1
&&&&&Signature&algorithm&name:&SHA512withRSA
&&&&&Version:&3
Extensions:&
#1:&ObjectId:&2.5.29.35&Criticality=false
AuthorityKeyIdentifier&[
KeyIdentifier&[
&12&6E&8B&DD&7A&80&&&FB&F5&21&AB&75&D9&B8&49&&...n..z...!.u..I
B&61&1F&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&y[a.
[CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US]
SerialNumber:&[&&&&e4e00ed0&]
#2:&ObjectId:&2.5.29.19&Criticality=false
BasicConstraints:[
&&PathLen:
#3:&ObjectId:&2.5.29.14&Criticality=false
SubjectKeyIdentifier&[
KeyIdentifier&[
&12&6E&8B&DD&7A&80&&&FB&F5&21&AB&75&D9&B8&49&&...n..z...!.u..I
B&61&1F&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&y[a.
*******************************************
*******************************************
最后,客户端 keystore 可以存储提交 SSL 服务器认证的客户端证书。该证书从客户端的 PKCS12 文件导入(以上创建的):
|&rhowlett@SL-MBP-RHOWLETT.local:~/dev/robinhowlett/github/everything-ssl/src/main/resources/ssl&
|&=&&keytool&-importkeystore&-srckeystore&/etc/apache2/ssl/client-cert.p12&-srcstoretype&pkcs12&-destkeystore&client_keystore.jks&-deststoretype&jks&-deststorepass&snaplogic
Enter&source&keystore&password:&&
Entry&for&alias&client&successfully&imported.
Import&command&completed:&&1&entries&successfully&imported,&0&entries&failed&or&cancelled
查看创建的 client_keystore.jks 文件,它将显示在 keystore 之中的 client 条目:
|&rhowlett@SL-MBP-RHOWLETT.local:~/dev/robinhowlett/github/everything-ssl/src/main/resources/ssl&
|&=&&keytool&-list&-v&-keystore&client_keystore.jks&
Enter&keystore&password:&&
Keystore&type:&JKS
Keystore&provider:&SUN
Your&keystore&contains&1&entry
Alias&name:&client
Creation&date:&Jan&4,&2016
Entry&type:&PrivateKeyEntry
Certificate&chain&length:&2
Certificate[1]:
Owner:&CN=client,&OU=SnapTeam,&O=SnapLogic,&ST=Colorado,&C=US
Issuer:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Serial&number:&100002
Valid&from:&Tue&Oct&06&13:15:41&MDT&2015&until:&Wed&Oct&05&13:15:41&MDT&2016
Certificate&fingerprints:
&&&&&MD5:&&F1:EF:60:64:48:DC:9B:C1:92:37:61:90:ED:48:01:1C
&&&&&SHA1:&C5:4B:1C:EF:85:C1:8C:5A:AA:74:54:49:F0:B5:97:F1:EC:34:49:6F
&&&&&SHA256:&B0:00:E4:C1:AE:03:92:95:9C:A2:BB:DB:13:3A:B6:38:BE:B4:BF:04:D0:72:41:6D:62:A6:93:D0:46:7E:3C:97
&&&&&Signature&algorithm&name:&SHA512withRSA
&&&&&Version:&1
Certificate[2]:
Owner:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Issuer:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Serial&number:&e4e00ed
Valid&from:&Tue&Oct&06&13:14:51&MDT&2015&until:&Wed&Oct&05&13:14:51&MDT&2016
Certificate&fingerprints:
&&&&&MD5:&&F3:5E:28:E4:28:47:F2:EC:82:E2:BD:16:31:DC:90:02
&&&&&SHA1:&6F:0F:49:BA:A9:30:01:E9:4C:60:B3:A1:85:7D:BB:C6:79:1F:41:7B
&&&&&SHA256:&A7:9D:25:E4:A6:34:8A:A3:5B:9A:CD:F3:62:D0:D8:2F:6A:A0:71:6A:6D:19:F3:04:A1:FD:BC:FB:21:40:DE:A1
&&&&&Signature&algorithm&name:&SHA512withRSA
&&&&&Version:&3
Extensions:&
#1:&ObjectId:&2.5.29.35&Criticality=false
AuthorityKeyIdentifier&[
KeyIdentifier&[
&12&6E&8B&DD&7A&80&&&FB&F5&21&AB&75&D9&B8&49&&...n..z...!.u..I
B&61&1F&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&y[a.
[CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US]
SerialNumber:&[&&&&e4e00ed0&]
#2:&ObjectId:&2.5.29.19&Criticality=false
BasicConstraints:[
&&PathLen:
#3:&ObjectId:&2.5.29.14&Criticality=false
SubjectKeyIdentifier&[
KeyIdentifier&[
&12&6E&8B&DD&7A&80&&&FB&F5&21&AB&75&D9&B8&49&&...n..z...!.u..I
B&61&1F&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&y[a.
*******************************************
*******************************************
现在,HttpServer 实例可以通过 forceSSLAuth 参数设置到 true 来创建(参阅TWO_WAY_SSL&boolean)将请求客户端证书。现在,该客户端 SSLContext 有两个客户端&truststore 与 keystore&加载:
private&static&final&bool
再次说明,在之中, 包括以上的单元测试。
连同以下的:
& & & & httpsRequest_With2WaySSLAndUnknownClientCert_ThrowsSSLExceptionBadCertificate
& & & & & & httpsRequest_With2WaySSLButNoClientKeyStore_ThrowsSSLExceptionBadCertificate
&翻译的不错哦!
使用&Spring Boot,嵌入式&Tomcat ,“以及 Rest 模板 &“以一个固执己见的观点来构建生产就绪的 Spring (Java) 应用程序”,从而来进行双向 SSL 认证。Spring Boot 的&和& 能使它轻而易举的启动。
Spring Boot 文档--。不过出于测试目的,我想要两者都支持 HTTP 和 HTTPS,所以一个很明确的 SSL 连接器是用来创建所需的嵌入式 tomcat 容器:
Config.java
然而该 application.properties 文件定义了所需的 SSL 属性:
ssl.port=8443
ssl.scheme=https
ssl.secure=true
ssl.client-auth=true
ssl.enabled=true
ssl.key-password=snaplogic
ssl.store=ssl/server_keystore.jks
ssl.store-password=snaplogic
ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA
该 ssl.client-auth=true 属性强制双向 SSL。
我们重新使用先前创建的 JKS 文件(上图)
一个简单的 REST 界面定义返回&JSON 表示问候的实例:
GreetingController.java
/*&*&Just&says&hello&/@RestControllerpublic&class&Greetin
Spring Security 自动配置将在 REST 默认端点启动基本身份验证,因此,让我们关掉它吧:
HttpSecurityConfig.java
/*&*&Disable&default-enabled&basic&auth&/@EnableWebSecuritypublic&class&HttpSecurityCo
使用&Spring的TestRest 模板进行集成测试
确实,Spring Boot 很伟大--使用运行在嵌入式 tomcat 容器之上的应用程序,它可以很容易地编写集成测试,演示双向 SSL 身份认证。
首先,我创建一个 integration-test.properties 文件,设置&HTTPS 端口,是为了不同于主应用程序(http 端口通过自身测试的注释来设置成一个随机开发端口)。该文件的唯一内容是 ssl.port 属性。所有的其他属性将来自于 application.properties 文件
以上详细的:
ssl.port=54321
该集成测试类有使用 SpringJUnit4ClassRunner来指示其运行的注释,在 EverythingSSLApplication 类的基础包上,扫描 @Configuration 类,使用 @WebIntegrationTest 注释来选择一个随机应用 http 端口(其本身就是@IntegrationTest&与&@WebAppConfiguration 注释的组合),最后,该 integration-test.properties 文件被定义为 @TestPropertySource。
ITEverythingSSL.java
/*&*&Integration&test&that&uses&the&embedded&Tomcat&instance&configured&by&this&Spring&Boot&app&/@RunWith(SpringJUnit4ClassRunner.class)@SpringApplicationConfiguration(classes&=&EverythingSSLApplication.class)@WebIntegrationTest(randomPort&=&true)@TestPropertySource(locations&=&"classpath:integration-test.properties")public&class&ITEverythingSSL&{&&&&public&static&final&String&CLIENT_TRUSTSTORE&=&"ssl/client_truststore.jks";&&&&public&static&final&String&CLIENT_KEYSTORE&=&"ssl/client_keystore.jks";&&&&@Rule&&&&public&ExpectedException&thrown&=&ExpectedException.none();&&&&@Value("${local.server.port}")&&&&private&int&port&=&0;&&&&@Value("${ssl.port}")&&&&private&int&sslPort&=&0;&&&&@Value("${ssl.store-password}")&&&&private&String&storePassw
首要的测试确认普通的http被支持:
@Testpublic&void&rest_OverPlainHttp_GetsExpectedResponse()&throws&Exception&{&&&&Greeting&expected&=&new&Greeting("Hello,&Robin!");&&&&RestTemplate&template&=&new&TestRestTemplate();&&&&ResponseEntity&Greeting&&responseEntity&=&&&&&&&&&&&&template.getForEntity("http://localhost:&&+&port&+&"/greeting?name={name}",&&&&&&&&&&&&&&&&&&&&Greeting.class,&"Robin");&&&&assertT
就是”&用于集成测试Spring的&RestTemplate的一个子类“
getRestTemplateForHTTPS方法使用一个支持客户端的keystore 与truststore的SSLContext设置来创建TestRestTemplate实例:
private&RestTemplate&getRestTemplateForHTTPS(SSLContext&sslContex
演示双向SSL的测试相当简单:
以下的集成测试也被包括在项目中:
@Testpublic&void&rest_WithTwoWaySSL_AuthenticatesAndGetsExpectedResponse()&throws&Exception&{&&&&Greeting&expected&=&new&Greeting("Hello,&Robin!");&&&&SSLContext&sslContext&=&SSLContexts.custom()&&&&&&&&&&&&.loadKeyMaterial(&&&&&&&&&&&&&&&&&&&&getStore(CLIENT_KEYSTORE,&storePassword.toCharArray()),&&&&&&&&&&&&&&&&&&&&storePassword.toCharArray())&&&&&&&&&&&&.loadTrustMaterial(&&&&&&&&&&&&&&&&&&&&getStore(CLIENT_TRUSTSTORE,&storePassword.toCharArray()),&&&&&&&&&&&&&&&&&&&&new&TrustSelfSignedStrategy())&&&&&&&&&&&&.useProtocol("TLS").build();&&&&RestTemplate&template&=&getRestTemplateForHTTPS(sslContext);&&&&ResponseEntity&Greeting&&responseEntity&=&&&&&&&&&&&&template.getForEntity("https://localhost:&&+&sslPort&+&"/greeting?name={name}",&&&&&&&&&&&&&&&&&&&&Greeting.class,
rest_WithMissingClientCert_ThrowsSSLHandshakeExceptionBadCertificate
& & & & & & rest_WithUntrustedServerCert_ThrowsSSLHandshakeExceptionUnableFindValidCertPath
Spring Boot 应用程序指南应在
使用 SnapLogic 的 REST Snap 进行双向 SSL 认证
很自然地,SnapLogic 的 REST Snap 能够使这一切都变得很简单。
&翻译的不错哦!}
This page uses frames, but your browser doesn't support them.回龙观文化讨论区_回龙观社区网
This page uses frames, but your browser doesn't support them.你想要了解但是却羞于发问的有关SSL的一切 - 技术翻译 - 开源中国社区
当前访客身份:游客 [
已有文章 2424 篇
当前位置:
你想要了解但是却羞于发问的有关SSL的一切
英文原文:
0人收藏此文章,
推荐于 11个月前 (共 12 段, 翻译完成于 01-14) ()
参与翻译(5人):
你想要了解但是却羞于发问的有关SSL的一切
或者更准确的说,“我所知的关于的SSL的实事”。本文()将告诉你在一些通用服务(web服务器、浏览器认证、单元和集成测试)的使用场景中,如何使用SSL证书来保证通过HTTPS与远端的连接的安全性。其间介绍了如何配置Apache HTTP服务器的双向SSL,使用Apache’sHttpClient和HttpServer进行单元测试时的SSL认证(java),以及使用运行在嵌入的Tomcat容器里的Spring Boot应用来进行REST API集成测试。
客户端向服务器认证自己有很多种方式,包括basic认证,基于form的认证和OAuth。
为了防止用户认证信息在网络上泄露,客户端与服务端的通信需要建立在HTTPS上,通过验证服务端的SSL证书来确定其身份。服务端并不需要关心客户端是谁,只需要它们有正确的身份。
通过同时在服务端和客户端启用SSL证书来获得更高的安全级别。
&翻译的不错哦!
双向 SSL 认证(也被称为“相互认证”,或“使用客户端证书的 TLS/SSL”)是指双方通过校验彼此提供的数字证书来进行认证,以便双方都可以确认对方的身份。
& & & & 术语
TLS 与 SSL
TLS 的前身是 SSL。其是一个用于在应用程序之间进行通信时保障隐私的协议。除非另有说明,本文中认为 TLS 与 SSL 是等价的。
证书(cert)
包含了提供者信息等一些额外元数据的公钥/私钥对的公钥部分。它可以被自由的提供给任何人。
一个私钥可以验证与其对应的用来对数据进行加密的证书和公钥。其决不公开提供。
证书颁发机构(CA)
一个颁发数字证书的公司。对于 SSL/TLS 证书,也有少数供应商(例如 Symantec/Versign/Thawte、Comodo、GoDaddy)的证书囊括了大多数浏览器和操作系统。它们的目的是成为一个“可信的第三方”。
证书签名请求(CSR)
用私钥生成的一个文件。一个 CSR 可以向一个 CA 发送签名请求。CA 则使用其私钥对 CSR 进行数字签名,并创建一个已签名的证书。然后浏览器可以使用 CA 提供的证书来验证新的证书是否已被 CA 批准。
用于描述证书的格式和用法的一个规范。
&翻译的不错哦!
SSL实际上就是在一个web服务器与浏览器之间建立加密链接的标准安全技术。一般来说,一个浏览器(客户端)建立一个SSL连接到一个安全的web站点,它只检查该服务器证书。该浏览器一方面依靠其本身,或者提供已经被指定为根证书的列表证书以及受信任的CAs的操作系统。
单向SSL认证(服务器-&客户端)
客户端与服务器使用9个握手消息,以及通过优先建立加密通道来进行消息交换。
& 1.客户端发送ClientHello消息来提议SSL选项。
& 2.服务器通过响应ServerHello消息来选择SSL选项。
& 3.服务器发送Certificate消息,其中包括该服务器证书。
& 4.客户端通过ServerHelloDone消息,来判断其部分谈判.
& 5.客户端在其ClientKeyExchange消息之中发送会话密匙信息(加密服务器公匙)
& 6.客户端通过发送ChangeCipherSpec消息来激活所有发送的未来消息的谈判选项。
& 7。客户端通过发送Finished消息,让服务器检查新激活的选项。
& 8.客户端通过发送ChangeCipherSpec消息来激活所有发送未来消息的谈判选项。
& 9.服务器发送Finished消息,让客户端检查新激活的选项。
双向SSL认证(服务器&-&客户端)
&客户端与服务器使用12个握手消息,以及优先建立加密通道来进行消息交换:
& 1.客户端发送ClientHello消息来提议SSL选项。
& 2.服务器通过响应ServerHello消息来选择SSL选项。
& 3.服务器发送Certificate消息,其中包括该服务器证书。
& 4.客户端通过ServerHelloDone消息,来判断其部分谈判.
& 5.客户端在其ClientKeyExchange消息之中发送会话密匙信息(加密服务器公匙)
& 6.客户端通过发送ChangeCipherSpec消息来激活所有发送的未来消息的谈判选项。
& 7。客户端通过发送Finished消息,让服务器检查新激活的选项。
& 8.客户端通过发送ChangeCipherSpec消息来激活所有发送未来消息的谈判选项。
& 9.服务器发送Finished消息,让客户端检查新激活的选项。
&翻译的不错哦!
文件格式证书与密匙
私人安全增强性邮件(PEM)
PEM 就是使用 Base64 编码的区分编码规则(DER)。通常用于密匙与认证。
PKCS12 就是一个能含有多个证书与密匙的密码保护格式。
Java KeyStore (JKS)
PKCS12 的 Java 版本以及密码保护。一个 JKS 文件的条目必须有一个“alias” ,即独一无二。如果一个 alias 不是特定的,“mykey” 默认会被使用。它就像一个密匙与证书数据库。
一个实现&SSL (v2/v3) 与 TLS (v1)协议的开源工具包,以及一个通用地完全版加密库。
管理一个加密鈅匙,&X.509 证书链,以及受信任证书的 Java KeyStore。附带 JDK 的 ships
使用Apache创建本地SSL服务器
配置 Apache
切换到 root:
在终端,启动 Apache:
apachectl&start
在 web 浏览器中,访问&。你应该看到它运行的工作状态。
为 http 配置 Apache:设置一个 80 端口的虚拟主机
在终端,编辑 Apache 配置:
vi&/etc/apache2/httpd.conf
通过取消第 143 行,启用 SSL:
LoadModule&ssl_module&libexec/apache2/mod_ssl.so
在你的编辑器里,通过替换第 212 行来压制服务器被完全地限定域名的消息:
ServerName&localhost
下一步,取消批注 160 行与499 行,支持虚拟主机。
LoadModule&vhost_alias_module&libexec/apache2/mod_vhost_alias.soInclude&/private/etc/apache2/extra/httpd-vhosts.conf
取消批注第 518 行,包括&httpd-ssl.conf(监听 443 端口)
Include&/private/etc/apache2/extra/httpd-ssl.conf
在终端,重启 Apache:
apachectl&restart
&翻译的不错哦!
配置Apache: 建立一个站点
在终端, 建立Sites文件夹, 它将是很多独立Site子文件夹的父文件夹:
mkdir&~/Sites
接下来建立一个在Sites文件夹下建立localhost子文件夹,它将是我们的第一个站点:
mkdir&~/Sites/localhost
最后,在localhost内建立HTML文档:
echo&“&h1&localhost&works&/h1&”&&&~/Sites/localhost/index.html
现在,在浏览器访问,你会看到一个消息,代表localhost已经起作用。
提示: 下面的密码我都用dsnaplogic
从这个链接修改而来:&
在终端内,建立SSL文件夹:
mkdir&/etc/apache2/sslcd&/etc/apache2/sslmkdir&certs&private
建立CA证书
建立一个数据库来跟踪所有签了名的证书:
echo&‘100001’&&&serialtouch&certindex.txt
定义一个openssl的config文件:
#&OpenSSL&configuration&file.
#&Establish&working&directory.
default_ca&=&CA_default
[&CA_default&]
serial&=&$dir/serial
database&=&$dir/certindex.txt
new_certs_dir&=&$dir/certs
certificate&=&$dir/cacert.pem
private_key&=&$dir/private/cakey.pem
default_days&=&365
default_md&=&sha512
preserve&=&no
email_in_dn&=&no
nameopt&=&default_ca
certopt&=&default_ca
policy&=&policy_match
[&policy_match&]
countryName&=&match
stateOrProvinceName&=&match
organizationName&=&match
organizationalUnitName&=&optional
commonName&=&supplied
emailAddress&=&optional
default_bits&=&2048&#&Size&of&keys
default_keyfile&=&key.pem&#&name&of&generated&keys
default_md&=&sha512&#&message&digest&algorithm
string_mask&=&nombstr&#&permitted&characters
distinguished_name&=&req_distinguished_name
req_extensions&=&v3_req
[&req_distinguished_name&]
countryName&=&Country&Name&(2&letter&code)
countryName_default&=&US
countryName_min&=&2
countryName_max&=&2
stateOrProvinceName&=&State&or&Province&Name&(full&name)
stateOrProvinceName_default&=&Colorado
localityName&=&Locality&Name&(eg,&city)
localityName_default&=&Boulder
0.organizationName&=&Organization&Name&(eg,&company)
0.organizationName_default&=&SnapLogic
#&we&can&do&this&but&it&is¬&needed&normally&:-)
#1.organizationName&=&Second&Organization&Name&(eg,&company)
#1.organizationName_default&=&World&Wide&Web&Pty&Ltd
organizationalUnitName&=&Organizational&Unit&Name&(eg,§ion)
organizationalUnitName_default&=&SnapTeam
commonName&=&Common&Name&(eg,&YOUR&name)
commonName_max&=&64
commonName_default&=&localhost&
emailAddress&=&Email&Address
emailAddress_max&=&64
#&SET-ex3&=&SET&extension&number&3
[&req_attributes&]
challengePassword&=&A&challenge&password
challengePassword_min&=&4
challengePassword_max&=&20
unstructuredName&=&An&optional&company&name
[&req_distinguished_name&]
countryName&=&Country&Name&(2&letter&code)
countryName_default&=&US&
countryName_min&=&2
countryName_max&=&2
stateOrProvinceName&=&State&or&Province&Name&(full&name)
stateOrProvinceName_default&=&Colorado
localityName&=&Locality&Name&(eg,&city)
0.organizationName&=&Organization&Name&(eg,&company)
0.organizationName_default&=&SnapLogic
#&we&can&do&this&but&it&is¬&needed&normally&:-)
#1.organizationName&=&Second&Organization&Name&(eg,&company)
#1.organizationName_default&=&World&Wide&Web&Pty&Ltd
organizationalUnitName&=&Organizational&Unit&Name&(eg,§ion)
organizationalUnitName_default&=&SnapTeam
commonName&=&Common&Name&(eg,&YOUR&name)
commonName_max&=&64
commonName_default&=&localhost
emailAddress&=&Email&Address
emailAddress_max&=&64
#&SET-ex3&=&SET&extension&number&3
[&req_attributes&]
challengePassword&=&A&challenge&password
challengePassword_min&=&4
challengePassword_max&=&20
unstructuredName&=&An&optional&company&name
basicConstraints&=&CA:TRUE
subjectKeyIdentifier&=&hash
authorityKeyIdentifier&=&keyid:always,issuer:always
[&v3_req&]
basicConstraints&=&CA:FALSE
subjectKeyIdentifier&=&hash注意,我还将default_md设置为sha512,这样,现在的浏览器就不会报。
&翻译的不错哦!
通过建立Root证书方式建立CA证书,这同时也会建立CA的私钥&(private/cakey.pem) 和公钥 (cacert.pem)。使用默认的localhost作为Common Name:
|&root@SL-MBP-RHOWLETT.local:/private/etc/apache2/ssl&
|&=&&openssl&req&-new&-x509&-extensions&v3_ca&-keyout&private/cakey.pem&-out&cacert.pem&-days&365&-config&./f
Generating&a&2048&bit&RSA&private&key
................................+++
.............................+++
writing&new&private&key&to&'private/cakey.pem'
Enter&PEM&pass&phrase:
Verifying&-&Enter&PEM&pass&phrase:
phrase&is&too&short,&needs&to&be&at&least&4&chars
Enter&PEM&pass&phrase:
Verifying&-&Enter&PEM&pass&phrase:
You&are&about&to&be&asked&to&enter&information&that&will&be&incorporated
into&your&certificate&request.
What&you&are&about&to&enter&is&what&is&called&a&Distinguished&Name&or&a&DN.
There&are&quite&a&few&fields&but&you&can&leave&some&blank
For&some&fields&there&will&be&a&default&value,
If&you&enter&'.',&the&field&will&be&left&blank.
Country&Name&(2&letter&code)&[US]:
State&or&Province&Name&(full&name)&[Colorado]:
Locality&Name&(eg,&city)&[Milan]:Boulder
Organization&Name&(eg,&company)&[Organization&default]:SnapLogic
Organizational&Unit&Name&(eg,§ion)&[SnapLogic]:SnapTeam&
Common&Name&(eg,&YOUR&name)&[localhost]:
Email&Address&[]:
建立服务器证书
为服务器建立密钥和签名请求,这将会为服务器建立CSR文件 (server-req.pem) 以及服务器的私钥 (private/server-key.pem)。同样使用默认的localhost作为Common Name:
|&root@SL-MBP-RHOWLETT.local:/etc/apache2/ssl&
|&=&&openssl&req&-new&-nodes&-out&server-req.pem&-keyout&private/server-key.pem&-days&365&-config&f&
Generating&a&2048&bit&RSA&private&key
..................................+++
writing&new&private&key&to&'private/server-key.pem'
You&are&about&to&be&asked&to&enter&information&that&will&be&incorporated
into&your&certificate&request.
What&you&are&about&to&enter&is&what&is&called&a&Distinguished&Name&or&a&DN.
There&are&quite&a&few&fields&but&you&can&leave&some&blank
For&some&fields&there&will&be&a&default&value,
If&you&enter&'.',&the&field&will&be&left&blank.
Country&Name&(2&letter&code)&[US]:
State&or&Province&Name&(full&name)&[Colorado]:
Locality&Name&(eg,&city)&[Boulder]:
Organization&Name&(eg,&company)&[SnapLogic]:
Organizational&Unit&Name&(eg,§ion)&[SnapTeam]:
Common&Name&(eg,&YOUR&name)&[localhost]:
Email&Address&[]:
获得了CA签名和服务器的CSR之后,下面会生成服务器的共有证书&(server-cert.pem):
|&root@SL-MBP-RHOWLETT.local:/etc/apache2/ssl&
|&=&&openssl&ca&-out&server-cert.pem&-days&365&-config&f&-infiles&server-req.pem&
Using&configuration&from&f
Enter&pass&phrase&for&./private/cakey.pem:
Check&that&the&request&matches&the&signature
Signature&ok
The&Subject's&Distinguished&Name&is&as&follows
countryName&&&&&&&&&&&:PRINTABLE:'US'
stateOrProvinceName&&&:PRINTABLE:'Colorado'
localityName&&&&&&&&&&:PRINTABLE:'Boulder'
organizationName&&&&&&:PRINTABLE:'SnapLogic'
organizationalUnitName:PRINTABLE:'SnapTeam'
commonName&&&&&&&&&&&&:PRINTABLE:'localhost'
Certificate&is&to&be&certified&until&Oct&&4&16:30:23&2016&GMT&(365&days)
Sign&the&certificate?&[y/n]:y
1&out&of&1&certificate&requests&certified,&commit?&[y/n]y
Write&out&database&with&1&new&entries
Data&Base&Updated
生成客户端证书
每个客户端都会生成一个密钥和签名请求,我们在这里只做一次。你必须使用与服务器不同的Common Name,这里我用client。 下面会生成客户端的CSR (client-req.pem) 和其私钥 (private/client-key.pem):
|&root@SL-MBP-RHOWLETT.local:/etc/apache2/ssl&
|&=&&openssl&req&-new&-nodes&-out&client-req.pem&-keyout&private/client-key.pem&-days&365&-config&f&
Generating&a&2048&bit&RSA&private&key
....................................................+++
...........+++
writing&new&private&key&to&'private/client-key.pem'
You&are&about&to&be&asked&to&enter&information&that&will&be&incorporated
into&your&certificate&request.
What&you&are&about&to&enter&is&what&is&called&a&Distinguished&Name&or&a&DN.
There&are&quite&a&few&fields&but&you&can&leave&some&blank
For&some&fields&there&will&be&a&default&value,
If&you&enter&'.',&the&field&will&be&left&blank.
Country&Name&(2&letter&code)&[US]:
State&or&Province&Name&(full&name)&[Colorado]:
Locality&Name&(eg,&city)&[Boulder]:
Organization&Name&(eg,&company)&[SnapLogic]:
Organizational&Unit&Name&(eg,§ion)&[SnapTeam]:
Common&Name&(eg,&YOUR&name)&[localhost]:client
Email&Address&[]:
有了CA签名和客户端的CSR,下面会生成客户端的公有证书&(client-cert.pem):
|&root@SL-MBP-RHOWLETT.local:/etc/apache2/ssl&
|&=&&openssl&ca&-out&client-cert.pem&-days&365&-config&f&-infiles&client-req.pem&
Using&configuration&from&f
Enter&pass&phrase&for&./private/cakey.pem:
Check&that&the&request&matches&the&signature
Signature&ok
The&Subject's&Distinguished&Name&is&as&follows
countryName&&&&&&&&&&&:PRINTABLE:'US'
stateOrProvinceName&&&:PRINTABLE:'Colorado'
localityName&&&&&&&&&&:PRINTABLE:'Boulder'
organizationName&&&&&&:PRINTABLE:'SnapLogic'
organizationalUnitName:PRINTABLE:'SnapTeam'
commonName&&&&&&&&&&&&:PRINTABLE:'client'
Certificate&is&to&be&certified&until&Oct&&4&16:40:01&2016&GMT&(365&days)
Sign&the&certificate?&[y/n]:y
1&out&of&1&certificate&requests&certified,&commit?&[y/n]y
Write&out&database&with&1&new&entries
Data&Base&Updated
最后生成包含客户端私钥、共有证书和CA证书的的PKCS12文件。下面会生成&(以Mac为例) PKCS12文件 (client-cert.p12):
|&root@SL-MBP-RHOWLETT.local:/etc/apache2/ssl&
|&=&&openssl&pkcs12&-export&-in&client-cert.pem&-inkey&private/client-key.pem&-certfile&cacert.pem&-name&"Client"&-out&client-cert.p12&
Enter&Export&Password:
Verifying&-&Enter&Export&Password:
配置Apache的HTTPS和单向SSL验证
vi&/etc/apache2/extra/httpd-vhosts.conf
添加一个443端口的Virtual Host并且开启SSL:
&VirtualHost&*:80&
&&&&ServerName&localhost
&&&&DocumentRoot&"/Users/rhowlett/Sites/localhost"
&&&&&Directory&"/Users/rhowlett/Sites/localhost"&
&&&&&&&&Options&Indexes&FollowSymLinks
&&&&&&&&AllowOverride&All
&&&&&&&&Order&allow,deny
&&&&&&&&Allow&from&all
&&&&&&&&Require&all&granted
&&&&&/Directory&
&/VirtualHost&
&VirtualHost&*:443&
&&&&ServerName&localhost
&&&&DocumentRoot&"/Users/rhowlett/Sites/localhost"
&&&&SSLCipherSuite&HIGH:MEDIUM:!aNULL:!MD5
&&&&SSLEngine&on
&&&&SSLCertificateFile&/etc/apache2/ssl/server-cert.pem
&&&&SSLCertificateKeyFile&/etc/apache2/ssl/private/server-key.pem
&&&&&Directory&"/Users/rhowlett/Sites/localhost"&
&&&&&&&&Options&Indexes&FollowSymLinks
&&&&&&&&AllowOverride&All
&&&&&&&&Order&allow,deny
&&&&&&&&Allow&from&all
&&&&&&&&Require&all&granted
&&&&&/Directory&
&/VirtualHost&
重启Apache:
apachectl&restart
&(在Mac下) 安装CA证书到Keychain Access
&翻译的不错哦!
在&Finder 中打开 /etc/apache2/ssl
开发 CA 证书(cacert.pem)通过双击它来安装 Keychain Access:
标记为可信任的:在你的浏览器中打开& 地址,你就可以看到一个成功的安全连接:
为双向 SSL 认证配置 Apache
vi&/etc/apache2/extra/httpd-vhosts.conf
增加 SSLVerifyClient,&SSLCertificateFile,以及 SSLCACertificateFile 选项:
&VirtualHost&*:80&
&&&&ServerName&localhost
&&&&DocumentRoot&"/Users/rhowlett/Sites/localhost"
&&&&&Directory&"/Users/rhowlett/Sites/localhost"&
&&&&&&&&Options&Indexes&FollowSymLinks
&&&&&&&&AllowOverride&All
&&&&&&&&Order&allow,deny
&&&&&&&&Allow&from&all
&&&&&&&&Require&all&granted
&&&&&/Directory&
&/VirtualHost&
&VirtualHost&*:443&
&&&&ServerName&localhost
&&&&DocumentRoot&"/Users/rhowlett/Sites/localhost"
&&&&SSLCipherSuite&HIGH:MEDIUM:!aNULL:!MD5
&&&&SSLEngine&on
&&&&SSLCertificateFile&/etc/apache2/ssl/server-cert.pem
&&&&SSLCertificateKeyFile&/etc/apache2/ssl/private/server-key.pem
&&&&SSLVerifyClient&require
&&&&SSLVerifyDepth&10
&&&&SSLCACertificateFile&/etc/apache2/ssl/cacert.pem
&&&&&Directory&"/Users/rhowlett/Sites/localhost"&
&&&&&&&&Options&Indexes&FollowSymLinks
&&&&&&&&AllowOverride&All
&&&&&&&&Order&allow,deny
&&&&&&&&Allow&from&all
&&&&&&&&Require&all&granted
&&&&&/Directory&
&/VirtualHost&
重启 Apache:
apachectl&restart
现在,OpenSSL 能确认双向 SSL 信号交换能成功地完成:
|&rhowlett@SL-MBP-RHOWLETT.local:~/Downloads&
|&=&&openssl&s_client&-connect&localhost:443&-tls1&-cert&/etc/apache2/ssl/client-cert.pem&-key&/etc/apache2/ssl/private/client-key.pem
CONNECTED()
depth=1&/C=US/ST=Colorado/L=Boulder/O=SnapLogic/OU=SnapTeam/CN=localhost
verify&error:num=19:self&signed&certificate&in&certificate&chain
verify&return:0
Certificate&chain
&0&s:/C=US/ST=Colorado/O=SnapLogic/OU=SnapTeam/CN=localhost
&&&i:/C=US/ST=Colorado/L=Boulder/O=SnapLogic/OU=SnapTeam/CN=localhost
&1&s:/C=US/ST=Colorado/L=Boulder/O=SnapLogic/OU=SnapTeam/CN=localhost
&&&i:/C=US/ST=Colorado/L=Boulder/O=SnapLogic/OU=SnapTeam/CN=localhost
Server&certificate
-----BEGIN&CERTIFICATE-----
MIIDPjCCAiYCAxAAATANBgkqhkiG9w0BAQ0FADBtMQswCQYDVQQGEwJVUzERMA8G
A1UECBMIQ29sb3JhZG8xEDAOBgNVBAcTB0JvdWxkZXIxEjAQBgNVBAoTCVNuYXBM
b2dpYzERMA8GA1UECxMIU25hcFRlYW0xEjAQBgNVBAMTCWxvY2FsaG9zdDAeFw0x
NTEwMDYxOTE1MTNaFw0xNjEwMDUxOTE1MTNaMFsxCzAJBgNVBAYTAlVTMREwDwYD
VQQIEwhDb2xvcmFkbzESMBAGA1UEChMJU25hcExvZ2ljMREwDwYDVQQLEwhTbmFw
VGVhbTESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAyvia0x0Nd4tYyvoXEYtI3s/eLIQ3wFsOJIibNy70PLhp35gScQ69
MiIrVDYqIydVbInzyY5kuhttrUIrHCIiDwa5OqEiExJ+ollY9icnrMLrEXJqvv5C
/fduS5byC6StNg7xHQkYlYLUYMw8QQyCZFQVGXlxZeG6i086ffMYduFimkBAkNj5
/LkIwrOELpGnNcrOJxQEnLi8vmRI3oiCrgVc0ugrFBnoj3Tf6y3lx23fYgLbqf9c
bRCS6V3eppa/x9sezv9KQ+pDYly0bwKIcvJ9xLp7qPiO+smGGvS97Ec4NAif8y6v
pU92cPH32cv1p0AIDF0+GMOgVyAYZgSKQwIDAQABMA0GCSqGSIb3DQEBDQUAA4IB
AQBedsAvkB1yNLE2GCJWWQ19qEKOIBYCRQc2z29PgF/LAz5GVOIw/ZiN37C2vTob
jk1NnqfOx5aipQ5Pe5D2yfbarDl0kaqRn9MhBySi+oi3AgUZ5yL0x/nGF9O8jszJ
OM1FUC6qXKic5pR0qTrdXigONlKb0Au+l3z5dFMiqnNmDrNlI8kW1OXrwy/jvyPv
H1bHWAKYFTvHi2v7A0B96V1VvFBLbuQztckPQ3VpFDOwWhWLr2D90vxFd1Ea0SCi
3bysz4ax9XP0bmXJY+968nV31qQJMkk5/3rE5PWVZibsniccfdujgSQYl+yNA3sB
F5h6mCR6pAONZFo6+U3zARSb
-----END&CERTIFICATE-----
subject=/C=US/ST=Colorado/O=SnapLogic/OU=SnapTeam/CN=localhost
issuer=/C=US/ST=Colorado/L=Boulder/O=SnapLogic/OU=SnapTeam/CN=localhost
Acceptable&client&certificate&CA&names
/C=US/ST=Colorado/L=Boulder/O=SnapLogic/OU=SnapTeam/CN=localhost
SSL&handshake&has&read&4004&bytes&and&written&1539&bytes
New,&TLSv1/SSLv3,&Cipher&is&DHE-RSA-AES256-SHA
Server&public&key&is&2048&bit
Secure&Renegotiation&IS&supported
Compression:&NONE
Expansion:&NONE
SSL-Session:
&&&&Protocol&&:&TLSv1
&&&&Cipher&&&&:&DHE-RSA-AES256-SHA
&&&&Session-ID:&A1D9CE5273963BCF14ECE2B628CEE59CEACEEA8E281
&&&&Session-ID-ctx:&
&&&&Master-Key:&0920CEEB2DF9D49DA990A178C0AC980DD5AF359B7E1CDD4B2DBAE186BC06E7BB0
&&&&Key-Arg&&&:&None
&&&&TLS&session&ticket:
&&&&0000&-&5c&8f&01&d5&5d&c1&62&d5-65&d7&8f&05&5f&47&d2&82&&&\...].b.e..._G..
&&&&0010&-&f0&fd&2c&88&be&58&25&6c-9e&9a&1e&78&6a&b4&66&c4&&&..,..X%l...xj.f.
&&&&0020&-&0d&3d&31&04&97&a2&5f&e7-6f&3c&9f&c9&b1&44&6a&ab&&&.=1..._.o&...Dj.
&&&&0030&-&84&89&76&e4&63&9b&81&b7-c3&28&e0&95&c6&c3&f5&89&&&..v.c....(......
&&&&0040&-&d5&f9&7f&da&df&fb&12&f7-de&2a&ec&e8&c2&01&59&07&&&.........*....Y.
&&&&0050&-&9e&ad&91&56&91&34&88&73-66&d1&ea&c1&72&dc&56&ee&&&...V.4.sf...r.V.
&&&&0060&-&ee&61&fe&5e&38&f0&aa&d6-3a&7d&ad&ef&e6&be&2a&15&&&.a.^8...:}....*.
&&&&0070&-&dc&cc&9f&04&5e&e8&f9&2b-07&21&6b&0f&da&9f&08&2e&&&....^..+.!k.....
&&&&0080&-&88&af&96&41&98&f3&ff&8a-01&66&1a&1d&61&47&1b&e5&&&...A.....f..aG..
&&&&0090&-&ec&ab&b7&af&79&aa&7d&25-ca&e0&fa&f4&2b&2e&9a&dd&&&....y.}%....+...
&&&&00a0&-&95&0c&4b&35&d8&96&8b&f0-1e&20&c1&c3&47&fc&65&ed&&&..K5.....&..G.e.
&&&&00b0&-&21&e4&50&59&1e&33&6a&5c-c6&27&f1&65&be&5b&0f&35&&&!.PY.3j\.'.e.[.5
&&&&00c0&-&1d&ba&ac&bf&f5&9c&d9&b7-32&87&11&ae&b7&87&9b&52&&&........2......R
&&&&00d0&-&bb&00&6b&66&af&e2&94&45-e3&8f&fb&e0&b4&c6&d7&5a&&&..kf...E.......Z
&&&&00e0&-&f8&1d&7a&af&e3&ee&bb&6b-93&ff&46&af&ed&86&bc&f8&&&..z....k..F.....
&&&&00f0&-&6d&e2&c9&60&eb&61&8e&b9-7e&bd&4d&bb&1e&01&95&d2&&&m..`.a..~.M.....
&&&&0100&-&f5&d5&ee&82&10&4a&1d&23-9e&94&d7&0b&46&e4&d4&32&&&.....J.#....F..2
&&&&0110&-&11&92&76&4a&94&9e&a3&61-21&9b&4c&49&6c&df&7b&18&&&..vJ...a!.LIl.{.
&&&&0120&-&b7&49&66&bd&48&0d&eb&9a-ad&e9&32&c7&b9&6d&70&1a&&&.If.H.....2..mp.
&&&&0130&-&c7&a1&25&21&b4&f1&03&5b-80&83&e9&da&8d&56&f1&d9&&&..%!...[.....V..
&&&&0140&-&8b&c5&32&b7&3a&67&5b&9c-51&84&a0&09&04&4f&48&60&&&..2.:g[.Q....OH`
&&&&0150&-&27&c0&fe&1c&45&7a&3b&b2-22&8d&ed&65&72&23&8a&bf&&&'...Ez;."..er#..
&&&&0160&-&e3&09&eb&78&98&ec&08&06-9d&37&02&1a&4b&ae&cd&3a&&&...x.....7..K..:
&&&&0170&-&9c&a4&bd&5d&47&5e&d3&d7-7b&89&7b&97&78&a6&4c&10&&&...]G^..{.{.x.L.
&&&&0180&-&bf&3e&ed&1f&f4&fe&e5&97-90&ee&31&58&5f&ff&c6&c2&&&.&........1X_...
&&&&0190&-&61&b7&df&0a&f5&27&c6&a8-ac&61&a3&d0&1e&3a&6a&42&&&a....'...a...:jB
&&&&01a0&-&a9&18&b4&fb&4b&25&87&62-97&26&48&35&d0&16&d1&06&&&....K%.b.&H5....
&&&&01b0&-&9d&82&b5&e2&7b&f2&24&c5-83&a1&4b&fe&8d&38&ae&30&&&....{.$...K..8.0
&&&&01c0&-&8e&eb&e1&ac&8b&48&fa&27-b0&e1&ce&b3&17&62&69&f0&&&.....H.'.....bi.
&&&&01d0&-&30&17&ae&31&9d&bf&77&64-66&5b&13&8e&a2&63&2e&58&&&0..1..wdf[...c.X
&&&&01e0&-&02&10&26&e1&3b&0d&55&fc-3d&0f&d5&08&2d&1e&28&0a&&&..&.;.U.=...-.(.
&&&&01f0&-&c2&fd&a2&f3&2a&40&25&ed-2b&06&2c&92&c3&78&a3&b3&&&....*@%.+.,..x..
&&&&0200&-&35&bc&d9&6c&57&97&ca&93-0f&f3&b8&e4&60&d8&99&b4&&&5..lW.......`...
&&&&0210&-&b8&ba&ae&b7&47&4a&59&84-5b&f9&5e&b2&11&44&42&bd&&&....GJY.[.^..DB.
&&&&0220&-&e8&46&3d&1d&09&70&72&f6-23&df&89&f8&f7&b7&84&d2&&&.F=..pr.#.......
&&&&0230&-&7d&42&0e&5d&d7&76&c2&da-0b&61&f9&48&3c&c9&5f&ba&&&}B.].v...a.H&._.
&&&&0240&-&ab&be&5f&82&2b&03&07&f1-83&12&69&ee&56&b5&7e&06&&&.._.+.....i.V.~.
&&&&0250&-&03&d7&8e&b3&70&7c&93&75-3d&cd&e0&a1&1b&8a&14&ef&&&....p|.u=.......
&&&&0260&-&91&c6&74&14&1e&16&4c&46-07&c5&62&04&70&a7&fd&5d&&&..t...LF..b.p..]
&&&&0270&-&e5&67&d8&bf&43&bb&5e&f3-7c&37&db&1a&66&cb&ad&7d&&&.g..C.^.|7..f..}
&&&&0280&-&cc&30&e4&9b&35&30&b5&6c-d0&4b&ba&b2&8b&01&71&0e&&&.0..50.l.K....q.
&&&&0290&-&0a&af&ec&4e&6a&1a&f8&6f-b7&5e&2b&b9&e9&ec&b6&b6&&&...Nj..o.^+.....
&&&&02a0&-&38&1c&70&5c&86&bf&ae&a4-e6&41&9d&c9&9f&40&e4&a0&&&8.p\.....A...@..
&&&&02b0&-&4b&0d&3d&ab&01&90&da&55-cb&b8&c8&e6&94&8d&76&35&&&K.=....U......v5
&&&&02c0&-&94&b5&e2&1a&7c&69&5c&b3-ee&08&8b&bd&3f&97&c4&31&&&....|i\.....?..1
&&&&02d0&-&72&8a&30&a8&c6&3e&74&74-dc&47&c1&d0&ce&bd&0b&19&&&r.0..&tt.G......
&&&&02e0&-&f4&93&55&8c&1f&02&b3&6e-f3&4d&44&f1&cc&f0&ef&2d&&&..U....n.MD....-
&&&&02f0&-&4d&16&92&a3&15&fe&69&db-cc&b1&b5&6b&d0&4a&49&fc&&&M.....i....k.JI.
&&&&0300&-&67&9e&0c&47&96&08&0e&f2-b2&5c&06&24&45&f3&6a&7d&&&g..G.....\.$E.j}
&&&&0310&-&6e&1b&2b&9a&68&23&11&3a-43&79&8c&77&9e&98&be&38&&&n.+.h#.:Cy.w...8
&&&&0320&-&9a&0e&e1&a5&17&bd&0f&7b-e0&ac&ca&94&ac&48&68&5c&&&.......{.....Hh\
&&&&0330&-&f1&2b&98&b5&8d&36&b6&4f-aa&6f&e7&d4&4d&a3&f0&4c&&&.+...6.O.o..M..L
&&&&0340&-&cb&09&92&91&01&b9&c2&f1-49&24&64&d3&14&2f&a3&5f&&&........I$d../._
&&&&0350&-&74&6f&c0&54&16&73&c8&40-33&bc&7e&e9&3b&d8&d5&7c&&&to.T.s.@3.~.;..|
&&&&0360&-&78&49&5c&80&83&88&4e&4b-46&f2&7a&6b&62&c4&ca&42&&&xI\...NKF.zkb..B
&&&&0370&-&18&b6&22&40&77&fc&26&0e-28&50&89&7a&14&49&ba&b0&&&.."@w.&.(P.z.I..
&&&&0380&-&2c&d7&26&7a&30&f9&9b&90-ba&9a&1f&3b&80&1b&0b&25&&&,.&z0......;...%
&&&&0390&-&f0&e7&83&83&55&1f&1e&f0-71&5b&64&a4&1e&76&91&bb&&&....U...q[d..v..
&&&&03a0&-&d9&19&f5&2d&2e&54&d7&3a-93&95&29&ae&44&09&e6&cd&&&...-.T.:..).D...
&&&&03b0&-&ec&79&8d&b6&3c&09&d5&05-8d&fc&2b&79&88&37&25&92&&&.y..&.....+y.7%.
&&&&03c0&-&73&ae&e6&8a&d6&0c&1a&eb-7b&b9&08&44&4e&81&67&36&&&s.......{..DN.g6
&&&&03d0&-&a6&3a&57&43&d0&ed&dc&3e-bb&0f&87&02&f5&fe&80&bb&&&.:WC...&........
&&&&03e0&-&28&17&6e&7e&ad&c4&d9&4c-0a&53&fa&41&d2&d2&7c&76&&&(.n~...L.S.A..|v
&&&&03f0&-&a4&95&10&26&1d&5b&7d&19-23&dd&28&a0&48&c1&96&d9&&&...&.[}.#.(.H...
&&&&Start&Time:&
&&&&Timeout&&&:&7200&(sec)
&&&&Verify&return&code:&0&(ok)
(Mac)在&Keychain Access 中安装客户端 PKCS12 文件
在&Finder 中打开 /etc/apache2/ssl,通过双击客户端 PKCS12 文件(client-cert.p12)来安装Keychain Access:
在你的浏览器中打开& 地址,当提示时,选择客户端证书:
那时,你应该再一次看到一个安全的连接:
也将运行:
|&=&&curl&-v&--cert&/etc/apache2/ssl/client-cert.p12:snaplogic&https://localhost
*&Rebuilt&URL&to:&https://localhost/
*&&&Trying&::1...
*&Connected&to&localhost&(::1)&port&443&(#0)
*&WARNING:&SSL:&Certificate&type¬&set,&assuming&PKCS#12&format.
*&Client&certificate:&client
|&=&&curl&-v&--cert&/etc/apache2/ssl/client-cert.p12:snaplogic&https://localhost
*&Rebuilt&URL&to:&https://localhost/
*&&&Trying&::1...
*&Connected&to&localhost&(::1)&port&443&(#0)
*&WARNING:&SSL:&Certificate&type¬&set,&assuming&PKCS#12&format.
*&Client&certificate:&client
*&TLS&1.0&connection&using&TLS_DHE_RSA_WITH_AES_256_CBC_SHA
*&Server&certificate:&localhost
*&Server&certificate:&localhost
&&GET&/&HTTP/1.1
&&Host:&localhost
&&User-Agent:&curl/7.43.0
&&Accept:&*/*
&&HTTP/1.1&200&OK
&&Date:&Tue,&05&Jan&:29&GMT
&&Server:&Apache/2.4.16&(Unix)&PHP/5.5.29&OpenSSL/0.9.8zg
&&Last-Modified:&Fri,&02&Oct&:41&GMT
&&ETag:&"19-521236aaf5240"
&&Accept-Ranges:&bytes
&&Content-Length:&25
&&Content-Type:&text/html
&h1&localhost&works&/h1&
*&Connection�&to&host&localhost&left&intact
&翻译的不错哦!
使用&Apache 的 HttpClient 和 HttpServer 进行单元测试 SSL 认证
Apache 的& 提供 ,“一个有效的,最新的,以及实现最近的客户端 http 标准与建议的丰富多样的包”
它也提供 ,其中包括一个嵌入式的 HttpServer,可用于单元测试。
通过本地测试 HttpServer 实例来创建以上的:从公众的&server-cert.pem,私人的 server-key.pem,以及 CA 证书 cacert.pem 来生成 PKCS12 (.p12) 文件:
|&rhowlett@SL-MBP-RHOWLETT.local:~/dev/robinhowlett/github/everything-ssl/src/main/resources/ssl&
|&=&&openssl&pkcs12&-export&-in&/etc/apache2/ssl/server-cert.pem&-inkey&/etc/apache2/ssl/private/server-key.pem&-certfile&/etc/apache2/ssl/cacert.pem&-name&"Server"&-out&server-cert.p12
Enter&Export&Password:
Verifying&-&Enter&Export&Password:
如果你看到 unable to write 'random state',运行 sudo rm ~/.rnd,再试一次
Java&KeyStores(JKS)
Java 有它自己所谓的 Java KeyStore (JKS)PKCS12 版本。也就是密码保护。在 JKS 条目文件中,必须有一个“alias” ,意即独一无二。如果
一个 alias 不是被指定,那么“mykey”会被默认使用。它就像一个数据库组与钥匙。
对于在 REST SSL 账号设置中的两个“KeyStore”与“TrustStore”&字段,我们将使用&JKS 文件。它们之间的差异原因是因为术语。KeyStores 提供凭证,TrustStores 验证凭证。
客户端使用存贮在&TrustStores 之中的证书来验证服务器身份。他们将呈现存储在&KeyStores 之中的证书,以此让服务器来请求他们。
使用所谓一个 Keytool 工具的 JDK ships。它管理一个 JKS 的加密密匙,X.509 证书链接,以及可信任的证书。
&翻译的不错哦!
使用 Keytool 创建 KeyStores 和 TrustStores
从&PKCS12 文件中创建服务器的 KeyStore:
|&rhowlett@SL-MBP-RHOWLETT.local:~/dev/robinhowlett/github/everything-ssl/src/main/resources/ssl&
|&=&&keytool&-importkeystore&-deststorepass&snaplogic&-destkeypass&snaplogic&-destkeystore&server_keystore.jks&-srckeystore&server-cert.p12&-srcstoretype&PKCS12&-srcstorepass&snaplogic&-alias&server
查看服务器 keystore 以确认它现在包含了服务器证书:
|&rhowlett@SL-MBP-RHOWLETT.local:~/dev/robinhowlett/github/everything-ssl/src/main/resources/ssl&
|&=&&keytool&-list&-v&-keystore&server_keystore.jks&
Enter&keystore&password:&&
Keystore&type:&JKS
Keystore&provider:&SUN
Your&keystore&contains&1&entry
Alias&name:&server
Creation&date:&Jan&4,&2016
Entry&type:&PrivateKeyEntry
Certificate&chain&length:&2
Certificate[1]:
Owner:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&ST=Colorado,&C=US
Issuer:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Serial&number:&100001
Valid&from:&Tue&Oct&06&13:15:13&MDT&2015&until:&Wed&Oct&05&13:15:13&MDT&2016
Certificate&fingerprints:
&&&&&MD5:&&62:83:6B:84:1B:CB:DE:26:CA:E0:9D:E8:04:84:B6:C1
&&&&&SHA1:&AD:D4:27:FF:9A:68:77:25:95:C3:A2:BE:F6:22:AD:82:5C:2B:AF:EB
&&&&&SHA256:&8D:8D:EA:E5:7C:7A:E9:42:C9:9E:71:2A:76:C7:BE:BE:34:CC:4A:CC:83:ED:FE:C8:8E:C6:06:D2:D8:89:59:4A
&&&&&Signature&algorithm&name:&SHA512withRSA
&&&&&Version:&1
Certificate[2]:
Owner:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Issuer:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Serial&number:&e4e00ed
Valid&from:&Tue&Oct&06&13:14:51&MDT&2015&until:&Wed&Oct&05&13:14:51&MDT&2016
Certificate&fingerprints:
&&&&&MD5:&&F3:5E:28:E4:28:47:F2:EC:82:E2:BD:16:31:DC:90:02
&&&&&SHA1:&6F:0F:49:BA:A9:30:01:E9:4C:60:B3:A1:85:7D:BB:C6:79:1F:41:7B
&&&&&SHA256:&A7:9D:25:E4:A6:34:8A:A3:5B:9A:CD:F3:62:D0:D8:2F:6A:A0:71:6A:6D:19:F3:04:A1:FD:BC:FB:21:40:DE:A1
&&&&&Signature&algorithm&name:&SHA512withRSA
&&&&&Version:&3
Extensions:&
#1:&ObjectId:&2.5.29.35&Criticality=false
AuthorityKeyIdentifier&[
KeyIdentifier&[
&12&6E&8B&DD&7A&80&&&FB&F5&21&AB&75&D9&B8&49&&...n..z...!.u..I
B&61&1F&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&y[a.
[CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US]
SerialNumber:&[&&&&e4e00ed0&]
#2:&ObjectId:&2.5.29.19&Criticality=false
BasicConstraints:[
&&PathLen:
#3:&ObjectId:&2.5.29.14&Criticality=false
SubjectKeyIdentifier&[
KeyIdentifier&[
&12&6E&8B&DD&7A&80&&&FB&F5&21&AB&75&D9&B8&49&&...n..z...!.u..I
B&61&1F&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&y[a.
*******************************************
*******************************************
创建客户端的 truststore 并导入服务器公共证书:
|&rhowlett@SL-MBP-RHOWLETT.local:~/dev/robinhowlett/github/everything-ssl/src/main/resources/ssl&
|&=&&keytool&-import&-v&-trustcacerts&-keystore&client_truststore.jks&-storepass&snaplogic&-alias&server&-file&/etc/apache2/ssl/server-cert.pem
Owner:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&ST=Colorado,&C=US
Issuer:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Serial&number:&100001
Valid&from:&Tue&Oct&06&13:15:13&MDT&2015&until:&Wed&Oct&05&13:15:13&MDT&2016
Certificate&fingerprints:
&&&&&MD5:&&62:83:6B:84:1B:CB:DE:26:CA:E0:9D:E8:04:84:B6:C1
&&&&&SHA1:&AD:D4:27:FF:9A:68:77:25:95:C3:A2:BE:F6:22:AD:82:5C:2B:AF:EB
&&&&&SHA256:&8D:8D:EA:E5:7C:7A:E9:42:C9:9E:71:2A:76:C7:BE:BE:34:CC:4A:CC:83:ED:FE:C8:8E:C6:06:D2:D8:89:59:4A
&&&&&Signature&algorithm&name:&SHA512withRSA
&&&&&Version:&1
Trust&this&certificate?&[no]:&&yes
Certificate&was&added&to&keystore
[Storing&client_truststore.jks]
查看客户端 truststore 以确认它现在包含了服务器证书:
|&rhowlett@SL-MBP-RHOWLETT.local:~/dev/robinhowlett/github/everything-ssl/src/main/resources/ssl&
|&=&&keytool&-list&-v&-keystore&client_truststore.jks&
Enter&keystore&password:&&
Keystore&type:&JKS
Keystore&provider:&SUN
Your&keystore&contains&1&entry
Alias&name:&server
Creation&date:&Jan&4,&2016
Entry&type:&trustedCertEntry
Owner:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&ST=Colorado,&C=US
Issuer:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Serial&number:&100001
Valid&from:&Tue&Oct&06&13:15:13&MDT&2015&until:&Wed&Oct&05&13:15:13&MDT&2016
Certificate&fingerprints:
&&&&&MD5:&&62:83:6B:84:1B:CB:DE:26:CA:E0:9D:E8:04:84:B6:C1
&&&&&SHA1:&AD:D4:27:FF:9A:68:77:25:95:C3:A2:BE:F6:22:AD:82:5C:2B:AF:EB
&&&&&SHA256:&8D:8D:EA:E5:7C:7A:E9:42:C9:9E:71:2A:76:C7:BE:BE:34:CC:4A:CC:83:ED:FE:C8:8E:C6:06:D2:D8:89:59:4A
&&&&&Signature&algorithm&name:&SHA512withRSA
&&&&&Version:&1
*******************************************
*******************************************
&翻译的不错哦!
此时此刻,我们必须通过本地测试的 HttpServer 实例来足够地证明单向 SSL。createLocalTestServer 方法使用一个(选项)sslContext(null仅仅意味着http)以及一个boolean
“forceSSLAuth”表明是否请求客户端证书来实例化一个嵌入式的 HttpServer 实例:
protected&HttpServer&createLocalTestServer(SSLContext&sslContext,&boolean&forceSSLAuth)&&&&&&&&throws&UnknownHostException&{&&&&final&HttpServer&server&=&ServerBootstrap.bootstrap()&&&&&&&&&&&&.setLocalAddress(Inet4Address.getByName("localhost"))&&&&&&&&&&&&.setSslContext(sslContext)&&&&&&&&&&&&.setSslSetupHandler(socket&-&&socket.setNeedClientAuth(forceSSLAuth))&&&&&&&&&&&&.registerHandler
getStore 方法从类路径加载 jks 文件,以及 getKeyManagers&与&getTrustManagers 方法,把那个存储转变成各自的用于初始化一个 SSLContext 的 Key-&o 或者&TrustManager 数组:
创建 SSLContext 以及像这样初始化:
/Create&an&SSLContext&for&the&server&using&the&server's
以下的单元测试显示了对本地测试 HttpServer 实例做了一个 HTTPS 请求,以及使用客户端 truststore 来验证服务器公开证书:
在&,以上的单元测试中,连同以下的(当 SSL 信号交换失败时,当绕过服务器证书验证时,以及难看的上下文等等时,你可以看到该行为有利。
execute_WithNoScheme_ThrowsClientProtocolExceptionInvalidHostname
httpRequest_Returns200OK
httpsRequest_WithNoSSLContext_ThrowsSSLExceptionPlaintextConnection
httpsRequest_With1WaySSLAndValidatingCertsButNoClientTrustStore_ThrowsSSLException
httpsRequest_With1WaySSLAndTrustingAllCertsButNoClientTrustStore_Returns200OK
httpsRequest_With1WaySSLAndValidatingCertsAndClientTrustStore_Returns200OK
&翻译的不错哦!
双向 SSL(客户端证书)
配置双向 SSL,我们必须更新服务器的&keystore,并且创建客户端的 keystore。
因为服务器的 jks 文件 keystore 与 truststore,两者都用作服务器,并把客户的公共证书导入到&keystore 服务器:
|&rhowlett@SL-MBP-RHOWLETT.local:~/dev/robinhowlett/github/everything-ssl/src/main/resources/ssl&
|&=&&keytool&-import&-v&-trustcacerts&-keystore&server_keystore.jks&-storepass&snaplogic&-file&/etc/apache2/ssl/client-cert.pem&-alias&client
Owner:&CN=client,&OU=SnapTeam,&O=SnapLogic,&ST=Colorado,&C=US
Issuer:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Serial&number:&100002
Valid&from:&Tue&Oct&06&13:15:41&MDT&2015&until:&Wed&Oct&05&13:15:41&MDT&2016
Certificate&fingerprints:
&&&&&MD5:&&F1:EF:60:64:48:DC:9B:C1:92:37:61:90:ED:48:01:1C
&&&&&SHA1:&C5:4B:1C:EF:85:C1:8C:5A:AA:74:54:49:F0:B5:97:F1:EC:34:49:6F
&&&&&SHA256:&B0:00:E4:C1:AE:03:92:95:9C:A2:BB:DB:13:3A:B6:38:BE:B4:BF:04:D0:72:41:6D:62:A6:93:D0:46:7E:3C:97
&&&&&Signature&algorithm&name:&SHA512withRSA
&&&&&Version:&1
Trust&this&certificate?&[no]:&&yes
Certificate&was&added&to&keystore
[Storing&server_keystore.jks]
由于客户端证书通过一个我们自己创建的 CA 来自签,并把根 C A证书导入到&keystore 服务器之中:
|&rhowlett@SL-MBP-RHOWLETT.local:~/dev/robinhowlett/github/everything-ssl/src/main/resources/ssl&
|&=&&keytool&-keystore&server_keystore.jks&-import&-file&/etc/apache2/ssl/cacert.pem&-alias&cacert
Enter&keystore&password:&&
Owner:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Issuer:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Serial&number:&e4e00ed
Valid&from:&Tue&Oct&06&13:14:51&MDT&2015&until:&Wed&Oct&05&13:14:51&MDT&2016
Certificate&fingerprints:
&&&&&MD5:&&F3:5E:28:E4:28:47:F2:EC:82:E2:BD:16:31:DC:90:02
&&&&&SHA1:&6F:0F:49:BA:A9:30:01:E9:4C:60:B3:A1:85:7D:BB:C6:79:1F:41:7B
&&&&&SHA256:&A7:9D:25:E4:A6:34:8A:A3:5B:9A:CD:F3:62:D0:D8:2F:6A:A0:71:6A:6D:19:F3:04:A1:FD:BC:FB:21:40:DE:A1
&&&&&Signature&algorithm&name:&SHA512withRSA
&&&&&Version:&3
Extensions:&
#1:&ObjectId:&2.5.29.35&Criticality=false
AuthorityKeyIdentifier&[
KeyIdentifier&[
&12&6E&8B&DD&7A&80&&&FB&F5&21&AB&75&D9&B8&49&&...n..z...!.u..I
B&61&1F&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&y[a.
[CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US]
SerialNumber:&[&&&&e4e00ed0&]
#2:&ObjectId:&2.5.29.19&Criticality=false
BasicConstraints:[
&&PathLen:
#3:&ObjectId:&2.5.29.14&Criticality=false
SubjectKeyIdentifier&[
KeyIdentifier&[
&12&6E&8B&DD&7A&80&&&FB&F5&21&AB&75&D9&B8&49&&...n..z...!.u..I
B&61&1F&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&y[a.
Trust&this&certificate?&[no]:&&yes
Certificate&was&added&to&keystore
& & 现在查看&keystore服务器,它将在keystore中列出诸如:客户端,CA,服务器的三个证书:
|&rhowlett@SL-MBP-RHOWLETT.local:~/dev/robinhowlett/github/everything-ssl/src/main/resources/ssl&
|&=&&keytool&-list&-v&-keystore&server_keystore.jks&
Enter&keystore&password:&&
Keystore&type:&JKS
Keystore&provider:&SUN
Your&keystore&contains&3&entries
Alias&name:&client
Creation&date:&Jan&4,&2016
Entry&type:&trustedCertEntry
Owner:&CN=client,&OU=SnapTeam,&O=SnapLogic,&ST=Colorado,&C=US
Issuer:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Serial&number:&100002
Valid&from:&Tue&Oct&06&13:15:41&MDT&2015&until:&Wed&Oct&05&13:15:41&MDT&2016
Certificate&fingerprints:
&&&&&MD5:&&F1:EF:60:64:48:DC:9B:C1:92:37:61:90:ED:48:01:1C
&&&&&SHA1:&C5:4B:1C:EF:85:C1:8C:5A:AA:74:54:49:F0:B5:97:F1:EC:34:49:6F
&&&&&SHA256:&B0:00:E4:C1:AE:03:92:95:9C:A2:BB:DB:13:3A:B6:38:BE:B4:BF:04:D0:72:41:6D:62:A6:93:D0:46:7E:3C:97
&&&&&Signature&algorithm&name:&SHA512withRSA
&&&&&Version:&1
*******************************************
*******************************************
Alias&name:&cacert
Creation&date:&Jan&4,&2016
Entry&type:&trustedCertEntry
Owner:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Issuer:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Serial&number:&e4e00ed
Valid&from:&Tue&Oct&06&13:14:51&MDT&2015&until:&Wed&Oct&05&13:14:51&MDT&2016
Certificate&fingerprints:
&&&&&MD5:&&F3:5E:28:E4:28:47:F2:EC:82:E2:BD:16:31:DC:90:02
&&&&&SHA1:&6F:0F:49:BA:A9:30:01:E9:4C:60:B3:A1:85:7D:BB:C6:79:1F:41:7B
&&&&&SHA256:&A7:9D:25:E4:A6:34:8A:A3:5B:9A:CD:F3:62:D0:D8:2F:6A:A0:71:6A:6D:19:F3:04:A1:FD:BC:FB:21:40:DE:A1
&&&&&Signature&algorithm&name:&SHA512withRSA
&&&&&Version:&3
Extensions:&
#1:&ObjectId:&2.5.29.35&Criticality=false
AuthorityKeyIdentifier&[
KeyIdentifier&[
&12&6E&8B&DD&7A&80&&&FB&F5&21&AB&75&D9&B8&49&&...n..z...!.u..I
B&61&1F&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&y[a.
[CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US]
SerialNumber:&[&&&&e4e00ed0&]
#2:&ObjectId:&2.5.29.19&Criticality=false
BasicConstraints:[
&&PathLen:
#3:&ObjectId:&2.5.29.14&Criticality=false
SubjectKeyIdentifier&[
KeyIdentifier&[
&12&6E&8B&DD&7A&80&&&FB&F5&21&AB&75&D9&B8&49&&...n..z...!.u..I
B&61&1F&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&y[a.
*******************************************
*******************************************
Alias&name:&server
Creation&date:&Jan&4,&2016
Entry&type:&PrivateKeyEntry
Certificate&chain&length:&2
Certificate[1]:
Owner:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&ST=Colorado,&C=US
Issuer:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Serial&number:&100001
Valid&from:&Tue&Oct&06&13:15:13&MDT&2015&until:&Wed&Oct&05&13:15:13&MDT&2016
Certificate&fingerprints:
&&&&&MD5:&&62:83:6B:84:1B:CB:DE:26:CA:E0:9D:E8:04:84:B6:C1
&&&&&SHA1:&AD:D4:27:FF:9A:68:77:25:95:C3:A2:BE:F6:22:AD:82:5C:2B:AF:EB
&&&&&SHA256:&8D:8D:EA:E5:7C:7A:E9:42:C9:9E:71:2A:76:C7:BE:BE:34:CC:4A:CC:83:ED:FE:C8:8E:C6:06:D2:D8:89:59:4A
&&&&&Signature&algorithm&name:&SHA512withRSA
&&&&&Version:&1
Certificate[2]:
Owner:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Issuer:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Serial&number:&e4e00ed
Valid&from:&Tue&Oct&06&13:14:51&MDT&2015&until:&Wed&Oct&05&13:14:51&MDT&2016
Certificate&fingerprints:
&&&&&MD5:&&F3:5E:28:E4:28:47:F2:EC:82:E2:BD:16:31:DC:90:02
&&&&&SHA1:&6F:0F:49:BA:A9:30:01:E9:4C:60:B3:A1:85:7D:BB:C6:79:1F:41:7B
&&&&&SHA256:&A7:9D:25:E4:A6:34:8A:A3:5B:9A:CD:F3:62:D0:D8:2F:6A:A0:71:6A:6D:19:F3:04:A1:FD:BC:FB:21:40:DE:A1
&&&&&Signature&algorithm&name:&SHA512withRSA
&&&&&Version:&3
Extensions:&
#1:&ObjectId:&2.5.29.35&Criticality=false
AuthorityKeyIdentifier&[
KeyIdentifier&[
&12&6E&8B&DD&7A&80&&&FB&F5&21&AB&75&D9&B8&49&&...n..z...!.u..I
B&61&1F&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&y[a.
[CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US]
SerialNumber:&[&&&&e4e00ed0&]
#2:&ObjectId:&2.5.29.19&Criticality=false
BasicConstraints:[
&&PathLen:
#3:&ObjectId:&2.5.29.14&Criticality=false
SubjectKeyIdentifier&[
KeyIdentifier&[
&12&6E&8B&DD&7A&80&&&FB&F5&21&AB&75&D9&B8&49&&...n..z...!.u..I
B&61&1F&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&y[a.
*******************************************
*******************************************
最后,客户端 keystore 可以存储提交 SSL 服务器认证的客户端证书。该证书从客户端的 PKCS12 文件导入(以上创建的):
|&rhowlett@SL-MBP-RHOWLETT.local:~/dev/robinhowlett/github/everything-ssl/src/main/resources/ssl&
|&=&&keytool&-importkeystore&-srckeystore&/etc/apache2/ssl/client-cert.p12&-srcstoretype&pkcs12&-destkeystore&client_keystore.jks&-deststoretype&jks&-deststorepass&snaplogic
Enter&source&keystore&password:&&
Entry&for&alias&client&successfully&imported.
Import&command&completed:&&1&entries&successfully&imported,&0&entries&failed&or&cancelled
查看创建的 client_keystore.jks 文件,它将显示在 keystore 之中的 client 条目:
|&rhowlett@SL-MBP-RHOWLETT.local:~/dev/robinhowlett/github/everything-ssl/src/main/resources/ssl&
|&=&&keytool&-list&-v&-keystore&client_keystore.jks&
Enter&keystore&password:&&
Keystore&type:&JKS
Keystore&provider:&SUN
Your&keystore&contains&1&entry
Alias&name:&client
Creation&date:&Jan&4,&2016
Entry&type:&PrivateKeyEntry
Certificate&chain&length:&2
Certificate[1]:
Owner:&CN=client,&OU=SnapTeam,&O=SnapLogic,&ST=Colorado,&C=US
Issuer:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Serial&number:&100002
Valid&from:&Tue&Oct&06&13:15:41&MDT&2015&until:&Wed&Oct&05&13:15:41&MDT&2016
Certificate&fingerprints:
&&&&&MD5:&&F1:EF:60:64:48:DC:9B:C1:92:37:61:90:ED:48:01:1C
&&&&&SHA1:&C5:4B:1C:EF:85:C1:8C:5A:AA:74:54:49:F0:B5:97:F1:EC:34:49:6F
&&&&&SHA256:&B0:00:E4:C1:AE:03:92:95:9C:A2:BB:DB:13:3A:B6:38:BE:B4:BF:04:D0:72:41:6D:62:A6:93:D0:46:7E:3C:97
&&&&&Signature&algorithm&name:&SHA512withRSA
&&&&&Version:&1
Certificate[2]:
Owner:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Issuer:&CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US
Serial&number:&e4e00ed
Valid&from:&Tue&Oct&06&13:14:51&MDT&2015&until:&Wed&Oct&05&13:14:51&MDT&2016
Certificate&fingerprints:
&&&&&MD5:&&F3:5E:28:E4:28:47:F2:EC:82:E2:BD:16:31:DC:90:02
&&&&&SHA1:&6F:0F:49:BA:A9:30:01:E9:4C:60:B3:A1:85:7D:BB:C6:79:1F:41:7B
&&&&&SHA256:&A7:9D:25:E4:A6:34:8A:A3:5B:9A:CD:F3:62:D0:D8:2F:6A:A0:71:6A:6D:19:F3:04:A1:FD:BC:FB:21:40:DE:A1
&&&&&Signature&algorithm&name:&SHA512withRSA
&&&&&Version:&3
Extensions:&
#1:&ObjectId:&2.5.29.35&Criticality=false
AuthorityKeyIdentifier&[
KeyIdentifier&[
&12&6E&8B&DD&7A&80&&&FB&F5&21&AB&75&D9&B8&49&&...n..z...!.u..I
B&61&1F&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&y[a.
[CN=localhost,&OU=SnapTeam,&O=SnapLogic,&L=Boulder,&ST=Colorado,&C=US]
SerialNumber:&[&&&&e4e00ed0&]
#2:&ObjectId:&2.5.29.19&Criticality=false
BasicConstraints:[
&&PathLen:
#3:&ObjectId:&2.5.29.14&Criticality=false
SubjectKeyIdentifier&[
KeyIdentifier&[
&12&6E&8B&DD&7A&80&&&FB&F5&21&AB&75&D9&B8&49&&...n..z...!.u..I
B&61&1F&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&y[a.
*******************************************
*******************************************
现在,HttpServer 实例可以通过 forceSSLAuth 参数设置到 true 来创建(参阅TWO_WAY_SSL&boolean)将请求客户端证书。现在,该客户端 SSLContext 有两个客户端&truststore 与 keystore&加载:
private&static&final&bool
再次说明,在之中, 包括以上的单元测试。
连同以下的:
& & & & httpsRequest_With2WaySSLAndUnknownClientCert_ThrowsSSLExceptionBadCertificate
& & & & & & httpsRequest_With2WaySSLButNoClientKeyStore_ThrowsSSLExceptionBadCertificate
&翻译的不错哦!
使用&Spring Boot,嵌入式&Tomcat ,“以及 Rest 模板 &“以一个固执己见的观点来构建生产就绪的 Spring (Java) 应用程序”,从而来进行双向 SSL 认证。Spring Boot 的&和& 能使它轻而易举的启动。
Spring Boot 文档--。不过出于测试目的,我想要两者都支持 HTTP 和 HTTPS,所以一个很明确的 SSL 连接器是用来创建所需的嵌入式 tomcat 容器:
Config.java
然而该 application.properties 文件定义了所需的 SSL 属性:
ssl.port=8443
ssl.scheme=https
ssl.secure=true
ssl.client-auth=true
ssl.enabled=true
ssl.key-password=snaplogic
ssl.store=ssl/server_keystore.jks
ssl.store-password=snaplogic
ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA
该 ssl.client-auth=true 属性强制双向 SSL。
我们重新使用先前创建的 JKS 文件(上图)
一个简单的 REST 界面定义返回&JSON 表示问候的实例:
GreetingController.java
/*&*&Just&says&hello&/@RestControllerpublic&class&Greetin
Spring Security 自动配置将在 REST 默认端点启动基本身份验证,因此,让我们关掉它吧:
HttpSecurityConfig.java
/*&*&Disable&default-enabled&basic&auth&/@EnableWebSecuritypublic&class&HttpSecurityCo
使用&Spring的TestRest 模板进行集成测试
确实,Spring Boot 很伟大--使用运行在嵌入式 tomcat 容器之上的应用程序,它可以很容易地编写集成测试,演示双向 SSL 身份认证。
首先,我创建一个 integration-test.properties 文件,设置&HTTPS 端口,是为了不同于主应用程序(http 端口通过自身测试的注释来设置成一个随机开发端口)。该文件的唯一内容是 ssl.port 属性。所有的其他属性将来自于 application.properties 文件
以上详细的:
ssl.port=54321
该集成测试类有使用 SpringJUnit4ClassRunner来指示其运行的注释,在 EverythingSSLApplication 类的基础包上,扫描 @Configuration 类,使用 @WebIntegrationTest 注释来选择一个随机应用 http 端口(其本身就是@IntegrationTest&与&@WebAppConfiguration 注释的组合),最后,该 integration-test.properties 文件被定义为 @TestPropertySource。
ITEverythingSSL.java
/*&*&Integration&test&that&uses&the&embedded&Tomcat&instance&configured&by&this&Spring&Boot&app&/@RunWith(SpringJUnit4ClassRunner.class)@SpringApplicationConfiguration(classes&=&EverythingSSLApplication.class)@WebIntegrationTest(randomPort&=&true)@TestPropertySource(locations&=&"classpath:integration-test.properties")public&class&ITEverythingSSL&{&&&&public&static&final&String&CLIENT_TRUSTSTORE&=&"ssl/client_truststore.jks";&&&&public&static&final&String&CLIENT_KEYSTORE&=&"ssl/client_keystore.jks";&&&&@Rule&&&&public&ExpectedException&thrown&=&ExpectedException.none();&&&&@Value("${local.server.port}")&&&&private&int&port&=&0;&&&&@Value("${ssl.port}")&&&&private&int&sslPort&=&0;&&&&@Value("${ssl.store-password}")&&&&private&String&storePassw
首要的测试确认普通的http被支持:
@Testpublic&void&rest_OverPlainHttp_GetsExpectedResponse()&throws&Exception&{&&&&Greeting&expected&=&new&Greeting("Hello,&Robin!");&&&&RestTemplate&template&=&new&TestRestTemplate();&&&&ResponseEntity&Greeting&&responseEntity&=&&&&&&&&&&&&template.getForEntity("http://localhost:&&+&port&+&"/greeting?name={name}",&&&&&&&&&&&&&&&&&&&&Greeting.class,&"Robin");&&&&assertT
就是”&用于集成测试Spring的&RestTemplate的一个子类“
getRestTemplateForHTTPS方法使用一个支持客户端的keystore 与truststore的SSLContext设置来创建TestRestTemplate实例:
private&RestTemplate&getRestTemplateForHTTPS(SSLContext&sslContex
演示双向SSL的测试相当简单:
以下的集成测试也被包括在项目中:
@Testpublic&void&rest_WithTwoWaySSL_AuthenticatesAndGetsExpectedResponse()&throws&Exception&{&&&&Greeting&expected&=&new&Greeting("Hello,&Robin!");&&&&SSLContext&sslContext&=&SSLContexts.custom()&&&&&&&&&&&&.loadKeyMaterial(&&&&&&&&&&&&&&&&&&&&getStore(CLIENT_KEYSTORE,&storePassword.toCharArray()),&&&&&&&&&&&&&&&&&&&&storePassword.toCharArray())&&&&&&&&&&&&.loadTrustMaterial(&&&&&&&&&&&&&&&&&&&&getStore(CLIENT_TRUSTSTORE,&storePassword.toCharArray()),&&&&&&&&&&&&&&&&&&&&new&TrustSelfSignedStrategy())&&&&&&&&&&&&.useProtocol("TLS").build();&&&&RestTemplate&template&=&getRestTemplateForHTTPS(sslContext);&&&&ResponseEntity&Greeting&&responseEntity&=&&&&&&&&&&&&template.getForEntity("https://localhost:&&+&sslPort&+&"/greeting?name={name}",&&&&&&&&&&&&&&&&&&&&Greeting.class,
rest_WithMissingClientCert_ThrowsSSLHandshakeExceptionBadCertificate
& & & & & & rest_WithUntrustedServerCert_ThrowsSSLHandshakeExceptionUnableFindValidCertPath
Spring Boot 应用程序指南应在
使用 SnapLogic 的 REST Snap 进行双向 SSL 认证
很自然地,SnapLogic 的 REST Snap 能够使这一切都变得很简单。
&翻译的不错哦!}
我要回帖
更多关于 苹果发短信怎么取消 的文章
更多推荐
- ·京东家政官网电话的工具包怎么退?
- ·达尔优鼠标几档是dpi800A980PRO鼠标的传感器最高支持多少dpi?
- ·达尔优鼠标几档是dpi800A980PRO鼠标是否适合长时间使用?
- ·EK75RT机械键盘什么轴手感最好的75%紧凑布局有哪些好处?
- ·EK87Pro打字是薄膜键盘好还是机械键盘好的输入效率和准确性如何?
- ·三星容声bcd252wrr1dygmjv冷藏的温度下不去一直在20度以上,怎么办?
- ·三星a3怎么连接电脑如何从电脑传照片到手机
- ·空调开到几度最省电为什么开到二十度就变f3
- ·步步高x7plus多少钱官网报价
- ·电冰箱保鲜室不制冷24小时不停止保鲜不制冷是什么呢?
- ·三星la40r71b有暗光杀戮没亮屏
- ·vivox7s什么时候上市啥时候到兰州
- ·igame gtx1080 x top和技嘉gtx970 g1 gaming1080gaming哪个好??
- ·长虹空调与格力长虹空调遥控器怎么用能匹配吗
- ·今天360wifi 又不能在天翼飞扬客户端的客户端上用了,到底该怎么办,原来还用的好好的
- ·华为p8青春版内存卡max能否装内存卡
- ·苏27航模组装视频教程可以装照相机吗
- ·半封闭螺杆式中低温螺杆冷水机组机组从哪儿注油
- ·胶东喜饼的做法大全能放冰箱冷藏吗
- ·取消自移动发短信取消业务ssll
- ·双卡手机控制电脑开关机一张卡自动开关机软件
- ·这是怎么回事儿!是破解对方qq设置问题设置!还是?
- ·乐视1s系统更新5.82什么时候进行5.8系统推送
- ·联想b360录音笔说明书手机vibe x2的录音录完后在那
- ·联想g450g450联想笔记本升级3d怎么关
- ·有没有不带外机的空调没有外机能配吗?
- ·怎样把ipadipad中的视频导入电脑传到电脑
- ·vivo v3max怎么样v3手机卸载软件后又重新下载打开帐号还在
- ·衣领式红米2a通话出现器什么时候出现的
- ·京藏高速出口名称北京段到张家口段哪个地方靠高速出口近
- ·综合值法明和尚抢明夺现在农民叫苦连天,不赶卖东西,他们看到就抢,给土匪有什么区别
- ·要把宁波余姚属于绍兴三年前的养老保险转到绍兴新昌要怎么转
- ·我想问一下卖伦教卫浴厂好还是卖汽配好请指教
