Introduction to HTTPS protocol instances, https protocol instances

Introduction to HTTPS protocol instances, https protocol instances

HTTPS is an SSL-based HTTP protocol, which is simply a secure version of HTTP. Relying on the SSL protocol, the HTTPS protocol can ensure that the entire communication process is encrypted, the key is generated randomly, and the identity of both parties can be verified through digital certificates to ensure information security. The certificate contains the public key representing one end of the certificate and some basic information, such as the organization name, the scope of the certificate, and the digital signature of the certificate, A digital signature can be used to verify the authenticity of the certificate. The communication content is encrypted using symmetric encryption. After a communication password is agreed between the two ends, the password is encrypted and transmitted using the public key. Only the private key corresponding to the public key is used, that is, the other end of the communication can decrypt and obtain the communication password, which ensures the communication security and controllable encryption performance and time cost.

HTTPS supports both one-way and two-way authentication. The so-called one-way authentication only verifies the validity of the server certificate, while two-way authentication both verifies the validity of the server certificate, you also need to verify the validity of the client certificate. In most cases, we do not need client certificates. Many users do not even have client certificates,

In some specific environments, such as large transaction payment scenarios, you also need to verify the user's client certificate to ensure communication security.

1. SSL/TLS

The advantage of the SSL protocol is that it is independent from the application layer protocol. High-level application layer protocols such as HTTP, SSH, FTP, and so on can be transparently established on the SSL protocol.

The encryption algorithm, communication key negotiation, and server-side and client-side authentication have been completed before the layer-based communication. After that, all data transmitted by the application-layer protocol will be encrypted,

This ensures the privacy of communications.

The successor TLS protocol of SSL is a general protocol based on the SSL protocol. It is also located between the application layer and the transport layer and is gradually replacing SSL as the next generation network security protocol.

SSL/TLS protocols can be divided into two layers: one layer is the record protocol and the other layer is the handshake protocol. The record protocol is built on reliable transmission protocols to provide data encapsulation and encryption.

Decryption, data compression, data verification, and other basic functions. The handshake protocol is built on the record protocol. Before the actual data transmission starts, the encryption algorithm negotiation and

Exchange and verification by both parties.

2. java Development

The SSL handshake protocol is very complex. For ordinary developers who are not cryptographic experts, it is not easy to understand the interaction process. For common developers

It is not how to implement the SSL/TLS protocol, but how to make their programs access the powerful Security Protection Functions of SSL/TLS in the simplest way. JSSE is such a tool.

JSSE is a solution proposed by Sun to secure Internet information transmission. It implements SSL and TSL protocols, including data encryption, server verification,

Message Integrity, client verification, and other technologies. By using the JSSE introduction API, data can be securely transmitted between the server and the client through the SSL/TSL protocol.

First, generate the client certificate and server certificate. Export of trust certificate: because the client and server certificates are issued by the following CA, you only need to use the root certificate of the following CA as the trust database, you can identify the client and server certificates.

Server:

 public static void main(String[] args) throws Exception {          String serverKeyStoreFile = "c:\\_tmp\\catserver.keystore";          String serverKeyStorePwd = "catserverks";          String catServerKeyPwd = "catserver";          String serverTrustKeyStoreFile = "c:\\_tmp\\catservertrust.keystore";          String serverTrustKeyStorePwd = "catservertrustks";            KeyStore serverKeyStore = KeyStore.getInstance("JKS");          serverKeyStore.load(new FileInputStream(serverKeyStoreFile), serverKeyStorePwd.toCharArray());            KeyStore serverTrustKeyStore = KeyStore.getInstance("JKS");          serverTrustKeyStore.load(new FileInputStream(serverTrustKeyStoreFile), serverTrustKeyStorePwd.toCharArray());            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());          kmf.init(serverKeyStore, catServerKeyPwd.toCharArray());            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());          tmf.init(serverTrustKeyStore);            SSLContext sslContext = SSLContext.getInstance("TLSv1");          sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);            SSLServerSocketFactory sslServerSocketFactory = sslContext.getServerSocketFactory();          SSLServerSocket sslServerSocket = (SSLServerSocket) sslServerSocketFactory.createServerSocket(SERVER_PORT);          sslServerSocket.setNeedClientAuth(true);            while (true) {              SSLSocket s = (SSLSocket)sslServerSocket.accept();              CatServer cs = new CatServer(s);              s.addHandshakeCompletedListener(cs);              new Thread(cs).start();          }      }  

Client:

public static void main(String[] args) throws Exception {          String clientKeyStoreFile = "c:\\_tmp\\foxclient.keystore";          String clientKeyStorePwd = "foxclientks";          String foxclientKeyPwd = "foxclient";          String clientTrustKeyStoreFile = "c:\\_tmp\\foxclienttrust.keystore";          String clientTrustKeyStorePwd = "foxclienttrustks";            KeyStore clientKeyStore = KeyStore.getInstance("JKS");          clientKeyStore.load(new FileInputStream(clientKeyStoreFile), clientKeyStorePwd.toCharArray());            KeyStore clientTrustKeyStore = KeyStore.getInstance("JKS");          clientTrustKeyStore.load(new FileInputStream(clientTrustKeyStoreFile), clientTrustKeyStorePwd.toCharArray());            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());          kmf.init(clientKeyStore, foxclientKeyPwd.toCharArray());            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());          tmf.init(clientTrustKeyStore);            SSLContext sslContext = SSLContext.getInstance("TLSv1");          sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);                    SSLSocketFactory socketFactory = sslContext.getSocketFactory();          Socket socket = socketFactory.createSocket("localhost", CatServer.SERVER_PORT);                    PrintWriter out = new PrintWriter(socket.getOutputStream(), true);          BufferedReader in = new BufferedReader(new InputStreamReader(socket.getInputStream()));                    send("hello", out);          send("exit", out);          receive(in);          socket.close();      }  

3. Deploy HTTPS Web

Tomcat one-way authentication Configuration:

Edit the conf \ server. xml file and cancel the HTTPS configuration line. Because the keystore is in PKCS #12 format, you need to add Parameters

KeystoreType = "pkcs12". Because one-way authentication is configured here, you only need to verify the validity of the server certificate. Set clientAuth to false.

Tomcat two-way authentication Configuration:

Compared with the one-way authentication configuration, two-way authentication must be modified based on the Configuration:

The server. xml file of tomcat adds the trust library configuration. The truststoreFile refers to the address of the trust library. Only through the root certificate in the trust library can the server identify the client with the root certificate signature. TruststorePass refers to the key of the trust database, and truststoreType refers to the format of the trust database, and enables client authentication

Set clientAuth to true.

Import the keystore file containing the client certificate and private key in the browser.