Thrift SSL certificate configuration (thriftssl)

Source: Internet
Author: User
Tags: openssl, x509, pkcs12


1. Generate the certificates. At least two machines are required (one generates the server certificate, the other the client certificate). In what follows, A is the server and B is the client; Thrift version 0.7.0.
1. Generate and test a self-signed certificate
1) Generate the keys and certificates
Server A:
openssl genrsa -out server-key.pem 2048
openssl req -new -x509 -key server-key.pem -out server-cert.pem -days 10000
Client B:
openssl genrsa -out client-key.pem 2048
openssl req -new -x509 -key client-key.pem -out client-cert.pem -days 10000
Generate the keystore from the key and the truststore from the certificate (the same steps apply to the server and the client):
openssl pkcs12 -export -in server-cert.pem -inkey server-key.pem -out server.pkcs12
    packs the server certificate and private key into a PKCS#12 file
keytool -importkeystore -srckeystore server.pkcs12 -destkeystore server.jks -srcstoretype pkcs12
    generates the keystore with keytool's importkeystore command (PKCS#12 to JKS); both the pkcs12 password and the jks password are required
keytool -importcert -alias servercert -file server-cert.pem -keystore servertrust.jks
    adds the server certificate to a separate truststore
2) Test
1. C++ --- C++: succeeded
Environment: linux6u3-64
A: ./server 9091 self_signed_normal/server-cert.pem self_signed_normal/server-key.pem self_signed_normal/client-cert.pem
B: ./client A 9091 selfsigned/client-cert.pem selfsigned/client-key.pem selfsigned/server-cert.pem
2. Java --- Java: succeeded
1) Environment: win7
A: keystore server.jks
B: truststore servertrust.jks
2) Environment: linux6u3-64
A: keystore server.jks
B: truststore servertrust.jks
3) Environment:
A: linux6u3-64, keystore server.jks
B: win7, truststore servertrust.jks
4) Environment:
A: win7
B: linux6u3-64


3. C++ --- Java: partially succeeded
1) Failed: C++ on machine A, Java on machine B (C++ as the server, Java as the client)
Error reported by A: TThreadedServer client died: SSL_accept: wrong version number
2) Succeeded: Java as the server, C++ as the client
Environment:
A: linux6u3-64, Java server, server.jks
B: ./client A 9091 selfsigned/client-cert.pem selfsigned/client-key.pem selfsigned/server-cert.pem
Note: if the address of A given on B's command line is not the IP address the server certificate was created for, the client reports "ERROR: authorize: cannot authorize peer", because the address being connected to does not match the server certificate.
So with a C++ client, the server program must run on the machine whose address the server certificate was generated for (a Java client does not require this).

Conclusion:
1. When connecting, the client must use the server IP address that the server certificate was created for.
2. C++ as the server with Java as the client fails (the Internet mentions socketFactory->authenticate(false) for Thrift 0.9.3; with 0.7.0 it does not work in any way).

2. Issue certificates from a root certificate
1) Root certificate, IP address 192.168.137.10
openssl genrsa -out rootkey.pem 2048
openssl req -x509 -new -key rootkey.pem -out root.crt
2) Client, IP address 192.168.137.11
openssl genrsa -out clientkey.pem 2048
openssl req -new -key clientkey.pem -out client.csr
openssl x509 -req -in client.csr -CA root.crt -CAkey rootkey.pem -CAcreateserial -days 3650 -out client.crt
3) Server, IP address 192.168.137.12
openssl genrsa -out serverkey.pem 2048
openssl req -new -key serverkey.pem -out server.csr
openssl x509 -req -in server.csr -CA root.crt -CAkey rootkey.pem -CAcreateserial -days 3650 -out server.crt

4) Generate the keystore from the key and the truststore from the certificate (the same steps apply to the server and the client; required for C++ to Java communication)
openssl pkcs12 -export -in server.crt -inkey serverkey.pem -out server.pkcs12
    packs the server certificate and private key into a PKCS#12 file (server.pkcs12); you are prompted for an export password, remember it
keytool -importkeystore -srckeystore server.pkcs12 -destkeystore server.jks -srcstoretype pkcs12
    generates the server keystore (server.jks) with keytool's importkeystore command (PKCS#12 to JKS); both the pkcs12 password and the jks password are required
keytool -importcert -alias ca -file root.crt -keystore servertrust.jks
    creates the server truststore; put the root certificate in first
keytool -importcert -alias servercert -file server.crt -keystore servertrust.jks
    adds the server certificate to the truststore
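An added example, not part of the original post: a POSIX shell script that runs the root CA procedure above with the page's three addresses, puts each peer's IP into subjectAltName as well as the CN, and then checks the chain and the IP binding with openssl verify, which is the same check that Thrift's authorize() fails with "cannot authorize peer" when the client dials a different address. The file names follow the page; the helper functions gen_chain and check_peer, the CA subject and the work directory are my own assumptions, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example (not the post's own code): section 2 CA procedure with the peer IP
# also placed in subjectAltName, followed by an explicit chain and IP check.
set -eu

# gen_chain DIR: create root.crt, server.crt, client.crt and their keys in DIR.
gen_chain() {
    mkdir -p "$1"
    ( cd "$1"
      # Root CA (192.168.137.10 on the page); it only signs the two leaf certificates.
      openssl req -x509 -newkey rsa:2048 -nodes -keyout rootkey.pem -out root.crt \
          -days 3650 -subj "/CN=thrift-root-ca" 2>/dev/null
      # One leaf per peer: CN = IP as on the page, plus an iPAddress SAN so that
      # Thrift's authorize() and OpenSSL's own IP check both find the address.
      for peer in "server 192.168.137.12" "client 192.168.137.11"; do
          set -- $peer                      # $1 = name, $2 = IP (constructed values)
          openssl req -newkey rsa:2048 -nodes -keyout "${1}key.pem" \
              -out "$1.csr" -subj "/CN=$2" 2>/dev/null
          printf 'subjectAltName=IP:%s\n' "$2" > "$1.ext"
          openssl x509 -req -in "$1.csr" -CA root.crt -CAkey rootkey.pem \
              -CAcreateserial -days 3650 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
      done
    )
}

# check_peer DIR NAME IP: succeeds only if NAME.crt chains to DIR/root.crt and was
# issued for IP. A mismatch here is what the C++ client reports at connect time as
# "authorize: cannot authorize peer".
check_peer() {
    openssl verify -CAfile "$1/root.crt" -verify_ip "$3" "$1/$2.crt" >/dev/null 2>&1
}

WORK=${WORK:-$(mktemp -d)}
gen_chain "$WORK"
check_peer "$WORK" server 192.168.137.12 && echo "server.crt valid for 192.168.137.12"
check_peer "$WORK" client 192.168.137.11 && echo "client.crt valid for 192.168.137.11"
check_peer "$WORK" server 192.168.137.11 || echo "server.crt rejected for 192.168.137.11 (expected)"
```

The resulting server.crt, serverkey.pem and root.crt can be fed to the pkcs12 and keytool steps above unchanged.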

Test
C++ --- C++: succeeded
./server_normal 9091 keys/server.crt keys/server.key keys/ca.crt
./client.bak 172.16.22.22 9091 keys/client.crt keys/clientkey.pem keys/ca.crt

Java --- Java: succeeded (same as the self-signed case)

C++ --- Java
1) C++ server with Java client: fails.
2) Java server with C++ client: succeeds, but the client must call socketFactory->loadTrustedCertificates("ca.crt");

Code for setting up the SSL connection:

Server:

using boost::shared_ptr;                     // Thrift 0.7.0 uses boost::shared_ptr
using namespace apache::thrift;
using namespace apache::thrift::protocol;
using namespace apache::thrift::transport;
using namespace apache::thrift::server;

shared_ptr<TBufferedTransportFactory> transportFactory(new TBufferedTransportFactory());
shared_ptr<TProtocolFactory> protocolFactory(new TBinaryProtocolFactory());
shared_ptr<TProcessor> processor(new CalculatorProcessor(handler));
shared_ptr<TSSLSocketFactory> socketFactory(new TSSLSocketFactory());
socketFactory->server(true);                 // this side acts as the TLS server
socketFactory->authenticate(true);           // require and verify the client certificate (mutual TLS)
socketFactory->loadCertificate("/home/study/openssl-ca/self_signed_normal/server.crt");
socketFactory->loadPrivateKey("/home/study/openssl-ca/self_signed_normal/server.key");
socketFactory->loadTrustedCertificates("/home/study/openssl-ca/self_signed_normal/client.crt");
// OpenSSL cipher-string aliases are case-sensitive and unknown ones are silently ignored:
// it must be aNULL, otherwise anonymous cipher suites stay enabled.
socketFactory->ciphers("HIGH:!DSS:!aNULL@STRENGTH");
shared_ptr<TSSLServerSocket> socket(new TSSLServerSocket(port, socketFactory));
TThreadedServer server(processor, socket, transportFactory, protocolFactory);

printf("Security server start\n");
server.serve();

Client:

shared_ptr<TSSLSocketFactory> socketFactory(new TSSLSocketFactory());
socketFactory->authenticate(true);           // verify the server certificate and check the peer address
socketFactory->loadCertificate("/home/study/openssl-ca/self_signed_normal/client.crt");
socketFactory->loadPrivateKey("/home/study/openssl-ca/self_signed_normal/client-key.pem");
socketFactory->loadTrustedCertificates("/home/study/openssl-ca/self_signed_normal/server.crt");
// socketFactory->ciphers("HIGH:!DSS:!aNULL@STRENGTH");

// the host given here must match the address in the server certificate, see the note above
shared_ptr<TSSLSocket> socket = socketFactory->createSocket("localhost", 9091);
shared_ptr<TBufferedTransport> transport(new TBufferedTransport(socket));
shared_ptr<TProtocol> protocol(new TBinaryProtocol(transport));
CalculatorClient client(protocol);
