Thrift ssl Certificate arrangement, thriftssl

Source: Internet
Author: User
Tags openssl x509 pkcs12

Thrift ssl Certificate arrangement, thriftssl

1. Generate A certificate. The number of machines required must be greater than or equal to 2 (one server certificate is generated and one server certificate is generated). The following server uses A as the server and B as the client for example, thrift version 0.7.0
1. Generate and test a self-signed certificate
1) generate key and Certificate-related
Server,
Openssl genrsa-out server-key.pem 2048
Openssl req-new-x509-key server-key.pem-out server-cert.pem-days 10000
Client B
Openssl genrsa-out client-key.pem 2048
Openssl req-new-x509-key client-key.pem-out client-cert.pem-days 10000
Keystore generated by key and truststore generated by crt (similar to server and client)
Openssl pkcs12-export-in server-key.pem-inkey server-key.pem-out server. pkcs12 package server data in pkcs12 format
Keytool-importkeystore-srckeystore server. pkcs12-destkeystore server. jks-srcstoretype pkcs12 generates the keystore and uses the importkeystore command of keytool. Pkcs12 to jks. The pkcs12 password and jks password are required.
Keytool-importcert-alias servercert-file server. crt-keystore servertrust. jks adds the Server certificate to the external KeyStore.
2) test
1. c ++ --- c ++ succeeded.
Linux6u3-64 Environment
A:./server 9091 self_signed_normal/server-cert.pem self_signed_normal/server-key.pem self_signed_normal/client-cert.pem
B:./client A 9091 selfsigned/client-cert.pem selfsigned/client-key.pem selfsigned/server-cert.pem
2. java --- java succeeded
1) Environment: win7
A: keystore: server. jks
B: truststore: servertrust. jks
2) Environment: linu6u3-64
A: keystore: server. jks
B: truststore: servertrust. jks
3) Environment:
A: linux6u3-64 keystore: server. jks
B: win7 servertrust. jks
4) Environment:
A: win7
B: linux6u3-64


3. c ++ --- java partially succeeded
1) unsuccessful: c ++ is on machine A, java is on machine B (c ++ serves as the server, and java serves as the client)
Error reported by client A: TThreadedServer client died: SSL_accept: wrong version number
2) Success (java serves as the server and c ++ client)
Environment:
A: linux6u3-64 java server. jks
B:./client A 9091 selfsigned/client-cert.pem selfsigned/client-key.pem selfsigned/server-cert.pem ,,
Note: If the IP address of A in B's command line is not the IP address of A (the IP address of the original server certificate), ERROR: authorize: cannot authorize peer is reported, the reason is that the IP address is not the IP address of the server certificate.
Therefore, in the case of c ++ client, the server program must be the same as the machine that generates the server certificate (java client is not required )()

Conclusion:
1. When connecting to the server, the client must specify the Server IP address as the IP address for creating the server certificate.
2. c ++ is used as the server and java is used as the client, but fails (but thrift, socketFactory-> authenticate (false) in Internet 0.9.3, 0.7.0 won't work in any way)

2. Issue the root certificate
1) Root Certificate IP address 192.168.137.10
Openssl genrsa-out rootkey. pem 2048
Openssl req-x509-new-key rootkey. pem-out root. crt
2) Client IP address 192.168.137.11
Openssl genrsa-out clientkey. pem 2048
Openssl req-new-key clientkey. pem-out client. csr
Openssl x509-req-in client. csr-CA root. crt-CAkey rootkey. pem-CAcreateserial-days 3650-out client. crt
3) Server IP address 192.168.137.12
Openssl genrsa-out serverkey. pem 2048
Openssl req-new-key serverkey. pem-out server. csr
Openssl x509-req-in server. csr-CA root. crt-CAkey rootkey. pem-CAcreateserial-days 3650-out server. crt

4) keystore is generated by the key and truststore is generated by the crt (similar to that on the server and client, required for communication between c ++ and java)
Openssl pkcs12-export-in server. crt-inkey serverkey. pem-out server. pkcs12 package the server data in pkcs12 format (server. pkcs12 ). Enter a password. Remember.
Keytool-importkeystore-srckeystore server. pkcs12-destkeystore server. jks-srcstoretype pkcs12 generate server-side keystore (server. jks ). Use the importkeystore command of keytool. Pkcs12 to jks. The pkcs12 password and jks password are required.
Keytool-importcert-alias ca-file root. crt-keystore servertrust. jks generate the external KeyStore of the Server. Put the root certificate in it first.
Keytool-importcert-alias servercert-file server. crt-keystore servertrust. jks adds the Server certificate to the external KeyStore.

Test
C ++ --- c ++ successful
./Server_normal 9091 keys/server. crt keys/server. key keys/ca. crt
./Client. bak 172.16.22.22 9091 keys/client. crt keys/clientkey. pem keys/ca. crt

Java --- java succeeded (same as self-signed)

C ++ --- java
1) The c ++ server and java client fail.
2) java Server, c ++ client succeeded, but client socketFactory-> loadTrustedCertificates ("" ca. crt ");

Ssl creates an encrypted communication code:

Server:

Shared_ptr <TBufferedTransportFactory> transportFactory =
Shared_ptr <TBufferedTransportFactory> (new TBufferedTransportFactory ());
Shared_ptr <TProtocolFactory> protocolFactory (new TBinaryProtocolFactory ());
Shared_ptr <TProcessor> processor (new CalculatorProcessor (handler ));
Shared_ptr <TSSLSocketFactory> socketFactory =
Shared_ptr <TSSLSocketFactory> (new TSSLSocketFactory ());
SocketFactory-> server (true );
SocketFactory-> authenticate (true );
SocketFactory-> loadCertificate ("/home/study/openssl-ca/self_signed_normal/server. crt ");
SocketFactory-> loadPrivateKey ("/home/study/openssl-ca/self_signed_normal/server. key ");
SocketFactory-> loadTrustedCertificates ("/home/study/openssl-ca/self_signed_normal/client. crt ");
SocketFactory-> ciphers ("HIGH :! DSS :! ANULL @ STRENGTH ");
Shared_ptr <TSSLServerSocket> socket (new TSSLServerSocket (port, socketFactory ));
TThreadedServer server (processor,
Socket,
TransportFactory,
ProtocolFactory );

Printf ("Security server start \ n ");
Server. serve ();

 

Client

Shared_ptr <TSSLSocketFactory> socketFactory = shared_ptr <TSSLSocketFactory> (new TSSLSocketFactory ());
SocketFactory-> authenticate (true );
SocketFactory-> loadCertificate ("/home/study/openssl-ca/self_signed_normal/client. crt ");
SocketFactory-> loadPrivateKey ("/home/study/openssl-ca/self_signed_normal/client-key.pem ");
SocketFactory-> loadTrustedCertificates ("/home/study/openssl-ca/self_signed_normal/server. crt ");
// SocketFactory-> ciphers ("HIGH :! DSS :! ANULL @ STRENGTH ");

Shared_ptr <TSSLSocket> socket = socketFactory-> createSocket ("localhost", 9091 );
Shared_ptr <TBufferedTransport> transport (new TBufferedTransport (socket ));
Shared_ptr <TProtocol> protocol (new TBinaryProtocol (transport ));
CalculatorClient client (protocol );

 

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.