Thrift SSL certificate arrangement (thriftssl)
1. Generate the certificates. At least two machines are needed (one generates the server certificate, the other generates the client certificate). In the following, A is the server and B is the client; thrift version 0.7.0.
1. Generate and test a self-signed certificate
1) Generate the keys and certificates
Server A:
openssl genrsa -out server-key.pem 2048
openssl req -new -x509 -key server-key.pem -out server-cert.pem -days 10000
Client B:
openssl genrsa -out client-key.pem 2048
openssl req -new -x509 -key client-key.pem -out client-cert.pem -days 10000
Generate the keystore from the key and the truststore from the certificate (the same steps apply on server and client):
openssl pkcs12 -export -in server-cert.pem -inkey server-key.pem -out server.pkcs12
    packages the server certificate and key in PKCS#12 format
keytool -importkeystore -srckeystore server.pkcs12 -destkeystore server.jks -srcstoretype pkcs12
    generates the keystore: keytool's importkeystore command converts PKCS#12 to JKS; both the pkcs12 password and the jks password are required.
keytool -importcert -alias servercert -file server-cert.pem -keystore servertrust.jks
    adds the server certificate to the truststore (the "external keystore").
2) Test
1. C++ --- C++ succeeded.
Environment: linux6u3-64
A: ./server 9091 self_signed_normal/server-cert.pem self_signed_normal/server-key.pem self_signed_normal/client-cert.pem
B: ./client A 9091 selfsigned/client-cert.pem selfsigned/client-key.pem selfsigned/server-cert.pem
2. Java --- Java succeeded
1) Environment: win7
A: keystore: server.jks
B: truststore: servertrust.jks
2) Environment: linux6u3-64
A: keystore: server.jks
B: truststore: servertrust.jks
3) Environment:
A: linux6u3-64, keystore: server.jks
B: win7, truststore: servertrust.jks
4) Environment:
A: win7
B: linux6u3-64
3. C++ --- Java partially succeeded
1) Unsuccessful: C++ on machine A, Java on machine B (C++ as the server, Java as the client)
Error reported on A: TThreadedServer client died: SSL_accept: wrong version number
2) Successful (Java as the server, C++ as the client)
Environment:
A: linux6u3-64, Java, server.jks
B: ./client A 9091 selfsigned/client-cert.pem selfsigned/client-key.pem selfsigned/server-cert.pem
Note: if the address of A given on B's command line is not the IP address the server certificate was created for, the client reports "ERROR: authorize: cannot authorize peer"; the cause is that the address does not match the IP address in the server certificate.
Therefore, with a C++ client the server program must run on the same machine that generated the server certificate (a Java client does not require this).
Conclusion:
1. When connecting to the server, the client must use as the server address the IP address the server certificate was created with.
2. C++ as the server with Java as the client fails (posts on the Internet use socketFactory->authenticate(false) with thrift 0.9.3; with 0.7.0 it does not work in any way).
2. Issue certificates from a root certificate
1) Root certificate, IP address 192.168.137.10
openssl genrsa -out rootkey.pem 2048
openssl req -x509 -new -key rootkey.pem -out root.crt
2) Client, IP address 192.168.137.11
openssl genrsa -out clientkey.pem 2048
openssl req -new -key clientkey.pem -out client.csr
openssl x509 -req -in client.csr -CA root.crt -CAkey rootkey.pem -CAcreateserial -days 3650 -out client.crt
3) Server, IP address 192.168.137.12
openssl genrsa -out serverkey.pem 2048
openssl req -new -key serverkey.pem -out server.csr
openssl x509 -req -in server.csr -CA root.crt -CAkey rootkey.pem -CAcreateserial -days 3650 -out server.crt
4) Generate the keystore from the key and the truststore from the certificate (the same steps apply on server and client; required for communication between C++ and Java)
openssl pkcs12 -export -in server.crt -inkey serverkey.pem -out server.pkcs12
    packages the server data in PKCS#12 format (server.pkcs12). Enter a password and remember it.
keytool -importkeystore -srckeystore server.pkcs12 -destkeystore server.jks -srcstoretype pkcs12
    generates the server-side keystore (server.jks): keytool's importkeystore command converts PKCS#12 to JKS; both the pkcs12 password and the jks password are required.
keytool -importcert -alias ca -file root.crt -keystore servertrust.jks
    generates the server truststore (the "external keystore"); put the root certificate in it first.
keytool -importcert -alias servercert -file server.crt -keystore servertrust.jks
    adds the server certificate to the truststore.
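Steps 1) to 3) above as a script, ending with the chain check that the Thrift client's authenticate(true) verification also performs, and with the machine IP written into a subjectAltName as well as the CN so that a client dialing the IP can match the peer (the "authorize: cannot authorize peer" note in section 1). This is an added example, not the original post's commands; the output directory thriftssl-ca, the -subj values and the explicit basicConstraints on the root are assumptions.

```shell
#!/bin/sh
# Added example: root CA -> client/server certificates as in section 2,
# scripted. Not the original post's commands: the IP goes into the CN and
# into a subjectAltName so a client connecting by IP can match the peer.
set -eu

WORKDIR="${WORKDIR:-${TMPDIR:-/tmp}/thriftssl-ca}"   # assumed output directory
ROOT_IP="192.168.137.10"
CLIENT_IP="192.168.137.11"
SERVER_IP="192.168.137.12"

# make_root: self-signed root; basicConstraints CA:TRUE is set explicitly so
# 'openssl verify' (and the Thrift client) accept it as a trust anchor.
make_root() {
    openssl genrsa -out "$WORKDIR/rootkey.pem" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/rootkey.pem" -subj "/CN=$ROOT_IP" \
        -out "$WORKDIR/root.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
        > "$WORKDIR/root.ext"
    openssl x509 -req -in "$WORKDIR/root.csr" -signkey "$WORKDIR/rootkey.pem" \
        -days 3650 -extfile "$WORKDIR/root.ext" -out "$WORKDIR/root.crt" 2>/dev/null
}

# issue_cert NAME IP: key + CSR + root-signed cert, with the IP in CN and SAN
issue_cert() {
    name="$1"; ip="$2"
    openssl genrsa -out "$WORKDIR/${name}key.pem" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/${name}key.pem" -subj "/CN=$ip" \
        -out "$WORKDIR/$name.csr" 2>/dev/null
    printf 'subjectAltName=IP:%s\n' "$ip" > "$WORKDIR/$name.ext"
    openssl x509 -req -in "$WORKDIR/$name.csr" -CA "$WORKDIR/root.crt" \
        -CAkey "$WORKDIR/rootkey.pem" -CAcreateserial -days 3650 \
        -extfile "$WORKDIR/$name.ext" -out "$WORKDIR/$name.crt" 2>/dev/null
}

# build_ca: run everything, then verify that both leaf certs chain to root.crt
build_ca() {
    mkdir -p "$WORKDIR"
    make_root
    issue_cert client "$CLIENT_IP"
    issue_cert server "$SERVER_IP"
    openssl verify -CAfile "$WORKDIR/root.crt" "$WORKDIR/server.crt" "$WORKDIR/client.crt"
}

# cert_ip FILE: the IP in the SAN, to compare with the address the client dials
cert_ip() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | sed 's/.*IP Address://; s/[[:space:]]//g'
}
```

Run build_ca once, then feed root.crt to loadTrustedCertificates() on both sides and compare cert_ip of server.crt with the address given to createSocket().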
Test
C++ --- C++ succeeded
./server_normal 9091 keys/server.crt keys/server.key keys/ca.crt
./client.bak 172.16.22.22 9091 keys/client.crt keys/clientkey.pem keys/ca.crt
Java --- Java succeeded (same as self-signed)
C++ --- Java
1) C++ server with Java client fails.
2) Java server with C++ client succeeded, but the client uses socketFactory->loadTrustedCertificates("ca.crt");
SSL encrypted communication code (thrift 0.7.0, C++; CalculatorHandler/CalculatorProcessor/CalculatorClient are the classes generated for the thrift tutorial's Calculator service):
Server:
#include <cstdio>
#include <protocol/TBinaryProtocol.h>
#include <transport/TBufferTransports.h>
#include <transport/TSSLSocket.h>
#include <transport/TSSLServerSocket.h>
#include <server/TThreadedServer.h>
#include "Calculator.h"   // generated service header
using boost::shared_ptr;
using namespace apache::thrift;
using namespace apache::thrift::protocol;
using namespace apache::thrift::transport;
using namespace apache::thrift::server;

// port: as passed on the command line (9091 in the tests above)
shared_ptr<CalculatorHandler> handler(new CalculatorHandler());   // tutorial service handler
shared_ptr<TBufferedTransportFactory> transportFactory =
    shared_ptr<TBufferedTransportFactory>(new TBufferedTransportFactory());
shared_ptr<TProtocolFactory> protocolFactory(new TBinaryProtocolFactory());
shared_ptr<TProcessor> processor(new CalculatorProcessor(handler));
shared_ptr<TSSLSocketFactory> socketFactory =
    shared_ptr<TSSLSocketFactory>(new TSSLSocketFactory());
socketFactory->server(true);          // SSL server role
socketFactory->authenticate(true);    // require and verify the client certificate (mutual TLS)
socketFactory->loadCertificate("/home/study/openssl-ca/self_signed_normal/server.crt");
socketFactory->loadPrivateKey("/home/study/openssl-ca/self_signed_normal/server.key");
socketFactory->loadTrustedCertificates("/home/study/openssl-ca/self_signed_normal/client.crt");   // client cert to trust
socketFactory->ciphers("HIGH:!DSS:!aNULL@STRENGTH");   // no anonymous (aNULL) suites
shared_ptr<TSSLServerSocket> socket(new TSSLServerSocket(port, socketFactory));
TThreadedServer server(processor, socket, transportFactory, protocolFactory);
printf("Security server start\n");
server.serve();

Client:
shared_ptr<TSSLSocketFactory> socketFactory = shared_ptr<TSSLSocketFactory>(new TSSLSocketFactory());
socketFactory->authenticate(true);    // verify the server certificate and check its name against the host below
socketFactory->loadCertificate("/home/study/openssl-ca/self_signed_normal/client.crt");
socketFactory->loadPrivateKey("/home/study/openssl-ca/self_signed_normal/client-key.pem");
socketFactory->loadTrustedCertificates("/home/study/openssl-ca/self_signed_normal/server.crt");   // server cert to trust
// socketFactory->ciphers("HIGH:!DSS:!aNULL@STRENGTH");
// the host must be the address the server certificate was created for (see the note above)
shared_ptr<TSSLSocket> socket = socketFactory->createSocket("localhost", 9091);
shared_ptr<TBufferedTransport> transport(new TBufferedTransport(socket));
shared_ptr<TProtocol> protocol(new TBinaryProtocol(transport));
CalculatorClient client(protocol);