在Java CXF客户端中实施双向SSL [英] Enforce Two-Way SSL in Java CXF clients

问题描述

双向SSL(或相互认证)通常由服务器在HTTPS中规定.例如，本教程说明了如何设置WildFly应用服务器以要求Web服务客户端在通信期间出示证书.

Two-Way SSL - or mutual authentication - is typically dictated in HTTPS by the server. For example, this tutorial explains how to set up WildFly application server to require webservice clients to present a certificate during communication.

但是，在我们的情况下，我们需要在客户端实施双向SSL.这意味着我们的客户端配置有客户端证书，以便它可以在握手期间提供证书.如果要连接的服务器不要求提供证书，则我们要中止通信.

However, in our case we need to enforce Two-Way SSL on the client side. That means our client is configured with a client certificate so that it can supply the certificate during handshake. If a server we are connecting to does not ask for the certificate, we want to abort communication.

SSL握手的描述，如"SSL协议"一节中的图所示

Descriptions of the SSL handshake like the diagram in the section titled "The SSL Protocol" here (a bit further down) explain how the first thing happening is selection of a cipher suite:

"1.客户端问候-客户端发送服务器信息，包括 它支持的最高版本的SSL及其密码套件列表 支持. (TLS 1.0表示为SSL 3.1.)密码套件 信息包括密码算法和密钥大小."

"1. Client hello - The client sends the server information including the highest version of SSL it supports and a list of the cipher suites it supports. (TLS 1.0 is indicated as SSL 3.1.) The cipher suite information includes cryptographic algorithms and key sizes."

在Java方面(更具体地说:在我的情况下为CXF)，可以过滤器密码套件("cipherSuitesFilter" )-因此，我认为可以将密码套件限制为需要相互认证的密码套件.但我在密码套件和双向SSL之间找不到任何链接.例如，此页面注意:

On Java side (more specifically: CXF in my case) , it's possible to filter cipher suites("cipherSuitesFilter") - so I thought it would be possible to limit cipher suites to those requiring mutual authentication. But I don't find any links between cipher suites and two-way SSL. For example, this page notes:

身份验证算法-指示如何进行服务器身份验证和(如果 需要)将进行客户端身份验证.

authentication algorithm - dictates how server authentication and (if needed) client authentication will be carried out.

我开始认为这意味着密码套件仅指示如何客户端身份验证，而不指示是否客户端身份验证.

I'm starting to think that means the cipher suite only dictates how client authentication is done, not if client authentication is required.

那使我陷入死胡同.还有其他方法可以在客户端实施客户端身份验证吗?

That leaves me at a dead end. Is there any other way to enforce client authentication on the client side?

目前，我能想到的唯一解决方案是在握手完成后找到用于SSL通信的正确钩子方法，检查连接是否使用客户端身份验证，否则中止.但是，如果存在这种情况，我想使用任何一种通用方法.

Right now the only solution I can think of is finding the right hook method to implement for SSL communication after the handshake has been done, checking if the connection uses client authentication and aborting if it's not. But I'd like to use any kind of common approach for, if such a thing exists.

推荐答案

我们没有找到比我在问题中已经提到的解决方案更好的解决方案. 作为客户端，我们只能检查是否使用客户端证书建立了连接.这不能保证服务器完全验证了证书，仅保证它已请求证书.

We didn't find a better solution than the one I already mentioned in my question. As a client, we can only check whether a connection was established using a client certificate. That does not guarantee that the server thoroughly verified the certificate, just that it requested a certificate.

我们的实现是自定义的javax.net.ssl.SSLSocketFactory，它扩展了createSocket方法以检查javax.net.ssl.SSLSession.getLocalCertificates()是否返回某些内容.如果不是，则抛出javax.net.ssl.SSLException的异常子类以中止通信. 套接字工厂是通过org.apache.cxf.configuration.jsse.TLSClientParameters.setSSLSocketFactory(SSLSocketFactory).

Our implementation is a custom javax.net.ssl.SSLSocketFactory that extends createSocket methods to check whether javax.net.ssl.SSLSession.getLocalCertificates() returns something. If not, an exception subclass of javax.net.ssl.SSLException is thrown to abort communication. The socket factory is set via org.apache.cxf.configuration.jsse.TLSClientParameters.setSSLSocketFactory(SSLSocketFactory).

这篇关于在Java CXF客户端中实施双向SSL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！