未加密的SSL协议? [英] Unencrypted SSL protocol?
问题描述
是否可以通过HTTPS发送未加密的邮件?例如,要求证书验证和授权发生,但是不加密通过套接字发送的实际数据?
是的, TLS和SSL支持无加密模式。无论配置为启用的特定客户端和服务器是否是单独的问题。
尽管不太可能,服务器可能默认启用其中一个密码套件。默认情况下,服务器可能会启用弱密码套件(如导出级别的基于DES的套件)。这就是为什么您应该仔细检查服务器的密码套件白名单,只留下几个值得信赖的广泛支持的算法。 / p> 您可以使用TLS_RSA_WITH_NULL_SHA加密套件来保护流量的真实性和完整性,而无需加密。
<在这种情况下,RSA是指密钥交换算法,而SHA是指用于保护流量不被改变的消息认证算法。 NULL是加密算法,或者在这种情况下,缺少加密。
重要的是意识到流量虽然没有被加密,但是被捆绑在一起在SSL记录中。客户端和服务器必须启用SSL。
如果您正在寻找通过SSL交换某些数据的降压解决方案,则SSL已关闭,但是应用程序流量持续,这也是可能的,但请记住,它绝对不会为明文流量提供安全性;它可以被攻击者篡改。因此,例如,使用SSL进行身份验证,然后逐步下达到明确协议,以接收使用通过SSL协商的身份验证的命令将不安全。
Is it possible to send a message over https that isn't encrypted? For example, require that certificate validation and authorization occur, but not encrypt the actual data being sent over the socket?
Yes, TLS and SSL support "no-encryption" modes. Whether the particular client and server in question are configured to enable is a separate issue.
It's possible, though unlikely, that a server could enable one of these cipher suites by default. What is more likely is that a server would enable weak cipher suites (like the "export"-grade DES-based suites) by default. That's why you should carefully review the server's whitelist of cipher suites, and leave only a few trusted, widely-supported algorithms.
You can use the TLS_RSA_WITH_NULL_SHA cipher suite, among others, to protect the authenticity and integrity of traffic, without encryption.
The "RSA" in this case refers to the key exchange algorithm, while "SHA" refers to the message authentication algorithm used to protect the traffic from being altered. "NULL" is the encryption algorithm, or, in this case, the lack of encryption.
It's important to realize that the traffic, though it's not encrypted, is bundled up in SSL records. The client and server must be SSL-enabled.
If you are looking for a step-down solution where some data is exchanged over SSL, then SSL is turned off but the application traffic continues, that's possible too, but keep in mind that it offers absolutely no security for the cleartext traffic; it can be tampered with by an attacker. So, for example, authenticating with SSL, then stepping down to an "in-the-clear" protocol to receive commands that use the authentication negotiated via SSL would unsafe.
这篇关于未加密的SSL协议?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
