SSL/TLS - am I doing it right?


Question

Hi all

I am writing a multi-user accounting/business application, which uses
sockets to communicate between client and server. I want to offer the
option of encrypting the traffic between the two. The main reason for
this is to cater for wireless communication.

I have read up on SSL, and more or less understand the concepts. I have
downloaded some additional software, read the instructions, and seem to
have got it working. However, I have no in-depth knowledge of what is
going on, and I have no idea how to check if I am doing it correctly.

The subject is too important to learn the hard way that I am doing
something wrong. Therefore I would be grateful if someone would review
the steps I have taken (listed below), and advise on whether there is
anything obviously wrong or missing.

TIA

Frank Millman

1. Install
----------
OpenSSL
M2Crypto
TLSLite

2. Create KeyPair + Certificate
-------------------------------
openssl genrsa -out privkey.key 1024
openssl req -new -x509 -key privkey.key -out privkey.crt -days 1095
cp privkey.key privkey.pem
cat privkey.crt >> privkey.pem

3. Modify Server
----------------
old -
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((HOST, PORT))
s.listen(1)
while 1:
    conn, addr = s.accept()
    data = conn.recv(1024)

new -
import socket
from tlslite.api import *   # X509, X509CertChain, parsePEMKey, TLSConnection

# privkey.pem holds both the certificate and the private key (step 2),
# so the same file is parsed twice: once for each.
f = open('/home/frank/secrets/privkey.pem').read()
x509 = X509()
x509.parse(f)
certChain = X509CertChain([x509])
f = open('/home/frank/secrets/privkey.pem').read()
privateKey = parsePEMKey(f, private=True)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((HOST, PORT))
s.listen(1)
while 1:
    conn, addr = s.accept()
    c = TLSConnection(conn)
    c.handshakeServer(certChain=certChain, privateKey=privateKey)
    data = c.recv(1024)

4. Modify Client
----------------
old -
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
s.send(data)

new -
import socket
from tlslite.api import *   # TLSConnection

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
c = TLSConnection(s)
c.handshakeClientCert()
c.send(data)

Answers

Frank Millman enlightened us with:
> while 1:
>     conn, addr = s.accept()
>     c = TLSConnection(conn)
>     c.handshakeServer(certChain=certChain, privateKey=privateKey)
>     data = c.recv(1024)

It's nice that you set up a TLS connection, but you never check the
certificate of the other side for validity. You should make sure the
certificate chain is completely signed from top to bottom. Then check
that the bottom certificate is amongst trusted CAs. Also check all the
certificates in the chain against the CRL of the CA. I've submitted
this CRL check to the author of TLS Lite, so it should be in a release
soon.

> s.connect((HOST, PORT))
> c = TLSConnection(s)
> c.handshakeClientCert()
> c.send(data)

See above. You set up a TLS connection, but you never verify that
you're talking to the right computer.

Sybren
--
The problem with the world is stupidity. Not saying there should be a
capital punishment for stupidity, but why don't we just take the
safety labels off of everything and let the problem solve itself?
Frank Zappa




Sybren Stuvel wrote:
> Frank Millman enlightened us with:
>> while 1:
>>     conn, addr = s.accept()
>>     c = TLSConnection(conn)
>>     c.handshakeServer(certChain=certChain, privateKey=privateKey)
>>     data = c.recv(1024)
>
> It's nice that you set up a TLS connection, but you never check the
> certificate of the other side for validity. You should make sure the
> certificate chain is completely signed from top to bottom. Then check
> that the bottom certificate is amongst trusted CAs. Also check all the
> certificates in the chain against the CRL of the CA.

Thanks for the reply, Sybren.

I was hoping to avoid this step. The point of the exercise for me is
encryption. I am not too worried about authentication. The next step in
my app is for the client to enter a user id and password, and the
server will not proceed without verifying this.

However, I realise that security is not something to be trivialised, so
if your recommendation is that I do complete the validation steps, I
will try to understand that part of the documentation and apply that as
well.

Thanks

Frank


"Frank Millman" <fr***@chagford.com> writes:
> I was hoping to avoid this step. The point of the exercise for me is
> encryption. I am not too worried about authentication. The next step in
> my app is for the client to enter a user id and password, and the
> server will not proceed without verifying this.

That is a total disaster without authentication, since it means the
client can reveal the password to an imposter.
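The two objections in this thread (Sybren: the client never validates the server's certificate chain against a trusted CA; the final reply: a password sent over such a link goes to whoever answers) can be demonstrated end to end. The following is an added example, not code from the thread or from TLSLite: it uses Python's standard ssl module instead of TLSLite, repeats step 2 of the post with the openssl CLI (2048-bit RSA and a subjectAltName so hostname checking can succeed), and runs a server and client in-process over the loopback interface. The host name, file names and the sample credential string are invented for this example; the openssl binary is assumed to be on PATH, and the demo reports that it cannot run when it is not.

```python
"""Added example: the post's non-verifying client versus a verifying one."""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "127.0.0.1"
# Constructed sample of what the post's client sends after the handshake.
SECRET = b"user=frank&password=hunter2"


def openssl_available():
    return shutil.which("openssl") is not None


def make_self_signed(dirname, name):
    """Step 2 of the post: private key plus self-signed cert, returned as
    (keyfile, certfile). Anyone can mint a cert with this name, which is why
    the name alone proves nothing; only chaining to a trusted cert does."""
    key = os.path.join(dirname, name + ".key")
    crt = os.path.join(dirname, name + ".crt")
    subprocess.run(["openssl", "genrsa", "-out", key, "2048"],
                   check=True, capture_output=True)
    subprocess.run(["openssl", "req", "-new", "-x509", "-key", key, "-out", crt,
                    "-days", "1", "-subj", "/CN=localhost",
                    "-addext", "subjectAltName=DNS:localhost"],
                   check=True, capture_output=True)
    return key, crt


def client_context(verify, cafile=None):
    """verify=False reproduces the post's handshakeClientCert(): traffic is
    encrypted but any certificate is accepted. verify=True demands a chain to
    a trusted certificate (cafile, else the system store) and a matching name."""
    if not verify:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False        # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # create_default_context() sets CERT_REQUIRED and check_hostname=True.
    return ssl.create_default_context(cafile=cafile)


def verifies(ctx):
    """True when the context will refuse an unauthenticated server."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def serve_once(certfile, keyfile, ready, result):
    """Server side: accept one connection, complete the handshake and record
    the first application record; None if the client aborted the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((HOST, 0))
        s.listen(1)
        ready["port"] = s.getsockname()[1]
        ready["event"].set()
        conn, _ = s.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                result["received"] = tls.recv(1024)
        except OSError:                   # SSLError is a subclass of OSError
            result["received"] = None


def talk(server_cert, server_key, verify, cafile=None):
    """One in-process exchange. Returns (bytes the server received,
    name of the client-side TLS error or None)."""
    ready = {"event": threading.Event()}
    result = {}
    t = threading.Thread(target=serve_once,
                         args=(server_cert, server_key, ready, result))
    t.start()
    ready["event"].wait(5)
    error = None
    try:
        with socket.create_connection((HOST, ready["port"])) as raw:
            ctx = client_context(verify, cafile)
            with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                tls.sendall(SECRET)
    except ssl.SSLError as e:
        error = type(e).__name__
    t.join(5)
    return result.get("received"), error


def demo():
    """Runs the three cases the thread argues about and returns the outcomes."""
    with tempfile.TemporaryDirectory() as d:
        real_key, real_crt = make_self_signed(d, "server")
        fake_key, fake_crt = make_self_signed(d, "imposter")
        return {
            # the post's client against an imposter: the password is handed over
            "unverified_vs_imposter": talk(fake_crt, fake_key, verify=False),
            # verifying client against the imposter: handshake refused, nothing sent
            "verified_vs_imposter": talk(fake_crt, fake_key, True, cafile=real_crt),
            # verifying client against the genuine server: still works
            "verified_vs_real": talk(real_crt, real_key, True, cafile=real_crt),
        }


def demo_matches_expectations():
    """True when the outcomes match the replies above; also True when the
    openssl CLI is missing or unusable, in which case the demo cannot run."""
    if not openssl_available():
        return True
    try:
        r = demo()
    except subprocess.CalledProcessError:
        return True
    return (r["unverified_vs_imposter"] == (SECRET, None)
            and r["verified_vs_imposter"] == (None, "SSLCertVerificationError")
            and r["verified_vs_real"] == (SECRET, None))


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The middle case is the one that matters for the password step: with a trust anchor configured, the client never completes the handshake with the imposter, so there is no encrypted channel to send the credential into. Sybren's CRL point is not covered here; Python's default context does no revocation checking unless `verify_flags` is set to `ssl.VERIFY_CRL_CHECK_LEAF` or `VERIFY_CRL_CHECK_CHAIN` and a CRL is loaded with `load_verify_locations`.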

