如何在dart中创建安全的http服务器？ [英] How to create a secure http server in dart?

问题描述

我尝试将我的dart http服务器设置为仅使用https运行。因此，我需要使用 HttpServer.bindSecure ，但我不清楚从什么需要传递为 certificateName 和 requestClientCertificate 为true使它或多或少的安全，或对安全没有影响。 <$ c $顶部的小示例代码c> HttpServer page 传递 certificateName：'localhost_cert'，但在此之前，它对数据库做了一些事情，无论如何使用它。

解决方案

a href =https://api.dartlang.org/apidocs/channels/stable/dartdoc-viewer/dart:io.HttpServer#id_bindSecure,requestClientCertificate =nofollow> requestClientCertificate 参数 bindSecure 用于指定客户端证书。服务器使用客户端证书来识别和授权客户端，这似乎不是此问题的目标。请注意，使用客户端时出现已知问题

certificateName 参数用于指定证书数据库中存在的证书的昵称。在使用 -n 选项指定证书昵称en-US / docs / Mozilla / Projects / NSS / tools / NSS_Tools_certutilrel =nofollow> certutil 。

使用以下步骤： / p>

• 安装NSS实用程序（包括certutil），




• 使用密码< password> 在目录< dir> 中创建一个新的证书数据库， >




• 汇入以昵称< host> 识别的自签名或购买的凭证，使用以下示例代码创建HTTPS服务器。虽然昵称可以任意选择，但我们在本例中使用主机名。这些步骤已经确认在Ubuntu 14.04和Dart SDK 1.6通过（目前最后的稳定版本）1.8.3。

  
  

  1. 安装NSS实用程序
     
     sudo apt-get install libnss3-tools

  
  

  2. cd到包含您的证书数据库的目录
     
     cd< dir>

  
  
  3. p>创建要与证书数据库一起使用的密码文件：
     
     echo< password> > pwdfile

  
  

  4. 创建证书数据库
     
     certutil -N -d'sql ：./'-f pwdfile

  
  

  5. 可以：

     
     
     
     
     

     • 生成自签名证书：

       
       
       

       certutil -S -scn =< host& -n自签名dart-x -tC，C，C-m 1000 -v 120 -dsql：./-k rsa -g 2048 -f pwdfile

       
       
       

       其中< host> 是生成证书的主机（通用名称），例如localhost

     
     

     • 或者，首先为真实域创建签名请求购买证书< host> ，例如myhost.com：

       
       
       

       certutil -R -sCN =< host> L = San Diego，ST = California，C = US-a -g 2048 -o< host> .csr -dsql：./

       
       
       

       然后在从签名授权机构购买证书时提示输入CSR时指定文件< host> .csr的内容。

       
       
       

       将购买的证书复制到< host> .crt

       
       
       

       将证书导入数据库
       
       certutil -A -n< host> -tp，p，p-i< host> .crt -dsql：./

       
       
       

       使用中间证书，可以这样导入：
       
       certutil -A -n my_intermediate_certificate -t​​p，p，p-i intermediate.crt -dsql： ./\"
       
       其中intermediate.crt是从签名中心下载的中间证书文件。

     
     
  
  主机> -dsql：./
  
  certutil -L -n my_intermediate_certificate -dsql：./
  
  

$ b $ p

要使用此证书并创建HTTPS服务器，请执行

  //初始化安全套接字以使用证书数据库（注意：用证书数据库目录的绝对路径替换``dir>`
 //，并用上面选择的值替换`< password>`
 //）
 SecureSocket .initialize（database：< dir>，password：< password>）; 
 
 //将安全HTTP服务器绑定到指定的主机和端口（通常为443）
 HttpServer.bindSecure（< host>，443，certificateName：< host& b $ b .then（（HttpServer httpServer）{
 
 //监听传入的请求
 httpServer.listen（（HttpRequest httpRequest）{
 
 // TODO：过程请求
}）; 
}）
 .catchError（（error）{
 
 // TODO：handle error 
}）; 
  

更新

我没有足够的信誉点来回应评论，因此这里有一些额外的细节可能有助于回答这些问题：客户端证书不用于加密客户端 - 服务器通信，在建立安全的常见场景中不需要通过HTTPS在Web浏览器和Web服务器之间进行通信。上述步骤说明了如何使用 bindSecure 。

I am trying to setup my dart http server to run only with https. So I gather I need to use HttpServer.bindSecure but I'm not clear from the description what needs to be passed in as certificateName and whether requestClientCertificate being true makes it more or less secure, or has no impact on security what so ever. The small sample code at the top of the HttpServer page passes in certificateName: 'localhost_cert' but before that it does something with a database, but doesn't seem to use it in anyway. Can anyone explain in more detail what these values are and what they need to be in order to make them secure?

解决方案

The requestClientCertificate parameter of bindSecure is used to specify a client certificate. Client certificates are used by servers to identify and authorize clients, which appears not to be the objective of this question. It should be noted that there is a known issue with using client certificates in Dart on IE9 and Windows 7.

The certificateName parameter is used to specify the nickname of a certificate that exists in your certificate database. You specify the certificate nickname using the -n <nickname> option when importing a certificate to your database using certutil.

Use the following steps to:

• Install the NSS utility (including certutil),

• Create a new certificate database in directory <dir> with a password <password>, and

• Import your self-signed or purchased certificate identified by nickname <host> such that it can be used to create an HTTPS server using the following sample code. Though the nickname can be chosen arbitrarily, we use the host name in this example. These steps have been confirmed working in Ubuntu 14.04 and Dart SDK 1.6 through (currently last stable version) 1.8.3.

  1. Install the NSS utility
     sudo apt-get install libnss3-tools

  2. cd to the directory that will contain your certificate database
     cd <dir>

  3. Create a password file to use with the certificate database:
     echo "<password>" > pwdfile

  4. Create the certificate database
     certutil -N -d 'sql:./' -f pwdfile

  5. Either:

     • Generate a self-signed certificate:

       certutil -S -s "cn=<host>" -n "self signed for dart" -x -t "C,C,C" -m 1000 -v 120 -d "sql:./" -k rsa -g 2048 -f pwdfile

       where <host> is the host ("common name") for which to generate a certificate, for example "localhost"

     • Or, purchase a certificate by first creating a signing request for a real domain <host>, for example "myhost.com":

       certutil -R -s "CN=<host>, O=None, L=San Diego, ST=California, C=US" -a -g 2048 -o <host>.csr -d "sql:./"

       Then specify the content of file <host>.csr when prompted for a CSR upon purchasing a certificate from a signing authority.

       Copy the purchased certificate to a file named <host>.crt

       Import the certificate to the database
       certutil -A -n <host> -t "p,p,p" -i <host>.crt -d "sql:./"

       If necessary to use an intermediate certificate, it can be imported as such:
       certutil -A -n my_intermediate_certificate -t "p,p,p" -i intermediate.crt -d "sql:./"
       where "intermediate.crt" is the intermediate certificate file downloaded from the signing authority.

  6. Verify that the certificates exist in the database

     certutil -L -n <host> -d "sql:./"
certutil -L -n my_intermediate_certificate -d "sql:./"

To use this certificate and create an HTTPS server, do the following:

// Initialize secure socket to use certificate database (note: replace `<dir>`
// with the absolute path to the certificate database directory, and `<password>`
// with the value chosen above)
SecureSocket.initialize(database: "<dir>", password: "<password>");

// Bind secure HTTP server to specified host and port (typically 443)
HttpServer.bindSecure("<host>", 443, certificateName: "<host>")
  .then((HttpServer httpServer) {

    // Listen for incoming requests
    httpServer.listen((HttpRequest httpRequest) {

      // TODO: process request
    });
  })
  .catchError((error) {

    // TODO: handle error
  });

Update

I don't have enough reputation points to respond to the comments, so here are additional details that may help answer the questions: Client certificates are not used to encrypt client-server communication and are not needed in the common scenario of establishing secure communication between a web browser and a webserver via HTTPS. The steps outlined above show how to create an HTTPS server in Dart using bindSecure.

这篇关于如何在dart中创建安全的http服务器？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！