How to detect SSL gracefully


Problem description

I've got a web service which may be bound either to ssl or plain http. The java clients configured to know the server host and port. When client connects, I construct the server end point like http://host:port/service. Clients don't have a knowledge whether the server is using ssl - server always binds to a single port so that it's either secure or not. Now, the question is how to make a client to discover this without introducing another parameter? Can I challenge plain http request and then fall back to ssl (or vice verse) on a certain exception? Or I must explicitly introduce new connection parameter for the clients?

Recommended answer

On the server side, you could use a mechanism like Grizzly's port unification implementation. This can be used to serve HTTP and HTTPS on the same port. This relies on the fact that in both cases, the client talks first and either sends an HTTP request or an SSL/TLS Client Hello message. It's quite handy for this on the server side (although I'm not sure I'd recommend running two protocols on the same port in general).

From the client's point of view (which is what you're asking about), the consequences of that are:

  • The fact that the client talks first means it always has to try something first. If you try SSL/TLS against a plain HTTP service, you'll get some sort of exception, and vice versa.

  • If the server uses port unification, there is no way to find out reliably.

Port unification aside (this is a rare case after all), you could try to cache results of past attempts.

More fundamentally, from a security point of view, not knowing which protocol should be used introduces a vulnerability: your system will be open to downgrade attacks (in a similar way as blindly relying on automatic redirects would). If your user-agent supports HSTS, it would be worth looking into that (although it would require the user-agent to remember which sites are to be used with HTTPS).

Either way, if you're concerned about security, you must configure the client to know when to use https://.
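The server-side check that port unification relies on ("the client talks first") can be shown in a few lines. This is an added example, not Grizzly's code or anything from the question: it peeks at the first bytes of a connection, classifies them as a TLS ClientHello or an HTTP request line, and verifies with a local socket pair that the peek leaves the bytes for the real handler. The sample bytes are constructed for this example, and the example is deliberately server-side only, since a client that guesses and falls back is exactly the downgrade risk the answer warns about.

```python
import socket

# Constructed sample bytes for this example (not captured traffic): the start
# of a TLS 1.2 ClientHello record, and a plain HTTP/1.1 request line.
SAMPLE_CLIENT_HELLO = (b"\x16\x03\x01\x00\x2f"        # record: handshake, v3.1, len
                       b"\x01\x00\x00\x2b\x03\x03"    # ClientHello, len, TLS 1.2
                       + b"\x00" * 32)                # client random (zeroed)
SAMPLE_HTTP_REQUEST = b"GET /service HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

TLS_HANDSHAKE, TLS_CLIENT_HELLO = 0x16, 0x01   # record type, handshake type
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")

def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' from the first bytes a client sent."""
    # Every TLS connection opens with a handshake record carrying a ClientHello;
    # the record version is 3.x for everything from SSL 3.0 to TLS 1.3.
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == TLS_CLIENT_HELLO):
        return "tls"
    # Plain HTTP opens with an ASCII request line: "<METHOD> <target> HTTP/x.y".
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"

def sniff_socket(sock: socket.socket) -> str:
    """Peek at the first bytes without consuming them, so whichever handler is
    chosen afterwards (TLS engine or HTTP parser) still reads the whole message."""
    return classify_first_bytes(sock.recv(16, socket.MSG_PEEK))

def demo() -> tuple:
    """Push both samples through a local socket pair; returns, per sample, the
    detected protocol and whether the handler still received every byte."""
    results = []
    for sample in (SAMPLE_CLIENT_HELLO, SAMPLE_HTTP_REQUEST):
        client, server = socket.socketpair()
        try:
            client.sendall(sample)
            kind = sniff_socket(server)
            delivered = server.recv(len(sample))  # the peek consumed nothing
            results.append((kind, delivered == sample))
        finally:
            client.close()
            server.close()
    return tuple(results)
```

Anything that is neither a ClientHello nor a known method is reported as "unknown" so the caller can close it rather than guess; a real listener would then hand the socket to a TLS engine or an HTTP parser depending on the result.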
