TLS with SNI in Java clients

Question

There is an ongoing discussion on the security and trust working group for NHIN Direct regarding the IP-to-domain mapping problem that is created with traditional SSL. If an HISP (as defined by NHIN Direct) wants to host thousands of NHIN Direct "Health Domains" for providers, then it will be an "artificially inflated cost" to have to purchase an IP for each of those domains.

Because Apache and OpenSSL have recently released TLS with support for the SNI extension, it is possible to use SNI as a solution to this problem on the server side. However, if we decide that we will allow server implementations of the NHINDirect transport layer to support TLS+SNI, then we must require that all clients support SNI too. OpenSSL based clients should do this by default and one could always use stunnel to implement a TLS+SNI aware client proxy if your given programming language SSL implementation does not support SNI. It appears that native Java applications using OpenJDK do not yet support SNI, but I cannot get a straight answer out of that project. I know that there are OpenSSL Java libraries available but I have no idea if that would be considered viable.

Can you give me a "state of the art" summary of where TLS+SNI support is for Java clients? I need a Java implementer's perspective on this.

Recommended answer

I'm working on the same project as ftrotter.

Note the requirement of support for thousands of domains. I don't think that SANs are going to cut the mustard for two reasons. First, the size of the certificate is going to get enormous, which will likely cause performance problems at a minimum. Second, these domains are going to come and go frequently, particularly in the early days of NHIN Direct. The operational burden of having to update the certificate every time a domain comes or goes is going to be unacceptable, IMHO.

At ftrotter's request, I did some googling around on the subject of java, TLS and SNI, and other ways to implement what amounts to a name-based virtual hosting situation, with one certificate per virtual host. Here's what I've come up with:

  • JSSE (Java Secure Socket Extension) supports TLS, and has "partial support" for TLS+SNI. I have no idea what partial support means in this context. The commentary I'm seeing indicates that the support that exists is not adequate for doing name-based virtual hosts, which is basically what we need.

I've found one article that claims the JDK7 version of JSSE will support TLS+SNI (dated 11/20/2008), and I've found one that claims it won't (dated 2/27/2009). Neither is particularly authoritative.

Some of the folks working on OpenJDK 7 discussed the issues around adding SNI support to JSSE back in Feb-Mar 2009, including posting a source patch. (thread starts here: http://www.mail-archive.com/security-dev@openjdk.java.net/msg00612.html). OpenJDK7 isn't going to be released any time before about September 2010. I have no idea when the Java 7 platform will be released.

There is nothing substantive on java.sun.com at all, so I really don't know what Sun's plans are at all.

There is apparently a different way to accomplish name-based virtual hosts which is apparently widely compatible, using a single certificate per hosting server which contains multiple common names and multiple subject alt names. See http://wiki.cacert.org/VhostTaskForce and Serve different certs for same Tomcat application via connectors?

This approach would create really large certificates (due to all those CNs and SANs) if you have lots of virtual hosts. One of the folks at NHIN Direct's recent face-to-face meeting was talking about wanting to support thousands of virtual hosts. My guess is that this will break a lot of implementations. In addition, having to update the certificate each time you add or remove a virtual host sounds like a ridiculous operational burden.

In summary, the current Java state of the art for name-based virtual hosting with separate certificates per virtual host appears to be "no can do". In addition, it's not clear when or if it will be added.

Does anyone agree or disagree? Does anyone know if the OpenJDK project has any intention of "backporting" SNI support for Java 6?
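The thread above predates a programmatic SNI API in JSSE. As an added illustration (not code from either poster), the following client shows what "SNI-aware" means in practice with the `javax.net.ssl` API that later shipped in Java 8 (`SNIHostName`, `SSLParameters.setServerNames`; `setEndpointIdentificationAlgorithm` exists since Java 7): the client connects to a shared IP, names the virtual host in the ClientHello, and lets JSSE verify that the certificate the server picked actually covers that name. The IP and host name are placeholders; the class name and method are my own.

```java
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Added example: a JSSE client that sends the TLS SNI extension explicitly and
 * verifies the presented certificate against the requested virtual host name.
 * Relevant when many "Health Domains" share one IP, as in the discussion above.
 */
public final class SniClientDemo {

    /**
     * Connects to ip:port, asks for virtualHost via SNI, and returns the leaf
     * certificate the server presented. Throws if the handshake fails or the
     * certificate does not match virtualHost (hostname verification).
     */
    public static X509Certificate connectWithSni(String ip, int port, String virtualHost)
            throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(ip, port)) {
            SSLParameters params = socket.getSSLParameters();

            // Connecting by IP literal means JSSE sends no SNI on its own, so put
            // the virtual host name into the ClientHello explicitly.
            params.setServerNames(Collections.singletonList(new SNIHostName(virtualHost)));

            // Enable HTTPS-style hostname verification during the handshake: the
            // default trust manager checks the certificate's CN/SAN against the
            // SNI name first, so a server that answers with the wrong certificate
            // fails here instead of being silently accepted.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            socket.startHandshake();
            Certificate[] chain = socket.getSession().getPeerCertificates();
            return (X509Certificate) chain[0];
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values (constructed for this example): a shared IP and one
        // of the virtual hosts served from it.
        String ip = args.length > 0 ? args[0] : "192.0.2.10";
        String host = args.length > 1 ? args[1] : "clinic.healthdomain.example";

        X509Certificate leaf = connectWithSni(ip, 443, host);
        System.out.println("Subject: " + leaf.getSubjectX500Principal());
        System.out.println("SANs:    " + leaf.getSubjectAlternativeNames());
    }
}
```

Two points worth checking when evaluating a client this way: without `setEndpointIdentificationAlgorithm("HTTPS")` JSSE only validates the chain and never compares the name, so a misrouted virtual host would go unnoticed; and if the JVM property `jsse.enableSNIExtension` is set to `false`, no server name is sent regardless of the parameters above, which is the failure mode the question is worried about on the client side.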
