SSL/TLS Support

Secure Sockets Layer/Transport Layer Security is supported. When using NIO, the JDK 5+ SSLEngine feature is used to handle handshaking after the connection is established. When not using NIO, standard SSLSocketFactory and SSLServerSocketFactory objects are used to create connections. A number of strategy interfaces are provided to allow significant customization. The default implementations of these interfaces provide for the simplest way to get started with secure communications.

Getting Started

Regardless of whether you use NIO, you need to configure the ssl-context-support attribute on the connection factory. This attribute references a <bean/> definition that describes the location and passwords for the required key stores.

SSL/TLS peers require two key stores each:

  • A keystore that contains private and public key pairs to identify the peer

  • A truststore that contains the public keys for peers that are trusted. See the documentation for the keytool utility provided with the JDK. The essential steps are:

    1. Create a new key pair and store it in a keystore.

    2. Export the public key.

    3. Import the public key into the peer’s truststore.

    4. Repeat for the other peer.

It is common in test cases to use the same key stores on both peers, but this should be avoided for production.

After establishing the key stores, the next step is to indicate their locations to the TcpSSLContextSupport bean and provide a reference to that bean to the connection factory.

The following example configures an SSL connection:

<bean id="sslContextSupport"
    class="o.sf.integration.ip.tcp.connection.support.DefaultTcpSSLContextSupport">
    <constructor-arg value="client.ks"/>            <!-- key store (classpath resource by default) -->
    <constructor-arg value="client.truststore.ks"/> <!-- trust store -->
    <constructor-arg value="secret"/>               <!-- key store password -->
    <constructor-arg value="secret"/>               <!-- trust store password -->
</bean>

<ip:tcp-connection-factory id="clientFactory"
    type="client"
    host="localhost"
    port="1234"
    ssl-context-support="sslContextSupport" />

The DefaultTcpSSLContextSupport class also has an optional protocol property, which can be SSL or TLS (the default).

The keystore file names (the first two constructor arguments) use the Spring Resource abstraction. By default, the files are located on the classpath, but you can override this by using the file: prefix (to find the files on the filesystem instead).

Starting with version 4.3.6, when you use NIO, you can specify an ssl-handshake-timeout (in seconds) on the connection factory. This timeout (the default is 30 seconds) is used during SSL handshake when waiting for data. If the timeout is exceeded, the process is stopped and the socket is closed.

Host Verification

Starting with version 5.0.8, you can configure whether to enable host verification. Starting with version 5.1, it is enabled by default; the mechanism to disable it depends on whether you are using NIO.

Host verification is used to ensure the server you are connected to matches information in the certificate, even if the certificate is trusted.

When using NIO, configure the DefaultTcpNioSSLConnectionSupport, as in the following example:

@Bean
public DefaultTcpNioSSLConnectionSupport connectionSupport() {
    // Arguments: key store, trust store, key store password, trust store password
    DefaultTcpSSLContextSupport sslContextSupport = new DefaultTcpSSLContextSupport("test.ks",
            "test.truststore.ks", "secret", "secret");
    sslContextSupport.setProtocol("SSL");
    // Second constructor argument false: host verification disabled for this example
    DefaultTcpNioSSLConnectionSupport tcpNioConnectionSupport =
            new DefaultTcpNioSSLConnectionSupport(sslContextSupport, false);
    return tcpNioConnectionSupport;
}

The second constructor argument disables host verification. The connectionSupport bean is then injected into the NIO connection factory.

When not using NIO, the configuration is in the TcpSocketSupport:

connectionFactory.setTcpSocketSupport(new DefaultTcpSocketSupport(false));

Again, the constructor argument disables host verification.
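As an added example (not taken from the Spring Integration reference itself), the following Java configuration wires both connection-factory flavours described above against one TcpSSLContextSupport, keeping host verification at its enabled default and applying the handshake timeout on the NIO path. The host, port, key store paths and passwords are placeholders, and the DefaultTcpNetSSLSocketFactorySupport class used to build the SSLSocketFactory for the non-NIO factory is a Spring Integration class that this page does not mention.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.integration.ip.tcp.connection.DefaultTcpNetSSLSocketFactorySupport;
import org.springframework.integration.ip.tcp.connection.DefaultTcpNioSSLConnectionSupport;
import org.springframework.integration.ip.tcp.connection.DefaultTcpSSLContextSupport;
import org.springframework.integration.ip.tcp.connection.DefaultTcpSocketSupport;
import org.springframework.integration.ip.tcp.connection.TcpNetClientConnectionFactory;
import org.springframework.integration.ip.tcp.connection.TcpNioClientConnectionFactory;
import org.springframework.integration.ip.tcp.connection.TcpSSLContextSupport;

@Configuration
public class TlsClientConfig {

    // Placeholder peer address; in production each peer has its own key store.
    private static final String HOST = "tls-peer.example";
    private static final int PORT = 1234;

    @Bean
    public TcpSSLContextSupport sslContextSupport() {
        // Arguments: key store, trust store, key store password, trust store password.
        // The "file:" prefix reads from the filesystem instead of the classpath.
        DefaultTcpSSLContextSupport support = new DefaultTcpSSLContextSupport(
                "file:/etc/app/client.ks", "file:/etc/app/client.truststore.ks",
                "CHANGE_ME_KS_PASSWORD", "CHANGE_ME_TS_PASSWORD");
        support.setProtocol("TLS"); // the default; "SSL" is the only other accepted value
        return support;
    }

    // NIO client: the SSLEngine drives the handshake after connect. The second
    // constructor argument (true) keeps host verification on, so a trusted
    // certificate issued for a different host is still rejected.
    @Bean
    public TcpNioClientConnectionFactory nioClientFactory(TcpSSLContextSupport ctx) {
        TcpNioClientConnectionFactory factory = new TcpNioClientConnectionFactory(HOST, PORT);
        factory.setTcpNioConnectionSupport(new DefaultTcpNioSSLConnectionSupport(ctx, true));
        factory.setSslHandshakeTimeout(10); // seconds; a stalled handshake closes the socket
        return factory;
    }

    // Non-NIO client: an SSLSocketFactory is built from the same context, and
    // host verification is controlled through TcpSocketSupport instead.
    @Bean
    public TcpNetClientConnectionFactory netClientFactory(TcpSSLContextSupport ctx) {
        TcpNetClientConnectionFactory factory = new TcpNetClientConnectionFactory(HOST, PORT);
        factory.setTcpSocketFactorySupport(new DefaultTcpNetSSLSocketFactorySupport(ctx));
        factory.setTcpSocketSupport(new DefaultTcpSocketSupport(true));
        return factory;
    }
}
```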