java - 为 Java JDK 11 中可用的 TLS 1.3 实现会话恢复
问题描述
尝试实施 TLS 1.2 与 TLS 1.3 握手测量,重点是会话恢复。
TLS 1.2 运行良好,可恢复 ID 和票证,但更改为 TLS 1.3 时却不行。
不幸的是,wireshark 数据是加密的,但 java 声明如下:
javax.net.ssl|DEBUG|17|Thread-3|2021-01-09 20:36:54.491 CET|PreSharedKeyExtension.java:634|No session to resume.
javax.net.ssl|DEBUG|17|Thread-3|2021-01-09 20:36:54.491 CET|SSLExtensions.java:260|Ignore, context unavailable extension: pre_shared_key
我们不是试图实现 0RTT 恢复,而是使用 SessionTickets。客户端不会向服务器发送 PresharedKey。
javax.net.ssl|DEBUG|16|Thread-2|2021-01-09 20:36:54.564 CET|PreSharedKeyExtension.java:807|Handling pre_shared_key absence.
代码(客户端):
public class Client implements Runnable {
private String version;
private int count;
private final int PORT = 8084;
private String[] cipher_suites;
private boolean sessionResumption;
private SSLServerSocket serverSocket;
public Client(String tlsVersion,int count, boolean resumeSession) {
this.version = tlsVersion;
this.count = count;
this.sessionResumption = resumeSession;
}
private SSLContext getContext() {
SSLContext context = null;
try {
InputStream stream = this.getClass().getResourceAsStream("/sslclienttrust");
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
char[] trustStorePassword = "]3!z2Tb?@EHu%d}Q".toCharArray();
trustStore.load(stream, trustStorePassword);
context = SSLContext.getInstance(version);
TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
factory.init(trustStore);
TrustManager[] managers = factory.getTrustManagers();
context.init(null, managers, null);
} catch (KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException | KeyManagementException e) {
e.printStackTrace();
}
return context;
}
public void startHandshake(SSLSocketFactory sf) throws IOException {
long startTime = -1;
try (SSLSocket socket = createSocket(sf)) {
//InputStream is = new BufferedInputStream(socket.getInputStream());
startTime = System.currentTimeMillis();
socket.startHandshake();
}
long endTime = System.currentTimeMillis();
long timeElapsed = endTime - startTime;
System.out.println("Time Handshake " + timeElapsed );
}
private SSLSocket createSocket(SSLSocketFactory sf) throws IOException {
SSLSocket s = (SSLSocket) sf.createSocket("localhost", PORT);
s.setEnabledProtocols(new String[]{version});
//s.setEnabledCipherSuites(new String[]{"TLS_RSA_WITH_AES_128_CBC_SHA256"});
return s;
}
@Override
public void run() {
startTime = System.currentTimeMillis();
SSLSocketFactory s = null;
if(sessionResumption){
s = getContext().getSocketFactory();
}
while(count>0){
try {
if(!sessionResumption){
s = getContext().getSocketFactory();
}
startHandshake(s);
count--;
Thread.sleep(1);
} catch (IOException | InterruptedException e) {
e.printStackTrace();
count = 0;
}
}
}
服务器 :
public class Server implements Runnable {
private String version;
private boolean keepAlive;
private final int PORT = 8084;
private String[] cipher_suites;
private SSLServerSocket serverSocket;
public Server(String tlsVersion, boolean keepAlive) {
this.version = tlsVersion;
this.keepAlive = keepAlive;
}
private SSLContext getContext() {
SSLContext context = null;
try {
InputStream stream = this.getClass().getResourceAsStream("/sslserverkeys");
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(stream, "7x*;^C(HU~5}@P?h".toCharArray());
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, "7x*;^C(HU~5}@P?h".toCharArray());
KeyManager[] km = keyManagerFactory.getKeyManagers();
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keyStore);
TrustManager[] tm = trustManagerFactory.getTrustManagers();
context = SSLContext.getInstance(version);
context.init(km, tm, null);
} catch (KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException | KeyManagementException | UnrecoverableKeyException e) {
e.printStackTrace();
}
return context;
}
public void acceptHandshake() throws IOException {
//verbindung
try (SSLSocket socket = (SSLSocket) serverSocket.accept()) {
socket.setEnabledProtocols(new String[]{version});
socket.startHandshake();
}
}
public void configure(){
SSLServerSocketFactory factory = getContext().getServerSocketFactory();
try {
serverSocket = ((SSLServerSocket) factory.createServerSocket(this.PORT));
//config
serverSocket.setEnabledProtocols(new String[]{version});
serverSocket.setEnabledCipherSuites(serverSocket.getSupportedCipherSuites());
} catch (IOException e) {
e.printStackTrace();
}
}
@Override
public void run() {
configure();
try {
while(keepAlive){
acceptHandshake();
}
} catch (IOException e) {
e.printStackTrace();
}
}
}
提前致谢 :)
解决方案
更新:这似乎尚未实施(尚未)。
“仅使用 PSK 恢复:初始实现允许通过使用 PSK 进行身份验证,然后通过 DHE 交换设置主密钥来恢复。仅 PSK 模式更有效,但它的前向和后向保密安全性较弱。”
推荐阅读
- spring-boot - 如何在单元测试中模拟 Spring Boot 应用程序上下文
- javascript - for 循环不会停止循环并导致网页崩溃
- swift - 函数创建 2 个相同的类实例而不是仅 1 个
- ruby-on-rails - 我应该如何在 Rails 中安全地保存用户访问代码?
- c# - Azure 和本地测试中的服务总线输出绑定引发错误
- mathematical-optimization - 如何通过使用具有 IFF 条件的方程作为 GAMS 中的切割来增加这个 MILP?
- c# - 十六进制范围模式匹配
- json - PowerShell 无法将 JSON 转换为 CSV
- bash - 什么时候 bash 变量被导出到子 shell 和/或被脚本访问?
- spring - SocketTimeoutException:新的 Spring Starter 项目