Tigase8 SSL安全连接配置与代码实现

SSL安全连接

tigase版本：8.1.2

默认tigase在certs目录下有tigase自签证书，参考：Server Certificates

备份tigase原certs目录（里面的域名证书，如ubuntu.pem是使用开源ca创建的，参考上面的文章），然后把我们自定义生成的服务证书（pem格式，包括证书和私钥内容）放置到certs目录，然后客户端使用服务端的crt证书（不包含私钥）即可。

不用ca签，使用自己的key来签(虚拟机：192.168.43.23)

输入密码并记住
openssl req -nodes -new -newkey rsa:2048 -keyout tigase_certs/tigase8.key -out tigase_certs/tigase8.csr

附加用途，添加 tigase_certs/ubuntu.ext文件

keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@SubjectAlternativeName

[ SubjectAlternativeName ]
IP.1=192.168.43.23
IP.2=192.168.43.24
DNS.1=ubuntu
DNS.2=ubuntu24

生成证书

openssl x509 -req -days 365 -in tigase_certs/tigase8.csr -signkey tigase_certs/tigase8.key -out tigase_certs/tigase8.crt -extfile tigase_certs/tigase8.ext

新建一个tigase8.pem文件，将上面的crt文件内容拷贝进去，再把key文件内容拷贝进去，大致内容如下：

-----BEGIN CERTIFICATE-----
MIIDhDCCAmwCCQCqYO2d0SnjmjANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMC
...
WZQERoZS5K4ZFQhHcfrBK8ypaBFgmtNCaHIkQEHO/A7Rh/zAi5ZrPOfHoVnSgCBx
CmUEQn0rvtnKtYMTYN8gXrGlQ3I0HAOFpcD/qChnJosDr0nnY/x4Ng==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCx9d5Qw8N9kJvk
...
X6M+/Y4fSD4FbnYZSLpyL4o7EkvyafoZZGbWR0ADKcwOw4lJ1sXgR4Wfz8yHe+Mj
5oUd2r6EAT0Ql/OZBiqloiRt
-----END PRIVATE KEY-----

生成客户端需要的keystore文件

密码
openssl pkcs12 -export -in tigase_certs/tigase8.crt -inkey tigase_certs/tigase8.key -out tigase_certs/tigase8.p12

（java平台支持jks）
keytool -importkeystore -v  -srckeystore tigase_certs/tigase8.p12 -srcstoretype pkcs12 -srcstorepass 你的密码 -destkeystore tigase_certs/tigase8.keystore -deststoretype jks -deststorepass 你的密码


安卓平台支持bks bcprov-ext-jdk15on-157.jar下载地址
https://mvnrepository.com/artifact/org.bouncycastle/bcprov-ext-jdk15on/1.57

密码
keytool -importkeystore -srckeystore tigase_certs/tigase8.p12 -srcstoretype pkcs12 -destkeystore tigase_certs/tigase8.bks -deststoretype bks -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath tigase_certs/bcprov-ext-jdk15on-1.57.jar

将tigase8.pem拷贝到/home/kangming/tigase-server-8.1.2-b10915/certs/目录，将ubuntu.keystore拷贝到代码工程。重启tigase(正确加载了ubuntu.pem)，然后使用客户端进行连接测试。

通过上面的操作，已经准备好了服务端所需的证书（tigase8.pem，包含自签证书和私钥）和Java端的证书，安卓端的证书。下面就可以使用证书进行安全连接了。注意服务端的证书，tigase8.pem这个名字需要根据你当前使用的domain来命名，比如说我当前当前的tigase使用的domain是ubuntu，那么需要把tigase8.pem改名为ubuntu.pem放置到tigase根目录的certs目录下。

SSL安全连接代码实现

代码如下

package com.nufront.xmpp.client.conn;import org.jivesoftware.smack.ConnectionConfiguration;
import org.jivesoftware.smack.tcp.XMPPTCPConnection;
import org.jivesoftware.smack.tcp.XMPPTCPConnectionConfiguration;import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.security.KeyStore;
import java.security.cert.X509Certificate;public class XMPPSSLTest {static {}public static void main(String[] args) {try {SSLContext ctx = SSLContext.getInstance("SSL");TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");KeyStore tks = KeyStore.getInstance("JKS");tks.load(XMPPSSLTest.class.getResourceAsStream("/tigase8.keystore"), "你的密码".toCharArray());tmf.init(tks);ctx.init(null, tmf.getTrustManagers(), null);XMPPTCPConnectionConfiguration config = XMPPTCPConnectionConfiguration.builder().setHost("ubuntu").setXmppDomain("ubuntu").setPort(5222).setSslContextFactory(() -> ctx).setSecurityMode(ConnectionConfiguration.SecurityMode.required).setResource("Smack")//信任自签证书.setCustomX509TrustManager(new X509TrustManager() {@Overridepublic java.security.cert.X509Certificate[] getAcceptedIssuers() {return new X509Certificate[0];}@Overridepublic void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {}@Overridepublic void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {}}).build();XMPPTCPConnection connection = new XMPPTCPConnection(config);connection.connect();try {connection.login("admin@192.168.31.61", "123456");System.out.println("登陆成功");} catch (Exception e) {System.out.println("登录失败");e.printStackTrace();}} catch (Exception e) {e.printStackTrace();}}
}