DotNetty TLS 开启双向认证加密传输数据
2024-05-13 22:30:58
这里写目录标题
- DotNetty TLS 开启双向认证加密传输数据
- 一、生成PFX证书
- 二、服务器端
- 2.1 引用Nuget:
- 2.2 创建处理请求类
- 2.3 注册DotNetty监听服务
- 三、客户端端
- 3.1 引用Nuget
- 3.2 响应处理
- 3.3 连接到服务端
DotNetty TLS 开启双向认证加密传输数据
DotNetty为服务间通讯,包括提供服务的服务器端和请求数据的客户端。如果需要密文传输数据则需要开启TLS,用于通讯加密。TLS涉及到的是证书,首先来看看如果生成DotNetty的TLS证书。
一、生成PFX证书
SSL/TLS证书格式(X.509)分为PEM - Privacy Enhanced Mail、DER - Distinguished Encoding Rules
- PEM
Apache和Nginx服务器偏向于使用这种编码格式,内容是BASE64编码,"-----BEGIN…"开始, "-----END…"结束; - DER
Java和Windows服务器偏向于使用这种编码格式,二进制格式,不可读(cat打开有惊喜)。window为PFX/P12(pfx/p12),包含公钥和私钥的二进制格式证书,Java为JKS(Java Key Storage)。
Netty使用的是JKS,可以由keytool将pfx证书转为jks,或者keytool生成jks证书;
DotNetty使用的是PFX,用OpenSSL生成,原理和详细说明看上篇OpenSSL 生成pfx,以下节选linux下生成pfx证书脚本:
# 生成私钥
openssl genrsa -aes256 -passout "pass:yangyiquan" -out key.pem 4096
# 生成公钥
openssl req -new -x509 -days 3650 -key key.pem -passin "pass:yangyiquan" -out cert.csr -subj "/C=CN"
# 打包为pfx
openssl pkcs12 -export -in cert.csr -inkey key.pem -out dotnett.linux.pfx## 输入三次密码:yangyiquan
注:需要将证书拷贝到工程中,服务端、客户端都要,并且在证书属性中将‘生成操作’改为‘内容’,‘复制到输出目录’改为‘如果较新则复制’
二、服务器端
2.1 引用Nuget:
- DotNetty.Codecs
- DotNetty.Handlers
- DotNetty.Transport.Libuv
- DotNetty.Handlers
- DotNetty.Transport
展示DotNetty项目的演示代码SecureChat.Server,有改动删除了一些依赖:
2.2 创建处理请求类
SecureChatServerHandler.cs
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.namespace SecureChat.Server
{using System;using System.Net;using DotNetty.Transport.Channels;using DotNetty.Transport.Channels.Groups;public class SecureChatServerHandler : SimpleChannelInboundHandler<string>{static volatile IChannelGroup group;public override void ChannelActive(IChannelHandlerContext contex){IChannelGroup g = group;//单例 保证只有一个Groupif (g == null){lock (this){if (group == null){g = group = new DefaultChannelGroup(contex.Executor);}}}contex.WriteAndFlushAsync(string.Format("Welcome to {0} secure chat server!\n", Dns.GetHostName()));g.Add(contex.Channel);}//删了业务类:EveryOneBut//这里 实际用的时候改为了 ChannelRead,读取请求信息并进行处理protected override void ChannelRead0(IChannelHandlerContext contex, string msg){//send message to all but this onestring broadcast = string.Format("[{0}] {1}\n", contex.Channel.RemoteAddress, msg);string response = string.Format("[you] {0}\n", msg);//处理业务contex.WriteAndFlushAsync(response);if (string.Equals("bye", msg, StringComparison.OrdinalIgnoreCase)){contex.CloseAsync();}}//读取请求数据完毕public override void ChannelReadComplete(IChannelHandlerContext ctx) => ctx.Flush();//当客户端断开时触发该方法,用于关闭连接public override void ExceptionCaught(IChannelHandlerContext ctx, Exception e){Console.WriteLine("{0}", e.StackTrace);ctx.CloseAsync();}public override bool IsSharable => true;}
}
2.3 注册DotNetty监听服务
Program.cs
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.namespace SecureChat.Server
{using System;using System.IO;using System.Security.Cryptography.X509Certificates;using System.Threading.Tasks;using DotNetty.Codecs;using DotNetty.Handlers.Logging;using DotNetty.Handlers.Tls;using DotNetty.Transport.Bootstrapping;using DotNetty.Transport.Channels;using DotNetty.Transport.Channels.Sockets;//using Examples.Common;class Program{static async Task RunServerAsync(){ExampleHelper.SetConsoleLogger();var bossGroup = new MultithreadEventLoopGroup(1);var workerGroup = new MultithreadEventLoopGroup();var STRING_ENCODER = new StringEncoder();var STRING_DECODER = new StringDecoder();var SERVER_HANDLER = new SecureChatServerHandler();X509Certificate2 tlsCertificate = null;//注释 示例代码的依赖//if (ServerSettings.IsSsl)//{//tlsCertificate = new X509Certificate2(Path.Combine(ExampleHelper.ProcessDirectory, "dotnetty.com.pfx"), "password");//改为 dotnetty.linux.pfx证书为第一步生成,yangyiquan证书密码tlsCertificate = new X509Certificate2(Path.Combine(AppContext.BaseDirectory, "dotnetty.linux.pfx"), "yangyiquan");//}try{var bootstrap = new ServerBootstrap();bootstrap.Group(bossGroup, workerGroup).Channel<TcpServerSocketChannel>().Option(ChannelOption.SoBacklog, 100).Handler(new LoggingHandler(LogLevel.INFO)).ChildHandler(new ActionChannelInitializer<ISocketChannel>(channel =>{IChannelPipeline pipeline = channel.Pipeline;if (tlsCertificate != null){pipeline.AddLast(TlsHandler.Server(tlsCertificate));}pipeline.AddLast(new DelimiterBasedFrameDecoder(8192, Delimiters.LineDelimiter()));pipeline.AddLast(STRING_ENCODER, STRING_DECODER, SERVER_HANDLER);}));IChannel bootstrapChannel = await bootstrap.BindAsync(ServerSettings.Port);Console.ReadLine();await bootstrapChannel.CloseAsync();}finally{Task.WaitAll(bossGroup.ShutdownGracefullyAsync(), workerGroup.ShutdownGracefullyAsync());}}static void Main() => RunServerAsync().Wait();}
}
三、客户端端
3.1 引用Nuget
3.2 响应处理
展示DotNetty项目的演示代码SecureChat.Client,有改动删除了一些依赖
客户端发起请求到服务器端,服务器端处理完毕后发送数据到客户端,客户端需要接收并处理。
SecureChatClientHandler.cs
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.namespace SecureChat.Client
{using System;using DotNetty.Transport.Channels;public class SecureChatClientHandler : SimpleChannelInboundHandler<string>{//接收到数据,并处理业务 注意改为 ChannelRead,protected override void ChannelRead0(IChannelHandlerContext contex, string msg) => Console.WriteLine(msg);//断开连接会触发该方法public override void ExceptionCaught(IChannelHandlerContext contex, Exception e){Console.WriteLine(DateTime.Now.Millisecond);Console.WriteLine(e.StackTrace);contex.CloseAsync();}}
}
3.3 连接到服务端
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.namespace SecureChat.Client
{using System;using System.IO;using System.Net;using System.Net.Security;using System.Security.Cryptography.X509Certificates;using System.Threading.Tasks;using DotNetty.Codecs;using DotNetty.Handlers.Tls;using DotNetty.Transport.Bootstrapping;using DotNetty.Transport.Channels;using DotNetty.Transport.Channels.Sockets;
// using Examples.Common;class Program{static async Task RunClientAsync(){ExampleHelper.SetConsoleLogger();var group = new MultithreadEventLoopGroup();X509Certificate2 cert = null;string targetHost = null;//注释 示例代码的依赖//if (ClientSettings.IsSsl)//{//cert = new X509Certificate2(Path.Combine(ExampleHelper.ProcessDirectory, "dotnetty.com.pfx"), "password");//改为 dotnetty.linux.pfx证书为第一步生成,yangyiquan证书密码cert = new X509Certificate2(Path.Combine(AppContext.BaseDirectory, "dotnetty.linux.pfx"), "yangyiquan");targetHost = cert.GetNameInfo(X509NameType.DnsName, false);//}try{var bootstrap = new Bootstrap();bootstrap.Group(group).Channel<TcpSocketChannel>().Option(ChannelOption.TcpNodelay, true).Handler(new ActionChannelInitializer<ISocketChannel>(channel =>{IChannelPipeline pipeline = channel.Pipeline;if (cert != null){pipeline.AddLast(new TlsHandler(stream => new SslStream(stream, true, (sender, certificate, chain, errors) => true), new ClientTlsSettings(targetHost)));}pipeline.AddLast(new DelimiterBasedFrameDecoder(8192, Delimiters.LineDelimiter()));//注册 接收服务端数据,并处理pipeline.AddLast(new StringEncoder(), new StringDecoder(), new SecureChatClientHandler());}));IChannel bootstrapChannel = await bootstrap.ConnectAsync(new IPEndPoint(ClientSettings.Host, ClientSettings.Port));//模拟发送消息到服务端for (;;){string line = Console.ReadLine();if (string.IsNullOrEmpty(line)){continue;}try{//发送数据给服务端,即发起一次RPCawait bootstrapChannel.WriteAndFlushAsync(line + "\r\n");}catch{}//断开与服务器的连接,并结束当前程序if (string.Equals(line, "bye", StringComparison.OrdinalIgnoreCase)){await bootstrapChannel.CloseAsync();break;}}await bootstrapChannel.CloseAsync();}finally{group.ShutdownGracefullyAsync().Wait(1000);}}static void Main() => RunClientAsync().Wait();}
}
以上为DotNetty使用的完整过程,如果不用TLS将相关的代码删除即可。
DotNetty项目地址:
https://github.com/Azure/DotNetty
DotNetty TLS 开启双向认证加密传输数据相关推荐
- 使用自签发CA证书为EMQX开启双向认证
文章目录 背景信息 1.CA证书信任模型 2.创建证书 2.1 Root CA 证书创建 2.2 emqx 服务端证书签发 2.3 中间CA证书签发 2.4 设备证书签发 3.配置EMQX服务端证书 ...
- TLS/SSL双向认证
相关文章: openssl genrsa 命令详解 一.PKI.CA.TLS/SSL.OpenSSL等概念及原理 CA 证书签发机构,自己持有私钥,创建根证书,并把根证书发送给操作系统厂商,内置于操作 ...
- golang加载双向认证加密的证书key文件
证书的key是可以加密保存的,我们需要进行解密加载 func MyLoadX509KeyPair(certFile, keyFile, password string) (tls.Certificat ...
- SSL双向认证加密技术图解
前言 无论是单.双向加密的方式,对文件的加密最根源都是用的"对称密钥"加密(即一个"密码") 因为"对称密钥"加密解密的速度.性能.资源损耗 ...
- HTTPS双向认证(Mutual TLS authentication)
HTTPS双向认证(Mutual TLS authentication) 双向认证,顾名思义,客户端和服务器端都需要验证对方的身份,在建立Https连接的过程中,握手的流程比单向认证多了几步.单向认证 ...
- 加密之SSL和单双向认证
文章目录 1 SSL 1.1 SSL了解 1.2 导入证书 1.3 tomcat配置SSL 1.4 具体操作 2 单向认证 2.1 第三方签名 3 双向认证 3.1 引言 3.2 使用openssl脚 ...
- GCDAsyncSOcket使用及其SSL/TLS双向认证的实现
GCDAsyncSoceket使用及其SSL/TLS的实现 关于GCDAsyncSocket:首先我们得知道GCDAsnyc是由第三方开发的一个苹果系统的socket库,功能强大,而且简单易用.当然关 ...
- 浅谈基于openssl的多级证书,Multi-level CA的签发和管理,以及双向认证
最近在研究openssl签发证书,在网上搜索关于openssl的用法.资料等等,总觉得非常分散,而且讲得比较浅,文章虽然不少,但是缺少真正能给你讲的明白得,仅停留在"能用"上,感慨 ...
- 【ssl认证、证书】SSL双向认证java实战、keytool创建证书
文章目录 概述 keytool示例 参考 相关文章: //-----------Java SSL begin---------------------- [ssl认证.证书]SSL双向认证和SSL单向 ...
最新文章
- 2018-3-10 kKNN与K-mean的区别以及各自的Python代码(别人写的好的文章)
- 斯坦福大学:极限工况下的无人驾驶路径跟踪|厚势汽车
- Linux性能分析和调整的基本原则
- python三层装饰器-python3装饰器
- CLR运行时细节 - Method Descriptor
- 12018.LTC2631电压调节芯片
- 内存和显存_小科普 |“内存”和“显存”有啥关系?
- 杨辉三角形(C语言)(使用一维数组的版本)
- 4.1 选择IDC机房 4.2 硬件服务器选型 4.3 上架服务器 4.4/4.5 装系统
- 从 C10K 到 DPDK
- 华为升级鸿蒙系统教程,华为升级鸿蒙系统方法汇总 华为手机各型号升级鸿蒙系统教程...
- Router入门0x205: react-route + redux + react 集成
- JavaScript 内存溢出,内存泄漏
- 双向长短期记忆网络(BiLSTM)详解
- ucos-III前言
- android ios 重力感应器,iOS实时获取当前的屏幕方向之重力感应
- matlab考试华师,18秋华师《Matlab基础与应用》在线作业【标准答案】
- 【OpenCV】在没有安装OpenCV的电脑运行OpenCV程序
- 3dmax 8.0 简体中文免安装版
- 使用clipboard.js实现移动端页面一键复制功能 + 弹出复制成功提示