I. Background
I took part in the Sofa-RPC open source project and claimed the TLS task. Here I record this valuable experience, and thank Brother Zhang for trusting me and helping me throughout the process.
The part I was responsible for is not difficult: mainly using the h2 protocol (HTTP/2 over TLS, the encrypted variant) to complete the RPC call from the client to the server.
II. The Process
I had had no contact with this area at all. Starting from scratch, I looked up SSL, TLS, digital certificates, the TLS handshake, and so on, and gained some understanding.
1. SSL vs TLS
Transport Layer Security (TLS) mainly provides data privacy (encryption, so the data cannot be read by others) and integrity (so it cannot be tampered with, and the peer cannot be impersonated).
Below is a list of SSL and TLS protocol versions. SSL is the predecessor of TLS; SSL itself is obsolete now, but the name has stuck, so what is called "SSL" in practice is actually TLS. (I was confused about this for a long time.)
| Protocol | Published | Status |
|---|---|---|
| SSL 1.0 | Unpublished | Unpublished |
| SSL 2.0 | 1995 | Deprecated in 2011 (RFC 6176) |
| SSL 3.0 | 1996 | Deprecated in 2015 (RFC 7568) |
| TLS 1.0 | 1999 | Deprecation planned in 2020 [11] |
| TLS 1.1 | 2006 | Deprecation planned in 2020 [11] |
| TLS 1.2 | 2008 | |
| TLS 1.3 | 2018 | |
The recommended links below are the footprints of my learning (the first three are articles by Ruan Yifeng, which are easy to understand; reading them gives a general understanding of transport security protocols):
http://www.ruanyifeng.com/blog/2014/02/ssl_tls.html
http://www.ruanyifeng.com/blog/2014/09/illustration-ssl.html
http://www.ruanyifeng.com/blog/2011/08/what_is_a_digital_signature.html
https://en.wikipedia.org/wiki/Transport_Layer_Security
2. OpenSSL vs JdkSSL
Advantages of OpenSSL:
(1) Faster encryption
(2) Broader support for encryption algorithms and cipher suites
(3) Supports ALPN (Application-Layer Protocol Negotiation) and NPN
(4) Not tied to the Java version
To use OpenSSL, I recommend the following URL, which explains third-party compiled OpenSSL binaries (OpenSSL installation packages) in great detail.
https://wiki.openssl.org/index.php/Binaries
(Because the official OpenSSL site provides only source code, you need to download and install many tools before it compiles successfully; to save unnecessary time, a third-party installer is recommended.)
Netty's own notes on the OpenSSL pitfalls you may run into:
https://netty.io/wiki/forked-tomcat-native.html
The OpenSSL setup is described in the official document above, but following the document, my various attempts were unsuccessful. Finally I raised an issue on the netty project; it turned out some netty jar packages needed upgrading, and after switching to the latest netty jars the problem was solved.
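How the OpenSSL-vs-JDK choice and ALPN for h2 fit together in Netty, as an added example that is not code from the original post or from Sofa-RPC. It assumes Netty 4.1 with a netty-tcnative jar on the classpath, a JDK whose SSLEngine supports TLS 1.3 (JDK 11+), and placeholder PEM files for the server certificate chain and key; the fallback branch prints OpenSsl.unavailabilityCause(), which is exactly the information needed when the native library fails to load because of a jar version mismatch like the one described above.

```java
// Added example (not from the original post or Sofa-RPC). Assumes Netty 4.1 + netty-tcnative
// and a JDK 11+ SSLEngine; certChain/privateKey are placeholder PEM files supplied by the caller.
import io.netty.handler.codec.http2.Http2SecurityUtil;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.ApplicationProtocolConfig.Protocol;
import io.netty.handler.ssl.ApplicationProtocolConfig.SelectedListenerFailureBehavior;
import io.netty.handler.ssl.ApplicationProtocolConfig.SelectorFailureBehavior;
import io.netty.handler.ssl.ApplicationProtocolNames;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.SupportedCipherSuiteFilter;
import java.io.File;
import javax.net.ssl.SSLException;

public final class H2SslContextFactory {

    /** Prefer OpenSSL when the native library loaded and supports ALPN; otherwise fall back to JDK. */
    static SslProvider chooseProvider() {
        if (OpenSsl.isAvailable() && OpenSsl.isAlpnSupported()) {
            return SslProvider.OPENSSL;
        }
        // The cause is usually a netty / netty-tcnative version mismatch or a missing native jar;
        // printing it avoids a silent fallback to the JDK provider that is hard to diagnose later.
        System.err.println("OpenSSL unavailable, using JDK provider: " + OpenSsl.unavailabilityCause());
        return SslProvider.JDK;
    }

    /** Server-side context that offers only TLS 1.2/1.3 and advertises h2 first via ALPN. */
    static SslContext serverContext(File certChain, File privateKey) throws SSLException {
        return SslContextBuilder.forServer(certChain, privateKey)
                .sslProvider(chooseProvider())
                .protocols("TLSv1.3", "TLSv1.2")   // SSL 2/3 and TLS 1.0/1.1 are never offered
                .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
                .applicationProtocolConfig(new ApplicationProtocolConfig(
                        Protocol.ALPN,
                        SelectorFailureBehavior.NO_ADVERTISE,   // the only selector mode the JDK provider accepts
                        SelectedListenerFailureBehavior.ACCEPT,
                        ApplicationProtocolNames.HTTP_2,
                        ApplicationProtocolNames.HTTP_1_1))
                .build();
    }
}
```

Call `serverContext(new File("server.crt"), new File("server.key"))` and pass the resulting SslContext to `newHandler(...)` on the channel pipeline; with `-Djavax.net.debug=all` set (next section) the JDK provider then logs the negotiated protocol version and cipher suite.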
3. Debugging
JVM startup parameter: -Djavax.net.debug=all
4. How to determine which SSL/TLS version is in use