CN102811225A - Method and switch for security socket layer (SSL) intermediate agent to access web resource - Google Patents

Method and switch for security socket layer (SSL) intermediate agent to access web resource

Info

Publication number
CN102811225A
CN102811225A
Authority
CN
China
Prior art keywords
ssl
switch
server
web server
client
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2012103017289A
Other languages
Chinese (zh)
Other versions
CN102811225B (en)
Inventor
张少太
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Digital China Networks Beijing Co Ltd
Original Assignee
Digital China Networks Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2012-08-22
Filing date
2012-08-22
Publication date
2012-12-05
Application filed by Digital China Networks Beijing Co Ltd
Priority to CN201210301728.9A
Publication of CN102811225A
Application granted
Publication of CN102811225B
Legal status: Active
Anticipated expiration


Abstract

The invention discloses a method and a switch by which a secure sockets layer (SSL) intermediate agent accesses a web resource. The method comprises the following steps: a web server and an SSL server are set up on the switch; an SSL connection is established directly between the client and the web server by way of an SSL intermediate agent, and data is transmitted after being encrypted, so that the security, confidentiality and reliability of the data are greatly improved. In addition, without changing the original web server, access to the web resource is supported over an SSL secure connection and over a transmission control protocol (TCP) connection at the same time, which improves the flexibility of access.

Description

Method and switch by which an SSL intermediate proxy accesses web resources
Technical field
The present invention relates to the field of computer network communication, and in particular to a method and a switch by which an SSL intermediate proxy accesses web resources.
Background art
SSL (Secure Sockets Layer) is a security protocol, built on top of the Internet, that guarantees the privacy of data transmitted over the network. It prevents communication between client and server applications from being eavesdropped by an attacker, always authenticates the server, and can optionally authenticate the true identity of the client as well.
The SSL protocol requires a reliable transport-layer protocol (for example TCP) underneath it. Its advantage is that it is independent of the application-layer protocol: higher-level application protocols (for example HTTP, FTP, TELNET) can be built transparently on top of SSL. Before application-layer communication begins, the SSL protocol has already completed negotiation of the encryption algorithm and the communication key, and server authentication; all data transmitted by the application protocol thereafter is encrypted, which guarantees the privacy of the communication.
At present, switches in a network generally support access and management through the web. When the web server function runs on a switch, the client user establishes a TCP connection to the switch over HTTP through a browser and then reads and configures the switch's data. This access mode is based on an ordinary TCP connection, and the data is transmitted in plaintext, which poses a security risk: if a malicious user steals data in transit, important data can easily be obtained and used for an attack.
The role of the SSL intermediate proxy is to provide a channel of high security strength for communication between computers. The SSL intermediate proxy is an independent piece of software; it can coexist on the same computer as the client and the server, or, if installed on its own computer, it becomes the SSL server. The SSL intermediate proxy is the agent of the web server and also the agent of the client.
The SSL intermediate proxy security mechanism requires the server and the client user to confirm their authenticity to each other during network communication. The SSL intermediate proxy verifies the other party's identity by checking its digital certificate, and the client, the SSL intermediate proxy and the server each need to apply to a certificate authority for their own digital certificate. When the certificate authority issues a digital certificate it also issues a corresponding password used to verify the digital certificate; this password is the private key corresponding to the digital certificate.
In order to improve security, a method, system and device are needed by which an SSL intermediate proxy accesses web resources through a web-accessible switch.
Summary of the invention
In order to overcome the defects and deficiencies of the prior art, the present invention proposes a method, system and device by which an SSL intermediate proxy accesses web resources: an SSL connection is established directly between the client and the switch by way of an SSL intermediate proxy, and data is transmitted after encryption, which greatly improves the security, confidentiality and reliability of the data.
The present invention discloses a method by which an SSL intermediate proxy accesses web resources, the method comprising:
S1: the switch listens for login request messages from a user client; a web server and an SSL server are set up on the switch in advance;
S2: the login request mode of the user client is judged; if it is the HTTPS secure login mode, step S3 is executed; if it is the HTTP login mode, step S4 is executed;
S3: the user client establishes an SSL connection with the preconfigured web server and carries out data transfer;
S4: the user client establishes a TCP connection with the preconfigured web server and carries out data transfer.
Correspondingly, the present invention also discloses a switch by which an SSL intermediate proxy accesses web resources. A web server and an SSL server are set up on the switch in advance, and data transfer between the user client and the web server is realized by way of an intermediate proxy. The switch comprises a message monitoring module, a login mode judging module, an SSL connection executing module and a TCP connection executing module, wherein
the message monitoring module is used to listen for login request messages from the user client;
the login mode judging module is used to judge the type of login mode of the user client: if it is the HTTPS secure login mode, data transfer is carried out through the SSL connection executing module; if it is the HTTP login mode, data transfer is carried out through the TCP connection executing module;
the SSL connection executing module is used to establish an SSL connection between the user client and the preconfigured web server and to carry out data transfer;
the TCP connection executing module is used to establish a TCP connection between the user client and the preconfigured web server and to carry out data transfer.
In the technical scheme of the present invention, a web server and an SSL server are set up on the switch in advance, an SSL connection is established directly between the client and the switch by way of an SSL intermediate proxy, and data is transmitted after encryption, which greatly improves the security, confidentiality and reliability of the data. In addition, without any change to the original web server, the technical scheme supports access to web resources over an SSL secure connection and over a TCP connection at the same time, which improves the flexibility of access.
Description of drawings
Fig. 1 is a flow chart of the method by which an SSL intermediate proxy accesses web resources according to an embodiment of the invention;
Fig. 2 is a detailed flow chart of the method by which an SSL intermediate proxy accesses web resources according to an embodiment of the invention;
Fig. 3 is a schematic diagram of the system by which an SSL intermediate proxy accesses web resources according to an embodiment of the invention;
Fig. 4 is a structural block diagram of the switch by which an SSL intermediate proxy accesses web resources according to an embodiment of the invention.
Detailed description of the embodiments
In order to describe in detail the technical content of the present invention, the purposes it achieves and its effects, a detailed description is given below in conjunction with the embodiments and the accompanying drawings.
Fig. 1 is a flow chart of the method by which an SSL intermediate proxy accesses web resources according to an embodiment of the invention. As shown in Fig. 1, the method comprises the following steps:
S1: the switch listens for login request messages from a user client; a web server and an SSL server are set up on the switch in advance;
Here the switch listens for login request messages from the user client through preconfigured ports: the web server listening port number is 80, and the SSL server listening port defaults to 443.
The SSL server listening port can also be configured manually; the range of the manually configured listening port is 1025~65535.
S2: the login request mode of the user client is judged; if it is the HTTPS secure login mode, step S3 is executed; if it is the HTTP login mode, step S4 is executed;
HTTP (Hypertext Transfer Protocol) is a communication protocol; HTTP runs over the TCP protocol of the TCP/IP protocol suite. Both the client and the server must support HTTP in order to send and receive HTML documents and interact on the World Wide Web (WWW).
HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is an HTTP channel whose goal is security (the secure version of HTTP), that is, HTTP with an SSL layer added underneath; the security foundation of HTTPS is SSL, and the encryption is performed by SSL.
S3: the user client establishes an SSL connection with the preconfigured web server and carries out data transfer;
Specifically, this step comprises: the user client uses the key and certificate obtained in advance to encrypt and sign the login request message, then establishes an SSL connection with the preconfigured SSL server; after the connection succeeds, the SSL server connects to the web server and carries out data transfer.
The SSL server connects to the web server through a switch-internal TCP connection using a fixed IP address (127.0.0.1) and a fixed port (80), and carries out data transfer.
S4: the user client establishes a TCP connection with the preconfigured web server and carries out data transfer.
The switch establishes the TCP connection with the web server through a fixed port; the port number of the web server is 80.
Fig. 2 is a detailed flow chart of the method by which an SSL intermediate proxy accesses web resources according to an embodiment of the invention. As shown in Fig. 2, the specific implementation steps are:
Step S201: an SSL server and a web server are set up on the switch, the encryption algorithm and certificate used by the SSL connection are configured, and the switch listens for login request messages from the user client;
Step S202: judge whether the login mode of the user client is the HTTPS login mode; if so, execute step S203; if not, execute step S209;
Step S203: the user client and the SSL server perform the SSL handshake and verify the key;
Step S204: judge whether the SSL secure connection succeeded; if so, execute step S205; if not, execute step S210;
Step S205: the SSL server connects to the web server;
Step S206: the web server judges whether the connection is the switch-internal SSL connection; if so, execute step S207; if not, execute step S211;
Step S207: the web server and the SSL server carry out data transmission after connecting;
Step S208: the SSL server sends the data back to the user client;
Step S209: the user client establishes a TCP connection with the preconfigured web server and carries out data transfer;
Step S210: refuse the connection;
Step S211: carry out the processing flow of an ordinary HTTP connection.
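The switch-side front end described in steps S1 to S4 and S201 to S211 above, written out as an added Python example (this is not code from the patent or from Digital China Networks Beijing Co Ltd). The port numbers 80 and 443, the manual range 1025~65535 and the fixed internal hop 127.0.0.1:80 come from the page; the function names, the certificate and key file paths and the TLS 1.2 minimum version are this example's own assumptions. The decision in S2 is made by which preconfigured port the client connected to, a failed handshake is refused as in S210, and S206 is modelled as the web server checking that the connection originates from 127.0.0.1.

```python
"""Added example: user-space model of the patent's switch-side SSL front end.
Port numbers and the 127.0.0.1:80 internal hop are from the page; names, file
paths and the TLS minimum version are assumptions of this example."""
import socket
import ssl
import threading
from typing import Optional, Tuple

WEB_SERVER_PORT = 80                                 # web server port (page)
SSL_SERVER_DEFAULT_PORT = 443                        # default SSL port (page)
MANUAL_PORT_RANGE = range(1025, 65536)               # manual range 1025~65535 (page)
INTERNAL_WEB_ADDR = ("127.0.0.1", WEB_SERVER_PORT)   # fixed internal hop (page)


def validate_ssl_listen_port(port: Optional[int]) -> int:
    """S1: the SSL server listens on 443 unless a manual port in 1025~65535 is given."""
    if port is None:
        return SSL_SERVER_DEFAULT_PORT
    if port == SSL_SERVER_DEFAULT_PORT or port in MANUAL_PORT_RANGE:
        return port
    raise ValueError(f"SSL listening port {port} is outside 1025~65535")


def judge_login_mode(local_port: int, ssl_port: int) -> str:
    """S2/S202: the login mode follows the preconfigured port the client connected to."""
    if local_port == ssl_port:
        return "HTTPS"   # continue with S3 / S203
    if local_port == WEB_SERVER_PORT:
        return "HTTP"    # continue with S4 / S209
    raise ValueError(f"no web service listens on port {local_port}")


def is_internal_ssl_connection(peer: Tuple[str, int]) -> bool:
    """S206: the web server treats a connection as the switch-internal hop from
    the SSL server only when it originates from the fixed loopback address."""
    return peer[0] == INTERNAL_WEB_ADDR[0]


def pump(src: socket.socket, dst: socket.socket) -> int:
    """Copy bytes src -> dst until src reaches EOF; returns bytes copied.
    Half-closes dst afterwards so the far side also sees EOF."""
    total = 0
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
            total += len(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass
    return total


def relay(client_side: socket.socket, web_side: socket.socket) -> Tuple[int, int]:
    """S207/S208: shuttle bytes between the TLS-terminated client socket and the
    plain TCP socket to the web server. Returns (client->web, web->client) byte counts."""
    counts = [0, 0]

    def client_to_web() -> None:
        counts[0] = pump(client_side, web_side)

    worker = threading.Thread(target=client_to_web, daemon=True)
    worker.start()
    counts[1] = pump(web_side, client_side)
    worker.join()
    return counts[0], counts[1]


def make_server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """S201: certificate and cipher policy of the SSL server (paths are assumptions)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # this example's choice
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def serve_ssl_front_end(ctx: ssl.SSLContext, ssl_port: Optional[int] = None) -> None:
    """S203-S210, one connection at a time: accept on the SSL port, run the
    handshake, refuse on failure, otherwise open the internal hop and relay."""
    port = validate_ssl_listen_port(ssl_port)
    with socket.create_server(("0.0.0.0", port)) as listener:
        while True:
            raw, _peer = listener.accept()
            try:
                tls = ctx.wrap_socket(raw, server_side=True)   # S203 handshake
            except (ssl.SSLError, OSError):
                raw.close()                                    # S210 refuse
                continue
            with tls, socket.create_connection(INTERNAL_WEB_ADDR) as web:  # S205
                relay(tls, web)                                # S207 / S208


if __name__ == "__main__":
    # Stand-alone run: assumes a PEM certificate and key at these (hypothetical) paths.
    serve_ssl_front_end(make_server_context("switch-cert.pem", "switch-key.pem"))
```

The relay is the part worth testing without a certificate: feeding it two `socketpair()` ends stands in for the TLS-terminated client socket and the internal hop, and the byte counts it returns show that what the web server receives is exactly the decrypted request and what the client gets back is exactly the response. Binding port 443 needs elevated privileges; the manual range 1025~65535 in `validate_ssl_listen_port` is what makes an unprivileged test deployment possible.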
Fig. 3 is a schematic diagram of the system by which an SSL intermediate proxy accesses web resources according to an embodiment of the invention. As shown in Fig. 3, the system comprises a user client and a switch; the user client is connected to the switch, and a web server and an SSL server are set up on the switch in advance;
the user client is used to generate login request messages;
the switch is used to listen for login request messages from the user client and to judge the login request mode of the user client from its login request message: if it is the HTTPS secure login mode, the user client establishes an SSL connection with the preconfigured web server and carries out data transfer; if it is the HTTP login mode, the user client establishes a TCP connection with the preconfigured web server and carries out data transfer.
The switch listens through preconfigured ports for the login request messages of the client and the response messages returned by the server; the web server listening port number is 80, and the SSL server listening port defaults to 443.
The SSL server listening port can also be configured manually; the range of the manually configured listening port is 1025~65535.
In this embodiment, Ethernet port 1/1 of the switch (the Ethernet access device) connects three users (user A, user B, user C), and the web server and SSL proxy server functions are started on the switch at the same time. User A accesses the switch over an SSL connection in HTTPS mode to manage the switch and access its web resources. At the same time, user B accesses the web resources of the switch over an ordinary TCP connection in HTTP mode.
User C is connected to the switch at the same time. If user C uses malware to intercept the data messages exchanged between the switch and users A and B, then, because user B uses a TCP connection in HTTP mode and all data content is transmitted in plaintext, information such as the user name and password used by user B can all be obtained by user C. Over the SSL connection in HTTPS mode used by user A, all transmitted data is encrypted; the more complex the encryption algorithm used, the harder it is to crack and the higher the security. Even if user C obtains the data messages they are difficult to crack and cannot be used for further attacks, which effectively protects the user's network security. The switch supports the SSL connection access of user A and the HTTP connection access of user B simultaneously, so the flexible web access mode gives users more choice and makes network management more convenient.
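The difference between what is visible in user A's and user B's traffic, as an added defender-side audit check (example code, not from the patent). Given the first bytes of a TCP payload going to the management interface, it reports a TLS record as opaque and a plaintext HTTP login as readable, listing the names (never the values) of the credential-bearing fields an observer on the same switch port would see. The form-login case is the page's scenario; the HTTP Basic `Authorization` header is a generalization added here. The sample payloads are constructed for this example.

```python
"""Added example: classify a management-plane payload as the user A / user B
scenario describes. Constructed sample payloads; not code from the patent."""
from typing import Dict, List
from urllib.parse import parse_qs

TLS_HANDSHAKE = 0x16
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")
CREDENTIAL_FIELDS = {"username", "user", "password", "passwd", "pwd"}


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake) and version 0x03 0x00..0x04."""
    return (len(payload) >= 3 and payload[0] == TLS_HANDSHAKE
            and payload[1] == 0x03 and payload[2] <= 0x04)


def parse_http_request(payload: bytes) -> Dict[str, object]:
    """Minimal request-line / header / body split of a plaintext HTTP request."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, _, rest = lines[0].partition(b" ")
    path = rest.split(b" ")[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"method": method.decode("latin-1"), "path": path.decode("latin-1"),
            "headers": headers, "body": body}


def exposed_credential_fields(req: Dict[str, object]) -> List[str]:
    """Names of credential-bearing fields present in the clear (values are not returned)."""
    exposed = []
    headers = req["headers"]
    if headers.get("authorization", "").lower().startswith("basic "):
        exposed.append("Authorization: Basic")
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for field in parse_qs(req["body"].decode("latin-1")):
            if field.lower() in CREDENTIAL_FIELDS:
                exposed.append(field)
    return sorted(exposed)


def classify_management_payload(payload: bytes) -> Dict[str, object]:
    """HTTPS (user A): opaque to an observer. HTTP (user B): readable, with any
    credential fields named. Anything else is reported as unknown."""
    if looks_like_tls(payload):
        return {"mode": "HTTPS", "readable": False, "exposed": []}
    if payload.startswith(HTTP_METHODS):
        return {"mode": "HTTP", "readable": True,
                "exposed": exposed_credential_fields(parse_http_request(payload))}
    return {"mode": "unknown", "readable": None, "exposed": []}


# Constructed samples: a truncated TLS handshake record (user A) and a
# plaintext form login (user B). Address 192.0.2.1 is a documentation address.
USER_A_PAYLOAD = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
USER_B_PAYLOAD = (b"POST /login.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: 30\r\n\r\n"
                  b"username=admin&password=s3cret")

if __name__ == "__main__":
    for label, sample in (("user A", USER_A_PAYLOAD), ("user B", USER_B_PAYLOAD)):
        print(label, classify_management_payload(sample))
```

Run against a packet capture from the management VLAN, the `exposed` list is the finding: any non-empty entry means the plaintext HTTP login path on port 80 is still in use and the HTTPS path the patent adds is not being enforced.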
Fig. 4 is a structural block diagram of the switch by which an SSL intermediate proxy accesses web resources according to an embodiment of the invention. As shown in Fig. 4, a web server and an SSL server are set up on the switch in advance, and data transfer between the user client and the web server is realized by way of an intermediate proxy. The switch comprises a message monitoring module, a login mode judging module, an SSL connection executing module and a TCP connection executing module, wherein
the message monitoring module is used to listen for login request messages from the user client;
the login mode judging module is used to judge the type of login mode of the user client: if it is the HTTPS secure login mode, data transfer is carried out through the SSL connection executing module; if it is the HTTP login mode, data transfer is carried out through the TCP connection executing module;
the SSL connection executing module is used to establish an SSL connection between the user client and the preconfigured web server and to carry out data transfer;
the TCP connection executing module is used to establish a TCP connection between the user client and the preconfigured web server and to carry out data transfer.
The switch listens for login request messages from the user client through preconfigured ports; the web server listening port number is 80, and the SSL server listening port defaults to 443.
The SSL server listening port can also be configured manually; the range of the manually configured listening port is 1025~65535.
In the technical scheme of the present invention, a web server and an SSL server are set up on the switch in advance, an SSL connection is established directly between the client and the server by way of an SSL intermediate proxy, and data is transmitted after encryption, which greatly improves the security, confidentiality and reliability of the data. In addition, without any change to the original web server, the technical scheme supports access to web resources over an SSL secure connection and over a TCP connection at the same time, which improves the flexibility of access.
The above is only a preferred embodiment of the present invention and the technical principles it applies. Any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention.

Claims (8)

1. A method by which an SSL intermediate proxy accesses web resources, characterized in that the method comprises:
S1: the switch listens for login request messages from a user client; a web server and an SSL server are set up on the switch in advance;
S2: the login request mode of the user client is judged; if it is the HTTPS secure login mode, step S3 is executed; if it is the HTTP login mode, step S4 is executed;
S3: the user client establishes an SSL connection with the preconfigured web server and carries out data transfer;
S4: the user client establishes a TCP connection with the preconfigured web server and carries out data transfer.
2. The method by which an SSL intermediate proxy accesses web resources according to claim 1, characterized in that step S3 further comprises: the user client uses the key and certificate obtained in advance to encrypt and sign the login request message and then establishes an SSL connection with the preconfigured SSL server; after the connection succeeds, the SSL server connects to the web server and carries out data transfer.
3. The method by which an SSL intermediate proxy accesses web resources according to claim 2, characterized in that the SSL server connects to the web server through a switch-internal TCP connection using a fixed IP address and a fixed port, and carries out data transfer.
4. The method by which an SSL intermediate proxy accesses web resources according to claim 1, characterized in that in step S1 the switch listens for login request messages from the client through preconfigured ports, wherein the web server listening port number is 80 and the SSL server listening port defaults to 443.
5. The method by which an SSL intermediate proxy accesses web resources according to claim 4, characterized in that the SSL server listening port further comprises a manually configured port, and the range of the manually configured listening port is 1025~65535.
6. A switch by which an SSL intermediate proxy accesses web resources, characterized in that a web server and an SSL server are set up on the switch in advance, data transfer between the user client and the web server is realized by way of an intermediate proxy, and the switch comprises a message monitoring module, a login mode judging module, an SSL connection executing module and a TCP connection executing module, wherein
the message monitoring module is used to listen for login request messages from the user client;
the login mode judging module is used to judge the type of login mode of the user client: if it is the HTTPS secure login mode, data transfer is carried out through the SSL connection executing module; if it is the HTTP login mode, data transfer is carried out through the TCP connection executing module;
the SSL connection executing module is used to establish an SSL connection between the user client and the preconfigured web server and to carry out data transfer;
the TCP connection executing module is used to establish a TCP connection between the user client and the preconfigured web server and to carry out data transfer.
7. The switch by which an SSL intermediate proxy accesses web resources according to claim 6, characterized in that the switch listens for login request messages from the user client through preconfigured ports, wherein the web server listening port number is 80 and the SSL server listening port defaults to 443.
8. The switch by which an SSL intermediate proxy accesses web resources according to claim 7, characterized in that the SSL server listening port further comprises a manually configured port, and the range of the manually configured listening port is 1025~65535.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210301728.9A CN102811225B (en) 2012-08-22 2012-08-22 A kind of SSL middle-agent accesses method and the switch of WEB resource

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210301728.9A CN102811225B (en) 2012-08-22 2012-08-22 A kind of SSL middle-agent accesses method and the switch of WEB resource

Publications (2)

Publication Number Publication Date
CN102811225A (en) 2012-12-05
CN102811225B (en) 2016-08-17

Family

ID=47234800

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210301728.9A Active CN102811225B (en) 2012-08-22 2012-08-22 A kind of SSL middle-agent accesses method and the switch of WEB resource

Country Status (1)

Country Link
CN (1) CN102811225B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1359074A (en) * 2001-11-29 2002-07-17 上海格尔软件股份有限公司 SSLL proxy method with MIME data type filter technology
US20040015725A1 (en) * 2000-08-07 2004-01-22 Dan Boneh Client-side inspection and processing of secure content
CN1852273A (en) * 2006-04-10 2006-10-25 杭州华为三康技术有限公司 Method and system for communication between gateway device
CN101436933A (en) * 2007-11-16 2009-05-20 华为技术有限公司 HTTPS encipher access method, system and apparatus
CN101515896A (en) * 2009-03-20 2009-08-26 成都市华为赛门铁克科技有限公司 Safe socket character layer protocol message forwarding method, device, system and exchange

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106856468A (en) * 2015-12-08 2017-06-16 中国科学院声学研究所 A kind of TSM Security Agent device for being deployed in cloud storage service end and TSM Security Agent method
CN106254355A (en) * 2016-08-10 2016-12-21 武汉信安珞珈科技有限公司 The security processing of a kind of the Internet protocol data bag and system
CN106254355B (en) * 2016-08-10 2019-04-05 武汉信安珞珈科技有限公司 A kind of security processing and system of the Internet protocol data packet
CN109510801A (en) * 2017-09-15 2019-03-22 华耀(中国)科技有限公司 Explicit positive supply and SSL listen to integrated system and its operation method
CN109510801B (en) * 2017-09-15 2021-08-31 北京华耀科技有限公司 Explicit forward proxy and SSL interception integrated system and operation method thereof
WO2019062666A1 (en) * 2017-09-29 2019-04-04 阿里巴巴集团控股有限公司 System, method, and apparatus for securely accessing internal network
CN111800402A (en) * 2020-06-28 2020-10-20 格尔软件股份有限公司 Method for realizing full link encryption proxy by using event certificate
CN111800402B (en) * 2020-06-28 2022-08-09 格尔软件股份有限公司 Method for realizing full link encryption proxy by using event certificate
CN112035851A (en) * 2020-07-22 2020-12-04 北京中安星云软件技术有限公司 MYSQL database auditing method based on SSL
CN112511530A (en) * 2020-11-26 2021-03-16 浪潮金融信息技术有限公司 Method, device and medium for butt joint SSLSocket communication
CN112511530B (en) * 2020-11-26 2023-10-31 浪潮金融信息技术有限公司 Method, device and medium for docking SSLSocket communication
CN112261068A (en) * 2020-12-22 2021-01-22 北京翼辉信息技术有限公司 Dynamic TLS authentication method, device and storage medium in local area network

Also Published As

Publication number Publication date
CN102811225B (en) 2016-08-17

Similar Documents

Publication Publication Date Title
EP3641266B1 (en) Data processing method and apparatus, terminal, and access point computer
US10326756B2 (en) Management of certificate authority (CA) certificates
Pereira et al. An authentication and access control framework for CoAP-based Internet of Things
CN102811225A (en) Method and switch for security socket layer (SSL) intermediate agent to access web resource
US8838965B2 (en) Secure remote support automation process
US20120295587A1 (en) Trusted mobile device based security
US20150082025A1 (en) Authentication and secured information exchange system, and method therefor
US20090307486A1 (en) System and method for secured network access utilizing a client .net software component
US20140359741A1 (en) Mutually Authenticated Communication
CN103391292A (en) Mobile-application-oriented safe login method, system and device
US20100031337A1 (en) Methods and systems for distributed security processing
Samociuk Secure communication between OpenFlow switches and controllers
CN105119894A (en) Communication system and communication method based on hardware safety module
CN111277607A (en) Communication tunnel module, application monitoring module and mobile terminal security access system
Ranjan et al. Security analysis of TLS authentication
CN103716280B (en) data transmission method, server and system
CN110855561A (en) Intelligent gateway of Internet of things
KR101448866B1 (en) Security apparatus for decrypting data encrypted according to the web security protocol and operating method thereof
CN113411187A (en) Identity authentication method and system, storage medium and processor
KR101572598B1 (en) Secure User Authentication Scheme against Credential Replay Attack
JP4720576B2 (en) Network security management system, encrypted communication remote monitoring method and communication terminal.
WO2008037144A1 (en) Method and system for communication of application fingerprint based on the credit verification
CN113612790B (en) Data security transmission method and device based on equipment identity pre-authentication
CN113347004A (en) Encryption method for power industry
CN113539523A (en) Internet of things equipment identity authentication method based on domestic commercial cryptographic algorithm

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant