CN114979105B - Method and device for automatically identifying national cipher and commercial cipher business through SSL load balancing equipment - Google Patents

Info

Publication number: CN114979105B (other version: CN114979105A)
Application number: CN202210609377.1A
Authority: CN (China)
Original language: Chinese (zh)
Prior art keywords: ssl, message, client, national, load balancing
Inventor: 王佳林
Original and current assignee: Hangzhou DPTech Technologies Co Ltd
Legal status: Active (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)

Classifications

    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (under H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/01 Protocols)
    • H04L47/125 Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering (under H04L47/00 Traffic control in data switching networks; H04L47/10 Flow control; Congestion control)
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload (under H04L63/00; H04L63/04)
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate (under Y02D30/00 Reducing energy consumption in communication networks)

Abstract

The present disclosure relates to a method and apparatus by which an SSL load balancing device automatically identifies national cipher and commercial cipher services. The method comprises: configuring a national cipher SSL offload policy, a commercial cipher SSL offload policy and a load balancing policy in a virtual service; receiving and parsing the SSL request message of a client; when the message is determined to be a client hello message, obtaining the SSL protocol version type of the client hello message; when the SSL protocol version type is determined to be a national cipher SSL message, automatically applying the national cipher SSL offload policy to the client's SSL request to perform SSL offload, and when it is determined to be a commercial cipher SSL message, automatically applying the commercial cipher SSL offload policy to the client's SSL request to perform SSL offload; applying the load balancing policy to the HTTP message obtained after the client's SSL request has been SSL-offloaded; and forwarding the HTTP message to the real server selected by the load balancing, so that load balancing is achieved.

Description

Method and device for automatically identifying national cipher and commercial cipher business through SSL load balancing equipment
Technical Field
The disclosure relates to the technical field of network security, and in particular to a method and a device by which SSL load balancing equipment automatically identifies national cipher and commercial cipher services.
Background
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are security protocols that provide confidentiality and data integrity for internet communications. When Netscape introduced the first version of its web browser, Netscape Navigator, in 1994, it introduced the HTTPS protocol to encrypt traffic with SSL; this is the origin of SSL.
By encrypting data in transit with SSL, internet services that handle sensitive information, such as e-commerce, bill payment, tax filing, and stock and securities trading, can be delivered safely over the internet. However, the online encryption operations of SSL inevitably consume server processing capacity: with the same hardware, processing SSL-encrypted data takes 5 times longer than processing plaintext data. Once a server enables SSL encryption, its performance drops to only 20% of the original, with the remaining 80% of its computing capacity consumed by SSL encryption operations. Growing SSL traffic therefore places a severe burden on the web server.
In this case, SSL encryption and decryption may instead be performed by the load balancing device. Specifically, SSL encryption is used for data transfer between the client and the load balancing device, while plaintext is used between the load balancing device and the backend server. The certificate-based encryption and decryption work of the server is moved to the load balancing equipment, which greatly reduces the resource consumption of the server.
When the load balancing equipment is deployed in an enterprise network and client users access server resources through it, a commercial cipher SSL offload policy must be configured for commercial cipher client users and a national cipher SSL offload policy for national cipher client users, so that both kinds of client users can access server resources normally once the load balancing equipment has completed SSL offload.
In the existing scheme, one virtual service of the load balancing device can provide either national cipher or commercial cipher SSL offload at a time, but not both. If there are both clients based on the national cipher protocol and clients based on the commercial cipher protocol, one virtual service cannot negotiate with both kinds of client at the same time, so one virtual service supporting national cipher and another supporting commercial cipher must be configured. In practice, if a user has both a national cipher browser and an ordinary browser, the two browsers must access different virtual service VIPs. What is needed in this context is a load balancing virtual service that automatically recognizes both commercial cipher and national cipher clients for SSL offload. The intuitive effect is that clients, whether national cipher or commercial cipher, can access the backend server through one virtual service VIP.
Therefore, there is a need for a method and apparatus by which SSL load balancing devices automatically identify national cipher and commercial cipher services, so that both national cipher and commercial cipher clients can reach the backend server through only one virtual service VIP.
Disclosure of Invention
In view of this, the present disclosure provides a method and apparatus by which SSL load balancing devices automatically identify national cipher and commercial cipher services. According to one aspect of the present disclosure, a method for automatically identifying national cipher and commercial cipher services by an SSL load balancing device is provided, the method comprising: configuring a national cipher SSL offload policy, a commercial cipher SSL offload policy and a load balancing policy in a virtual service; receiving and parsing the SSL request message of a client; when the message is determined to be a client hello message, obtaining the SSL protocol version type of the client hello message; when the SSL protocol version type is determined to be a national cipher SSL message, automatically applying the national cipher SSL offload policy to the client's SSL request to perform SSL offload, and when it is determined to be a commercial cipher SSL message, automatically applying the commercial cipher SSL offload policy to the client's SSL request to perform SSL offload; applying the load balancing policy to the HTTP message obtained after the client's SSL request has been SSL-offloaded; and forwarding the HTTP message to the real server selected by the load balancing, so that load balancing is achieved.
In the method according to the present disclosure, the national cipher SSL offload policy comprises, for national cipher SSL messages, national cipher negotiation, a national cipher handshake, a designated national cipher encryption suite and the national cipher certificate corresponding to that suite; the commercial cipher SSL offload policy comprises, for commercial cipher SSL messages, commercial cipher negotiation, a commercial cipher handshake, a designated commercial cipher encryption suite and the commercial cipher certificate corresponding to that suite.
In the method according to the present disclosure, when the message is determined to be a client hello message, the 5th and 6th bytes of the client hello message are obtained; when these two bytes are 0101 in hexadecimal, the SSL protocol version type of the client hello message is determined to be national cipher SSL.
In the method according to the present disclosure, when the message is determined to be a client hello message, the 5th and 6th bytes of the client hello message are obtained; when these two bytes are 0301 in hexadecimal, the SSL protocol version type of the client hello message is determined to be commercial cipher TLS1.1; when they are 0302 in hexadecimal, commercial cipher TLS1.2; and when they are 0303 in hexadecimal, commercial cipher TLS1.3.
The method according to the present disclosure further comprises: when the message is determined to be a client hello message, obtaining the 1st byte of the message, and if the 1st byte is not 01 in hexadecimal, or obtaining the 5th and 6th bytes of the client hello message, and if these bytes are not equal to 0301, 0302 or 0303 in hexadecimal, replying with an RST message to the client and closing the connection with the client.
According to another aspect of the present disclosure, an SSL load balancing apparatus for automatically identifying national cipher and commercial cipher traffic is provided, the apparatus comprising: a policy configuration component for configuring a national cipher SSL offload policy, a commercial cipher SSL offload policy and a load balancing policy in the virtual service; an SSL request message receiving and parsing component that receives and parses the SSL request message sent by the client; an SSL protocol version type obtaining component for obtaining the SSL protocol version type of the client hello message when the message is determined to be a client hello message; an SSL offload component for automatically applying the national cipher SSL offload policy to the client's SSL request to perform SSL offload when the SSL protocol version type is determined to be a national cipher SSL message, and automatically applying the commercial cipher SSL offload policy to the client's SSL request to perform SSL offload when it is determined to be a commercial cipher SSL message; a load balancing component for applying the load balancing policy to the HTTP message obtained after the client's SSL request has been SSL-offloaded; and a message forwarding component for forwarding the HTTP message to the real server selected by the load balancing, so that load balancing is achieved.
In the apparatus according to the present disclosure, the national cipher SSL offload policy comprises, for national cipher SSL messages, national cipher negotiation, a national cipher handshake, a designated national cipher encryption suite and the national cipher certificate corresponding to that suite; the commercial cipher SSL offload policy comprises, for commercial cipher SSL messages, commercial cipher negotiation, a commercial cipher handshake, a designated commercial cipher encryption suite and the commercial cipher certificate corresponding to that suite.
In the apparatus according to the present disclosure, the SSL protocol version type obtaining component is further configured to: when the message is determined to be a client hello message, obtain the 5th and 6th bytes of the client hello message; when these two bytes are 0101 in hexadecimal, determine that the SSL protocol version type of the client hello message is national cipher SSL.
In the apparatus according to the present disclosure, the SSL protocol version type obtaining component is further configured to: when the message is determined to be a client hello message, obtain the 5th and 6th bytes of the client hello message; when these two bytes are 0301 in hexadecimal, determine that the SSL protocol version type is commercial cipher TLS1.1; when they are 0302 in hexadecimal, commercial cipher TLS1.2; and when they are 0303 in hexadecimal, commercial cipher TLS1.3.
The apparatus according to the present disclosure further comprises an abort component, used to obtain the 1st byte of the message when the message is determined to be a client hello message and, if the 1st byte is not 01 in hexadecimal, or to obtain the 5th and 6th bytes of the client hello message and, if these bytes are not equal to 0301, 0302 or 0303 in hexadecimal, reply with an RST message to the client and close the connection with the client.
In summary, with the method and apparatus of the present disclosure, the load balancing equipment can automatically identify national cipher SSL and commercial cipher SSL, so that SSL offload for both can be supported simultaneously through one virtual service VIP. Specifically, after the SSL request sent by the client reaches the load balancing equipment and is matched to a virtual service, the equipment automatically identifies the request as a national cipher SSL request or a commercial cipher SSL request from the protocol field in the client request and performs the corresponding national cipher or commercial cipher SSL negotiation with the client. The client can thus access the backend server normally through one virtual service VIP after national cipher or commercial cipher SSL offload as required, avoiding the problem that national cipher clients and commercial cipher clients must access different virtual service IPs to reach server resources.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The above and other objects, features and advantages of the present application will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings. The drawings described below are only some embodiments of the present application and other drawings may be obtained from these drawings without inventive effort for a person of ordinary skill in the art.
Fig. 1 is a flow diagram illustrating a method for automatically identifying national cipher and commercial cipher traffic by an SSL load balancing device according to an embodiment of the present disclosure.
Fig. 2 is an expanded flow diagram illustrating a method for automatically identifying national cipher and commercial cipher traffic by an SSL load balancing device according to an embodiment of the present disclosure.
Fig. 3 is a schematic diagram illustrating an apparatus for automatically identifying national cipher and commercial cipher services through an SSL load balancing device according to an embodiment of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments can be embodied in many forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art. The same reference numerals in the drawings denote the same or similar parts, and thus a repetitive description thereof will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the disclosed aspects may be practiced without one or more of the specific details, or with other methods, components, devices, steps, etc. In other instances, well-known methods, systems, implementations, or operations have not been shown or described in detail to avoid obscuring aspects of the disclosure.
The block diagrams depicted in the figures are merely functional entities and do not necessarily correspond to physically separate entities. That is, the functional entities may be implemented in software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow diagrams depicted in the figures are exemplary only, and do not necessarily include all of the elements and operations/steps, nor must they be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the order of actual execution may be changed according to actual situations.
Those skilled in the art will appreciate that the drawings are schematic representations of example embodiments and that the modules or flows in the drawings are not necessarily required to practice the present disclosure, and therefore, should not be taken to limit the scope of the present disclosure.
According to the method and device of the present disclosure, after the load balancing equipment receives the SSL request sent by the client, it first determines the type of the client hello, performs SSL offload according to the national cipher or commercial cipher negotiation flow matching that type, and after SSL offload is finished distributes the data round-robin across different servers.
Fig. 1 is a flow diagram illustrating a method for automatically identifying national cipher and commercial cipher traffic by an SSL load balancing device according to an embodiment of the present disclosure.
As shown in fig. 1, in step S102, a national cipher SSL offload policy, a commercial cipher SSL offload policy, and a load balancing policy are configured in the virtual service.
In step S104, the SSL request message of the client is received and parsed.
In step S106, when the message is determined to be a client hello message, the SSL protocol version type of the client hello message is obtained.
In step S108, when the SSL protocol version type is determined to be a national cipher SSL message, the national cipher SSL offload policy is automatically applied to perform SSL offload of the client's SSL request, and when the SSL protocol version type is determined to be a commercial cipher SSL message, the commercial cipher SSL offload policy is automatically applied to perform SSL offload of the client's SSL request.
In step S110, the load balancing policy is applied to load balance the HTTP message obtained after SSL offload of the client's SSL request.
In step S112, the HTTP message is forwarded to the real server selected by the load balancing, so that load balancing is achieved.
In the method according to the embodiment, the national cipher SSL offload policy comprises, for national cipher SSL messages, national cipher negotiation, a national cipher handshake, a designated national cipher encryption suite and the national cipher certificate corresponding to that suite; the commercial cipher SSL offload policy comprises, for commercial cipher SSL messages, commercial cipher negotiation, a commercial cipher handshake, a designated commercial cipher encryption suite and the commercial cipher certificate corresponding to that suite.
In the method according to the embodiment, when the message is determined to be a client hello message, the 5th and 6th bytes of the client hello message are obtained; when these two bytes are 0101 in hexadecimal, the SSL protocol version type of the client hello message is determined to be national cipher SSL.
In the method according to the embodiment, when the message is determined to be a client hello message, the 5th and 6th bytes of the client hello message are obtained; when these two bytes are 0301 in hexadecimal, the SSL protocol version type is determined to be commercial cipher TLS1.1; when they are 0302 in hexadecimal, commercial cipher TLS1.2; and when they are 0303 in hexadecimal, commercial cipher TLS1.3.
The method according to the embodiment further comprises: when the message is determined to be a client hello message, obtaining the 1st byte of the message, and if the 1st byte is not 01 in hexadecimal, or obtaining the 5th and 6th bytes of the client hello message, and if these bytes are not equal to 0301, 0302 or 0303 in hexadecimal, replying with an RST message to the client and closing the connection with the client.
More specifically, the following configuration is first created on the load balancing device:
S1, configure real server1 and real server2, which carry different types of services;
S2, configure a real service group that references the two real servers configured in step S1, and set the load balancing scheduling algorithm to round-robin (polling) scheduling;
S3, configure the IP and port of the virtual service, with the mode set to layer 7, the protocol set to TCP, and the default real service group set to the real service group configured in step S2;
S4, configure an SSL offload policy as follows:
Name: SSL offloading policy 1
Certificate type: configure a national cryptographic certificate and an RSA certificate at the same time
Encryption suite: check ECC-SM4-SM3 and TLS_RSA_WITH_AES_256_CBC_SHA
The virtual service then references the SSL offloading policy 1 configured in step S4; enable the virtual service and click the commit button.
It should be noted that the steps above configure the SSL offload policy for national cipher SSL requests; when configuring an SSL offload policy for commercial cipher SSL requests, the encryption and decryption suite and the related certificate for commercial cipher SSL offload are configured in the same way, which is not repeated here.
After the virtual service is enabled, the load balancing device parses each request message it receives from a client. In the method of the present disclosure, the hexadecimal data of the client hello in a message sent by a national cipher client is as follows:
01 00 00 59 01 01 ......
Here the first byte 01 indicates a client hello, the following three bytes 00 00 59 give the client hello length of 89, and 01 01 indicates GM SSL (national cipher SSL). On receiving this client hello, the device parses the 5th and 6th bytes as 01 01, matches the national cipher negotiation flow, performs the national cipher handshake, and selects the national cipher suite and the corresponding national cipher certificate.
For a commercial cipher client the client hello begins as follows:
01 00 00 59 03 03 (or 03 02 or 03 01) ......
03 01, 03 02 and 03 03 represent TLS1.1, TLS1.2 and TLS1.3 respectively. On receiving this client hello, the device parses the 5th and 6th bytes as 03 03 (or 03 02 or 03 01), matches the commercial cipher negotiation flow, performs the commercial cipher handshake, and selects a commercial cipher encryption suite and the corresponding commercial cipher certificate.
If the message received by the device is not a client hello message, that is, the first byte is not 01, or a client hello is received but its 5th and 6th bytes are none of the values above, meaning the SSL protocol version is not supported, the device directly replies with an RST message to the client and closes the connection.
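The client hello classification and policy selection described above, written out as an added example (not code from the patent or from Hangzhou DPTech): it reads the 1st byte and the 5th/6th bytes of the handshake message as the text describes, returns the offload policy or an RST decision, and schedules the offloaded request round-robin across the two real servers of step S2. The Policy enum, VirtualService class, make_client_hello helper and the optional record-header stripping are my own additions; the labels TLS1.1/1.2/1.3 for 0301/0302/0303 are kept as the patent states them, although the TLS RFCs name those wire versions TLS 1.0, 1.1 and 1.2.

```python
"""Classify a client hello by its protocol-version bytes and pick the
SSL offload policy plus a round-robin real server, as the patent describes.
Added example, not code from the patent or its assignee."""
import struct
from enum import Enum
from itertools import cycle

# Handshake-level version values the patent keys on (5th and 6th bytes
# of the client hello).  0x0101 is GM SSL (national cipher).  Labels for
# 0x0301-0x0303 are kept as the patent gives them; note that the TLS
# RFCs call these wire versions TLS 1.0, 1.1 and 1.2 respectively.
GM_SSL_VERSION = 0x0101
COMMERCIAL_VERSIONS = {0x0301: "TLS1.1", 0x0302: "TLS1.2", 0x0303: "TLS1.3"}
CLIENT_HELLO = 0x01          # handshake message type byte
HANDSHAKE_RECORD = 0x16      # TLS record-layer content type for handshakes


class Policy(Enum):
    GM_OFFLOAD = "national cipher SSL offload policy"
    COMMERCIAL_OFFLOAD = "commercial cipher SSL offload policy"
    RESET = "reply RST and disconnect"


def strip_record_header(data: bytes) -> bytes:
    """If a 5-byte TLS record header precedes the handshake message,
    drop it and return the record payload; otherwise return data as-is.
    The patent's byte offsets count from the handshake message itself."""
    if len(data) >= 5 and data[0] == HANDSHAKE_RECORD:
        (length,) = struct.unpack("!H", data[3:5])
        return data[5:5 + length]
    return data


def classify_client_hello(data: bytes):
    """Return (Policy, version label).  RESET when the message is not a
    client hello (1st byte != 0x01) or the version is unsupported.
    Only bytes 1, 5 and 6 decide, exactly as the patent describes."""
    msg = strip_record_header(data)
    if len(msg) < 6 or msg[0] != CLIENT_HELLO:
        return Policy.RESET, None
    # bytes 2-4 carry the handshake length (0x000059 = 89 in the sample)
    (version,) = struct.unpack("!H", msg[4:6])       # bytes 5-6
    if version == GM_SSL_VERSION:
        return Policy.GM_OFFLOAD, "GM SSL"
    if version in COMMERCIAL_VERSIONS:
        return Policy.COMMERCIAL_OFFLOAD, COMMERCIAL_VERSIONS[version]
    return Policy.RESET, None


class VirtualService:
    """One VIP holding both offload policies and a round-robin (polling)
    real service group, so GM and commercial clients share one VIP."""

    def __init__(self, real_servers):
        self._next = cycle(real_servers)

    def handle(self, data: bytes) -> dict:
        policy, label = classify_client_hello(data)
        if policy is Policy.RESET:
            return {"policy": policy, "version": None, "server": None}
        # after offload, the plaintext HTTP is scheduled round-robin
        return {"policy": policy, "version": label,
                "server": next(self._next)}


def make_client_hello(version: int, body_len: int = 87) -> bytes:
    """Constructed sample: handshake type 0x01, 3-byte length, 2-byte
    version, then body_len filler bytes standing in for the rest.
    The default reproduces the patent's prefix 01 00 00 59 xx xx."""
    body = version.to_bytes(2, "big") + b"\x00" * body_len
    return bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    vs = VirtualService(["real server1", "real server2"])
    gm_hello = make_client_hello(GM_SSL_VERSION)
    print(gm_hello[:6].hex(" "), vs.handle(gm_hello))
    print(vs.handle(make_client_hello(0x0303)))
    print(vs.handle(make_client_hello(0x0304)))   # unsupported -> RST
```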
Fig. 2 is an expanded flow diagram illustrating a method for automatically identifying private and business traffic by an SSL load balancing device according to an embodiment of the present disclosure.
As shown in fig. 2, in step S202, a client request is received.
In step S204, it is determined whether the client request is an SSL request.
If the result of determining in step S204 whether the client request is the SSL request is yes, the flow proceeds to step S206. In step S206, it is determined whether the SSL request is a foreign SSL request.
If it is determined in step S206 whether or not the SSL request is a foreign dense SSL request, the process proceeds to step S208. In step S208, SSL offloading for the national security SSL request is performed. In step S210, the load is balanced to the application server 1. It should be noted that, it is also possible that the data obtained after offloading the national security SSL request is loaded to the application server1 based on a load balancing result specified by a load balancing policy currently configured by the load balancing device, and the data obtained after offloading the national security SSL request is loaded to the application server 2.
If it is determined in step S206 whether or not the SSL request is a foreign dense SSL request, the process proceeds to step S212. In step S212, SSL offloading for the commercial SSL request is performed. In step S214, the load is balanced to the application server 2. Similarly, it is also possible to load data obtained after offloading the commercial SSL request to the application server 1.
If the result of determining in step S204 whether the client request is the SSL request is no, the flow proceeds to step S216. In step S216, the connection with the client is disconnected.
Fig. 3 is a schematic diagram illustrating an apparatus for automatically identifying national-cipher and commercial-cipher services through an SSL load balancing device according to an embodiment of the present disclosure.
As shown in fig. 3, the apparatus includes: a policy configuration component 302 configured to configure a national-cipher SSL offload policy, a commercial-cipher SSL offload policy and a load balancing policy in the virtual service; an SSL request message receiving and parsing component 304 configured to receive and parse the SSL request message sent by the client; an SSL protocol version type obtaining component 306 configured to obtain the SSL protocol version type of a client hello message when the message is determined to be a client hello message; an SSL offload component 308 configured to automatically perform SSL offloading on the client's SSL request by applying the national-cipher SSL offload policy when the SSL protocol version type is determined to be a national-cipher SSL message, and by applying the commercial-cipher SSL offload policy when the SSL protocol version type is determined to be a commercial-cipher SSL message; a load balancing component 310 configured to apply the load balancing policy to the HTTP message obtained after SSL offloading of the client's SSL request; and a message forwarding component 312 configured to forward the HTTP message to the real server designated by load balancing for that HTTP message, so as to implement load balancing.
In the apparatus for automatically identifying national-cipher and commercial-cipher services through an SSL load balancing device according to an embodiment of the present disclosure, the national-cipher SSL offload policy comprises, for national-cipher SSL messages, national-cipher negotiation, a national-cipher handshake, a designated national-cipher cipher suite and the national-cipher certificate corresponding to that cipher suite; the commercial-cipher SSL offload policy comprises, for commercial-cipher SSL messages, commercial-cipher negotiation, a commercial-cipher handshake, a designated commercial-cipher cipher suite and the commercial-cipher certificate corresponding to that cipher suite.
In the apparatus for automatically identifying national-cipher and commercial-cipher services through an SSL load balancing device according to an embodiment of the present disclosure, the SSL protocol version type obtaining component 306 is further configured to: when the message is determined to be a client hello message, obtain the 5th and 6th bytes of the client hello message; and when the 5th and 6th bytes of the client hello message are hexadecimal 0101, determine that the SSL protocol version type of the client hello message is national-cipher SSL.
In the apparatus for automatically identifying national-cipher and commercial-cipher services through an SSL load balancing device according to an embodiment of the present disclosure, the SSL protocol version type obtaining component 306 is further configured to: when the message is determined to be a client hello message, obtain the 5th and 6th bytes of the client hello message; when the 5th and 6th bytes of the client hello message are hexadecimal 0301, determine that the SSL protocol version type of the client hello message is commercial-cipher TLS1.1; when the 5th and 6th bytes of the client hello message are hexadecimal 0302, determine that the SSL protocol version type of the client hello message is commercial-cipher TLS1.2; and when the 5th and 6th bytes of the client hello message are hexadecimal 0303, determine that the SSL protocol version type of the client hello message is commercial-cipher TLS1.3.
The apparatus for automatically identifying national-cipher and commercial-cipher services through an SSL load balancing device according to an embodiment of the present disclosure further includes an abort component 314, configured to: when the message is determined to be a client hello message, obtain the 1st byte of the client hello message and, when the 1st byte of the client hello message is not hexadecimal 01, reply with an RST message to the client and disconnect the client; or obtain the 5th and 6th bytes of the client hello message and, when the 5th and 6th bytes of the client hello message are not equal to hexadecimal 0301, 0302 or 0303, reply with an RST message to the client and disconnect the client.
In summary, by adopting the method and apparatus for automatically identifying national-cipher and commercial-cipher services through an SSL load balancing device, the load balancing device can automatically distinguish national-cipher SSL from commercial-cipher SSL, so that offloading of both national-cipher and commercial-cipher SSL can be supported simultaneously through one virtual service VIP. Specifically, after the SSL request sent by the client reaches the load balancing device and is matched to the virtual service, the device automatically identifies the request as a national-cipher SSL request or a commercial-cipher SSL request according to the protocol field in the client request, and performs the corresponding national-cipher or commercial-cipher SSL negotiation with the client, so that the client, after national-cipher or commercial-cipher SSL offloading as required, can access the back-end server normally through one virtual service VIP. This avoids the problem that national-cipher clients and commercial-cipher clients need to access different virtual service IPs to reach server resources.
In the existing scheme, one virtual service of the load balancing device can provide either national-cipher or commercial-cipher SSL offloading, but not both at the same time. If both national-cipher and commercial-cipher clients exist, one virtual service cannot negotiate with both kinds of client, so one virtual service supporting national-cipher SSL and another supporting commercial-cipher SSL must be configured. The desired effect is that any client, whether national-cipher or commercial-cipher, can access the back-end server through one virtual service VIP. The invention therefore improves existing SSL load balancing with an implementation that automatically identifies commercial-cipher and national-cipher services: commercial-cipher or national-cipher traffic is matched automatically according to the client hello field in the client's SSL request, so that one virtual service can support both commercial-cipher and national-cipher SSL offloading. In summary, the load balancing device receives the SSL request sent by the client, first determines the type of the client hello, enters the national-cipher or commercial-cipher negotiation procedure according to that type to perform SSL offloading, and after SSL offloading is complete distributes the data to the different servers in turn.
Specifically, the load balancing device is first created and configured: real server1 and real server2 are configured to carry the different types of service; a real service group is configured that references the two real servers from the first step, with polling (round-robin) selected as the scheduling algorithm; the IP and port of the virtual service are configured, with the mode set to layer 7, the protocol set to TCP, and the default real service group set to the real service group from the second step; an SSL offload policy is configured, for example with the name "SSL offload policy 1", with both a national-cipher certificate and an RSA certificate configured as its certificates, and with the cipher suites ECC-SM4-SM3 and TLS_RSA_WITH_AES_256_CBC_SHA both checked; finally, the virtual service references the configured SSL offload policy 1, the virtual service is enabled, and the submit button is clicked. The hexadecimal data of the client hello may be 01 00 00 59 01 01 ..., where the first byte 01 indicates a client hello, 00 00 59 indicates that the client hello length is 89, and 01 01 indicates GMSSL. The device receives the client hello message, parses the 5th and 6th bytes of the client hello as 01 01, and accordingly matches the national-cipher negotiation flow, performs the national-cipher handshake, and selects the national-cipher cipher suite and the corresponding national-cipher certificate. The message may instead be 01 00 00 59 03 03 (or 03 02 or 03 01) ..., where 03 01, 03 02 and 03 03 represent TLS1.1, TLS1.2 and TLS1.3 respectively. The device receives the client hello message, parses the 5th and 6th bytes of the client hello as 03 03 (or 03 02 or 03 01), matches the commercial-cipher negotiation flow, performs the commercial-cipher handshake, and selects the commercial-cipher cipher suite and the corresponding commercial-cipher certificate.
If the message received by the device is not a client hello message, that is, its first byte is not 01, or if a client hello message is received but its 5th and 6th bytes are not one of the values above, that is, the SSL protocol version is not supported, the device directly returns an RST to disconnect the connection. Thus, with the method and apparatus for automatically identifying national-cipher and commercial-cipher services through an SSL load balancing device, after the SSL request sent by the client reaches the load balancing device it is matched to the virtual service, the device automatically identifies the request as national-cipher or commercial-cipher according to the protocol field in the client request and performs national-cipher or commercial-cipher negotiation with the client, and the client can access the back-end server through one virtual service VIP after national-cipher or commercial-cipher SSL offloading as required, so that national-cipher and commercial-cipher SSL can be supported simultaneously by one virtual service VIP.
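The classification described above, as an added example that is not the patent's or DPTech's code: it applies the page's byte checks (byte 1 = 0x01, bytes 5 and 6 = client_version) to a client hello, rejects anything else with the RST action, and selects the cipher suite and certificate from the page's "SSL offload policy 1". The `classify_record` wrapper, the `OffloadDecision` dataclass and the sample messages are assumptions constructed for illustration.

```python
"""Added example (not the patent's or DPTech's code): classify a client hello
by the byte positions the page names and select the matching offload policy.
In the handshake message, byte 1 is the type (0x01 = client hello), bytes 2-4
the length and bytes 5-6 client_version; names here are constructed."""
from dataclasses import dataclass
from typing import Optional

HANDSHAKE_CLIENT_HELLO = 0x01
RECORD_TYPE_HANDSHAKE = 0x16

# client_version -> (label used on the page, policy family). Caveat: the page
# labels 0x0301/0x0302/0x0303 as TLS1.1/1.2/1.3, while RFC 2246/4346/5246
# define them as TLS 1.0/1.1/1.2 and TLS 1.3 keeps legacy_version 0x0303
# (RFC 8446); the national-vs-commercial decision is the same either way.
VERSION_TABLE = {
    0x0101: ("GMSSL", "gm"),
    0x0301: ("TLS1.1", "commercial"),
    0x0302: ("TLS1.2", "commercial"),
    0x0303: ("TLS1.3", "commercial"),
}

# "SSL offload policy 1" from the page: a national-cipher certificate plus an
# RSA certificate, and the two checked cipher suites.
POLICY = {
    "gm": ("ECC-SM4-SM3", "national cryptographic certificate"),
    "commercial": ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA certificate"),
}

@dataclass(frozen=True)
class OffloadDecision:
    action: str                  # "gm", "commercial" or "rst"
    version_label: Optional[str]
    cipher_suite: Optional[str]
    certificate: Optional[str]
    hello_length: Optional[int]  # handshake length from bytes 2-4
    reason: str

def _reject(reason: str) -> OffloadDecision:
    return OffloadDecision("rst", None, None, None, None, reason)

def classify_client_hello(msg: bytes) -> OffloadDecision:
    """Apply the page's checks to a handshake message (record header removed)."""
    # Abort component: a first byte other than 0x01 is not a client hello -> RST.
    if len(msg) < 1 or msg[0] != HANDSHAKE_CLIENT_HELLO:
        return _reject("first byte is not 0x01 (client hello)")
    if len(msg) < 6:
        return _reject("too short to carry client_version")
    hello_length = int.from_bytes(msg[1:4], "big")
    version = int.from_bytes(msg[4:6], "big")
    entry = VERSION_TABLE.get(version)
    if entry is None:
        # Neither 0x0101 nor 0x0301/0x0302/0x0303: reply RST and disconnect.
        return _reject(f"unsupported client_version 0x{version:04x}")
    label, family = entry
    suite, cert = POLICY[family]
    return OffloadDecision(family, label, suite, cert, hello_length, "ok")

def classify_record(record: bytes) -> OffloadDecision:
    """Same check starting at the 5-byte TLS record header seen on the wire."""
    if len(record) < 5 or record[0] != RECORD_TYPE_HANDSHAKE:
        return _reject("not a handshake record")
    body_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + body_len]
    if len(body) < body_len:
        return _reject("record truncated")
    return classify_client_hello(body)

# Constructed samples: the page's "01 00 00 59 01 01" prefix (89-byte GMSSL
# hello) padded to its declared length, plus TLS, wrapped and invalid variants.
SAMPLE_GM = bytes.fromhex("010000590101") + b"\x00" * 87
SAMPLE_0303 = bytes.fromhex("010000590303") + b"\x00" * 87
SAMPLE_RECORD = bytes.fromhex("160301005d") + SAMPLE_0303  # 0x5d = 93 = 4 + 89
SAMPLE_NOT_HELLO = bytes.fromhex("020000590303") + b"\x00" * 87  # server hello type
SAMPLE_BAD_VERSION = bytes.fromhex("010000590304") + b"\x00" * 87

if __name__ == "__main__":
    for sample in (SAMPLE_GM, SAMPLE_0303, SAMPLE_NOT_HELLO, SAMPLE_BAD_VERSION):
        print(classify_client_hello(sample))
    print(classify_record(SAMPLE_RECORD))
```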
The software product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable storage medium may include a data signal propagated in baseband or as part of a carrier wave, with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable storage medium may also be any readable medium that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
Those skilled in the art will appreciate that the modules may be distributed throughout several devices as described in the embodiments, and that corresponding variations may be implemented in one or more devices that are unique to the embodiments. The modules of the above embodiments may be combined into one module, or may be further split into a plurality of sub-modules.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or in combination with the necessary hardware. Thus, the technical solutions according to the embodiments of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, and include several instructions to cause a computing device (may be a personal computer, a server, a mobile terminal, or a network device, etc.) to perform the methods according to the embodiments of the present application.
Exemplary embodiments of the present application are specifically illustrated and described above. It is to be understood that this application is not limited to the details of construction, arrangement or method of implementation described herein; on the contrary, the application is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (6)

1. A method for automatically identifying national-cipher and commercial-cipher services through an SSL load balancing device, comprising:
configuring a national-cipher SSL offload policy, a commercial-cipher SSL offload policy and a load balancing policy in the virtual service;
receiving and parsing an SSL request message of a client;
when the message is determined to be a client hello message, obtaining the 5th and 6th bytes of the client hello message; determining that the SSL protocol version type of the client hello message is national-cipher SSL when the 5th and 6th bytes of the client hello message are hexadecimal 0101; determining that the SSL protocol version type of the client hello message is commercial-cipher TLS1.1 when the 5th and 6th bytes of the client hello message are hexadecimal 0301; determining that the SSL protocol version type of the client hello message is commercial-cipher TLS1.2 when the 5th and 6th bytes of the client hello message are hexadecimal 0302; and determining that the SSL protocol version type of the client hello message is commercial-cipher TLS1.3 when the 5th and 6th bytes of the client hello message are hexadecimal 0303;
when the SSL protocol version type is determined to be a national-cipher SSL message, automatically applying the national-cipher SSL offload policy to the client's SSL request to perform SSL offloading, and
when the SSL protocol version type is determined to be a commercial-cipher SSL message, automatically applying the commercial-cipher SSL offload policy to the client's SSL request to perform SSL offloading;
performing load balancing, by applying the load balancing policy, on the HTTP message obtained after SSL offloading of the client's SSL request; and
forwarding the HTTP message to the real server designated after load balancing of the HTTP message, so as to implement load balancing.
2. The method for automatically identifying national-cipher and commercial-cipher services through an SSL load balancing device according to claim 1, wherein
the national-cipher SSL offload policy comprises, for national-cipher SSL messages, national-cipher negotiation, a national-cipher handshake, a designated national-cipher cipher suite and the national-cipher certificate corresponding to that cipher suite; and
the commercial-cipher SSL offload policy comprises, for commercial-cipher SSL messages, commercial-cipher negotiation, a commercial-cipher handshake, a designated commercial-cipher cipher suite and the commercial-cipher certificate corresponding to that cipher suite.
3. The method for automatically identifying national-cipher and commercial-cipher services through an SSL load balancing device according to claim 1, further comprising: when the message is determined to be a client hello message,
obtaining the 1st byte of the client hello message and, when the 1st byte of the client hello message is not hexadecimal 01, replying with an RST message to the client and disconnecting the client; or
obtaining the 5th and 6th bytes of the client hello message and, when the 5th and 6th bytes of the client hello message are not equal to hexadecimal 0301, 0302 or 0303, replying with an RST message to the client and disconnecting the client.
4. An apparatus for automatically identifying national-cipher and commercial-cipher services through an SSL load balancing device, comprising:
a policy configuration component for configuring a national-cipher SSL offload policy, a commercial-cipher SSL offload policy and a load balancing policy in the virtual service;
an SSL request message receiving and parsing component for receiving and parsing the SSL request message sent by the client;
an SSL protocol version type obtaining component for obtaining the 5th and 6th bytes of the client hello message when the message is determined to be a client hello message; determining that the SSL protocol version type of the client hello message is national-cipher SSL when the 5th and 6th bytes of the client hello message are hexadecimal 0101; determining that the SSL protocol version type of the client hello message is commercial-cipher TLS1.1 when the 5th and 6th bytes of the client hello message are hexadecimal 0301; determining that the SSL protocol version type of the client hello message is commercial-cipher TLS1.2 when the 5th and 6th bytes of the client hello message are hexadecimal 0302; and determining that the SSL protocol version type of the client hello message is commercial-cipher TLS1.3 when the 5th and 6th bytes of the client hello message are hexadecimal 0303;
an SSL offload component for automatically applying the national-cipher SSL offload policy to the client's SSL request to perform SSL offloading when the SSL protocol version type is determined to be a national-cipher SSL message, and automatically applying the commercial-cipher SSL offload policy to the client's SSL request to perform SSL offloading when the SSL protocol version type is determined to be a commercial-cipher SSL message;
a load balancing component for applying the load balancing policy to the HTTP message obtained after SSL offloading of the client's SSL request, so as to perform load balancing; and
a message forwarding component for forwarding the HTTP message to the real server designated after load balancing of the HTTP message, so as to implement load balancing.
5. The apparatus for automatically identifying national-cipher and commercial-cipher services through an SSL load balancing device according to claim 4, wherein
the national-cipher SSL offload policy comprises, for national-cipher SSL messages, national-cipher negotiation, a national-cipher handshake, a designated national-cipher cipher suite and the national-cipher certificate corresponding to that cipher suite; and
the commercial-cipher SSL offload policy comprises, for commercial-cipher SSL messages, commercial-cipher negotiation, a commercial-cipher handshake, a designated commercial-cipher cipher suite and the commercial-cipher certificate corresponding to that cipher suite.
6. The apparatus for automatically identifying national-cipher and commercial-cipher services through an SSL load balancing device according to claim 4, further comprising an abort component configured to: when the message is determined to be a client hello message,
obtain the 1st byte of the client hello message and, when the 1st byte of the client hello message is not hexadecimal 01, reply with an RST message to the client and disconnect the client; or
obtain the 5th and 6th bytes of the client hello message and, when the 5th and 6th bytes of the client hello message are not equal to hexadecimal 0301, 0302 or 0303, reply with an RST message to the client and disconnect the client.
CN202210609377.1A 2022-05-31 2022-05-31 Method and device for automatically identifying national cipher and commercial cipher business through SSL load balancing equipment Active CN114979105B (en)

Publications (2)

Publication Number Publication Date
CN114979105A CN114979105A (en) 2022-08-30
CN114979105B true CN114979105B (en) 2023-06-27
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant