CN106656939A - State cryptography SSL protocol and standard SSL protocol forwarding system and method - Google Patents


Info

Publication number
CN106656939A
Authority
CN
China
Prior art keywords
protocol
ssl
https
ssl protocol
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201510738444.XA
Other languages
Chinese (zh)
Inventor
刘勤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ARRAY NETWORKS (BEIJING) Inc
Original Assignee
ARRAY NETWORKS (BEIJING) Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ARRAY NETWORKS (BEIJING) Inc
Priority to CN201510738444.XA
Publication of CN106656939A
Legal status: Pending (current)

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/166 Implementing security features at a particular protocol layer at the transport layer
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L 69/161 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
    • H04L 69/162 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms

Abstract

The invention provides a state cryptography SSL (Secure Sockets Layer) protocol and standard SSL protocol forwarding system and method. In the system, a protocol forwarder is connected to an https site device and also to a server supporting the standard SSL protocol and a server supporting the state cryptography SSL protocol. Only one SSL protocol forwarder is needed, and the servers supporting the standard SSL protocol and the state cryptography SSL protocol are configured in the background. In this way an https site can support the standard SSL protocol and the state cryptography SSL protocol at the same time. The SSL protocol forwarding server also has the advantages of fast processing speed and good scalability.

Description

State cryptography SSL protocol and standard SSL protocol forwarding system and method
Technical field
The present invention relates to the field of network application security, and in particular to an intelligent forwarding system for the state cryptography SSL protocol and the standard SSL protocol.
Background technology
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are security protocols that provide security and data integrity for network communication. SSL was developed by Netscape to secure data transfer on the Internet; by using data encryption it ensures that data cannot be intercepted or eavesdropped while in transit on the network. The current version is TLSv1.2. It is widely used for authentication between web browsers and servers and for encrypted data transmission, and is referred to as the standard SSL protocol in the present invention. The https protocol is a network protocol built from SSL plus HTTP; it can encrypt and authenticate, and is more secure than the HTTP protocol.
In 2014 the State Cryptography Administration promulgated the national standard GM/T 0024-2014, which defines a new SSL protocol (hereinafter the state cryptography SSL protocol). The state cryptography SSL protocol defines a new protocol version number and new cipher suites, and modifies the format of some messages of the standard SSL protocol, so that the state cryptography SSL protocol and the standard SSL protocol are incompatible.
At present many existing SSL servers support only standard SSL protocols such as SSLv3, TLSv1, TLSv1.1 and TLSv1.2, and do not support the state cryptography SSL protocol. When an https website needs to support both the state cryptography SSL protocol and the standard SSL protocol, servers that support both protocols must be purchased. Large numbers of servers that support only the standard SSL protocol would then be retired because they do not support the state cryptography SSL protocol, which greatly increases the cost of rolling out the state cryptography SSL protocol. Chinese patent application CN201410796479 discloses "A secure socket layer protocol extension method supporting the state cryptography algorithm", comprising: adding cipher suites supporting the state cryptography algorithm to the source code of the secure socket extension of the secure socket layer protocol; setting the corresponding parameters with an alias for the cipher suite; establishing an algorithm provider that implements the state cryptography algorithm; and establishing the correspondence between the alias of the cipher suite and the implementation class of the algorithm provider. That method supports only the old state cryptography SSL protocol and may not be applicable to the new one. In addition its scalability is poor: when the performance of a single device is insufficient, new equipment and a load balancing device must be purchased, and the https service must be reconfigured on the load balancing device, which is inconvenient for users.
The content of the invention
To overcome the problems in the prior art, the present invention aims to provide a state cryptography SSL protocol and standard SSL protocol intelligent forwarding system and method that is easy to use and low in cost.
To this end, a state cryptography SSL protocol and standard SSL protocol intelligent forwarding system comprises:
a protocol forwarder, for receiving all https connection information, parsing the SSL protocol identification data in all https information, and forwarding the information to the corresponding https site device according to the parsed SSL protocol identification data; it comprises an https information receiving module, an SSL protocol identification data parsing module and an https information forwarding module;
https site devices, for receiving the corresponding https information forwarded by the protocol forwarder;
a standard SSL protocol data server, for processing the standard SSL protocol https information forwarded by the https site device;
a state cryptography SSL protocol data server, for processing the state cryptography SSL protocol https information forwarded by the https site device.
Further, the https information receiving module is used to receive all https connection information;
Further, the SSL protocol identification data parsing module is used to parse the SSL protocol identification data in all https information;
Further, the https information forwarding module is used to forward the information to the corresponding SSL protocol server according to the above SSL protocol identification data.
On the basis of the existing standard SSL protocol information servers, servers supporting the state cryptography SSL protocol are added as needed; the method of the present invention is realized by the following steps:
Step 1: deploy a protocol forwarder in front of the https website;
Step 2: the protocol forwarder receives all https connection information and parses the SSL protocol identification data in the https information;
Step 3: according to the SSL protocol identification data, the protocol forwarder forwards the information to the server of the corresponding SSL protocol.
The SSL protocol identification data can be the SSL version number.
Compared with the prior art, the method of the invention has the following advantages. Only one SSL protocol forwarder needs to be deployed, with the servers supporting the standard SSL protocol and the state cryptography SSL protocol deployed separately in the background, and the https website can then support both the standard SSL protocol and the state cryptography SSL protocol at the same time. The SSL protocol forwarder does not need to process the SSL handshake messages and does not encrypt or decrypt application data; it only needs to parse the SSL protocol version number, so the processing speed of the SSL protocol distribution server can be very high. At the same time the system scales well: when the SSL performance in the background is insufficient, SSL servers simply need to be added.
Description of the drawings
Fig. 1 is the system schematic of one embodiment of the present invention;
Fig. 2 is the method flow diagram of one embodiment of the present invention;
Fig. 3 is a schematic diagram of a preferred embodiment of the invention.
Specific embodiment
In the following description, many technical details are presented so that the reader may better understand the application. However, those skilled in the art will understand that the technical solutions claimed in this application can be realized even without these technical details, and with many variations and modifications of the following embodiments.
To make the objects, technical solutions and advantages of the present invention clearer, embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
As shown in Fig. 1, a state cryptography SSL protocol and standard SSL protocol intelligent forwarding system of the invention comprises the following parts: state cryptography SSL protocol client 1 and standard SSL protocol client 2 are each connected to protocol forwarder 3, which in turn is connected to state cryptography SSL protocol server 4 and standard SSL protocol information server 5.
The protocol forwarder is used to receive all https connection information, parse the SSL protocol identification data in all https information, and forward the information to the corresponding https site device according to the parsed SSL protocol identification data; it comprises an https information receiving module, a module for parsing the SSL protocol identification data in https information, and an https information forwarding module.
The https site devices are used to receive the corresponding https information forwarded by the protocol forwarder; in this embodiment, corresponding https site devices are installed on the server supporting the state cryptography SSL protocol and on the server supporting the standard SSL protocol respectively.
The standard SSL protocol data server is used to process the standard SSL protocol https information forwarded by the https site device; the state cryptography SSL protocol data server is used to process the state cryptography SSL protocol https information forwarded by the https site device.
As shown in Fig. 2, on the basis of the existing standard SSL protocol information servers, servers supporting the state cryptography SSL protocol are added as needed; the method of the present invention is realized by the following steps:
Step 1: deploy a protocol forwarder in front of the https website;
Step 2: the protocol forwarder receives all https connection information and parses the SSL protocol identification data in the https information, which can be, for example, the SSL protocol version number or the value of the cipher suites in the ClientHello message of the SSL protocol;
Step 3: according to the SSL protocol identification data, the protocol forwarder forwards state cryptography SSL protocol information to the background server supporting the state cryptography SSL protocol, and standard SSL protocol information to the background server supporting the standard SSL protocol.
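As an added illustration of steps 2 and 3 (this is not code from the patent or from ARRAY NETWORKS), the Python sketch below does what the forwarder's parsing module is described as doing: it reads only the first handshake record of a connection, pulls the version number and the offered cipher suites out of the ClientHello, and picks a back end without completing the handshake or touching application data. The version number 1.1 and the 0xE0xx cipher-suite values are taken from GM/T 0024-2014 itself, not from this page; the back-end addresses rs1 and rs2 are the ones in the deployment example; build_client_hello constructs test messages. Anything that is not a complete ClientHello record is rejected rather than forwarded, a case the patent text does not address.

```python
"""Added example (not code from the patent or from ARRAY NETWORKS): peek at the
first TLS record of an https connection, read the SSL protocol identification
data (version number and cipher suites) from the ClientHello, and choose the
back-end server. Nothing here completes a handshake or decrypts anything."""
import struct

# Values from GM/T 0024-2014 (assumed from the standard, not stated on this page):
# the state cryptography SSL protocol uses version number 1.1 and cipher suites
# in the 0xE0xx range (e.g. ECC_SM4_SM3 = 0xE013, ECDHE_SM4_SM3 = 0xE011).
GM_VERSION = (1, 1)
GM_CIPHER_SUITES = {0xE001, 0xE003, 0xE005, 0xE007, 0xE009, 0xE00A,
                    0xE011, 0xE013, 0xE015, 0xE017, 0xE019, 0xE01A}

# Back ends as configured in the deployment example (rs1 = standard SSL, rs2 = GM SSL).
STANDARD_BACKEND = ("192.168.1.10", 443)
GM_BACKEND = ("192.168.1.20", 443)

HANDSHAKE = 22      # TLS record content type
CLIENT_HELLO = 1    # handshake message type


class ParseError(ValueError):
    """Raised for anything that is not a complete handshake record carrying a ClientHello."""


def parse_client_hello(data: bytes) -> dict:
    """Extract record version, client version and offered cipher suites."""
    if len(data) < 5:
        raise ParseError("record header truncated")
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != HANDSHAKE:
        raise ParseError("first record is not a handshake record")
    if len(data) < 5 + rec_len:
        raise ParseError("record body truncated")
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        raise ParseError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # client_version(2) + random(32) + session_id length(1) must all be present
    if len(hello) < hs_len or len(hello) < 35:
        raise ParseError("ClientHello truncated")
    client_version = (hello[0], hello[1])
    pos = 35 + hello[34]                       # skip the session_id
    if pos + 2 > len(hello):
        raise ParseError("cipher_suites length missing")
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ParseError("cipher_suites list malformed")
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"record_version": (rec_major, rec_minor),
            "client_version": client_version,
            "cipher_suites": suites}


def classify(info: dict) -> str:
    """'gm' or 'standard': version number first (claim 4), cipher suites second (claim 5)."""
    if info["client_version"] == GM_VERSION:
        return "gm"
    if any(s in GM_CIPHER_SUITES for s in info["cipher_suites"]):
        return "gm"
    return "standard"


def choose_backend(first_record: bytes) -> tuple:
    """Return the (host, port) the forwarder hands this connection to."""
    return GM_BACKEND if classify(parse_client_hello(first_record)) == "gm" else STANDARD_BACKEND


def build_client_hello(record_version, client_version, suites) -> bytes:
    """Constructed minimal ClientHello (no extensions) for exercising the parser."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (bytes(client_version) + b"\x00" * 32 + b"\x00"   # version, random, empty session_id
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00")                                    # one compression method: null
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(record_version) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for name, rec in [("gm", build_client_hello((1, 1), (1, 1), [0xE013, 0xE011])),
                      ("tls1.2", build_client_hello((3, 1), (3, 3), [0xC02F, 0x009C]))]:
        print(name, parse_client_hello(rec), "->", choose_backend(rec))
```

The order of checks in classify is a policy choice: a ClientHello carrying version 3.3 but offering a GM suite is still sent to the GM server here, because claim 5 allows the cipher-suite value alone to be the identification data. A real forwarder must also buffer until the whole first record has arrived before parsing, since a slow client may deliver the ClientHello in several TCP segments.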
As shown in Fig. 3, a preferred embodiment of deploying the protocol forwarder of the invention is given. In this example the traffic management apparatus is a 30 Gbps traffic management apparatus, which integrates TCP connection multiplexing, high-speed HTTP processing, SSL acceleration, dynamic caching, adaptive compression and other application and data center acceleration functions; it is now used to deploy the protocol forwarder of this embodiment. The protocol forwarder provides an https service with the domain name https://www.test.com, and the https service in this embodiment supports both the standard SSL protocol and the SSL protocol defined by the state cryptography standard. The intranet behind the traffic management apparatus has two SSL servers: one supports only the standard SSL protocol, the other supports only the state cryptography SSL protocol. The https site devices are built on the server supporting only the standard SSL protocol and on the server supporting only the state cryptography SSL protocol respectively.
The concrete steps for deploying the protocol forwarder are as follows:
1. Configure a virtual server on the traffic management apparatus:
    slb virtual tcp "vs" 30.1.1.30 443
2. Configure a group and two SSL servers on the traffic management apparatus, and add the SSL servers to the group:
    slb group method ssl_group ssl_protocol
    slb real tcp "rs1" 192.168.1.10 443
    slb real tcp "rs2" 192.168.1.20 443
    slb group member ssl_group rs1
    slb group member ssl_group rs2
3. Bind the virtual server to the group:
    slb policy default "vs" "ssl_group"
It should be noted that each unit mentioned in the device embodiments of the invention is a logical unit. Physically, a logical unit may be one physical unit, part of one physical unit, or a combination of several physical units; the physical implementation of these logical units is not essential, and it is the combination of the functions they realize that is key to solving the technical problem raised by the invention. In addition, in order to highlight the innovative part of the invention, the device embodiments above do not introduce units that are less closely related to solving that technical problem, but this does not mean that no other units exist in those embodiments.
Although the present invention has been shown and described with reference to some of its preferred embodiments, those skilled in the art will understand that various changes in form and detail can be made without departing from the spirit and scope of the invention.

Claims (5)

1. A state cryptography SSL protocol and standard SSL protocol intelligent forwarding system, characterized in that it comprises:
a protocol forwarder, for receiving all https connection information, parsing the SSL protocol identification data in all https information, and forwarding the information to the corresponding https site device according to the parsed SSL protocol identification data;
https site devices, for receiving the corresponding https information forwarded by the protocol forwarder;
a standard SSL protocol data server, for processing the standard SSL protocol https information forwarded by the https site device;
a state cryptography SSL protocol data server, for processing the state cryptography SSL protocol https information forwarded by the https site device.
2. The state cryptography SSL protocol and standard SSL protocol intelligent forwarding system according to claim 1, characterized in that the protocol forwarder comprises an https information receiving module, an SSL protocol identification data parsing module and an https information forwarding module;
the https information receiving module is used to receive all https connection information;
the SSL protocol identification data parsing module is used to parse the SSL protocol identification data in all https information;
the https information forwarding module is used to forward the information to the corresponding SSL protocol server according to the above SSL protocol identification data.
3. A state cryptography SSL protocol and standard SSL protocol intelligent forwarding method, characterized in that it comprises the following steps:
deploying a protocol forwarder in front of the https website;
the protocol forwarder receiving all https connection information and parsing the SSL protocol identification data in the https information;
the protocol forwarder forwarding the information to the server of the corresponding SSL protocol according to the SSL protocol identification data.
4. The state cryptography SSL protocol and standard SSL protocol intelligent forwarding method according to claim 3, characterized in that the SSL protocol identification data is the SSL version number.
5. The state cryptography SSL protocol and standard SSL protocol intelligent forwarding method according to claim 3, characterized in that the SSL protocol identification data is the value of the cipher suites in the ClientHello message of the SSL protocol.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510738444.XA CN106656939A (en) 2015-11-03 2015-11-03 State cryptography SSL protocol and standard SSL protocol forwarding system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510738444.XA CN106656939A (en) 2015-11-03 2015-11-03 State cryptography SSL protocol and standard SSL protocol forwarding system and method

Publications (1)

Publication Number Publication Date
CN106656939A true CN106656939A (en) 2017-05-10

Family

ID=58810295

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510738444.XA Pending CN106656939A (en) 2015-11-03 2015-11-03 State cryptography SSL protocol and standard SSL protocol forwarding system and method

Country Status (1)

Country Link
CN (1) CN106656939A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101656736A (en) * 2009-08-28 2010-02-24 深圳市茁壮网络股份有限公司 Device and method for processing service data, and service processing system
CN103150514A (en) * 2013-03-07 2013-06-12 中国科学院软件研究所 Mobile equipment-based credible module and credible service method thereof
CN103685187A (en) * 2012-09-14 2014-03-26 华耀(中国)科技有限公司 Method for switching SSL (Secure Sockets Layer) authentication mode on demands to achieve resource access control
CN104394179A (en) * 2014-12-18 2015-03-04 山东中创软件工程股份有限公司 Secure socket layer protocol extension method supporting domestic cipher algorithm

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106572109A (en) * 2016-11-08 2017-04-19 广东信鉴信息科技有限公司 Method for realizing encrypted communication based on TLS protocol and device
CN106572109B (en) * 2016-11-08 2019-11-08 广东信鉴信息科技有限公司 The method and device of coded communication is realized based on tls protocol
CN109040318A (en) * 2018-09-25 2018-12-18 网宿科技股份有限公司 The HTTPS connection method of CDN network and CDN node server
CN109040318B (en) * 2018-09-25 2021-05-04 网宿科技股份有限公司 HTTPS connection method of CDN (content delivery network) and CDN node server
CN112202739A (en) * 2020-09-17 2021-01-08 腾讯科技(深圳)有限公司 Flow monitoring method and device
CN112202739B (en) * 2020-09-17 2021-12-14 腾讯科技(深圳)有限公司 Flow monitoring method and device
CN114338844A (en) * 2021-12-31 2022-04-12 北京升明科技有限公司 Cross-protocol communication method and device between client servers
CN114338844B (en) * 2021-12-31 2024-04-05 北京升明科技有限公司 Cross-protocol communication method and device between client servers
CN115208635A (en) * 2022-06-17 2022-10-18 北京启明星辰信息安全技术有限公司 State secret SSL communication agent module and non-invasive system reconstruction method thereof
CN115208635B (en) * 2022-06-17 2023-05-16 北京启明星辰信息安全技术有限公司 National security SSL communication proxy module and method for non-invasively modifying system thereof

Similar Documents

Publication Publication Date Title
CA2912608C (en) Selectively performing man in the middle decryption
CN109067803A (en) A kind of SSL/TLS encryption and decryption communication means, device and equipment
US8179818B2 (en) Proxy terminal, server apparatus, proxy terminal communication path setting method, and server apparatus communication path setting method
CN106656939A (en) State cryptography SSL protocol and standard SSL protocol forwarding system and method
CN104217173B (en) A kind of data and file encrypting method for browser
KR101275708B1 (en) Network-based data loss prevention system using information of ssl/tls handshaking packet and https access selection block method thereof
CN107666383A (en) Message processing method and device based on HTTPS agreements
CN104322001A (en) Transport layer security traffic control using service name identification
RU2422893C2 (en) Method, system and device for encrypted https access
CN110020955B (en) Online medical insurance information processing method and device, server and user terminal
CN103763308A (en) Method and device for having access to webpage safely and downloading data through intelligent terminal
CN104767742A (en) Safe communication method, gateway, network side server and system
CN107172001B (en) Control method and device of website proxy server and key proxy server
CN113141365B (en) Distributed micro-service data transmission method, device, system and electronic equipment
CN102916948A (en) Data safety processing method and device, and terminal
CN103166996A (en) Self-adaptation method, device and system of hyper text transport protocol (HTTP) connection and hypertext transfer protocol secure (HTTPS) connection
US11240202B2 (en) Message processing method, electronic device, and readable storage medium
EP3242444A1 (en) Service processing method and device
KR101448866B1 (en) Security apparatus for decrypting data encrypted according to the web security protocol and operating method thereof
CN105049448A (en) Single sign-on device and method
CN110858834A (en) User information transmission method, device, system and computer readable storage medium
CN110213346B (en) Encrypted information transmission method and device
CN108306970A (en) A kind of download of firmware safety and calibration equipment and method based on safety chip
Hallgren et al. Glasstube: A lightweight approach to web application integrity
CN113645193B (en) Network security protection method, service management system and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100125 Beijing city Chaoyang District Liangmaqiao Road No. 40 building 10 room 1001, twenty-first Century

Applicant after: Beijing Huayao Technology Co., Ltd

Address before: 100125 Beijing city Chaoyang District Liangmaqiao Road No. 40 building 10 room 1001, twenty-first Century

Applicant before: Huayao (China) Technology Co., Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20170510