CN109413201A - SSL traffic method, apparatus and storage medium - Google Patents

SSL communication method, apparatus and storage medium

Info

Publication number: CN109413201A
Authority: CN (China)
Prior art keywords: ssl, server, traffic data, client, ssl traffic
Legal status: Granted
Application number: CN201811423764.6A
Other languages: Chinese (zh)
Other versions: CN109413201B (en)
Inventor: 金健
Current Assignee: Neusoft Corp
Original Assignee: Neusoft Corp

Events:
    • Application filed by Neusoft Corp
    • Priority to CN201811423764.6A
    • Publication of CN109413201A
    • Application granted
    • Publication of CN109413201B
    • Legal status: Active (current)
    • Anticipated expiration

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L67/01 Protocols
                    • H04L67/14 Session management
                        • H04L67/141 Setup of application sessions
                    • H04L67/50 Network services
                        • H04L67/56 Provisioning of proxy services

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention provides an SSL communication method, apparatus and storage medium. The method includes: obtaining target SSL communication data between a client and a server; judging whether the target SSL communication data meet a preset condition; and, if the target SSL communication data meet the preset condition, forwarding the SSL communication data between the client and the server. With the SSL communication method, apparatus and storage medium provided by the invention, when the target SSL communication data obtained by an SSL intermediate proxy server between the client and the server meet the preset condition, the SSL communication data between the client and the server are forwarded directly without security detection; only when the target SSL communication data do not meet the preset condition is security detection performed on the SSL communication data between the client and the server. This improves the efficiency with which the SSL intermediate proxy server processes SSL communication data.

Description

SSL communication method, apparatus and storage medium
Technical field
The present invention relates to communication technology, and in particular to a Secure Sockets Layer (SSL) communication method, apparatus and storage medium.
Background art
At present, in order to protect the security of sensitive data in transit, more and more enterprises, governments and banks are deploying Secure Sockets Layer (SSL) communication. SSL communication is a security protocol that provides, on top of ordinary data transmission, a guarantee of the privacy of data transferred over the network. SSL communication ensures that communication data exchanged between a client and a server through SSL cannot be eavesdropped on by an attacker.
In the prior art, to further ensure the security of SSL communication, in some scenarios an SSL intermediate proxy server is placed between the client and the server, and the protection of the data exchanged between the client and the server is carried out by the SSL intermediate proxy server. The communication between the client and the server is then actually two SSL connections chained together: the client and the server each establish an SSL connection with the SSL intermediate proxy server, and all messages sent and received pass through the SSL intermediate proxy server. Therefore all communication data, whether sent by the client or sent by the server to the client, undergo security detection at the SSL intermediate proxy server. Only when the SSL intermediate proxy server, after performing security detection, considers the content transferred between the client and the server to be safe does it allow the client and the server to transmit data.
With the prior art, the SSL intermediate proxy server performs security detection on every connection request issued by the client, and decrypts and maintains the subsequent data transmission of the connection established from that request. However, when the SSL communication data used between the client and the server are processed with an encryption mode such as two-way authentication, third parties including the SSL intermediate proxy server cannot decrypt the SSL communication data; the SSL intermediate proxy server, being unable to decrypt the SSL communication data, then prevents the client and the server from realising SSL communication through the half-connections. Alternatively, when the SSL communication mode used between the client and the server already has a high security level and can itself guarantee the security of the SSL communication, performing security detection on the SSL communication data between such clients and servers is meaningless, and a large number of such useless security detections greatly reduces the efficiency of the SSL intermediate proxy server in processing SSL communication data.
Summary of the invention
The present invention provides an SSL communication method, apparatus and storage medium, in which, when the target SSL communication data between the client and the server obtained by the SSL intermediate proxy server meet a preset condition, the SSL communication data between the client and the server are forwarded directly without security detection, and security detection is performed on the SSL communication data only when the target SSL communication data do not meet the preset condition, thereby improving the efficiency of the SSL intermediate proxy server in processing SSL communication data.
A first aspect of the present invention provides an SSL communication method, comprising:
obtaining target SSL communication data between a client and a server;
judging whether the target SSL communication data meet a preset condition; and
if the target SSL communication data meet the preset condition, forwarding the SSL communication data between the client and the server.
In one embodiment of the first aspect of the present invention, the target SSL communication data are an SSL connection request;
and judging whether the target SSL communication data meet the preset condition comprises:
determining whether the SSL connection request meets the preset condition by judging whether the address of the server corresponding to the SSL connection request is in a list.
In one embodiment of the first aspect of the present invention, determining whether the SSL connection request meets the preset condition by judging whether the address of the server corresponding to the SSL connection request is in a list comprises:
determining that the SSL connection request meets the preset condition when the address of the server corresponding to the SSL connection request is in a detection list; wherein the detection list includes the address of at least one server that processes SSL communication data with the client using a target processing mode.
In one embodiment of the first aspect of the present invention, determining whether the SSL connection request meets the preset condition by judging whether the address of the server corresponding to the SSL connection request is in a list comprises:
determining that the SSL connection request meets the preset condition when the address of the server corresponding to the SSL connection request is in a reputation list; wherein the reputation list includes the address of at least one server whose specified security level is greater than a predetermined level.
In one embodiment of the first aspect of the present invention, the method further comprises:
if the target SSL communication data do not meet the preset condition, judging whether a predefined certificate list contains the predefined certificate of the server corresponding to the target SSL communication data; wherein the predefined certificate list includes the predefined certificate corresponding to at least one server;
if the predefined certificate list contains the predefined certificate of the server corresponding to the target SSL communication data, establishing a first half-connection with the client using the predefined certificate, and initiating a half-connection establishment request to the server so as to establish a second half-connection with the server;
obtaining, through the first half-connection, first SSL communication data sent by the client, decrypting the first SSL communication data, performing security processing and encryption on them, and sending them to the server through the second half-connection; and obtaining, through the second half-connection, second SSL communication data sent by the server, decrypting the second SSL communication data, performing security processing and encryption on them, and sending them to the client through the first half-connection.
In one embodiment of the first aspect of the present invention, after obtaining the target SSL communication data between the client and the server, the method further comprises:
if the occupancy ratio of the resources used to process the target SSL communication data is greater than a preset threshold, forwarding the SSL communication data between the client and the server.
A second aspect of the present invention provides a Secure Sockets Layer (SSL) communication device, comprising:
a transceiver module for obtaining target SSL communication data between a client and a server;
a processing module for judging whether the target SSL communication data meet a preset condition;
the transceiver module being further configured to forward the SSL communication data between the client and the server if the target SSL communication data meet the preset condition.
In one embodiment of the second aspect of the present invention, the target SSL communication data are an SSL connection request;
and the processing module is specifically configured to determine whether the SSL connection request meets the preset condition by judging whether the address of the server corresponding to the SSL connection request is in a list.
In one embodiment of the second aspect of the present invention, the processing module is specifically configured to determine that the SSL connection request meets the preset condition when the address of the server corresponding to the SSL connection request is in a detection list; wherein the detection list includes the address of at least one server that processes SSL communication data with the client using a target processing mode.
In one embodiment of the second aspect of the present invention, the processing module is specifically configured to determine that the SSL connection request meets the preset condition when the address of the server corresponding to the SSL connection request is in a reputation list; wherein the reputation list includes the address of at least one server whose specified security level is greater than a predetermined level.
In one embodiment of the second aspect of the present invention, the processing module is specifically configured to judge, if the target SSL communication data do not meet the preset condition, whether a predefined certificate list contains the predefined certificate of the server corresponding to the target SSL communication data; wherein the predefined certificate list includes the predefined certificate corresponding to at least one server;
and, if the predefined certificate list contains the predefined certificate of the server corresponding to the target SSL communication data, to establish a first half-connection with the client using the predefined certificate, and to initiate a half-connection establishment request to the server so as to establish a second half-connection with the server;
the transceiver module being further configured to obtain, through the first half-connection, first SSL communication data sent by the client, decrypt the first SSL communication data, perform security processing and encryption on them, and send them to the server through the second half-connection; and to obtain, through the second half-connection, second SSL communication data sent by the server, decrypt the second SSL communication data, perform security processing and encryption on them, and send them to the client through the first half-connection.
In one embodiment of the second aspect of the present invention, the transceiver module is further configured to forward the SSL communication data between the client and the server if the occupancy ratio of the resources used to process the target SSL communication data is greater than a preset threshold.
A third aspect of the present invention provides an SSL communication device, comprising a processor, a memory and a computer program; wherein the computer program is stored in the memory and configured to be executed by the processor, and the computer program includes instructions for executing the SSL communication method of any embodiment of the first aspect.
A fourth aspect of the present invention provides a computer-readable storage medium storing a computer program, the computer program causing a server to execute the SSL communication method of any embodiment of the first aspect.
In summary, the present invention provides an SSL communication method, apparatus and storage medium. The method includes: obtaining target SSL communication data between a client and a server; judging whether the target SSL communication data meet a preset condition; and, if the target SSL communication data meet the preset condition, forwarding the SSL communication data between the client and the server. With the SSL communication method, apparatus and storage medium provided by the invention, when the target SSL communication data obtained by the SSL intermediate proxy server between the client and the server meet the preset condition, the SSL communication data between the client and the server are forwarded directly without security detection, and security detection is performed on the SSL communication data between the client and the server only when the target SSL communication data do not meet the preset condition, thereby improving the efficiency of the SSL intermediate proxy server in processing SSL communication data.
Description of the drawings
In order to explain the embodiments of the invention or the technical solutions in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic diagram of an application scenario of the SSL communication method of the present invention;
Fig. 2 is a flow diagram of one embodiment of the SSL communication method of the present invention;
Fig. 3 is a flow diagram of one embodiment of the SSL communication method of the present invention;
Fig. 4 is a flow diagram of one embodiment of the SSL communication method of the present invention;
Fig. 5 is a structural schematic diagram of one embodiment of the SSL communication device of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the protection scope of the invention.
The terms "first", "second", "third", "fourth" and so on (if present) in the description, the claims and the above drawings are used to distinguish similar objects and not to describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments of the invention described herein can, for example, be implemented in orders other than those illustrated or described here. In addition, the terms "comprise" and "have" and any variants of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device comprising a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to that process, method, product or device.
Before the technical solution of the invention is explained, the scenario in which the SSL communication method, apparatus and storage medium provided by the invention are applied is first described with reference to Fig. 1.
Fig. 1 is a schematic diagram of an application scenario of the SSL communication method of the present invention. As shown in Fig. 1, the invention applies to a scenario in which a client 1 and a server 3 carry out SSL communication through an SSL intermediate proxy 2.
Specifically, the client 1 may be any electronic device with the relevant communication function that can carry out SSL communication with the server 3 over the Internet, such as a mobile phone, a tablet computer or a desktop computer. The server 3 may be a server that provides content on the network, such as a Web server.
When the client 1 and the server 3 carry out SSL communication without the intermediate proxy 2, in order to guarantee data security, the data transmitted between the client 1 and the server 3 are encrypted with a symmetric encryption algorithm according to the HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) protocol and decrypted between the client 1 and the server 3 with the same key. Since the key is established by a key exchange between the client 1 and the server 3, the SSL communication data transmitted between the client 1 and the server 3 are not easily intercepted and cracked.
Moreover, before the client 1 and the server 3 carry out SSL communication, the client 1 needs to establish an encrypted SSL channel with the server 3, so that the SSL communication between the client 1 and the server 3 takes place through that SSL channel. For example, when a browser in the client 1 needs to access Web content on the server 3, the client 1 sends an SSL connection request to the server 3 to request that an SSL channel be established between the client 1 and the server 3. The client 1 needs to authenticate the SSL certificate of the server 3 before it can establish the SSL channel with it. For example, in a specific implementation, each server 3 providing a Web site holds an SSL certificate issued under a CA certificate, and the CA certificate is stored in the client 1. Before requesting the server 3 to establish the encrypted SSL channel, the client 1 needs to verify the SSL certificate of the server 3: only after judging that the name in the SSL certificate of the server 3 matches the IP address or domain name of the server 3, and that the server's SSL certificate has not expired, does it establish the SSL channel between the client 1 and the server 3 and then carry out subsequent SSL communication through that channel.
To further ensure the security of SSL communication, in some scenarios an intermediate proxy 2 is placed between the client 1 and the server 3. The intermediate proxy 2 connects to the client 1 and the server 3 respectively and performs security detection on the SSL communication data transmitted between the client 1 and the server 3, so as to guarantee the communication security of the client 1 and the server 3 during SSL communication. As shown in Fig. 1, when the client 1 carries out SSL communication through the intermediate proxy 2, no direct SSL communication connection is established between the client 1 and the server 3; all SSL communication data between the client 1 and the server 3 pass through the intermediate proxy 2, where they are decrypted, subjected to security detection, re-encrypted and then transmitted on. The intermediate proxy 2 may be an electronic device with the relevant data-processing function; for example, the intermediate proxy 2 in Fig. 2 may be regarded as an SSL intermediate proxy server inserted between the client 1 and the server 3. In the remainder of this description, intermediate proxy 2 denotes the SSL intermediate proxy server that realises the intermediate proxy function.
Specifically, the intermediate proxy 2 can detect the SSL communication data between the client 1 and the server 3. Only after the intermediate proxy 2 has performed security detection on the SSL communication data and considers the SSL communication environment between the client 1 and the server 3 to be safe, that is, when the server 3 carries no risk of hijacking or stealing the information of the client 1, does it allow the client 1 and the server 3 to establish an SSL connection and transmit SSL communication data between them over that SSL connection.
For example, in one implementation, the detection method used by the intermediate proxy 2 is to present to the client 1, in the identity of the server 3, a reconstructed SSL certificate bearing the same name as the server 3. So that this reconstructed certificate passes the checks of the client 1, the root certificate of the CA that issued the reconstructed certificate is deployed in advance into the trusted list of the client 1. The client 1 then encrypts the generated session key with the public key of the reconstructed certificate of the intermediate proxy 2, and the encrypted session key is sent toward the server 3 via the intermediate proxy 2. After the intermediate proxy 2 receives the session key encrypted with its own public key, it can decrypt it with its own private key to recover the plaintext session key. While the intermediate proxy 2 establishes an SSL connection with the client 1 in the identity of the server 3, it also establishes a normal SSL connection with the real server 3. Each encrypted application-layer request, such as an HTTPS request, that the client 1 subsequently sends is first decrypted into plaintext by the intermediate proxy 2 through the SSL protocol and then SSL-encrypted again and sent to the server 3. That is, in the presence of the intermediate proxy 2, the communication between the client 1 and the server 3 is actually two SSL secure connections chained together: the client 1 actually establishes its SSL connection with the intermediate proxy 2, and all messages sent and received are forwarded by the intermediate proxy. In some implementations, the connections that the intermediate proxy 2 establishes with the client 1 and the server 3 are also called half-connections. Therefore the intermediate proxy 2 can subject all SSL communication data, whether sent by the client 1 to the server 3 or by the server 3 to the client 1, to security detection at the intermediate proxy 2.
However, in the prior art, to guarantee the security of SSL communication between the client 1 and the server 3, the intermediate proxy 2 performs security detection on every SSL connection request issued by the client 1, and decrypts, inspects and re-encrypts all SSL communication data transmitted over the SSL connection established between the client 1 and the server 3 from that request. But when the SSL communication data transmitted between the client 1 and the server 3 are processed with an encryption mode such as two-way authentication, no third party, including the intermediate proxy 2, can decrypt the SSL communication data the two exchange; the intermediate proxy 2 therefore cannot decrypt and inspect the SSL communication data between the client 1 and the server 3, cannot establish a half-connection with the server 3, and in the end the client and the server cannot realise SSL communication through the half-connections. Alternatively, when the processing mode of the SSL communication data used between some clients 1 and servers 3 already has a high security level of its own, for example a government website, which is not normally hijacked, the security of SSL communication between the client 1 and the server of that government website can be guaranteed, and it is meaningless for the intermediate proxy 2 to perform security detection on the SSL communication data between such clients 1 and servers 3. Because of the large number of such useless security detections in the prior art, the efficiency with which the intermediate proxy 2 processes the SSL communication data between the client 1 and the server 3 is greatly reduced.
Therefore, the present invention proposes an SSL communication method, apparatus and storage medium in which, when the target SSL communication data between the client and the server obtained by the SSL intermediate proxy server meet a preset condition, the SSL communication data are forwarded directly without security detection, and security detection is performed on the SSL communication data only when the target SSL communication data do not meet the preset condition, thereby improving the efficiency of the SSL intermediate proxy server for SSL communication.
The technical solution of the present invention is described in detail below with specific embodiments. The following specific embodiments may be combined with one another, and the same or similar concepts or processes may not be repeated in some embodiments.
Fig. 2 is the flow diagram of one embodiment of SSL traffic method of the present invention.Wherein, the executing subject of the present embodiment can To be the middle-agent 2 in scene as shown in Figure 1, alternatively, the present embodiment executing subject can also be that access carries out SSL traffic Between client 1 and server 3, the electronic equipment of middle-agent's function can be realized.Below with reference to Fig. 1 and Fig. 2 to this reality The SSL traffic method for applying example offer is illustrated.As shown in Fig. 2, SSL traffic method provided in this embodiment includes:
S101: the target SSL traffic data between client and server are obtained.
Specifically, it since there are middle-agents 2 between client 1 and server 3, is then passed between client 1 and server 3 Defeated SSL traffic data can all be sent to middle-agent 2.Alternatively, the SSL traffic data transmitted between client 1 and server 3 After will being intercepted and captured by middle-agent 2, middle-agent 2 gets the target between client 1 and server 3 by S101 first After SSL traffic data, target SSL traffic data are parsed, to determine that SSL connection request transmitted by client 1 is corresponding Server 3.
Optionally, target SSL traffic data described in the present embodiment can be the SSL that client 1 is sent to server 3 Connection request, the SSL connection request is for requesting to establish the channel SSL between client 1 and server 3 with logical by SSL Transmit SSL traffic data in road.Alternatively, target SSL traffic data can also be that setting up SSL between client 1 and server 3 leads to After road, SSL traffic data that client 1 or server 3 transmit in the channel SSL.
Optionally, in one possible implementation, target SSL traffic data are SSL connection requests, then SSL connection It include that client 1 requests to establish the address of the server 3 of SSL connection in request, then middle-agent 2 can connect according to the SSL The address that the address in request determines that client 1 to be requested and establish the server 3 of SSL connection is connect, with the address to server 3 Carry out the processing of subsequent the present embodiment.
It should be noted that a middle-agent 2 described in the present embodiment can handle different multiple clients 1 simultaneously From the SSL traffic data between different multiple servers 3, the present embodiment is example with a client 1 and a server 3 It is illustrated, the increase and decrease of the client 1 and server 3 connected to middle-agent 2 quantitatively is not specifically limited.Meanwhile In S101, if target SSL traffic data are SSL connection requests, client 1 may be by middle-agent 2 to different clothes Business device 3 sends SSL connection request, and therefore, the SSL connection request that middle-agent 2 needs to be initiated according to client 1 first is specifically right The server 3 answered.
S102: judge whether the target SSL traffic data meets a preset condition.
Specifically, in S102 the intermediate proxy 2 judges whether the target SSL traffic data determined in S101 meets the preset condition. The intermediate proxy 2 can decide whether the SSL traffic data meets the preset condition based on the address of the server 3 that the target SSL traffic data corresponds to.
Optionally, in one possible implementation of S102, when the target SSL traffic data is an SSL connection request sent by client 1 to server 3, whether the SSL connection request meets the preset condition can be determined by judging whether the address of the server corresponding to the SSL connection request is in a list.
In one specific implementation of S102, when the target SSL traffic data is an SSL connection request sent by client 1 to server 3, the intermediate proxy 2 may determine whether the SSL connection request meets the preset condition according to whether the SSL connection request can be decrypted. Specifically, before the intermediate proxy 2 performs security detection on an SSL connection request, it must decrypt the request to obtain its encrypted content. If the SSL connection request that client 1 sends to server 3 is protected in a mode such as mutual (two-way) authentication, the intermediate proxy 2 cannot decrypt it, therefore cannot perform security detection on it, and does not forward it to server 3. In the end the SSL channel between client 1 and server 3 fails to be established and client 1 cannot communicate with server 3 over SSL, so an SSL connection request that could by itself have guaranteed security fails to connect.
For example, when client 1 communicates with server 3 over SSL, the SSL traffic data transmitted between them may be protected by mutual authentication; likewise, the SSL connection request that client 1 sends to server 3 may be protected by mutual authentication. Once an SSL connection request has been processed in a mode such as mutual authentication, no other device or user, the intermediate proxy 2 included, can successfully decrypt it, even by man-in-the-middle decryption and similar methods. Because the intermediate proxy 2 cannot decrypt the SSL connection request, client 1 cannot establish a half-connection with server 3, and the SSL connection between client 1 and server 3 ultimately fails. Therefore, in this embodiment, the intermediate proxy 2 performs no decryption, security detection or other processing on SSL connection requests it cannot decrypt; as soon as it determines that an SSL connection request cannot be decrypted, it forwards the request directly to the corresponding server 3.
Optionally, to make the check of whether an SSL connection request can be decrypted more efficient, the intermediate proxy 2 may add the address of the server corresponding to each SSL connection request it could not decrypt to a detection list; that is, when the servers whose addresses are in the detection list communicate with clients over SSL, the SSL traffic data is always processed in a mode the intermediate proxy 2 cannot decrypt. Therefore, in S102, when an SSL connection request sent by client 1 is obtained, the SSL connection request is determined to meet the preset condition if the address of the server corresponding to it is in the detection list.
In another specific implementation of S102, when the target SSL traffic data is an SSL connection request sent by client 1 to server 3, the intermediate proxy 2 determines whether the server meets the preset condition according to whether the address of the server corresponding to the SSL connection request is in a reputation list, where the reputation list includes the addresses of at least one server whose specified security level is greater than a preset level. For example, in this embodiment the intermediate proxy 2 holds a reputation list that includes the address of at least one server. In S102 it judges whether the address of the server corresponding to the SSL connection request determined in S101 is present in the reputation list. If the address of the server is present in the reputation list, the SSL connection request determined in S101 meets the preset condition; if the address of server 3 is not in the reputation list, the SSL connection request determined in S101 does not meet the preset condition.
Specifically, the reputation list includes the address of at least one server, namely servers whose specified security level is greater than a preset security level. Here the security level expresses how likely server 3 is to be abnormal or attacked. For example, in one possible way of dividing security levels, websites with very large access traffic, such as government websites and search websites, are unlikely to be faulty or attacked, so their security level is the highest; even if the intermediate proxy 2 performed SSL security detection on them, the result would be that the SSL traffic is safe. The addresses of these servers of highest security level can therefore be added to the reputation list. When client 1 sends an SSL connection request to one of these servers 3 of higher security level and the address of the server is in the reputation list, the intermediate proxy 2 performs no security detection even though it has received the SSL connection request from client 1 for that server, and in the subsequent S103 it forwards the SSL connection request, which is in the reputation list and has not undergone security detection, directly to server 3.
It should be noted that the detection list and the reputation list provided in this embodiment may be a single list that contains both; alternatively, in S102 of this embodiment the detection list and the reputation list may be consulted in turn to judge whether the target SSL traffic data meets the preset condition. Optionally, besides the addresses of the above detection list and reputation list, the list may also include the addresses of further servers. For example, the list may include server addresses specified by the user of client 1 or of server 3; when the address of the server corresponding to the target SSL traffic data determined in S101 is in this list, the target SSL traffic data is determined to meet the preset condition. Alternatively, the list may include only the addresses of specified servers.
S103: if the target SSL traffic data meets the preset condition, forward the SSL traffic data between the client and the server.
Specifically, in S103, if the target SSL traffic data has been judged in S102 to meet the preset condition, the intermediate proxy 2 subsequently performs no security detection on the SSL traffic data transmitted between client 1 and server 3, including the target SSL traffic data, and simply forwards it.
Optionally, when the target SSL traffic data is an SSL connection request, after the intermediate proxy 2 judges in S102 that the SSL connection request meets the preset condition, in S103 it forwards the SSL connection request of client 1 directly to the corresponding server 3 so that an SSL channel is set up between server 3 and client 1. After the SSL channel between client 1 and server 3 has been set up, the intermediate proxy 2 also receives the first SSL traffic data that client 1 sends to server 3 and forwards it directly to server 3 without decrypting, security-detecting or encrypting the first SSL traffic data; likewise, after the SSL channel has been set up, it receives the second SSL traffic data that server 3 sends to client 1 and forwards it directly to client 1 without decrypting, security-detecting or encrypting the second SSL traffic data. That is, while maintaining the SSL traffic data in the SSL channel between client 1 and server 3, the intermediate proxy 2 performs no processing related to security detection on the SSL traffic data between them and forwards it directly.
In summary, in the SSL communication method provided in this embodiment, when the intermediate proxy judges that the obtained target SSL traffic data between a client and a server meets the preset condition, it forwards the target SSL traffic data directly without security detection, and performs security detection on the SSL traffic data between the client and the server only when the target SSL traffic data does not meet the preset condition. Having judged whether the target SSL traffic data meets the preset condition, the intermediate proxy therefore performs no security detection on the SSL traffic data between the majority of clients and servers that meet the preset condition, and performs security detection only on the SSL traffic data between the minority of clients and servers that do not meet the preset condition and carry a risk. This reduces the amount of SSL traffic data the intermediate proxy has to process, improves its performance in processing SSL traffic data, and thereby improves the efficiency with which the intermediate proxy handles SSL traffic data.
Fig. 3 is a flow diagram of one embodiment of the SSL communication method of the present invention. As shown in Fig. 3, this embodiment also provides an SSL communication method which, on the basis of Fig. 2, further includes the following after S102:
S203: if the target SSL traffic data does not meet the preset condition, judge whether a predefined certificate list contains a predefined certificate for the server corresponding to the target SSL traffic data; the predefined certificate list includes a predefined certificate corresponding to at least one server.
Specifically, in the SSL communication method provided in this embodiment, after S102 has judged that the target SSL traffic data does not meet the preset condition, and if the target SSL traffic data is an SSL connection request, it is necessary to judge whether a predefined certificate exists for the server determined in S101. The predefined certificate is used to establish the half-connection between the intermediate proxy 2 and client 1, and the predefined certificate list includes a predefined certificate corresponding to at least one server. In some embodiments the predefined certificate list may also be called a static rule list. The at least one server covers scenarios in which the intermediate proxy 2 does not need to perform security detection on the SSL traffic to that server 3; for example, client 1 sends internal e-mail through an internal server 3 on the local area network, and the internal server 3 can be guaranteed not to be hijacked.
S204: if the predefined certificate list contains the predefined certificate of the server corresponding to the target SSL traffic data, establish a first half-connection with the client using the predefined certificate, and initiate a half-connection establishment request to the server so as to establish a second half-connection with the server.
Specifically, when S203 determines that the predefined certificate list contains the predefined certificate of the server corresponding to the target SSL traffic data, this embodiment can provide one predefined certificate for each server in the list, so that the intermediate proxy 2 establishes a half-connection with client 1 using the predefined certificate and then initiates a half-connection request to server 3 and establishes a half-connection with server 3. While the intermediate proxy 2 establishes the half-connections with client 1 and with server 3, it performs no security detection on the SSL connection request.
S205: obtain the first SSL traffic data sent by the client over the first half-connection, decrypt it, perform security detection on it, encrypt it, and send it to the server over the second half-connection; obtain the second SSL traffic data sent by the server over the second half-connection, decrypt it, perform security detection on it, encrypt it, and send it to the client over the first half-connection.
Specifically, after the half-connection between client 1 and the intermediate proxy 2 and the half-connection between the intermediate proxy 2 and server 3 have been set up in S204, the intermediate proxy 2 carries the SSL communication between client 1 and server 3 over the established half-connections. The intermediate proxy obtains the first SSL traffic data sent by the client over the first half-connection, decrypts it, performs security detection and encryption on it, and sends it to the server over the second half-connection; it obtains the second SSL traffic data sent by the server over the second half-connection, decrypts it, performs security detection and encryption on it, and sends it to the client over the first half-connection.
Therefore, in the SSL communication method provided in this embodiment, if a predefined certificate exists for the server corresponding to the SSL connection request obtained by the intermediate proxy, the intermediate proxy performs no security detection on the SSL connection request but directly establishes a half-connection with the client using the predefined certificate and then a half-connection with the server, and maintains the subsequent SSL communication between the client and the server over the two established half-connections. Compared with the prior art, in which the intermediate proxy must first verify the security of the SSL connection request and then construct an intermediate certificate from the server's certificate before it can establish the half-connections with the client and the server, this greatly improves the efficiency with which the intermediate proxy handles SSL connection requests.
Optionally, if after the judgments of Fig. 2 and/or Fig. 3 the target SSL traffic data is an SSL connection request and the server corresponding to the SSL connection request obtained by the intermediate proxy meets none of the above conditions, the intermediate proxy applies default processing to the SSL connection request. Default processing may include: the intermediate proxy 2 first establishes a half-connection with server 3, then constructs an intermediate certificate from the certificate of server 3, then uses the intermediate certificate to accept the client's request and establish the half-connection between the intermediate proxy and the client, and subsequently maintains the SSL connection in decrypting mode. Default processing is the same as in the prior art and is not described further.
Further, in the above embodiments, security detection of SSL connection requests occupies considerable resources of the intermediate proxy server, so this embodiment also provides a method of judging whether the resources of the intermediate proxy have reached an upper limit, to further improve SSL communication efficiency. Specifically, after the intermediate proxy obtains the target SSL traffic data in S101, it also judges whether the occupation proportion of the resources it uses to process SSL traffic data is greater than a preset threshold. If the occupation proportion of the resources used to process the SSL traffic data is greater than the preset threshold, the SSL traffic data is not decrypted, security-detected or encrypted but forwarded directly. Once the total resources the intermediate proxy uses for security detection of SSL traffic data have reached the upper limit, subsequently received SSL traffic data that would require security detection is handled with the direct-forwarding maintenance strategy, which improves the communication efficiency of the SSL traffic data.
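The decision the intermediate proxy makes for each SSL connection request is spread over S102 (detection list, reputation list, user-specified addresses), S203/S204 (predefined certificate list, also called the static rule list), the default processing, and the resource-threshold check performed right after S101. The policy class below is an added example, not the patent's or Neusoft's code, and its names (`ProxyPolicy`, `Action`, `record_undecryptable`, the sample host names) are this example's own. It returns one of three outcomes: forward without inspection, inspect using a predefined certificate, or inspect using the default intermediate-certificate flow; `record_undecryptable` models how a server the proxy failed to decrypt (for example one requiring mutual authentication) is learned into the detection list so the next request to it is forwarded instead of failing again.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Set


class Action(Enum):
    FORWARD = "forward"                        # S103: relay bytes unchanged, no decryption or inspection
    INSPECT_PREDEFINED = "inspect_predefined"  # S204/S205: two half-connections using the predefined certificate
    INSPECT_DEFAULT = "inspect_default"        # default: intermediate certificate built from the server's


@dataclass
class ProxyPolicy:
    """Lists consulted for every SSL connection request (example names, not the patent's)."""
    detection_list: Set[str] = field(default_factory=set)           # servers the proxy could not decrypt earlier
    reputation_list: Set[str] = field(default_factory=set)          # servers above the preset security level
    user_list: Set[str] = field(default_factory=set)                # addresses specified by client/server users
    predefined_certs: Dict[str, str] = field(default_factory=dict)  # static rules: server -> predefined cert id
    resource_threshold: float = 0.8                                 # preset threshold for inspection resource usage

    def meets_preset_condition(self, server: str) -> bool:
        """S102: the requested server's address is in one of the bypass lists."""
        return (server in self.detection_list
                or server in self.reputation_list
                or server in self.user_list)

    def decide(self, server: str, resource_usage: float) -> Action:
        """Choose how the proxy handles one SSL connection request addressed to `server`.
        `resource_usage` is the proportion (0..1) of inspection resources currently occupied."""
        if not 0.0 <= resource_usage <= 1.0:
            raise ValueError("resource_usage must be a proportion in [0, 1]")
        # Checked right after S101: above the preset threshold, new requests are
        # forwarded rather than inspected until resources are available again.
        if resource_usage > self.resource_threshold:
            return Action.FORWARD
        if self.meets_preset_condition(server):      # S102 -> S103
            return Action.FORWARD
        if server in self.predefined_certs:          # S203 -> S204
            return Action.INSPECT_PREDEFINED
        return Action.INSPECT_DEFAULT                # default processing

    def record_undecryptable(self, server: str) -> None:
        """A request the proxy failed to decrypt (e.g. the server requires mutual
        authentication) puts the server in the detection list, so later requests
        to it are forwarded directly instead of failing the connection again."""
        self.detection_list.add(server)


def sample_policy() -> ProxyPolicy:
    """Constructed sample lists; the host names are placeholders, not real servers."""
    return ProxyPolicy(
        detection_list={"mtls.partner.example"},
        reputation_list={"www.gov.example"},
        predefined_certs={"mail.corp.internal": "predefined-cert-1"},
        resource_threshold=0.8,
    )


if __name__ == "__main__":
    policy = sample_policy()
    for host in ("mtls.partner.example", "mail.corp.internal", "shop.unknown.example"):
        print(host, policy.decide(host, resource_usage=0.25).value)
    print("under load:", policy.decide("shop.unknown.example", resource_usage=0.95).value)
```

Two points a defender would want recorded alongside such a policy: every address on the detection, reputation or user list leaves inspection entirely, so membership changes (including the automatic ones made by `record_undecryptable`) belong in an audit log, and the resource-threshold bypass means that under inspection overload new connections are silently uninspected, which is worth alerting on rather than only accepting as a performance measure.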
Fig. 4 is a flow diagram of one embodiment of the SSL communication method of the present invention; the embodiment shown in Fig. 4 is a schematic diagram of a method combining the above embodiments. The virtual modules shown in Fig. 4 execute the SSL communication method of any of the above embodiments, where the target SSL traffic data is an SSL connection request; the intermediate proxy 2 then specifically includes:
Forwarding SSL connection maintenance module: forwards SSL connection requests directly, without any operation related to security detection of the SSL connection request.
Decrypting SSL connection maintenance module: maintains the two half-connections between the intermediate proxy 2 and client 1 and server 3 when security detection and decryption of the SSL connection request are required; it receives the encrypted data from either of client 1 and server 3, decrypts it, performs security detection, re-encrypts it and sends it to the other end.
Target certificate rule matching module: can store the detection list, reputation list and static rules of the embodiments of Fig. 2 and Fig. 3 and match the server 3 requested by client 1 against them. When the match succeeds against the detection list or the reputation list, the SSL connection request is forwarded directly without decryption; when the match succeeds against a static rule, the client's half-connection is accepted with the predefined certificate and the SSL connection is subsequently maintained in decrypting mode.
Certificate constructing module: constructs an intermediate certificate from the certificate returned by server 3 and signs the constructed intermediate certificate with the CA certificate preset in the SSL proxy.
SSL connection accepting module: establishes the SSL half-connection with client 1.
SSL connection initiating module: establishes the SSL half-connection with server 3.
Fig. 5 is a structural schematic diagram of one embodiment of the SSL communication device of the present invention. As shown in Fig. 5, the SSL communication device provided in this embodiment includes a transceiver module 501 and a processing module 502. The transceiver module 501 obtains the target SSL traffic data between a client and a server; the processing module 502 judges whether the target SSL traffic data meets a preset condition; and the transceiver module 501 further forwards the SSL traffic data between the client and the server if the target SSL traffic data meets the preset condition.
The SSL communication device provided in this embodiment can be used to execute the SSL communication method shown in Fig. 1; its implementation and principle are the same and are not repeated.
Optionally, the target SSL traffic data is an SSL connection request, and the processing module 502 is specifically configured to determine whether the SSL connection request meets the preset condition by judging whether the address of the server corresponding to the SSL connection request is in a list.
Optionally, the processing module 502 is specifically configured to determine that the SSL connection request meets the preset condition when the address of the server corresponding to the SSL connection request is in a detection list; the detection list includes the address of at least one server that, when communicating with a client over SSL, processes the SSL traffic data in a target processing mode.
Optionally, the processing module 502 is specifically configured to determine that the SSL connection request meets the preset condition when the address of the server corresponding to the SSL connection request is in a reputation list; the reputation list includes the addresses of at least one server whose specified security level is greater than a preset level.
Optionally, the processing module 502 is specifically configured to:
if the target SSL traffic data does not meet the preset condition, judge whether a predefined certificate list contains the predefined certificate of the server corresponding to the target SSL traffic data, where the predefined certificate list includes a predefined certificate corresponding to at least one server;
if the predefined certificate list contains the predefined certificate of the server corresponding to the target SSL traffic data, establish a first half-connection with the client using the predefined certificate, and initiate a half-connection establishment request to the server so as to establish a second half-connection with the server;
The transceiver module 501 is further configured to obtain the first SSL traffic data sent by the client over the first half-connection, decrypt it, perform security processing and encryption on it, and send it to the server over the second half-connection; and to obtain the second SSL traffic data sent by the server over the second half-connection, decrypt it, perform security processing and encryption on it, and send it to the client over the first half-connection.
Optionally, the transceiver module 501 is further configured to forward the SSL traffic data between the client and the server if the occupation proportion of the resources used to process the target SSL traffic data is greater than a preset threshold.
The SSL communication device provided in this embodiment can be used to execute the SSL processing method described above; its implementation and principle are the same and are not repeated.
The present invention also provides an SSL communication device comprising a processor, a memory and a computer program, where the computer program is stored in the memory and configured to be executed by the processor, and the computer program includes instructions for executing the SSL communication method of any of the preceding embodiments.
The present invention also provides a computer-readable storage medium storing a computer program, where the computer program causes a server to execute the SSL communication method of any of the preceding embodiments.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be completed by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium; when executed, it performs the steps of the above method embodiments. The storage medium includes any medium capable of storing program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A Secure Sockets Layer (SSL) communication method, characterized by comprising:
obtaining target SSL traffic data between a client and a server;
judging whether the target SSL traffic data meets a preset condition;
if the target SSL traffic data meets the preset condition, forwarding the SSL traffic data between the client and the server.
2. The method according to claim 1, characterized in that the target SSL traffic data is an SSL connection request;
and the judging whether the target SSL traffic data meets the preset condition comprises:
determining whether the SSL connection request meets the preset condition by judging whether the address of the server corresponding to the SSL connection request is in a list.
3. The method according to claim 2, characterized in that the determining whether the SSL connection request meets the preset condition by judging whether the address of the server corresponding to the SSL connection request is in a list comprises:
determining that the SSL connection request meets the preset condition when the address of the server corresponding to the SSL connection request is in a detection list; wherein the detection list includes the address of at least one server that, when communicating with a client over SSL, processes the SSL traffic data in a target processing mode.
4. The method according to claim 2, characterized in that the determining whether the SSL connection request meets the preset condition by judging whether the address of the server corresponding to the SSL connection request is in a list comprises:
determining that the SSL connection request meets the preset condition when the address of the server corresponding to the SSL connection request is in a reputation list; wherein the reputation list includes the addresses of at least one server whose specified security level is greater than a preset level.
5. The method according to claim 1, characterized by further comprising:
if the target SSL traffic data does not meet the preset condition, judging whether a predefined certificate list contains the predefined certificate of the server corresponding to the target SSL traffic data; wherein the predefined certificate list includes a predefined certificate corresponding to at least one server;
if the predefined certificate list contains the predefined certificate of the server corresponding to the target SSL traffic data, establishing a first half-connection with the client using the predefined certificate, and initiating a half-connection establishment request to the server so as to establish a second half-connection with the server;
obtaining first SSL traffic data sent by the client over the first half-connection, decrypting the first SSL traffic data, performing security detection and encryption on it, and sending it to the server over the second half-connection; obtaining second SSL traffic data sent by the server over the second half-connection, decrypting the second SSL traffic data, performing security detection and encryption on it, and sending it to the client over the first half-connection.
6. The method according to any one of claims 1 to 5, characterized in that, after the obtaining of the target SSL traffic data between the client and the server, the method further comprises:
if the occupation proportion of the resources used to process the target SSL traffic data is greater than a preset threshold, forwarding the SSL traffic data between the client and the server.
7. A Secure Sockets Layer (SSL) communication device, characterized by comprising:
a transceiver module, configured to obtain target SSL traffic data between a client and a server;
a processing module, configured to judge whether the target SSL traffic data meets a preset condition;
the transceiver module being further configured to forward the SSL traffic data between the client and the server if the target SSL traffic data meets the preset condition.
8. The device according to claim 7, characterized in that the target SSL traffic data is an SSL connection request;
the processing module being specifically configured to determine whether the SSL connection request meets the preset condition by judging whether the address of the server corresponding to the SSL connection request is in a list.
9. A Secure Sockets Layer (SSL) communication device, characterized by comprising a processor, a memory and a computer program; wherein the computer program is stored in the memory and configured to be executed by the processor, and the computer program includes instructions for executing the method according to any one of claims 1 to 6.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program, and the computer program causes a server to perform the method according to any one of claims 1 to 6.
CN201811423764.6A 2018-11-27 2018-11-27 SSL communication method, device and storage medium Active CN109413201B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811423764.6A CN109413201B (en) 2018-11-27 2018-11-27 SSL communication method, device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811423764.6A CN109413201B (en) 2018-11-27 2018-11-27 SSL communication method, device and storage medium

Publications (2)

Publication Number Publication Date
CN109413201A true CN109413201A (en) 2019-03-01
CN109413201B CN109413201B (en) 2021-06-29

Family

ID=65455710

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811423764.6A Active CN109413201B (en) 2018-11-27 2018-11-27 SSL communication method, device and storage medium

Country Status (1)

Country Link
CN (1) CN109413201B (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111147256A (en) * 2019-12-26 2020-05-12 华为技术有限公司 Authentication method and device
CN111614660A (en) * 2020-05-19 2020-09-01 北京字节跳动网络技术有限公司 Method and device for detecting safety verification defects and electronic equipment
CN111711598A (en) * 2020-04-23 2020-09-25 中国电子科技网络信息安全有限公司 Sensitive data detection system for large-scale SSL/TLS encrypted session stream
CN112929359A (en) * 2021-02-01 2021-06-08 深信服科技股份有限公司 Proxy decryption method and device, terminal and storage medium
CN113810396A (en) * 2021-09-07 2021-12-17 北京明朝万达科技股份有限公司 Data management and control method and device, electronic equipment and storage medium
CN114091014A (en) * 2021-10-29 2022-02-25 珠海大横琴科技发展有限公司 Data processing method and device
CN114221799A (en) * 2021-12-10 2022-03-22 中国人民银行数字货币研究所 Communication monitoring method, device and system
CN114615309A (en) * 2022-01-18 2022-06-10 奇安信科技集团股份有限公司 Client access control method, device and system, electronic equipment and storage medium
CN115190175A (en) * 2022-07-18 2022-10-14 浪潮(北京)电子信息产业有限公司 Connection processing method, system, electronic device, server and readable storage medium

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230093942A1 (en) * 2021-09-24 2023-03-30 Cisco Technology, Inc. Providing connection data to network devices for content inspection and replay attack mitigation

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101141243A (en) * 2006-09-08 2008-03-12 飞塔信息科技(北京)有限公司 Device and method for carrying out security check and content filtering on communication data
CN101141244A (en) * 2006-09-08 2008-03-12 飞塔信息科技(北京)有限公司 Network encrypted data virus detection and elimination system, proxy server and method
KR20100018022A (en) * 2010-01-27 2010-02-16 임차성 Secure sockets layer comunication recoding method of proxy server
CN104270379A (en) * 2014-10-14 2015-01-07 北京蓝汛通信技术有限责任公司 HTTPS proxy forwarding method and device based on transmission control protocol
US9391979B1 (en) * 2013-01-11 2016-07-12 Google Inc. Managing secure connections at a proxy server
CN107135233A (en) * 2017-06-28 2017-09-05 百度在线网络技术(北京)有限公司 Safe transmission method and device, the server and storage medium of information
CN108011888A (en) * 2017-12-15 2018-05-08 东软集团股份有限公司 A kind of method, apparatus and storage medium, program product for realizing certificate reconstruct

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
W. CHOU: "Inside SSL: the secure sockets layer protocol", IT Professional *
佘冉君: "SSL Security Research and Implementation", China Masters' Theses Full-text Database, Information Science and Technology Series *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111147256A (en) * 2019-12-26 2020-05-12 华为技术有限公司 Authentication method and device
CN111711598A (en) * 2020-04-23 2020-09-25 中国电子科技网络信息安全有限公司 Sensitive data detection system for large-scale SSL/TLS encrypted session stream
CN111711598B (en) * 2020-04-23 2022-07-05 中国电子科技网络信息安全有限公司 Sensitive data detection system for large-scale SSL/TLS encrypted session stream
CN111614660B (en) * 2020-05-19 2022-01-18 北京字节跳动网络技术有限公司 Method and device for detecting safety verification defects and electronic equipment
CN111614660A (en) * 2020-05-19 2020-09-01 北京字节跳动网络技术有限公司 Method and device for detecting safety verification defects and electronic equipment
CN112929359A (en) * 2021-02-01 2021-06-08 深信服科技股份有限公司 Proxy decryption method and device, terminal and storage medium
CN113810396A (en) * 2021-09-07 2021-12-17 北京明朝万达科技股份有限公司 Data management and control method and device, electronic equipment and storage medium
CN114091014A (en) * 2021-10-29 2022-02-25 珠海大横琴科技发展有限公司 Data processing method and device
CN114221799A (en) * 2021-12-10 2022-03-22 中国人民银行数字货币研究所 Communication monitoring method, device and system
CN114221799B (en) * 2021-12-10 2024-03-22 中国人民银行数字货币研究所 Communication monitoring method, device and system
CN114615309A (en) * 2022-01-18 2022-06-10 奇安信科技集团股份有限公司 Client access control method, device and system, electronic equipment and storage medium
CN114615309B (en) * 2022-01-18 2024-03-15 奇安信科技集团股份有限公司 Client access control method, device, system, electronic equipment and storage medium
CN115190175A (en) * 2022-07-18 2022-10-14 浪潮(北京)电子信息产业有限公司 Connection processing method, system, electronic device, server and readable storage medium
CN115190175B (en) * 2022-07-18 2023-07-14 浪潮(北京)电子信息产业有限公司 Connection processing method, system, electronic device, server and readable storage medium

Also Published As

Publication number Publication date
CN109413201B (en) 2021-06-29

Similar Documents

Publication Publication Date Title
CN109413201A (en) SSL traffic method, apparatus and storage medium
CA3008705C (en) System for issuing public certificate on basis of block chain, and method for issuing public certificate on basis of block chain by using same
CN110708170B (en) Data processing method and device and computer readable storage medium
US8275984B2 (en) TLS key and CGI session ID pairing
CN107666383A (en) Message processing method and device based on the HTTPS protocol
CN107493162A (en) Implementation method and device of a blockchain node
CN108243176B (en) Data transmission method and device
CN104378379B (en) Digital content encrypted transmission method, device and system
CN101292496A (en) Method and devices for carrying out cryptographic operations in a client-server network
CN111818196B (en) Domain name resolution method and device, computer equipment and storage medium
US20170070486A1 (en) Server public key pinning by url
CN108306872B (en) Network request processing method and device, computer equipment and storage medium
CN106685983A (en) Data recovery method and device based on SSL protocol
CN113473458B (en) Device access method, data transmission method and computer readable storage medium
CN109492424A (en) Data assets management method, data assets managing device and computer-readable medium
WO2011037226A1 (en) Access control system, authentication server system, and access control program
CN108701308A (en) System for issuing public certificate based on block chain and the method for issuing public certificate based on block chain using the system
Srikanth et al. An efficient Key Agreement and Authentication Scheme (KAAS) with enhanced security control for IIoT systems
CN109272314A (en) Secure communication method and system based on two-party collaborative signature computation
Puthal et al. Decision tree based user-centric security solution for critical IoT infrastructure
JP2018026631A (en) SSL communication system, client, server, SSL communication method, computer program
CN106657002A (en) Novel crash-proof base correlation time multi-password identity authentication method
CN107276996A (en) Transmission method and system for a log file
CN106031097A (en) Service processing method and device
CN106230840A (en) High-security command identification method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant