CN111049789B - Domain name access method and device - Google Patents

Domain name access method and device Download PDF

Info

Publication number
CN111049789B
CN111049789B (application CN201811195485.9A; earlier publication CN111049789A)
Authority
CN
China
Prior art keywords
domain name
server
certificate
domain
accessed
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811195485.9A
Other languages
Chinese (zh)
Other versions
CN111049789A (en
Inventor
赵琪珲
王建平
孙达威
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jingdong Century Trading Co Ltd
Beijing Jingdong Shangke Information Technology Co Ltd
Original Assignee
Beijing Jingdong Century Trading Co Ltd
Beijing Jingdong Shangke Information Technology Co Ltd
Application filed by Beijing Jingdong Century Trading Co Ltd and Beijing Jingdong Shangke Information Technology Co Ltd
Priority to CN201811195485.9A
Publication of CN111049789A
Application granted
Publication of CN111049789B
Legal status: Active

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L61/00 Network arrangements, protocols or services for addressing or naming
                    • H04L61/45 Network directories; Name-to-address mapping
                        • H04L61/4505 Name-to-address mapping using standardised directories; using standardised directory access protocols
                            • H04L61/4511 Name-to-address mapping using the domain name system [DNS]
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/08 Network security for authentication of entities
                        • H04L63/0823 Authentication of entities using certificates
                    • H04L63/10 Network security for controlling access to devices or network resources
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L67/01 Protocols
                        • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
                • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
                    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
                        • H04L69/161 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
                            • H04L69/162 Implementation details involving adaptations of sockets based mechanisms

Abstract

The invention discloses a domain name access method and device and relates to the technical field of computers. One embodiment of the method comprises the following steps: when the configuration of the client supports loose authentication, a first request message based on HTTPS and requesting a domain name to be accessed is sent to the server, where loose authentication means judging whether authentication of the domain name to be accessed passes according to a certificate associated with any one of a plurality of domain names; receiving a first response message from the server, the first response message comprising a first certificate associated with any one of the plurality of domain names; determining the plurality of domain names configured on the server; and determining whether the domain name to be accessed is authenticated according to the determined plurality of domain names and the first certificate. According to this embodiment, the technical problem of certificate verification failing in a single-IP multi-domain-name scenario is solved either by adding a Server Name Indication (SNI) for the domain name to be accessed to the first message that is sent, or by configuring loose authentication.

Description

Domain name access method and device
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and apparatus for domain name access.
Background
For ease of memorization, a domain name is generally used in place of an Internet Protocol (IP) address to identify a site. When a client needs to access the network, the domain name is entered into a browser, the domain name is resolved, and the client then accesses the server at the corresponding IP address. The access process is generally as follows: the client initiates a request (such as an HTTPS request; HTTPS is Hyper Text Transfer Protocol over Secure Socket Layer) containing the domain name to be resolved; if the client has no IP address for that domain name in its cache, it sends a DNS query to a domain name server (Domain Name System, DNS); the domain name server returns the IP address corresponding to the domain name; and the client sends its request to that IP address, thereby accessing the corresponding server.
Before the HTTPS request is sent, an SSL/TLS handshake is performed (SSL: Secure Sockets Layer; TLS: Transport Layer Security). During the handshake the client must verify the certificate presented by the server, and only if verification passes may the client access the server. Part of verifying the server's certificate is checking whether the certificate covers the domain name of the current request.
If verification passes, the current server is considered trusted; otherwise the current connection is not trusted and is terminated.
In the process of implementing the present invention, the inventor finds that at least the following problems exist in the prior art:
in the single-IP multi-domain-name scenario, after the client resolves the domain name through the domain name server, the domain name in the request is replaced by the IP address. A server that hosts several domain names behind one IP address may then present a certificate for a domain name other than the one requested, so the domain name check on the certificate fails and the SSL/TLS handshake does not succeed.
Disclosure of Invention
In view of this, the embodiments of the present invention provide a method and an apparatus for domain name access. When the client supports loose authentication, a first request message based on HTTPS is sent to the server, and whether authentication of the domain name to be accessed passes is determined according to the domain name associated with a first certificate contained in a first response message from the server and a plurality of domain names configured on the server. When the client does not support loose authentication, a Server Name Indication (SNI) indicating the domain name to be accessed is added to a second request message to be sent to the server, and whether authentication of the domain name to be accessed passes is determined according to a second certificate contained in a second response message from the server. This allows access to any domain name on a server configured with a plurality of domain names and solves the technical problem of certificate verification failing in a single-IP multi-domain-name scenario.
To achieve the above object, according to one aspect of the embodiments of the present invention, there is provided a domain name access method, where the domain name to be accessed is one of a plurality of domain names configured on a server, the method including: when the configuration of the client supports loose authentication, sending to the server a first request message based on HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) requesting the domain name to be accessed, where loose authentication means judging whether authentication of the domain name to be accessed passes according to a certificate associated with any one of the plurality of domain names; receiving a first response message from the server, the first response message comprising a first certificate associated with any one of the plurality of domain names; determining the plurality of domain names configured on the server; and determining whether the domain name to be accessed is authenticated according to the determined domain names and the first certificate.
Optionally, the determining the plurality of domain names of the server configuration includes: determining the domain name to be accessed; according to the domain name to be accessed, a third request message for inquiring the network protocol address of the server is sent to a domain name resolution server; receiving a third response message containing the network protocol address returned by the domain name server; sending a fourth request message for inquiring the multiple domain names of the server to a domain name resolution server according to the network protocol address contained in the third response message; and receiving a fourth response message containing the plurality of domain names returned by the domain name server so as to determine the plurality of domain names configured by the server.
Optionally, the determining whether the domain name to be accessed is authenticated according to the determined multiple domain names and the first certificate includes: determining a domain name associated with a first certificate contained in the first response message; matching the domain name associated with the first certificate with the determined multiple domain names of the server side; and if the domain name matched with the domain name associated with the first certificate exists in the plurality of domain names, passing the authentication of the domain name to be accessed.
Optionally, the method further comprises: and when the domain name associated with the first certificate supports a wildcard certificate, if a domain name matched with the subdomain name supported by the wildcard certificate exists in the plurality of domain names, passing the authentication of the domain name to be accessed.
Optionally, the method further comprises: when the configuration of the client does not support loose authentication, adding a Server Name Indication (SNI) indicating the domain name to be accessed to a second request message based on HTTPS to be sent to the server; sending the second request message to the server; receiving a second response message from the server, the second response message comprising a second certificate returned according to the SNI; and determining whether the domain name to be accessed passes authentication according to the second certificate.
To achieve the above object, according to another aspect of the embodiments of the present invention, there is provided an apparatus for domain name access, where the domain name to be accessed is one of a plurality of domain names configured on a server, the apparatus comprising: a request message sending module, configured to send to the server a first request message based on HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) requesting the domain name to be accessed when the configuration of the client supports loose authentication, where loose authentication means determining whether authentication of the domain name to be accessed passes according to a certificate associated with any one of the plurality of domain names; a response message receiving module, configured to receive a first response message from the server, the first response message including a first certificate associated with any one of the plurality of domain names; a server domain name determining module, configured to determine the plurality of domain names configured on the server; and an authentication module, configured to determine whether the domain name to be accessed passes authentication according to the determined domain names and the first certificate.
Optionally, the server domain name determining module is further configured to: determining the domain name to be accessed; according to the domain name to be accessed, a third request message for inquiring the network protocol address of the server is sent to a domain name resolution server; receiving a third response message containing the network protocol address returned by the domain name server; sending a fourth request message for inquiring the multiple domain names of the server to a domain name resolution server according to the network protocol address contained in the third response message; and receiving a fourth response message containing the plurality of domain names returned by the domain name server so as to determine the plurality of domain names configured by the server.
Optionally, the authentication module is further configured to: determining a domain name associated with a first certificate contained in the first response message; matching the domain name associated with the first certificate with the determined multiple domain names of the server side; and if the domain name matched with the domain name associated with the first certificate exists in the plurality of domain names, passing the authentication of the domain name to be accessed.
Optionally, the authentication module is further configured to: and when the domain name associated with the first certificate supports a wildcard certificate, if a domain name matched with the subdomain name supported by the wildcard certificate exists in the plurality of domain names, passing the authentication of the domain name to be accessed.
Optionally, the request message sending module is further configured to: when the configuration of the client does not support loose authentication, add a Server Name Indication (SNI) indicating the domain name to be accessed to a second request message based on HTTPS to be sent to the server, and send the second request message to the server; the response message receiving module is further configured to receive a second response message from the server, the second response message comprising a second certificate returned according to the SNI; and the authentication module is further configured to determine whether the domain name to be accessed passes authentication according to the second certificate.
To achieve the above object, according to still another aspect of the embodiments of the present invention, there is provided an electronic device including: one or more processors; and the storage device is used for storing one or more programs, and when the one or more programs are executed by the one or more processors, the one or more processors are enabled to realize the domain name access method according to the embodiment of the invention.
To achieve the above object, according to still another aspect of the embodiments of the present invention, there is provided a computer readable medium having stored thereon a computer program, wherein the program when executed by a processor implements a method for domain name access according to the embodiments of the present invention.
One embodiment of the above invention has the following advantages or benefits: when the client supports loose authentication, the method sends a first request message based on HTTPS to the server and determines whether authentication of the domain name to be accessed passes according to the domain name associated with the first certificate contained in the first response message from the server and the plurality of domain names configured on the server; when the client does not support loose authentication, the method adds a Server Name Indication (SNI) indicating the domain name to be accessed to a second request message to be sent to the server and determines whether authentication of the domain name to be accessed passes according to the second certificate contained in the second response message from the server. This allows access to any domain name on a server configured with a plurality of domain names and solves the technical problem of certificate verification failing in a single-IP multi-domain-name scenario.
Further effects of the optional features described above are explained below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a schematic diagram of the main flow of establishing an HTTPS connection;
FIG. 2 is a schematic diagram of the main flow of a method of domain name access according to an embodiment of the invention;
FIG. 3 is a schematic diagram of a certificate;
FIG. 4 is a schematic diagram of the main flow of determining the plurality of domain names of the server in a domain name access method according to an embodiment of the present invention;
FIG. 5 is a schematic flow chart of a method for providing certificates by a server according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of the major modules of an apparatus for domain name access according to an embodiment of the present invention;
FIG. 7 is an exemplary system architecture diagram in which embodiments of the present invention may be applied;
FIG. 8 is a schematic diagram of a computer system suitable for implementing a terminal device or server according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, in which various details of the embodiments of the present invention are included to facilitate understanding, and are to be considered merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
For convenience in describing the method according to the embodiment of the present invention, the process of establishing the HTTPS connection will be described first. As shown in fig. 1, the process includes:
1. The client sends a client hello message carrying, in plaintext, its protocol version, a candidate list of cipher suites, a candidate list of compression algorithms, a random number, extension fields and so on;
2. The server returns a server hello message containing the negotiated results: the selected protocol version, the selected cipher suite, the selected compression method and the server random number random_S. The server also sends its configured certificate chain (the server certificates) for identity verification.
3. The client verifies the validity of the certificate. It checks whether the domain name in the certificate matches the domain name to be accessed; if so, communication continues, otherwise different warnings and actions follow depending on the error. In this step the client must also check the authenticity of the certificate (its signature chain to a trusted issuer), whether it has been revoked, and its validity period.
4. After the certificate passes verification, the client generates random keying material and sends it to the server. In client_key_exchange the client generates a random pre-master secret, encrypts it with the public key from the certificate and sends it to the server (this describes the RSA key exchange; with (EC)DHE key exchange, and in TLS 1.3, the shared secret is instead derived from ephemeral key shares and the certificate key only signs the handshake). change_cipher_spec tells the server that subsequent communication will be encrypted with the negotiated key and algorithm. encrypted_handshake_message combines a hash of all previous handshake messages into a piece of data, encrypts it with the negotiated session secret and algorithm, and sends it to the server so the server can verify the data and the handshake.
5. The server decrypts the encrypted_handshake_message sent by the client and verifies the data and the key. Once they check out, the server likewise sends change_cipher_spec to tell the client that subsequent communication uses the negotiated key and algorithm, and its own encrypted_handshake_message, built from all handshake messages so far and encrypted with the negotiated session secret and algorithm.
6. The handshake ends. The client computes the hash of all received messages, decrypts the server's encrypted_handshake_message with the negotiated key, verifies the data and key sent by the server, and the handshake is complete.
7. The client and the server begin encrypted communication.
Fig. 2 is a schematic diagram of the main flow of a method for domain name access according to an embodiment of the present invention, where the domain name to be accessed is one of a plurality of domain names configured on the server. A domain name is the name of a computer or group of computers on the Internet, consisting of a string of labels separated by dots, and is used to identify the electronic location (sometimes loosely referred to as the geographic location) of the computer during data transmission. The method can be applied on the client. As shown in Fig. 2, the method includes:
Step S201: it is determined whether the client supports loose authentication.
The loose authentication refers to judging whether the domain name to be accessed passes authentication according to a certificate associated with any domain name in a plurality of domain names configured by a server side. In this embodiment, whether the client supports loose authentication may be set in the configuration file of the client in advance, and further whether the client supports loose authentication may be determined according to the configuration file of the client.
Step S202-1: when the configuration of the client supports loose authentication, a first request message based on HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) requesting the domain name to be accessed is sent to the server.
The first request message refers to a client hello message sent by the client to the server.
Step S203-1: and receiving a first response message of the server, wherein the first response message comprises a first certificate associated with any domain name in the plurality of domain names.
The first response message refers to the server hello message returned by the server to the client. The first certificate is issued by a trusted digital certificate authority after verifying the identity of the server, and serves both to authenticate the server and to protect the transmitted data. Through the first certificate the client can verify whether the website it is accessing (i.e., the domain name to be accessed) is authentic. In general, a certificate includes the certificate version, validity period, issuer and subject information. The domain name associated with the certificate is determined from the subject information (the subject common name and, in current practice, the Subject Alternative Name entries).
As a specific example, as shown in fig. 3, from the certificate, it can be known that the certificate is associated with a domain name m.xyz.com.
Step S204-1: and determining the domain names configured by the server.
For example, the client may query a local cache or database for a record of multiple domain names configured by the server. If so, a plurality of domain names configured by the server side can be obtained from the cache or the database. If not, the multiple domain names of the server configuration may be determined through a process as shown in fig. 4.
As shown in fig. 4, the process includes:
determining the domain name to be accessed;
according to the domain name to be accessed, a third request message for inquiring the network protocol address of the server is sent to a domain name resolution server;
receiving a third response message containing the network protocol address returned by the domain name server;
sending a fourth request message for inquiring the multiple domain names of the server to a domain name resolution server according to the network protocol address contained in the third response message;
and receiving a fourth response message containing the plurality of domain names returned by the domain name server so as to determine the plurality of domain names configured by the server.
The domain name resolution server (Domain Name System, DNS) is a server that converts between a domain name and its corresponding network protocol address (IP). A domain name resolution server has two zones: a "forward lookup zone" in which A records are stored and a "reverse lookup zone" in which PTR records are stored. The A record, also called a host record, is the most widely used record; it states which IP a domain name corresponds to, i.e., the mapping from domain name to IP, written for example as "m.xyz.com 192.168.1.1". PTR records, also known as pointer records, are the reverse of A records and resolve an IP into domain names. Querying an IP address from a domain name is called DNS forward resolution (or a forward query), and querying domain names from an IP address is called DNS reverse resolution (or a reverse query).
As a specific example, the client writes the domain name to be accessed, say modules.example.com (one of the domain names configured on the server), into a third request message for querying the network protocol address of the server and sends it to the domain name resolution server. The resolution server performs DNS forward resolution using the A records of its forward lookup zone, determines the IP corresponding to the domain name to be accessed, and returns that IP (illustrated here as 444.333.222.111) to the client. The client writes the IP into a fourth request message and sends it to the domain name server, which performs DNS reverse resolution using the PTR records of its reverse lookup zone to determine the domain names corresponding to the IP. Assume those domain names are images.example.com, modules.example.com and security.example.com. The domain name resolution server returns these 3 domain names to the client.
Step S205-1: and determining whether the domain name to be accessed is authenticated according to the determined domain names and the first certificate.
Illustratively, this step may include:
determining a domain name associated with a first certificate contained in the first response message;
matching the domain name associated with the first certificate with the determined multiple domain names of the server side;
and if the domain name matched with the domain name associated with the first certificate exists in the plurality of domain names, passing the authentication of the domain name to be accessed.
If the domain name matched with the domain name associated with the first certificate does not exist in the plurality of domain names, authentication of the domain name to be accessed fails.
In an alternative embodiment, when the domain name associated with the first certificate is a wildcard certificate, if one of the plurality of domain names matches a subdomain covered by the wildcard certificate, the domain name to be accessed is authenticated.
A wildcard certificate is a certificate whose domain name contains a wildcard, written in the form "*.xx.xx", where "*" is the wildcard; it makes the covered domain names more flexible and extensible. Wildcards are special characters, chiefly the asterisk (*) and the question mark (?), used for fuzzy matching; when searching for files, a wildcard stands in for one or more real characters whose exact value is not known. For example, when the domain name in a certificate is "*.example.com", the domain name contains the wildcard "*". In this case the subdomain label of each domain name obtained from the server's IP address can be replaced by the wildcard, that is, "images.example.com" becomes "*.example.com", "modules.example.com" becomes "*.example.com" and "security.example.com" becomes "*.example.com". The domain name in the certificate is then matched against the converted domain names, and if a converted domain name matches a subdomain covered by the wildcard certificate, the domain name to be accessed is authenticated. (In the matching used by browsers, per RFC 6125, a wildcard covers exactly one leftmost label, so "*.example.com" covers "images.example.com" but neither "example.com" nor "a.b.example.com".)
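The DNS lookups of Fig. 4 and the matching of step S205-1, including the wildcard alternative, carried through in code. This is an added example, not code from the patent: the A and PTR zones, the certificates (in the dict shape Python's ssl.SSLSocket.getpeercert() returns) and all function names are constructed for illustration. One point the patent leaves implicit and a deployer should weigh: in loose mode the client accepts a certificate issued for a name other than the one it asked for, on the strength of PTR records, which are maintained by whoever administers the reverse zone for that address range and are not themselves authenticated.

```python
"""Loose vs. strict name authentication for a single-IP, multi-domain server.
Added example; the DNS data and certificate dicts are constructed so that it
runs offline."""

# Constructed forward (A) and reverse (PTR) zones standing in for the
# domain name resolution server of Fig. 4.
A_RECORDS = {
    "images.example.com": "192.0.2.10",
    "modules.example.com": "192.0.2.10",
    "security.example.com": "192.0.2.10",
}
PTR_RECORDS = {
    "192.0.2.10": ["images.example.com", "modules.example.com",
                   "security.example.com"],
}

# Constructed certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert().
CERT_IMAGES = {"subject": ((("commonName", "images.example.com"),),),
               "subjectAltName": (("DNS", "images.example.com"),)}
CERT_WILDCARD = {"subject": ((("commonName", "*.example.com"),),),
                 "subjectAltName": (("DNS", "*.example.com"),)}
CERT_OTHER = {"subject": ((("commonName", "m.xyz.com"),),)}


def forward_lookup(name):
    """Third request/response of Fig. 4: domain name -> IP (None if unknown)."""
    return A_RECORDS.get(name.lower().rstrip("."))


def reverse_lookup(ip):
    """Fourth request/response of Fig. 4: IP -> every domain name configured for it."""
    return list(PTR_RECORDS.get(ip, []))


def names_from_cert(cert):
    """Collect the DNS names a certificate is issued for: subjectAltName DNS
    entries first, falling back to the subject commonName when no SAN exists."""
    names = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for (k, v) in rdn:
                if k == "commonName":
                    names.append(v)
    return [n.lower() for n in names]


def name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a single leftmost '*' label covering
    exactly one label ('*.example.com' matches 'images.example.com' but not
    'a.b.example.com' or 'example.com')."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def strict_authenticate(cert, requested):
    """Step S205-2: the certificate must cover the requested domain itself."""
    return any(name_matches(p, requested) for p in names_from_cert(cert))


def loose_authenticate(cert, requested):
    """Steps S204-1/S205-1: the certificate may cover *any* domain configured on
    the server the requested name resolves to; wildcard names in the certificate
    are matched against that list (the alternative embodiment)."""
    ip = forward_lookup(requested)
    if ip is None:
        return False
    server_domains = reverse_lookup(ip)
    if not server_domains:
        return False  # no reverse data: the text falls back to the SNI path here
    return any(name_matches(p, d)
               for p in names_from_cert(cert) for d in server_domains)


if __name__ == "__main__":
    req = "modules.example.com"
    print("strict, images cert:", strict_authenticate(CERT_IMAGES, req))  # False: the single-IP mismatch
    print("loose,  images cert:", loose_authenticate(CERT_IMAGES, req))   # True: same server's cert
    print("loose,  wildcard:   ", loose_authenticate(CERT_WILDCARD, req)) # True
    print("loose,  m.xyz.com:  ", loose_authenticate(CERT_OTHER, req))    # False: not hosted on that IP
```

The strict path is what a browser does today; the loose path reproduces the patent's acceptance rule and shows why it only makes sense when the client trusts both the reverse zone and every tenant sharing the IP address.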
Step S202-2: when the configuration of the client does not support loose authentication, a Server Name Indication (SNI) indicating the domain name to be accessed is added to a second request message based on HTTPS to be sent to the server.
The second request message is again a client hello message. SNI (Server Name Indication) is an extension to SSL (Secure Socket Layer) and TLS (Transport Layer Security) that lets the client state the domain name it wants to access when it initiates the handshake (in the client hello message it sends), so that a server hosting several domain names can identify the requested domain name and return the corresponding certificate. Since the client hello carries version information, a cipher suite candidate list, a compression algorithm candidate list, a random number and extension fields, the SNI is carried in the extension fields.
In an alternative embodiment, when the configuration of the client supports loose authentication, the first request message sent to the server may or may not carry an SNI indicating the domain name to be accessed; the invention does not limit this. When the client supports loose authentication but cannot obtain the plurality of domain names of the server (for example, the client cannot reach the domain name resolution server, the resolution server does not support reverse resolution, or its records are incomplete), an SNI indicating the domain name to be accessed may be added to the first request message sent to the server.
Step S203-2: and sending the second request message to the server.
Step S204-2: and receiving a second response message of the server, wherein the second response message comprises a second certificate returned according to the SNI.
The server can determine the domain name the client wants to access from the service name indication SNI in the extension field of the received client hello message, and can then determine, from that domain name, which certificate to return to the client.
Step S205-2: and determining whether the domain name to be accessed passes authentication according to the second certificate.
Specifically, the domain name associated with the second certificate is matched with the domain name to be accessed, and if the domain name associated with the second certificate is the same as the domain name to be accessed, the domain name to be accessed is authenticated.
In this embodiment, authentication of a domain name may also be understood as authentication of an entity associated with the domain name.
According to the domain name access method provided by this embodiment of the invention, when the client supports loose authentication, a first HTTPS-based request message is sent to the server, and whether the domain name to be accessed passes authentication is determined according to the domain name associated with the first certificate contained in the first response message from the server and the multiple domain names configured by the server; when the client does not support loose authentication, a service name indication SNI indicating the domain name to be accessed is added to a second request message to be sent to the server, and whether the domain name to be accessed passes authentication is determined according to the second certificate contained in the second response message from the server. This realizes access to any domain name of a server configured with multiple domain names and solves the technical problem that certificate verification fails in the single IP, multiple domain name scenario.
Fig. 5 is a flow diagram of the main steps of a method for providing certificates according to an embodiment of the invention. As shown in Fig. 5, the method comprises:
step S501: receiving a request message from a client;
step S502: determining whether a received request message from a client contains a service name indication SNI for indicating a domain name to be accessed by the client;
step S503: if yes, the response message to be sent to the client contains a certificate associated with the domain name to be accessed;
step S504: if not, the response message to be sent to the client contains a certificate selected from a plurality of certificates associated with the domain names.
The method can be used by a server configured with multiple domain names that are associated with multiple certificates. When the received request message from the client contains a service name indication indicating the domain name the client is to access, the response message to be sent to the client contains the certificate associated with the domain name to be accessed; when the received request message from the client does not contain the service name indication, the response message to be sent to the client contains a certificate selected from the multiple certificates associated with the domain names.
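The client-side checks described above (the wildcard conversion, loose authentication against the server's reverse-resolved domain names, strict authentication of the certificate returned for the SNI) together with the server-side certificate selection of Fig. 5, worked through as an added Python example; this is not code from the patent. The Certificate class, StubResolver, the sample domains and the 203.0.113.10 address are constructed, and returning the first certificate when SNI is absent is an assumption about how "a certificate selected from a plurality of certificates" is chosen.

```python
# Added example (not the patent's own code): client-side certificate checks and
# the server-side certificate selection of Fig. 5, simulated in one process.
# Certificate, StubResolver, the sample domains and 203.0.113.10 are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Certificate:
    """Minimal stand-in for an X.509 certificate: only the DNS names it covers."""
    names: Sequence[str]


def to_wildcard(domain: str) -> Optional[str]:
    """Convert 'images.example.com' to '*.example.com' as the wildcard example
    above describes; None when the name has no subdomain label to convert."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 3 or "" in labels:
        return None
    return "*." + ".".join(labels[1:])


def name_matches(cert_name: str, domain: str) -> bool:
    """A wildcard name covers a domain whose converted form equals it, so
    '*.example.com' covers 'images.example.com' but not 'example.com' or
    'a.b.example.com' (one label only); plain names must match exactly."""
    cert_name = cert_name.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if cert_name.startswith("*."):
        return to_wildcard(domain) == cert_name
    return cert_name == domain


def strict_authenticate(cert: Certificate, target: str) -> bool:
    """Step S205-2: the certificate returned for the SNI must name the target."""
    return any(name_matches(n, target) for n in cert.names)


def loose_authenticate(cert: Certificate, server_domains: Sequence[str]) -> bool:
    """Loose authentication: the certificate may name any domain configured on
    the server. This ties the certificate only to the reverse-DNS list, so the
    result is only as trustworthy as those PTR records."""
    return any(name_matches(n, d) for n in cert.names for d in server_domains)


@dataclass(frozen=True)
class StubResolver:
    """Constructed stand-in for the domain name resolution server: forward (A)
    records and reverse (PTR) records keyed by IP address."""
    forward: Dict[str, str]
    reverse: Dict[str, List[str]]

    def server_domains(self, target: str) -> List[str]:
        """Third and fourth request messages: target -> IP -> all domains on
        that IP. Empty when no PTR data exists, the case in which the
        description falls back to sending SNI."""
        ip = self.forward.get(target.lower())
        return list(self.reverse.get(ip, [])) if ip else []


def select_certificate(sni: Optional[str],
                       certs: Sequence[Certificate]) -> Optional[Certificate]:
    """Fig. 5, steps S502-S504: with SNI, the certificate associated with the
    requested domain; without SNI, one of the configured certificates (here the
    first one, an assumption)."""
    if sni is None:
        return certs[0] if certs else None
    for cert in certs:
        if any(name_matches(n, sni) for n in cert.names):
            return cert
    return None


def access(target: str, supports_loose: bool, resolver: StubResolver,
           server_certs: Sequence[Certificate]) -> bool:
    """One simulated HTTPS access: returns whether the target passed authentication."""
    server_domains = resolver.server_domains(target) if supports_loose else []
    if server_domains:
        # First request message: ClientHello without SNI; the server answers
        # with the certificate of any of its domains.
        cert = select_certificate(None, server_certs)
        return cert is not None and loose_authenticate(cert, server_domains)
    # Second request message: ClientHello carrying SNI (also the fallback when
    # the server's domains could not be obtained).
    cert = select_certificate(target, server_certs)
    return cert is not None and strict_authenticate(cert, target)


# Constructed sample data: one IP address hosts three domains covered by two
# certificates, the "single IP, multiple domain names" scenario of the text.
SERVER_CERTS = (Certificate(("*.example.com",)), Certificate(("shop.example.net",)))
RESOLVER = StubResolver(
    forward={"images.example.com": "203.0.113.10",
             "modules.example.com": "203.0.113.10",
             "shop.example.net": "203.0.113.10"},
    reverse={"203.0.113.10": ["images.example.com", "modules.example.com",
                              "shop.example.net"]},
)

if __name__ == "__main__":
    for target in ("images.example.com", "shop.example.net"):
        for loose in (True, False):
            print(target, "loose" if loose else "sni", access(target, loose, RESOLVER, SERVER_CERTS))
    # Without SNI and without loose authentication the default certificate does
    # not name shop.example.net: the failure the method is designed to avoid.
    print(strict_authenticate(select_certificate(None, SERVER_CERTS), "shop.example.net"))
```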
Fig. 6 is a schematic diagram of main modules of an apparatus 600 for domain name access according to an embodiment of the present invention, as shown in fig. 6, the apparatus 600 includes:
a request message sending module 601, configured to send, to the server, a first request message for requesting the domain name to be accessed based on a hypertext transfer protocol HTTPS of a secure socket layer when the configuration of the client supports loose authentication, where the loose authentication is to determine whether to pass authentication on the domain name to be accessed according to a certificate associated with any domain name of a plurality of domain names;
a response message receiving module 602, configured to receive a first response message of the server, where the first response message includes a first certificate associated with any domain name of the plurality of domain names;
a server domain name determining module 603, configured to determine the plurality of domain names configured by the server;
an authentication module 604, configured to determine whether authentication of the domain name to be accessed is passed according to the determined multiple domain names and the first certificate.
Optionally, the server domain name determining module 603 is further configured to: determine the domain name to be accessed; send, according to the domain name to be accessed, a third request message querying the network protocol address of the server to a domain name resolution server; receive a third response message containing the network protocol address returned by the domain name resolution server; send, according to the network protocol address contained in the third response message, a fourth request message querying the multiple domain names of the server to the domain name resolution server; and receive a fourth response message containing the multiple domain names returned by the domain name resolution server, so as to determine the multiple domain names configured by the server.
Optionally, the authentication module 604 is further configured to: determining a domain name associated with a first certificate contained in the first response message; matching the domain name associated with the first certificate with the determined multiple domain names of the server side; and if the domain name matched with the domain name associated with the first certificate exists in the plurality of domain names, passing the authentication of the domain name to be accessed.
Optionally, the authentication module 604 is further configured to: and when the domain name associated with the first certificate supports a wildcard certificate, if a domain name matched with the subdomain name supported by the wildcard certificate exists in the plurality of domain names, passing the authentication of the domain name to be accessed.
Optionally, the request message sending module 601 is further configured to: when the configuration of the client does not support the loose authentication, adding a service name indication SNI for indicating the domain name to be accessed to a second request message based on HTTPS to be sent to the server; sending the second request message to the server;
the response message receiving module 602 is further configured to: receiving a second response message of the server, wherein the second response message comprises a second certificate returned according to the SNI;
The authentication module 604 is further configured to: and determining whether the domain name to be accessed passes authentication according to the second certificate.
The device can execute the method provided by the embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method. Technical details not described in detail in this embodiment may be found in the methods provided in the embodiments of the present invention.
Fig. 7 illustrates an exemplary system architecture 700 of a method of accessing a server having multiple domain names or a device of accessing a server having multiple domain names to which embodiments of the present invention may be applied.
As shown in fig. 7, a system architecture 700 may include terminal devices 701, 702, 703, a network 704, and a server 705. The network 704 is used as a medium to provide communication links between the terminal devices 701, 702, 703 and the server 705. The network 704 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
A user may interact with a server 705 via a network 704 using terminal devices 701, 702, 703 to receive or send messages, etc. Various communication client applications, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, etc., may be installed on the terminal devices 701, 702, 703.
The terminal devices 701, 702, 703 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 705 may be a server providing various services, for example a background management server that supports the shopping websites browsed by users of the terminal devices 701, 702, 703. The background management server can analyze and otherwise process received data such as product information query requests, and feed back processing results (such as targeted push information and product information) to the terminal devices.
It should be noted that, the method for accessing a server having multiple domain names according to the embodiment of the present invention is generally executed by the server 705, and accordingly, a device for accessing a server having multiple domain names is generally disposed in the server 705.
It should be understood that the number of terminal devices, networks and servers in fig. 7 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 8, there is illustrated a schematic diagram of a computer system 800 suitable for use in implementing an embodiment of the present invention. The terminal device shown in fig. 8 is only an example, and should not impose any limitation on the functions and the scope of use of the embodiment of the present invention.
As shown in fig. 8, the computer system 800 includes a Central Processing Unit (CPU) 801 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 802 or a program loaded from a storage section 807 into a Random Access Memory (RAM) 803. In the RAM 803, various programs and data required for the operation of the system 800 are also stored. The CPU 801, ROM 802, and RAM 803 are connected to each other by a bus 804. An input/output (I/O) interface 807 is also connected to bus 804.
The following components are connected to the I/O interface 805: an input portion 806 including a keyboard, mouse, etc.; an output portion 807 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage section 808 including a hard disk or the like; and a communication section 809 including a network interface card such as a LAN card, a modem, or the like. The communication section 809 performs communication processing via a network such as the internet. The drive 810 is also connected to the I/O interface 805 as needed. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as needed so that a computer program read out therefrom is mounted into the storage section 808 as needed.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication section 809, and/or installed from the removable media 811. The above-described functions defined in the system of the present invention are performed when the computer program is executed by a Central Processing Unit (CPU) 801.
The computer readable medium shown in the present invention may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules involved in the embodiments of the present invention may be implemented in software or in hardware. The described modules may also be provided in a processor, for example, as: a processor includes a sending module, an obtaining module, a determining module, and a first processing module. The names of these modules do not constitute a limitation on the unit itself in some cases, and for example, the transmitting module may also be described as "a module that transmits a picture acquisition request to a connected server".
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments; or may be present alone without being fitted into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to include:
when the configuration of the client supports loose authentication, a first request message for requesting the domain name to be accessed based on a hypertext transfer protocol (HTTPS) of a secure socket layer is sent to the server, wherein the loose authentication refers to whether authentication of the domain name to be accessed is passed or not is judged according to a certificate associated with any domain name in a plurality of domain names;
receiving a first response message of the server, wherein the first response message comprises a first certificate associated with any domain name in the plurality of domain names;
determining the plurality of domain names configured by the server;
and determining whether the domain name to be accessed is authenticated according to the determined domain names and the first certificate.
According to the technical solution described above, when loose authentication is not supported, a service name indication indicating the domain name to be accessed is added to the first message to be sent to the server, and whether the domain name to be accessed passes authentication is determined according to whether the first certificate contained in the second message from the server is associated with the domain name to be accessed; when loose authentication is supported, the multiple domain names of the server are maintained, and whether the domain name to be accessed passes authentication is determined according to whether the second certificate contained in the fourth message from the server is associated with any of the maintained domain names of the server. This realizes access to any domain name of a server configured with multiple domain names and solves the technical problem that certificate verification fails in the single IP, multiple domain name scenario.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives can occur depending upon design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (10)

1. A method for accessing a domain name, wherein the domain name to be accessed is one domain name of a plurality of domain names configured by a server side, comprising:
when the configuration of the client supports loose authentication, a first request message for requesting the domain name to be accessed based on a hypertext transfer protocol (HTTPS) of a secure socket layer is sent to the server, wherein the loose authentication refers to whether authentication of the domain name to be accessed is passed or not is judged according to a certificate associated with any domain name in a plurality of domain names;
receiving a first response message of the server, wherein the first response message comprises a first certificate associated with any domain name in the plurality of domain names;
determining the plurality of domain names configured by the server;
Determining whether the domain name to be accessed passes authentication according to the determined domain names and the first certificate, including: and determining a domain name associated with a first certificate included in the first response message, matching the domain name associated with the first certificate with the determined multiple domain names of the service end, and if the domain name matched with the domain name associated with the first certificate exists in the multiple domain names, passing the authentication of the domain name to be accessed.
2. The method of claim 1, wherein the determining the plurality of domain names of the server configuration comprises:
determining the domain name to be accessed;
according to the domain name to be accessed, a third request message for inquiring the network protocol address of the server is sent to a domain name resolution server;
receiving a third response message containing the network protocol address returned by the domain name resolution server;
sending a fourth request message for inquiring the multiple domain names of the server to a domain name resolution server according to the network protocol address contained in the third response message;
and receiving a fourth response message containing the plurality of domain names returned by the domain name resolution server so as to determine the plurality of domain names configured by the server.
3. The method according to claim 1, wherein the method further comprises:
and when the domain name associated with the first certificate supports a wildcard certificate, if a domain name matched with the subdomain name supported by the wildcard certificate exists in the plurality of domain names, passing the authentication of the domain name to be accessed.
4. The method according to claim 1, wherein the method further comprises:
when the configuration of the client does not support the loose authentication, adding a service name indication SNI for indicating the domain name to be accessed to a second request message based on HTTPS to be sent to the server;
sending the second request message to the server;
receiving a second response message of the server, wherein the second response message comprises a second certificate returned according to the SNI;
and determining whether the domain name to be accessed passes authentication according to the second certificate.
5. A domain name accessing apparatus, wherein a domain name to be accessed is one domain name of a plurality of domain names configured by a server side, comprising:
a request message sending module, configured to send a first request message for requesting the domain name to be accessed based on hypertext transfer protocol HTTPS of a secure socket layer to the server when the configuration of the client supports loose authentication, where the loose authentication is to determine whether to pass authentication on the domain name to be accessed according to a certificate associated with any domain name of a plurality of domain names;
A response message receiving module, configured to receive a first response message of the server, where the first response message includes a first certificate associated with any domain name of the plurality of domain names;
the server side domain name determining module is used for determining the plurality of domain names configured by the server side;
an authentication module, configured to determine whether authentication of the domain name to be accessed is passed according to the determined multiple domain names and the first certificate, including: and determining a domain name associated with a first certificate included in the first response message, matching the domain name associated with the first certificate with the determined multiple domain names of the service end, and if the domain name matched with the domain name associated with the first certificate exists in the multiple domain names, passing the authentication of the domain name to be accessed.
6. The apparatus of claim 5, wherein the server domain name determination module is further configured to:
determining the domain name to be accessed;
according to the domain name to be accessed, a third request message for inquiring the network protocol address of the server is sent to a domain name resolution server;
receiving a third response message containing the network protocol address returned by the domain name resolution server;
Sending a fourth request message for inquiring the multiple domain names of the server to a domain name resolution server according to the network protocol address contained in the third response message;
and receiving a fourth response message containing the plurality of domain names returned by the domain name resolution server so as to determine the plurality of domain names configured by the server.
7. The apparatus of claim 5, wherein the authentication module is further to:
and when the domain name associated with the first certificate supports a wildcard certificate, if a domain name matched with the subdomain name supported by the wildcard certificate exists in the plurality of domain names, passing the authentication of the domain name to be accessed.
8. The apparatus of claim 5, wherein
the request message sending module is further configured to: when the configuration of the client does not support the loose authentication, adding a service name indication SNI for indicating the domain name to be accessed to a second request message based on HTTPS to be sent to the server; sending the second request message to the server;
the response message receiving module is further configured to: receiving a second response message of the server, wherein the second response message comprises a second certificate returned according to the SNI;
The authentication module is further configured to: and determining whether the domain name to be accessed passes authentication according to the second certificate.
9. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
when executed by the one or more processors, causes the one or more processors to implement the method of any of claims 1-4.
10. A computer readable medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the method according to any of claims 1-4.
CN201811195485.9A 2018-10-15 2018-10-15 Domain name access method and device Active CN111049789B (en)

Publications (2)

Publication Number Publication Date
CN111049789A CN111049789A (en) 2020-04-21
CN111049789B true CN111049789B (en) 2023-05-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant