CN111490985A - SSL VPN multi-service address sharing system and sharing method - Google Patents

SSL VPN multi-service address sharing system and sharing method

Info

Publication number: CN111490985A
Authority: CN (China)
Prior art keywords: service, vpn, sni, https, connection
Legal status (as listed by Google Patents; an assumption, not a legal conclusion): Granted
Application number: CN202010260442.5A
Other languages: Chinese (zh)
Other versions: CN111490985B (en)
Inventors: 刘佳, 范渊, 吴永越, 郑学新, 刘韬
Current assignee: Chengdu DBAPPSecurity Co Ltd
Original assignee: Chengdu DBAPPSecurity Co Ltd
Application filed by Chengdu DBAPPSecurity Co Ltd; priority to CN202010260442.5A; publication of CN111490985A; application granted; publication of CN111490985B
Current legal status: Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/0272 Virtual private networks (H04L63/00 Network architectures or network communication protocols for network security; H04L63/02 for separating internal from external traffic, e.g. firewalls)
    • H04L63/0823 Authentication of entities using certificates (H04L63/08 Network architectures or network communication protocols for network security for authentication of entities)
    • H04L63/166 Implementing security features at the transport layer (H04L63/16 Implementing security features at a particular protocol layer)
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/01 Protocols)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an SSL VPN multi-service address sharing system and sharing method. The system comprises an SSL VPN client provided with an SNI setting module, an SSL VPN server provided with an SNI proxy module and connected to the SSL VPN client, and a browser and HTTPS services each connected to the SNI proxy module; the SNI setting module is connected to the SNI proxy module. In the sharing method, the browser client or the SSL VPN client connects to the SSL VPN server, the SNI proxy module selects the server certificate and the service to be used, and the SSL VPN server distributes TCP connections according to the SNI field through the SNI proxy module. This achieves port sharing among several SSL VPN services, between the SSL VPN service and the HTTPS service, and the connection between the browser and the HTTPS service: HTTPS and the SSL VPN communicate over the same TCP port, fewer network addresses are consumed, and deployment and management are simplified.

Description

SSL VPN multi-service address sharing system and sharing method
Technical Field
The invention relates to the technical field of computer networks, and in particular to an SSL VPN multi-service address sharing system and sharing method.
Background
In a network environment with strict security requirements it is often necessary to configure different firewall security policies and routing policies for different ports. Because service ports are scarce, different network applications need to share ports. A given SSL VPN may use different TLS certificates for different organizations while being required to present the same IP address and TCP port at the Internet exit; even for a single organization it is desirable to use the same TCP port for both HTTPS and the SSL VPN.
HTTPS uses SNI to distinguish different sites:
when the HTTPS service receives the TLS message, it first examines the SNI field to determine which certificate to use for the TLS handshake; after the connection is established, the service also determines which site the user is visiting from the SNI field in the message.
Multiple addresses provide multiple SSL VPN services:
the service starts several completely independent processes, each listening on its own IP + port. The network protocol stack separates the traffic destined for the different processes: the destination addresses the client uses to reach the different SSL VPN services differ, and when the server receives an SSL message from the client it delivers it to the corresponding service process according to that address.
However, a browser cannot act as an SSL VPN client, and the SSL VPN service is also different from an HTTPS site.
Providing several SSL VPN services on separate addresses has the disadvantage of occupying more network address resources: different firewall rules must be set for the different IPs or ports of the network where the services are located, and different NAT rules and route forwarding rules may also have to be set.
Description of terms:
SSL: Secure Sockets Layer, a security protocol for network communication;
TLS: Transport Layer Security, the newer version of the SSL protocol;
SNI: Server Name Indication, an extension of the SSL/TLS protocol; see RFC 6066.
Disclosure of Invention
The invention aims to provide an SSL VPN multi-service address sharing system and sharing method which let HTTPS and the SSL VPN communicate over the same TCP port, reduce the network address resources occupied, and reduce the difficulty of management and the complexity of application deployment.
The invention is realized by the following technical scheme:
An SSL VPN multi-service address sharing system comprises an SSL VPN client provided with an SNI setting module, an SSL VPN server provided with an SNI proxy module and connected to the SSL VPN client, and a browser and HTTPS services each connected to the SNI proxy module, wherein the SNI setting module is connected to the SNI proxy module.
Furthermore, to better realize the invention, the SSL VPN server also comprises a plurality of SSL VPN services connected to the SNI proxy module, and the SNI proxy module, which proxies the SSL VPN services and the HTTPS services, is provided with a port for intercepting SSL requests.
An SSL VPN multi-service address sharing method comprises the following steps:
the Service Name field of the SSL protocol SNI extension is divided into class A Service Names and class B Service Names. An SSL VPN client uses a class A Service Name, or a browser uses a class B Service Name, to establish a connection with the SNI proxy module of the SSL VPN server; the SNI proxy module selects the server certificate and the service to be used; and the SSL VPN server distributes TCP connections according to the SNI field through the SNI proxy module, thereby achieving port sharing among a plurality of SSL VPN services and between the SSL VPN service and the HTTPS service.
Further, to better implement the invention, the method specifically comprises the following steps:
the SSL VPN client establishes a connection with the SSL VPN server; specifically, the user sets the SNI field through the SNI setting module in the SSL VPN client and the client connects to the SNI proxy module, as follows:
step A1, set the domain name or IP and port to connect to, and the class A Service Name of the SSL VPN service;
step A2, call the SSL library API to set SNI, setting the Service Name from step A1 on the SSL connection about to be initiated;
step A3, the SSL VPN client initiates an SSL connection carrying the class A Service Name, informing the SSL VPN server which certificate and service are requested.
Further, to better implement the present invention, the browser establishes a connection with the SSL VPN server, specifically:
when the browser accesses the HTTPS service it fills the domain name into the SNI field; that domain name is the class B Service Name in the SNI proxy configuration table of the SNI proxy module, and connection routing in the SNI proxy module is achieved through the correspondence of Service Names.
Further, to better implement the present invention, the SSL VPN server distributes TCP connections according to the SNI field through the SNI proxy module, specifically as follows:
step C1, configure one or more SSL certificates on the SSL VPN server and set a class A Service Name for each SSL certificate, where the class A Service Name is a string conforming to the DNS domain name format;
set a class B Service Name for the HTTPS service; the class B Service Name is a registered real domain name, so that a browser can reach it over the Internet;
step C2: set the 'SN <-> Service' correspondence between the class A Service Names, the class B Service Names and the certificates and services in the 'SN <-> Service' table of the SNI proxy module,
the correspondence being:
class A Service Name <-> Cert ID, where Cert ID is the ID of an SSL certificate;
class B Service Name <-> IP + TCP Port, where IP + TCP Port is the address on which the HTTPS service listens;
step C3, when the SSL VPN server receives the handshake message sent by the SSL client or browser, it first looks up the 'SN <-> Service' table to obtain either the ID of the SSL certificate to use or an 'IP + TCP Port' pair;
step C31, if a certificate ID is found, an SSL session is established;
step C32: otherwise, a communication connection with the HTTPS service is established.
Further, to better implement the present invention, establishing the SSL session in step C31 means that the SNI proxy module reads the certificate identified by the certificate ID and then uses it to handshake with the SSL client, establishing the SSL session and starting data communication.
Further, to better implement the present invention, establishing the communication connection with the HTTPS service in step C32 specifically comprises the following steps:
step C321: using the HTTPS service listening address found in the table, the SNI proxy module acts as a TCP reverse proxy for the connection initiated by the browser client;
step C322: the destination address of the message is changed to the HTTPS service listening address found in the table and a connection is established with the HTTPS service. After the connection is established, the browser communicates with the HTTPS service through the SNI proxy module.
Furthermore, to better realize the invention, each class A Service Name corresponds to one SSL server certificate, and the class A Service Name is issued by the SSL VPN service according to the SSL server certificate in use.
Compared with the prior art, the invention has the following advantages and beneficial effects:
(1) HTTPS and the SSL VPN service communicate over the same TCP port;
(2) through port sharing the invention reduces the network address resources occupied, effectively reduces the difficulty of management, and reduces the complexity of application deployment.
Drawings
FIG. 1 is a block diagram of the connection of an address sharing system according to the present invention;
FIG. 2 is a flow diagram of the operation of the SNI agent module of the present invention;
Detailed Description
The present invention will be described in further detail with reference to examples, but the embodiments of the present invention are not limited thereto.
Example 1:
The invention is realized by the following technical scheme. As shown in figure 1, the SSL VPN multi-service address sharing system comprises an SSL VPN client provided with an SNI setting module, an SSL VPN server provided with an SNI proxy module and connected to the SSL VPN client, and a browser and HTTPS services each connected to the SNI proxy module, wherein the SNI setting module is connected to the SNI proxy module.
It should be noted that IP addresses and TCP ports are important resources in a network environment: different firewall security policies and routing policies are often configured for different ports, and in a network environment with strict security requirements no port other than a well-known one (for example 443) may be allowed to be opened.
The browser sets the domain name into the TLS SNI field, and the SSL VPN client sets the SNI field from user configuration; in this way each client actively selects the HTTPS service certificate and the service it wants, and the SSL VPN server distributes TCP connections according to SNI through the SNI proxy, so that port sharing among several SSL VPN services and between the SSL VPN service and the HTTPS service is achieved.
Compared with traditional VPN technologies such as PPTP, L2TP and IPsec, the SSL VPN has the advantages of being lightweight and of traversing NAT easily. An SSL VPN implementation generally uses a server certificate as the credential that proves the server's identity to the client and prevents a man-in-the-middle from impersonating the service and stealing client data; this is the same role the HTTPS certificate, now in wide use, plays.
However, TLS certificates make it hard for several TLS services to share one IP address and port: before the SNI extension existed, the server had no way during the handshake to determine which SSL service the client wanted to talk to, and hence which certificate to use.
With this extension, during the SSL handshake the client informs the server of the hostname it is requesting by setting the SNI, and the server learns which service the client wants by examining the SNI field.
The SNI setting module is added to the open source SSL VPN client OpenConnect, the SNI proxy module is added to the open source SSL VPN server ocserv, and port sharing among several certificate-identified services and the HTTPS service is realized in ocserv.
Example 2:
In this embodiment a further optimization is made on the basis of the above embodiment. As shown in fig. 2, the SSL VPN server further comprises a plurality of SSL VPN services connected to the SNI proxy module, and the SNI proxy module is provided with a plurality of ports for the connections of the SSL VPN services and/or the HTTPS services.
Furthermore, to better implement the invention, the SSL VPN server also comprises a plurality of SSL VPN services connected to the SNI proxy module, and the SNI proxy module is provided with ports for intercepting the SSL VPN services and the HTTPS services.
It should be noted that through the above improvement and port sharing, HTTPS and the SSL VPN communicate over the same TCP port, which reduces the network address resources occupied, effectively reduces the difficulty of management, and reduces the complexity of application deployment.
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
Example 3:
This embodiment is further optimized on the basis of the above embodiments. As shown in fig. 1, the SSL VPN multi-service address sharing method divides the Service Name field of the SSL protocol SNI extension into class A Service Names and class B Service Names. An SSL VPN client uses a class A Service Name, or a browser uses a class B Service Name, to establish a connection with the SNI proxy module of the SSL VPN server; the SNI proxy module selects the server certificate and the service to be used; and the SSL VPN server distributes TCP connections according to the SNI field through the SNI proxy module, thereby achieving port sharing among a plurality of SSL VPN services and between the SSL VPN service and the HTTPS service.
The browser client or the SSL VPN client connects to the SSL VPN server, the SNI proxy module selects the server certificate and the service to be used, and the SSL VPN server distributes TCP connections according to the SNI field through the SNI proxy module, so that port sharing among several SSL VPN services, between the SSL VPN services and the HTTPS services, and the connection between the browser and the HTTPS services are all achieved.
During communication the SNI proxy module is responsible for judging whether a connection request comes from a browser client or from an SSL VPN client, and for establishing the connection between that client and the server.
SNI setting module:
Before the SNI setting module was introduced, the SSL VPN client was a standard SSL VPN client such as the open source OpenConnect client:
1. The user sets the domain name or IP and the port to connect to.
2. The SSL VPN client calls the SSL library functions to initiate an SSL connection to the SSL VPN server, with the SNI field not set.
3. The SSL VPN client handshakes successfully with the server and an SSL session is established; the server uses its single certificate, issued for the domain name or IP from step 1.
After the SNI setting module is introduced, the procedure by which the SSL VPN client connects to the SSL VPN server changes as follows:
1. In addition to setting the domain name or IP and the port of the server to connect to, the user also sets the Service Name of the service, which the SSL VPN server issues according to the certificate it uses.
2. Before calling the SSL library function that initiates the SSL connection, the client calls the SSL library function that sets SNI, setting the Service Name entered in the previous step on the SSL connection about to be initiated.
3. The SSL VPN client initiates the SSL connection; the SNI field of the ClientHello handshake message carries the Service Name, informing the server which certificate and service are requested.
4. The SSL VPN client handshakes successfully with the server and an SSL session is established; the server uses the certificate configured for that Service Name rather than the single certificate bound to the domain name or IP.
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
Example 4:
This embodiment is further optimized on the basis of the above embodiment. As shown in fig. 1 and fig. 2, and further to better implement the present invention, the method specifically comprises the following steps:
the SSL VPN client establishes a connection with the SSL VPN server; specifically, the user sets the SNI field through the SNI setting module in the SSL VPN client and the client connects to the SNI proxy module, as follows:
step A1, set the domain name or IP and port to connect to, and the class A Service Name of the SSL VPN service;
step A2, call the SSL library API to set SNI, setting the Service Name from step A1 on the SSL connection about to be initiated;
It should be noted that this embodiment mainly describes how, once the SNI setting module has been added to the SSL VPN client, the SSL VPN client connects to the SNI proxy module in the SSL VPN server, thereby achieving communication between the SSL VPN client and the SSL VPN server.
With this extension, during the SSL handshake the client informs the server of the hostname it is requesting by setting the SNI, and the server learns which service the client wants by examining the SNI field.
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
Example 5:
This embodiment is further optimized on the basis of the above embodiment. As shown in fig. 1, and further to better implement the present invention, the connection between the browser and the SSL VPN server is established as follows:
when the browser accesses the HTTPS service it fills the domain name into the SNI field; that domain name is the class B Service Name in the SNI proxy configuration table of the SNI proxy module, and connection routing in the SNI proxy module is achieved through the correspondence of Service Names.
The connection between the browser and the SNI proxy module is made through this correspondence, specifically: after intercepting the handshake message of the HTTPS request, the SNI proxy module looks up its SNI proxy configuration table by the class B Service Name the browser filled in, thereby obtaining the real service address on which the HTTPS service listens.
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
Example 6:
In this embodiment a further optimization is made on the basis of the above embodiment. As shown in fig. 2, the SSL VPN server distributes TCP connections according to the SNI field through the SNI proxy module, specifically as follows:
step C1, configure one or more SSL certificates on the SSL VPN server and set a class A Service Name for each SSL certificate, where the class A Service Name is a string conforming to the DNS domain name format;
set a class B Service Name for the HTTPS service; the class B Service Name is a registered real domain name, so that a browser can reach it over the Internet;
step C2: set the 'SN <-> Service' correspondence between the class A Service Names, the class B Service Names and the certificates and services in the 'SN <-> Service' table of the SNI proxy module,
the correspondence being:
class A Service Name <-> Cert ID, where Cert ID is the ID of an SSL certificate;
class B Service Name <-> IP + TCP Port, where IP + TCP Port is the address on which the HTTPS service listens;
step C3, when the SSL VPN server receives the handshake message sent by the SSL client or browser, it first looks up the 'SN <-> Service' table to obtain either the ID of the SSL certificate to use or an 'IP + TCP Port' pair;
step C31, if a certificate ID is found, an SSL session is established;
step C32: otherwise, the communication connection between the browser and the HTTPS service is established.
It should be noted that before the SNI proxy module is introduced, the SSL VPN server is a standard SSL VPN server program such as the open source ocserv:
1. Configure the server certificate and the IP address and port on which the SSL VPN service listens.
2. Receive the handshake request message sent by the SSL VPN client and handshake with the client using the certificate configured in the previous step.
3. After the handshake succeeds, obtain the file descriptor of the data connection to the client and communicate with the client over it.
Compared with the prior art, introducing the SNI proxy module into the SSL VPN server changes how the SSL VPN service handles the TLS connection in the following respects:
1. The SSL VPN server certificate configuration allows multiple certificates. Each certificate is assigned a unique numeric ID and a Service Name, and each certificate represents one SSL VPN service; these services may belong to different organizations.
2. The TLS message sent by the client is handled by the SNI proxy module, which selects the certificate to handshake with the client according to the configured Service Name; this is how the client chooses which organization's SSL VPN it communicates with.
3. After the handshake succeeds, the SNI proxy module obtains the file descriptor of the data connection to the client and hands it to the SSL VPN service, which communicates with the client through that descriptor.
Fig. 2 shows that the step 'query proxy configuration by Service Name' uses a two-dimensional table whose key is the Service Name and whose value is a Cert ID or a service address. The table format is shown in table 1 and an example proxy configuration in table 2:
    Key                    Value
    class A Service Name   Cert ID
    class B Service Name   IP + TCP Port
TABLE 1
    VPN.Service1           1
    VPN.Service2           2
    VPN.Service3           3
    www.example.com        127.0.0.1:443
TABLE 2
The HTTPS service is a program running on the same machine, listening on a local host address such as 127.0.0.1:443; the 'IP + TCP Port' of table 1 is the address on which the HTTPS service listens.
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
Example 7:
This embodiment is further optimized on the basis of the foregoing embodiment. As shown in fig. 1, and further to better implement the present invention, establishing the SSL session in step C31 means that the SNI proxy module reads the certificate identified by the certificate ID and then uses it to handshake with the SSL client, establishing the SSL session and starting data communication.
Further, to better implement the present invention, establishing the communication connection between the browser and the HTTPS service in step C32 specifically comprises the following steps:
step C321: using the HTTPS service listening address found in the table, the SNI proxy module acts as a TCP reverse proxy for the connection initiated by the browser client;
step C322: the destination address of the message is changed to the HTTPS service listening address found in the table and a connection is established with the HTTPS service. After the connection is established, the browser communicates with the HTTPS service through the SNI proxy module.
Furthermore, to better realize the invention, each class A Service Name corresponds to one SSL server certificate, and the class A Service Name is issued by the SSL VPN service according to the SSL server certificate in use.
It should be noted that through the above improvement the SNI proxy service is compatible with the HTTPS service, which is described as follows:
1. For the HTTPS service the certificate used is typically issued by a certificate authority for the real domain name rather than self-signed, and the Service Name used in the SNI proxy configuration table is the domain name in that certificate.
2. When the browser accesses the HTTPS service it fills the domain name into the TLS SNI field; after intercepting the handshake message of the HTTPS request, the SNI proxy module looks up the proxy configuration table by the Service Name the browser filled in and obtains the real service address on which the HTTPS service listens.
3. The SNI proxy module acts as a TCP reverse proxy: it takes the browser's place as the TCP client and establishes a connection with the real HTTPS service.
4. After the connection is established, the communication path between the browser and the HTTPS service is: browser <-> SNI proxy module <-> HTTPS service.
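The two procedures described above, the client setting SNI (steps A1 to A3, Examples 3 and 4) and the server distributing connections by SNI (steps C1 to C322, Examples 6 and 7), as one added worked example in Python. This is illustrative code written for this page, not the OpenConnect or ocserv changes the patent describes. It transcribes table 2 as the 'SN <-> Service' table, builds a ClientHello the way step A2 does (by handing the Service Name to the TLS library as the server hostname), parses the SNI out of the raw record on the server side, and returns the routing decision of step C3. Two points are this example's own assumptions rather than the patent's: a name found in neither table is rejected instead of falling through to the HTTPS service, and the ClientHello is read with MSG_PEEK so the socket can be handed over untouched. The record produced by build_client_hello is constructed test input, not a capture.

```python
"""Added example (not the patent's ocserv/OpenConnect code): SNI-based TCP
connection distribution as in steps C1-C32, plus the client side of A1-A3.
class A name -> Cert ID : proxy/VPN completes the TLS handshake itself
class B name -> ip:port : plain TCP reverse proxy to the local HTTPS listener
anything else -> reject : assumption; the patent only says "otherwise, HTTPS"."""
import socket
import ssl
import struct

# "SN <-> Service" table transcribed from table 2; keys lower-cased (DNS-style names)
CLASS_A = {"vpn.service1": 1, "vpn.service2": 2, "vpn.service3": 3}
CLASS_B = {"www.example.com": ("127.0.0.1", 443)}

TLS_HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME, HOST_NAME = 0x16, 0x01, 0x0000, 0x00


def parse_sni(data: bytes):
    """Return the SNI host_name from a raw TLS record carrying a ClientHello, or None
    if it is malformed or incomplete; every offset is bounds-checked (untrusted peer)."""
    try:
        if len(data) < 5 or data[0] != TLS_HANDSHAKE:
            return None
        body = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if len(body) < 4 or body[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) < hs_len:
            return None                                   # truncated ClientHello
        pos = 2 + 32                                      # client_version + random
        pos += 1 + hello[pos]                             # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                             # compression_methods
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        if end > len(hello):
            return None
        while pos + 4 <= end:                             # walk the extensions
            ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4])
            ext, pos = hello[pos + 4:pos + 4 + ext_size], pos + 4 + ext_size
            if ext_type != EXT_SERVER_NAME:
                continue
            lst, p = ext[2:2 + struct.unpack("!H", ext[:2])[0]], 0
            while p + 3 <= len(lst):                      # ServerNameList entries
                name_type, name_len = lst[p], struct.unpack("!H", lst[p + 1:p + 3])[0]
                name, p = lst[p + 3:p + 3 + name_len], p + 3 + name_len
                if name_type == HOST_NAME and len(name) == name_len:
                    return name.decode("ascii")
            return None                                   # SNI without a host_name
        return None                                       # no SNI extension
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def route(sni):
    """Step C3 lookup: C31 -> handshake with certificate ID, C32 -> proxy to the
    HTTPS listener, otherwise reject (this example's fail-closed assumption)."""
    key = (sni or "").lower()
    if key in CLASS_A:
        return ("handshake", CLASS_A[key])
    if key in CLASS_B:
        return ("proxy", CLASS_B[key])
    return ("reject", None)


def build_client_hello(name: bytes) -> bytes:
    """Constructed minimal ClientHello with one SNI entry (test input, not a capture)."""
    sni = b"\x00" + struct.pack("!H", len(name)) + name
    sni = struct.pack("!H", len(sni)) + sni
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"          # version, random, no session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"            # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs


def client_hello_with_sni(service_name: str) -> bytes:
    """Steps A2/A3 on the client: give the TLS library (OpenSSL via ssl.MemoryBIO)
    the Service Name as server hostname and capture the ClientHello it emits."""
    ctx = ssl.create_default_context()
    inbound, outbound = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(inbound, outbound, server_side=False, server_hostname=service_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                                              # ClientHello written, awaiting ServerHello
    return outbound.read()


def peek_route(conn: socket.socket):
    """Server side of C3 on a live socket: MSG_PEEK leaves the ClientHello queued, so the
    untouched fd can go to the TLS library (class A) or be relayed to HTTPS (class B)."""
    return route(parse_sni(conn.recv(16384, socket.MSG_PEEK)))
```

Calling route(parse_sni(client_hello_with_sni("vpn.service2"))) returns ("handshake", 2), and the same call with "www.example.com" returns ("proxy", ("127.0.0.1", 443)). Two things a deployment needs that the patent does not spell out: parse_sni returns None both for garbage and for a ClientHello that has not fully arrived yet, so a real proxy should keep peeking until the record is complete (or a timeout expires) before rejecting; and because SNI travels in cleartext, class A Service Names, and therefore which organization's VPN a client belongs to, are visible to anyone on the path, so they must not be treated as secrets or as a form of authentication.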
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and all simple modifications and equivalent variations of the above embodiments according to the technical spirit of the present invention are included in the scope of the present invention.

Claims (8)

1. An SS L VPN multi-service address sharing system is characterized by comprising an SS L VPN client provided with an SNI setting module, an SS L VPN server provided with an SNI agent module and connected with the SS L VPN client, a browser and HTTPS services respectively connected with the SNI agent module, wherein the SNI setting module is connected with the SNI agent module.
2. The SS L VPN multi-service address sharing system according to claim 1, wherein the SS L VPN service end further comprises a plurality of SS L VPN services connected to SNI agent modules, and the SNI agent modules agent the SS L VPN services and HTTPS services and are provided with ports for intercepting SS L requests.
3. The SS L VPN multi-service address sharing method according to claim 2, wherein:
the method includes the steps that a Service Name field in an SS L protocol SNI extension is divided into a class A Service Name and a class B Service Name, an SS L VPN client uses the class A Service Name or a browser uses the class B Service Name to establish connection with an SNI proxy module of an SS L VPN Service end, the SNI proxy module selects a Service end certificate and Service to be used, the SS L VPN Service end achieves TCP connection distribution based on the SNI field through the SNI proxy module, and therefore port sharing among a plurality of SS L VPN services and between the SS L VPN Service and the HTTPS Service is achieved.
4. The SSL VPN multi-service address sharing method according to claim 3, comprising the following steps:
the SSL VPN client establishes a connection with the SSL VPN server; specifically, a user sets the SNI field through the SNI setting module of the SSL VPN client and establishes a connection with the SNI proxy module, which comprises:
step A1, setting the domain name or IP address and port to connect to, and the class A Service Name of the SSL VPN service;
step A2, calling the SSL library API to set the SNI, so that the Service Name is attached to the SSL connection about to be initiated;
step A3, the SSL VPN client initiates an SSL connection carrying the class A Service Name, thereby informing the SSL VPN server of the requested certificate and service.
5. The SSL VPN multi-service address sharing method according to claim 3, wherein the browser establishes a connection with the SSL VPN server as follows:
when the browser accesses an HTTPS service, it fills the domain name into the SNI field; that domain name is configured as a class B Service Name in the SNI proxy configuration table of the SNI proxy module, and the SNI proxy module connects and routes the connection according to the Service Name correspondence.
6. The SSL VPN multi-service address sharing method according to claim 3 or 4, wherein the SSL VPN server performs TCP connection distribution based on the SNI field through the SNI proxy module in the following steps:
step C1, configuring one or more SSL certificates on the SSL VPN server and assigning a class A Service Name to each SSL certificate, the class A Service Name being a string in DNS domain name format;
and setting a class B Service Name for the HTTPS service, the class B Service Name being a registered, real domain name so that a browser can reach it over the Internet;
step C2, establishing the correspondence between class A Service Names, class B Service Names and the certificates or services, and storing it in the "SN <-> Service" correspondence table of the SNI proxy module,
the correspondence being:
class A Service Name <-> Cert ID, where Cert ID denotes the SSL certificate ID;
class B Service Name <-> IP + TCP Port, where IP + TCP Port denotes the address on which the HTTPS service listens;
step C3, when the SSL VPN server receives a handshake message sent by the SSL VPN client or the browser, first looking up the "SN <-> Service" correspondence table to obtain the ID of the SSL certificate to use or an "IP + TCP Port" pair;
step C31, if a certificate ID is found, establishing the SSL session connection;
step C32, otherwise, establishing a communication connection with the HTTPS service.
7. The SSL VPN multi-service address sharing method according to claim 6, wherein the SSL session connection of step C31 is established by the SNI proxy module reading the certificate identified by the certificate ID and then handshaking with the SSL client using that certificate, so that the SSL session is established and data communication begins.
8. The SSL VPN multi-service address sharing method according to claim 7, wherein step C32, establishing a communication connection with the HTTPS service, specifically comprises:
step C321, according to the found HTTPS service listening address, the SNI proxy module acts as a TCP proxy and reverse-proxies the connection initiated by the browser client;
step C322, the destination address of the message is rewritten to the found HTTPS service listening address, and a connection with the HTTPS service is established;
and after the connection is established, the browser communicates with the HTTPS service through the SNI proxy module.
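The distribution logic of claims 3 and 6 to 8, as an added example that is not code from the patent or from its assignee: a single listening port peeks at the TLS ClientHello, extracts the SNI host_name, looks it up in the "SN <-> Service" table, and then either terminates TLS with the certificate mapped to a class A name (step C31) or reverse-proxies the untouched TLS stream to the HTTPS backend mapped to a class B name (step C32). The service names, certificate IDs, backend address and the `cert_files` path mapping are assumptions made for the example; the ClientHello used as input is constructed by `build_client_hello`, and the connection handler relies on `MSG_PEEK`, which is available on POSIX sockets.

```python
"""SNI-based TCP demultiplexer: one port shared by TLS-terminated SSL VPN services (class A) and pass-through HTTPS backends (class B)."""
import socket
import ssl
import struct
import threading

# "SN <-> Service" table of step C2. Names, IDs and the backend address are constructed for this example.
CLASS_A_CERTS = {                  # class A Service Name -> Cert ID (TLS is terminated here)
    "vpn-a.internal": "cert-vpn-a",
    "vpn-b.internal": "cert-vpn-b",
}
CLASS_B_BACKENDS = {               # class B Service Name -> (IP, TCP port) the HTTPS service listens on
    "www.example.com": ("127.0.0.1", 8443),
}

def parse_sni(data: bytes):
    """host_name from a ClientHello's SNI extension, or None; every length is bounds-checked (peer is unauthenticated)."""
    if len(data) < 5 or data[0] != 0x16:                        # record type 22 = handshake
        return None
    body = data[5:5 + struct.unpack(">H", data[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:                         # handshake type 1 = ClientHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len:                                      # record not fully buffered yet
        return None
    try:
        pos = 2 + 32 + 1 + hello[34]                             # client_version, random, session_id
        pos += 2 + struct.unpack(">H", hello[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + hello[pos]                                    # compression_methods
        end = pos + 2 + struct.unpack(">H", hello[pos:pos + 2])[0]   # extensions block
        pos += 2
    except (IndexError, struct.error):                           # any lie about a length lands here
        return None
    if end > len(hello):
        return None
    while pos + 4 <= end:                                        # walk the extension list
        ext_type, ext_size = struct.unpack(">HH", hello[pos:pos + 4])
        ext = hello[pos + 4:pos + 4 + ext_size]
        pos += 4 + ext_size
        if ext_type != 0 or len(ext) < 2:                        # extension 0 = server_name
            continue
        names = ext[2:2 + struct.unpack(">H", ext[:2])[0]]
        i = 0
        while i + 3 <= len(names):
            name_len = struct.unpack(">H", names[i + 1:i + 3])[0]
            name = names[i + 3:i + 3 + name_len]
            if names[i] == 0 and len(name) == name_len:          # name_type 0 = host_name
                return name.decode("ascii") if name.isascii() else None
            i += 3 + name_len
    return None

def build_client_hello(host: str) -> bytes:
    """Minimal ClientHello carrying only an SNI extension (constructed sample input, not a real capture)."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack(">H", len(name)) + name
    ext_body = struct.pack(">H", len(entry)) + entry
    ext = struct.pack(">HH", 0, len(ext_body)) + ext_body
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                # version, random, empty session_id
             + struct.pack(">H", 2) + b"\x13\x01"                # one cipher suite
             + b"\x01\x00"                                       # null compression
             + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

def route(sni):
    """Steps C3/C31/C32: certificate ID first, then HTTPS backend, otherwise reject."""
    if sni in CLASS_A_CERTS:
        return ("terminate", CLASS_A_CERTS[sni])
    if sni in CLASS_B_BACKENDS:
        return ("forward", CLASS_B_BACKENDS[sni])
    return None                                                  # unknown or absent SNI: no default service

def _relay(src, dst):
    for chunk in iter(lambda: src.recv(65536), b""):
        dst.sendall(chunk)
    dst.close()

def handle(conn, cert_files):
    """Serve one accepted socket. cert_files: Cert ID -> (certfile, keyfile); assumed paths, not from the page."""
    decision = route(parse_sni(conn.recv(16384, socket.MSG_PEEK)))   # peek, leave the bytes in the socket
    if decision is None:
        conn.close()                                             # refuse rather than guess a service
        return
    kind, target = decision
    if kind == "terminate":                                      # C31: handshake with the selected certificate
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(*cert_files[target])
        tls = ctx.wrap_socket(conn, server_side=True)            # the handshake consumes the peeked ClientHello
        tls.close()                                              # hand `tls` to the VPN service instead
    else:                                                        # C32: forward the raw TLS stream unchanged
        backend = socket.create_connection(target)
        threading.Thread(target=_relay, args=(backend, conn), daemon=True).start()
        _relay(conn, backend)
```

Two points a practitioner should check before deploying this pattern. First, `route` returns `None` for an unrecognized or missing SNI and `handle` closes the socket; a demultiplexer that falls back to a default service instead lets a client reach the HTTPS backend or a VPN certificate it never named. Second, because class A names are cleartext in the ClientHello and are not public DNS names, the VPN client must validate or pin the certificate it receives for its class A name, and a single peek may return only part of a ClientHello that arrived in several segments, so production code should keep peeking until `parse_sni` has a complete record or a size limit is hit. Encrypted Client Hello hides the SNI entirely and defeats this kind of routing.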
CN202010260442.5A 2020-04-03 2020-04-03 SSL VPN multi-service address sharing system and sharing method Active CN111490985B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010260442.5A CN111490985B (en) 2020-04-03 2020-04-03 SSL VPN multi-service address sharing system and sharing method

Publications (2)

Publication Number Publication Date
CN111490985A true CN111490985A (en) 2020-08-04
CN111490985B CN111490985B (en) 2022-02-25

Family

ID=71798676

Country Status (1)

Country Link
CN (1) CN111490985B (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150074751A1 (en) * 2008-01-26 2015-03-12 Citrix Systems, Inc. Systems and methods for fine grain policy driven clientless ssl vpn access
CN105634904A (en) * 2016-01-19 2016-06-01 深圳前海达闼云端智能科技有限公司 SSLVPN proxy method, server, client and processing method thereof
US20190028439A1 (en) * 2017-07-24 2019-01-24 Centripetal Networks, Inc. Efficient SSL/TLS Proxy
CN108156224A (en) * 2017-12-14 2018-06-12 上海格尔软件股份有限公司 The method that self-defined agent tunnel agreement is realized based on tls protocol SNI mechanism

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
毛宇航 (Mao Yuhang): "Security Analysis of the Authentication and Authorization Protocol Implementations of IoT Platforms", China Master's Theses Full-text Database (Information Science and Technology) *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114189493A (en) * 2021-11-08 2022-03-15 深圳市酷开网络科技股份有限公司 Distributed signaling communication method, computer device, signaling system, and storage medium
CN114189493B (en) * 2021-11-08 2024-04-12 深圳市酷开网络科技股份有限公司 Distributed signaling communication method, computer device, signaling system and storage medium
CN114268657A (en) * 2021-12-24 2022-04-01 北京天威诚信电子商务服务有限公司 Method and system for establishing SSL _ TLS communication between browser application and local application
CN114268657B (en) * 2021-12-24 2024-05-24 北京天威诚信电子商务服务有限公司 Method and system for establishing SSL_TLS communication between browser application and local application
CN115396531A (en) * 2022-08-23 2022-11-25 臻乐尔科技服务(上海)有限公司 IP multiplexing method and system for TCP/UDP proxy
CN115396531B (en) * 2022-08-23 2023-10-17 臻乐尔科技服务(上海)有限公司 IP multiplexing method and system of TCP/UDP proxy

Also Published As

Publication number Publication date
CN111490985B (en) 2022-02-25

Similar Documents

Publication Publication Date Title
US10079803B2 (en) Peer-to-peer connection establishment using TURN
US11825310B2 (en) Methods, systems, and computer readable media for mitigating 5G roaming spoofing attacks
US11832172B2 (en) Methods, systems, and computer readable media for mitigating spoofing attacks on security edge protection proxy (SEPP) inter-public land mobile network (inter-PLMN) forwarding interface
US12114249B2 (en) Method for identification of traffic suitable for edge breakout and for traffic steering in a mobile network
US6751677B1 (en) Method and apparatus for allowing a secure and transparent communication between a user device and servers of a data access network system via a firewall and a gateway
JP4708376B2 (en) Method and system for securing access to a private network
CN111490985B (en) SSL VPN multi-service address sharing system and sharing method
JP3819295B2 (en) Public network access server with user configurable firewall
US20040179537A1 (en) Method and apparatus providing a mobile server function in a wireless communications device
CN110784434B (en) Communication method and device
US20230336377A1 (en) Packet forwarding method and apparatus, and network system
US9413590B2 (en) Method for management of a secured transfer session through an address translation device, corresponding server and computer program
CN113872933B (en) Method, system, device, equipment and storage medium for hiding source station
WO2024000975A1 (en) Session establishment system and method, electronic device, and storage medium
US20130268584A1 (en) Methods and apparatus for publishing and subscribing electronic documents using intermediate rendezvous servers
WO2014001871A1 (en) System and method for facilitating communication between multiple networks
CN101572729B (en) Processing method of node information of virtual private network, interrelated equipment and system
KR100660123B1 (en) Vpn server system and vpn terminal for a nat traversal
JP2003504898A (en) Addressing methods and name and address servers in digital networks
CN113595848A (en) Communication tunnel establishment method, device, equipment and storage medium
TWI608749B (en) Method for controlling a client device to access a network device, and associated control apparatus
CN116647538B (en) Connecting device capable of accessing different intranet services
US6983332B1 (en) Port-bundle host-key mechanism
WO2023070500A1 (en) Communication devices and methods therein for facilitating ike communications
US20230379304A1 (en) Policy-based dynamic vpn profile selection using dns protocol

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant