CN114513362A - Long connection communication processing method and device based on TLS protocol - Google Patents


Info

Publication number
CN114513362A
Authority
CN
China
Prior art keywords
connection
client
client side
request
establishing
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210163136.9A
Other languages
Chinese (zh)
Inventor
刘春梅
郭玉超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Bank of China Ltd
Original Assignee
Bank of China Ltd

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
      • H04L 63/08 ... for authentication of entities
        • H04L 63/0823 ... using certificates
      • H04L 63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
        • H04L 63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
      • H04L 67/14 Session management
        • H04L 67/141 Setup of application sessions
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
      • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a long-connection communication processing method and device based on the TLS protocol, in the technical field of financial data security. The method comprises: establishing an encrypted channel between the client side and the service side based on the TLS protocol, with the certificates used for mutual identity authentication of the two communicating parties provisioned on that channel; when a connection establishment request sent by the client side is received, authenticating both parties with the certificates and verifying the integrity of the request data sent by the client side; if the identity authentication passes and the request data verifies, establishing a SOCKET long connection inside the encrypted channel; and forwarding the connection establishment request over the SOCKET long connection to the application end, establishing the connection between the client side and the application end, and carrying out message transmission between the client side and the application end.

Description

Long connection communication processing method and device based on TLS protocol
Technical Field
The invention relates to the technical field of financial data security, in particular to a long-connection communication processing method and device based on a TLS protocol.
Background
This section is intended to provide a background or context to the embodiments of the invention that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
With the wide adoption of financial payment scenarios, requirements on data security keep rising. In the commonly used TCP and UDP transmission modes the packets travel in the clear: they can be captured in transit and their contents read directly, which poses a serious challenge to the security of financial information carried over a private line using plain TCP.
The existing approaches to the communication protocol are: establishing an HTTPS connection on top of the TLS protocol, which in the request/response form considered here does not provide the long-connection communication needed; and a SOCKET-based long connection, which uses plain TCP transmission with no encryption and no identity authentication, so message transmission security is low.
A technical solution that ensures data security while improving communication efficiency is therefore needed to overcome these drawbacks.
Disclosure of Invention
To solve the above problems in the prior art, the invention provides a long-connection communication processing method and device based on the TLS protocol. By setting up an encrypted channel it provides a more reliable security guarantee, and basing information transmission on the TLS protocol greatly improves its security. Through the encryption, identity verification and data integrity properties of the TLS protocol, the probability of data being intercepted is reduced, the difficulty of cracking it is increased, and data detected as tampered or forged can be identified and discarded in time. Wrapping the TLS protocol around the outer layer of the private-line connection greatly improves the security of financial information transmission.
In a first aspect of the embodiments of the present invention, a long-connection communication processing method based on the TLS protocol is provided, comprising:
establishing an encrypted channel between the client side and the service side based on the TLS protocol, the certificates used for mutual identity authentication of the two communicating parties being provisioned on the encrypted channel;
when a connection establishment request sent by the client side is received, authenticating both communicating parties with the certificates and verifying the integrity of the request data sent by the client side;
if the identity authentication passes and the request data verifies, establishing a SOCKET long connection inside the encrypted channel;
and forwarding the connection establishment request over the SOCKET long connection to the application end, establishing the connection between the client side and the application end, and carrying out message transmission between the client side and the application end.
Further, establishing the encrypted channel between the client side and the service side based on the TLS protocol comprises:
obtaining the port number and address whitelist agreed between the client side and the service side, configuring the SSL accelerator accordingly, and establishing the encrypted channel between the client side and the service side based on the TLS protocol.
Further, when the connection establishment request sent by the client side is received, authenticating both communicating parties with the certificates and verifying the integrity of the request data sent by the client side comprises:
when the SSL accelerator recognises the connection establishment request, the service side authenticating the client side by verifying the client-side certificate and the client side authenticating the service side by verifying the service-side certificate (two-way authentication);
verifying the integrity of the request data sent by the client side;
and if the identity authentication fails or the request data check fails, discarding the connection establishment request.
Further, if the identity authentication passes and the request data check passes, establishing the SOCKET long connection inside the encrypted channel comprises:
establishing, on the TCP protocol, a connection between the two communicating parties that is kept open for a long time, and keeping the long connection alive with an automatic reconnection mechanism.
Further, forwarding the connection establishment request over the SOCKET long connection to the application end, establishing the connection between the client side and the application end and carrying out message transmission between them comprises:
when the application end receives the connection establishment request from the client side, judging whether the client side's port arrived through the encrypted channel;
if so, accepting the connection establishment request;
if not, judging whether the request meets the application end's parameter configuration; if it does, accepting the connection establishment request, otherwise discarding it.
Further, the method also comprises:
after the connection between the client side and the application end is established, verifying with the certificate the integrity of the messages transmitted between the client side and the application end.
In a second aspect of the embodiments of the present invention, a long-connection communication processing apparatus based on the TLS protocol is provided, comprising:
an encrypted channel establishing module, configured to establish an encrypted channel between the client side and the service side based on the TLS protocol, the certificates used for mutual identity authentication of the two communicating parties being provisioned on the encrypted channel;
a request analysis module, configured to authenticate both communicating parties with the certificates when a connection establishment request sent by the client side is received, and to verify the integrity of the request data sent by the client side;
a long connection commun​ication module, configured to establish a SOCKET long connection inside the encrypted channel if the identity authentication passes and the request data verifies;
and an application end processing module, configured to forward the connection establishment request over the SOCKET long connection to the application end, establish the connection between the client side and the application end, and carry out message transmission between the client side and the application end.
Further, the encrypted channel establishing module is specifically configured to:
obtain the port number and address whitelist agreed between the client side and the service side, configure the SSL accelerator accordingly, and establish the encrypted channel between the client side and the service side based on the TLS protocol.
Further, the request analysis module is specifically configured to:
when the SSL accelerator recognises the connection establishment request, have the service side authenticate the client side by verifying the client-side certificate and the client side authenticate the service side by verifying the service-side certificate (two-way authentication);
verify the integrity of the request data sent by the client side;
and if the identity authentication fails or the request data check fails, discard the connection establishment request.
Further, the long connection communication module is specifically configured to:
establish, on the TCP protocol, a connection between the two communicating parties that is kept open for a long time, and keep the long connection alive with an automatic reconnection mechanism.
Further, the application end processing module is specifically configured to:
when the application end receives the connection establishment request from the client side, judge whether the client side's port arrived through the encrypted channel;
if so, accept the connection establishment request;
if not, judge whether the request meets the application end's parameter configuration; if it does, accept the connection establishment request, otherwise discard it.
Further, the application end processing module is further configured to:
after the connection between the client side and the application end is established, verify with the certificate the integrity of the messages transmitted between the client side and the application end.
In a third aspect of the embodiments of the present invention, a computer device is provided, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements a long connection communication processing method based on a TLS protocol when executing the computer program.
In a fourth aspect of the embodiments of the present invention, a computer-readable storage medium is provided, in which a computer program is stored, and the computer program, when executed by a processor, implements a long-connection communication processing method based on a TLS protocol.
In a fifth aspect of the embodiments of the present invention, a computer program product is provided, where the computer program product includes a computer program, and the computer program is executed by a processor to implement a long connection communication processing method based on a TLS protocol.
The TLS protocol-based long-connection communication processing method and device can establish an encrypted channel between the client side and the service side based on the TLS protocol, with the certificates used for mutual identity verification provisioned on that channel; when a connection establishment request sent by the client side is received, authenticate both parties with the certificates and verify the integrity of the request data sent by the client side; if the identity authentication passes and the request data verifies, establish a SOCKET long connection inside the encrypted channel; and forward the connection establishment request over the SOCKET long connection to the application end, establish the connection between the client side and the application end, and carry out message transmission between them. The scheme as a whole provides a more reliable security guarantee by establishing the encrypted channel, and adopting the TLS protocol greatly improves the security of information transmission. Through the encryption, authentication and data integrity properties of the TLS protocol, the probability of data being intercepted is reduced, the difficulty of cracking it is increased, and data detected as tampered or forged can be identified and discarded in time; wrapping the TLS protocol around the outer layer of the private-line connection greatly improves the security of financial information transmission.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the description below are some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
Fig. 1 is a schematic flow chart of a long connection communication processing method based on the TLS protocol according to an embodiment of the present invention.
Fig. 2 is a flowchart illustrating authentication and integrity check of request data according to an embodiment of the present invention.
Fig. 3 is a flowchart illustrating an application-side process according to an embodiment of the invention.
Fig. 4 is a schematic diagram of an architecture of a long-connection communication processing device based on the TLS protocol according to an embodiment of the present invention.
Fig. 5 is a schematic structural diagram of a computer device according to an embodiment of the present invention.
Detailed Description
The principles and spirit of the present invention will be described with reference to a number of exemplary embodiments. It is understood that these embodiments are given solely for the purpose of enabling those skilled in the art to better understand and to practice the invention, and are not intended to limit the scope of the invention in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As will be appreciated by one skilled in the art, embodiments of the present invention may be embodied as a system, apparatus, device, method, or computer program product. Accordingly, the present disclosure may be embodied in the form of: entirely hardware, entirely software (including firmware, resident software, micro-code, etc.), or a combination of hardware and software.
According to the embodiments of the invention, a long-connection communication processing method and device based on the TLS protocol are provided, in the technical field of financial data security. By wrapping the TLS protocol around the outer layer of the SOCKET long-connection protocol, the invention achieves encryption of message transmission, authentication of the client side's identity and data integrity checking, and so improves communication security. First, according to the port number and address whitelist agreed by the two communicating parties, an encrypted channel is established between them based on the TLS protocol and the certificates for mutual identity verification are provisioned on the channel; then an ordinary SOCKET-based long connection is established inside the channel. When the service side receives a connection establishment request from the client side, it authenticates the requesting party using the certificates; only requests that pass identity authentication are forwarded to the application end processing module. Having received such a request, the application end can accept the client side's request without further authentication or verification, and message transmission begins once the connection is established.
The principles and spirit of the present invention are explained in detail below with reference to several representative embodiments of the invention.
Fig. 1 is a schematic flow chart of a long connection communication processing method based on the TLS protocol according to an embodiment of the present invention. As shown in fig. 1, the method includes:
S101, establishing an encrypted channel between the client side and the service side based on the TLS protocol, the certificates used for mutual identity authentication of the two communicating parties being provisioned on the encrypted channel;
S102, when a connection establishment request sent by the client side is received, authenticating both communicating parties with the certificates and verifying the integrity of the request data sent by the client side;
S103, if the identity authentication passes and the request data verifies, establishing a SOCKET long connection inside the encrypted channel;
S104, forwarding the connection establishment request over the SOCKET long connection to the application end, establishing the connection between the client side and the application end, and carrying out message transmission between the client side and the application end.
For a more clear explanation of the above long connection communication processing method based on the TLS protocol, each step is described in detail below.
In S101, establishing the encrypted channel between the client side and the service side based on the TLS protocol comprises:
obtaining the port number and address whitelist agreed between the client side and the service side, configuring the SSL accelerator accordingly, and establishing the encrypted channel between the client side and the service side based on the TLS protocol.
Fig. 2 is a schematic flowchart of the authentication and request-data integrity check according to an embodiment of the present invention. As shown in Fig. 2, in S102, when the connection establishment request sent by the client side is received, authenticating both communicating parties with the certificates and verifying the integrity of the request data sent by the client side comprises:
S1021, when the SSL accelerator recognises the connection establishment request, the service side authenticating the client side by verifying the client-side certificate and the client side authenticating the service side by verifying the service-side certificate (two-way authentication);
S1022, checking the integrity of the request data sent by the client side;
S1023, if the identity authentication fails or the request data check fails, discarding the connection establishment request.
If the identity authentication passes and the request data check passes, the process continues with S103.
In S103, if the identity authentication passes and the request data check passes, establishing the SOCKET long connection inside the encrypted channel comprises:
establishing, on the TCP protocol, a connection between the two communicating parties that is kept open for a long time, and keeping the long connection alive with an automatic reconnection mechanism.
Because the TLS protocol is wrapped around the outer layer of the TCP private-line connection, the security of financial information transmission is greatly improved.
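The following is an added, runnable illustration of S101 to S103 written in Go for this page; it is not code from the patent or from Bank of China, and the patent names no implementation language. An in-memory CA issues the service-side and client-side certificates (standing in for the certificates loaded on the SSL accelerator); the service side requires and verifies the client certificate and enforces an address whitelist before the handshake; the client side verifies the service-side certificate and enables TCP keepalive on the socket that carries the long connection; and the first request through the channel is answered by a stand-in application end. The names demo-ca, service-side and pos-terminal-01, the loopback whitelist entry, the PING/app: framing and the second client that presents no certificate are all assumptions made for the demo, and the request integrity check of S1022 is provided here by the TLS record layer rather than by a separate step.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"net"
	"time"
)

// Address whitelist agreed between client side and service side (an assumed value for the demo).
var allowedAddrs = map[string]bool{"127.0.0.1": true}

// issue mints a certificate for name (a self-signed CA when isCA, else a leaf signed by parent).
// Minted in memory for the demo; a deployment would load the accelerator's own certificates instead.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
		IsCA:         isCA, BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// serveOne: address whitelist, then the mutual-TLS handshake (client certificate mandatory) runs on
// the first read, then the application end answers without re-authenticating: it came via the channel.
func serveOne(ln net.Listener) error {
	conn, err := ln.Accept() // *tls.Conn from tls.Listen; the handshake happens inside the first Read
	if err != nil {
		return err
	}
	defer conn.Close()
	if host, _, _ := net.SplitHostPort(conn.RemoteAddr().String()); !allowedAddrs[host] {
		return fmt.Errorf("source %s not in address whitelist", host)
	}
	req, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		return err
	}
	_, err = fmt.Fprintf(conn, "app:%s", req)
	return err
}

// exchange opens the long connection (TCP keepalive, then TLS presenting certs and verifying the
// service-side certificate against pool), sends one request and returns the reply. With TLS 1.3 the
// client handshake returns before the server checks the client certificate, so refusal shows on the read.
func exchange(addr string, certs []tls.Certificate, pool *x509.CertPool) (string, error) {
	cfg := &tls.Config{Certificates: certs, RootCAs: pool, ServerName: "127.0.0.1", MinVersion: tls.VersionTLS12}
	d := &net.Dialer{Timeout: 5 * time.Second, KeepAlive: 30 * time.Second}
	conn, err := tls.DialWithDialer(d, "tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	fmt.Fprintln(conn, "PING")
	return bufio.NewReader(conn).ReadString('\n')
}

// RunDemo runs the service side and two clients on loopback and returns the application reply seen
// by the legitimate client, the error seen by a client presenting no certificate, and any setup error.
func RunDemo() (reply string, rogueErr error, err error) {
	_, caCert, caKey := issue("demo-ca", true, nil, nil)
	srvTLS, _, _ := issue("service-side", false, caCert, caKey)
	cliTLS, _, _ := issue("pos-terminal-01", false, caCert, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{srvTLS}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return "", nil, err
	}
	defer ln.Close()
	go func() { log.Println("service side:", serveOne(ln), serveOne(ln)) }() // server-side view of both
	reply, err = exchange(ln.Addr().String(), []tls.Certificate{cliTLS}, pool)
	_, rogueErr = exchange(ln.Addr().String(), nil, pool) // no client certificate: refused
	return reply, rogueErr, err
}

func main() { fmt.Println(RunDemo()) }
```

Run it with go run: it prints the reply seen by the whitelisted client (app:PING), the error seen by the client without a certificate, and on stderr the service side's view of both connections. Two points carry over to a real deployment. First, because the application end accepts whatever arrives through the channel (S1041 and S1042), the SSL accelerator is the trust boundary: the application port must be reachable only from the accelerator, and "did the request come through the encrypted channel" must be a property of the listener it arrived on, never something the client can assert. Second, under TLS 1.3 a client whose certificate is refused does not learn it from Dial but from its first read, so the automatic reconnection mechanism of S103 (not shown here; it would wrap exchange in a retry loop with backoff) must treat that error as an authentication failure rather than a transient network fault, or it will reconnect forever.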
Fig. 3 is a schematic flowchart of the application end process according to an embodiment of the invention. As shown in Fig. 3, in S104, forwarding the connection establishment request over the SOCKET long connection to the application end, establishing the connection between the client side and the application end and carrying out message transmission between them comprises:
S1041, when the application end receives the connection establishment request from the client side, judging whether the client side's port arrived through the encrypted channel;
if so, S1042, accepting the connection establishment request;
if not, S1043, judging whether the request meets the application end's parameter configuration;
the application end parameter configuration comprises: whether the application port is in the listening state, and whether the request source meets the specified conditions;
if it does, accepting the connection establishment request (S1042); if not, discarding the connection establishment request (S1044).
Further, the method also comprises:
after the connection between the client side and the application end is established, verifying with the certificate the integrity of the messages transmitted between the client side and the application end.
Specifically, when the two parties communicate inside the encrypted channel, the sender applies a computation based on the certificate to the whole of the data before transmitting it, and the receiver restores the data using its own certificate; the computation and processing are agreed in advance by both parties, so the integrity of the transmitted data is ensured and its security is ensured at the same time.
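The patent does not fix the computation that is applied to the data with the certificate. The following added example, written in Go for this page and not taken from the patent, instantiates it as a per-message ECDSA signature made with the private key behind the sender's certificate and checked by the receiver with the public key from that certificate, with a sequence number bound into the signed data so that a replayed or reordered frame is discarded as well as a tampered one. The frame layout, the type and error names, the sample payment message and the use of a bare key pair in place of a certificate are all assumptions made for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame layout on the long connection (an assumption for the demo; the patent does not fix one):
// 4-byte big-endian payload length | 8-byte big-endian sequence number | payload | DER ECDSA
// signature over SHA-256(sequence number || payload) made with the key behind the sender's certificate.
const hdrLen = 12

// Signer seals outgoing frames with the sender's certificate key and a strictly increasing sequence.
type Signer struct {
	key *ecdsa.PrivateKey
	seq uint64
}

// Verifier opens incoming frames with the public key taken from the peer's certificate and rejects
// frames whose signature fails or whose sequence number does not increase (replay or reordering).
type Verifier struct {
	pub     *ecdsa.PublicKey
	lastSeq uint64
}

var (
	ErrTruncated = errors.New("frame discarded: truncated")
	ErrTampered  = errors.New("frame discarded: signature does not verify")
	ErrReplay    = errors.New("frame discarded: sequence number not increasing")
)

// digest binds the sequence number to the payload so a valid signature cannot be moved between frames.
func digest(seq []byte, payload []byte) []byte {
	h := sha256.New()
	h.Write(seq)
	h.Write(payload)
	return h.Sum(nil)
}

// Seal returns the next frame carrying payload.
func (s *Signer) Seal(payload []byte) ([]byte, error) {
	s.seq++
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(hdr[:4], uint32(len(payload)))
	binary.BigEndian.PutUint64(hdr[4:], s.seq)
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, digest(hdr[4:], payload))
	if err != nil {
		return nil, err
	}
	return append(append(hdr, payload...), sig...), nil
}

// Open checks a frame and returns its payload; on any failure the frame is discarded and the
// verifier's state is left untouched.
func (v *Verifier) Open(frame []byte) ([]byte, error) {
	if len(frame) < hdrLen {
		return nil, ErrTruncated
	}
	n := binary.BigEndian.Uint32(frame[:4])
	if uint64(len(frame)) < hdrLen+uint64(n) { // compare in uint64 so a hostile length cannot wrap
		return nil, ErrTruncated
	}
	seq := binary.BigEndian.Uint64(frame[4:hdrLen])
	payload, sig := frame[hdrLen:hdrLen+int(n)], frame[hdrLen+int(n):]
	if !ecdsa.VerifyASN1(v.pub, digest(frame[4:hdrLen], payload), sig) {
		return nil, ErrTampered
	}
	if seq <= v.lastSeq {
		return nil, ErrReplay
	}
	v.lastSeq = seq
	return payload, nil
}

// Demo sends one constructed payment message, then a copy altered in transit, then a replay of the
// original, and reports what the receiver accepted and why it discarded the other two.
func Demo() (accepted string, tamperErr error, replayErr error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the client certificate's key pair
	s, v := &Signer{key: key}, &Verifier{pub: &key.PublicKey}
	payload := []byte(`{"txn":"T1001","amount":"250.00"}`) // constructed sample message
	frame, _ := s.Seal(payload)
	out, _ := v.Open(frame)
	accepted = string(out)
	altered := append([]byte{}, frame...)
	altered[hdrLen+bytes.Index(payload, []byte("250"))] = '9' // 250.00 becomes 950.00 on the wire
	_, tamperErr = v.Open(altered)
	_, replayErr = v.Open(frame)
	return accepted, tamperErr, replayErr
}

func main() { fmt.Println(Demo()) }
```

Why this is worth having on top of the TLS channel: the channel terminates at the SSL accelerator, so on the hop from the accelerator to the application end the messages are no longer covered by the record-layer protection of that TLS session. A signature carried inside the message survives that hop and lets the application end itself identify and discard tampered or forged data, which is what the last step of the method asks for. A signature gives integrity and origin but not confidentiality; the patent's wording that the receiver "restores the data" suggests the agreed computation may also encrypt, in which case an AEAD under a key agreed by both parties would replace the signature and the sequence check would stay.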
It should be noted that although the operations of the method of the present invention have been described in the above embodiments and the accompanying drawings in a particular order, this does not require or imply that these operations must be performed in this particular order, or that all of the operations shown must be performed, to achieve the desired results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
By wrapping the TLS protocol around the outer layer of the SOCKET long-connection protocol, the invention achieves encryption of message transmission, authentication of the client side's identity and data integrity checking, and so improves communication security.
In a practical application scenario, first, according to the port numbers and address whitelists agreed by the two communicating parties, an encrypted channel is established between them based on the TLS protocol and the certificates for mutual identity verification are provisioned on the channel; then an ordinary SOCKET-based long connection is established inside the channel. When the service side receives a connection establishment request from the client side, it authenticates the requesting party using the certificates; only requests that pass identity authentication are forwarded to the application end processing module. Having received such a request, the application end can accept the client side's request without further authentication or verification, and message transmission begins once the connection is established.
After the method of the exemplary embodiment of the present invention is introduced, a long-connection communication processing apparatus based on the TLS protocol of the exemplary embodiment of the present invention will be described with reference to fig. 4.
The implementation of the long-connection communication processing device based on the TLS protocol may refer to the implementation of the above method, and repeated details are omitted. The term "module" or "unit" used hereinafter may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Based on the same inventive concept, the present invention further provides a long connection communication processing apparatus based on the TLS protocol, as shown in fig. 4, the apparatus includes:
an encrypted channel establishing module 410, configured to establish an encrypted channel between the client side and the service side based on the TLS protocol, the certificates used for mutual identity authentication of the two parties being provisioned on the encrypted channel;
a request analysis module 420, configured to authenticate both communicating parties with the certificates when a connection establishment request sent by the client side is received, and to verify the integrity of the request data sent by the client side;
a long connection communication module 430, configured to establish a SOCKET long connection inside the encrypted channel if the identity authentication passes and the request data verifies;
and an application end processing module 440, configured to forward the connection establishment request over the SOCKET long connection to the application end, establish the connection between the client side and the application end, and carry out message transmission between the client side and the application end.
Further, the encrypted channel establishing module 410 is specifically configured to:
obtain the port number and address whitelist agreed between the client side and the service side, configure the SSL accelerator accordingly, and establish the encrypted channel between the client side and the service side based on the TLS protocol.
Further, the request analysis module 420 is specifically configured to:
when the SSL accelerator recognises the connection establishment request, have the service side authenticate the client side by verifying the client-side certificate and the client side authenticate the service side by verifying the service-side certificate (two-way authentication);
verify the integrity of the request data sent by the client side;
and if the identity authentication fails or the request data check fails, discard the connection establishment request.
Further, the long connection communication module 430 is specifically configured to:
establish, on the TCP protocol, a connection between the two communicating parties that is kept open for a long time, and keep the long connection alive with an automatic reconnection mechanism.
Further, the application end processing module 440 is specifically configured to:
when the application end receives the connection establishment request from the client side, judge whether the client side's port arrived through the encrypted channel;
if so, accept the connection establishment request;
if not, judge whether the request meets the application end's parameter configuration; if it does, accept the connection establishment request, otherwise discard it.
Further, the application end processing module 440 is further configured to:
after the connection between the client side and the application end is established, verify with the certificate the integrity of the messages transmitted between the client side and the application end.
It should be noted that although several modules of the TLS protocol based long connection communication processing apparatus are mentioned in the above detailed description, such division is merely exemplary and not mandatory. Indeed, the features and functions of two or more of the modules described above may be embodied in one module according to embodiments of the invention. Conversely, the features and functions of one module described above may be further divided into embodiments by a plurality of modules.
Based on the aforementioned inventive concept, as shown in fig. 5, the present invention further provides a computer device 500, which includes a memory 510, a processor 520, and a computer program 530 stored in the memory 510 and executable on the processor 520, wherein the processor 520 executes the computer program 530 to implement the aforementioned long-connection communication processing method based on the TLS protocol.
Based on the foregoing inventive concept, the present invention provides a computer-readable storage medium, which stores a computer program, and when the computer program is executed by a processor, the computer program implements the TLS protocol-based long connection communication processing method.
Based on the foregoing inventive concept, the present invention proposes a computer program product comprising a computer program, which when executed by a processor implements a long connection communication processing method based on the TLS protocol.
For a clearer explanation of the method and apparatus for processing long connection communication based on TLS protocol, a specific embodiment is described below, but it should be noted that the embodiment is only for better explaining the present invention and is not to be construed as an undue limitation on the present invention.
In one application scenario, a TLS request analysis module, a long-connection communication module and an application-end processing module are set up.
The TLS request analysis module: according to the port number and address whitelist agreed by the two parties that need to communicate, the relevant parameters are configured on an SSL accelerator; an encrypted channel is established between the two parties based on the TLS protocol; the accelerator certificate is placed in the channel; a two-way authentication mode is used to verify the identities of the requesting party and the serving party respectively; and the same certificate is also used for data integrity verification in the subsequent message transmission.
Long-connection communication module: a SOCKET long connection is established, that is, a connection that can be maintained for a long time between the two communicating parties based on the TCP protocol, and the long connection is kept alive by an automatic reconnection mechanism.
The application-end processing module: after receiving the request from the client to establish a connection, the application end does not need to verify the identity or the request data of the client again; it can treat the request as a safe one, approve it and allow the connection with the client, after which data transmission can proceed between the two communicating parties.
The TLS protocol-based long-connection communication processing method and device establish an encrypted channel between the client side and the service side based on the TLS protocol, and place the certificates used by the two communicating sides for mutual identity verification in the encrypted channel; when a connection establishment request sent by the client side is obtained, the certificates are used to authenticate the two communicating sides, and the integrity of the request data initiated by the client side is verified; if authentication passes and the request data passes the check, a SOCKET long connection is established in the encrypted channel; the SOCKET long connection is then used to send the connection establishment request to the application end, establish the connection between the client side and the application end, and carry out message transmission between them. The whole scheme provides a more reliable security guarantee by establishing the encrypted channel, and adopting the TLS protocol greatly improves the security of information transmission: based on the encryption, authentication and data integrity properties of the TLS protocol, the probability that data is intercepted is reduced, cracking becomes more difficult, and tampered or forged data that is detected can be identified and discarded in time, so that wrapping the private-line connection in the TLS protocol greatly improves the security of financial information transmission.
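As an added illustration (not code from the patent or its applicant), the gates of the embodiment above modelled with Python's ssl module: the accelerator whitelist gate, the two-way authentication context policy, the application-end admission rule of claim 5, and a SOCKET long connection kept alive by automatic reconnection. All function and class names, the sample ports and addresses, and the flaky-socket test double are assumptions constructed for this example.

```python
"""Added illustration; every name, port and address here is assumed, not from the patent."""
import ssl

def accelerator_context(server_side: bool) -> ssl.SSLContext:
    """Two-way authentication policy for the accelerator channel: TLS 1.2+ and the
    peer must present a certificate. The deployer still loads the accelerator
    certificate and CA via load_cert_chain() / load_verify_locations()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED      # no peer certificate, no handshake
    return ctx

def accelerator_admits(src_ip: str, dst_port: int,
                       address_whitelist: set, agreed_port: int) -> bool:
    """Accelerator gate (claim 2): only the agreed port, and only from a
    whitelisted address, may begin a handshake at all."""
    return dst_port == agreed_port and src_ip in address_whitelist

def application_admits(client_port: int, tunnel_ports: set, app_config: dict) -> bool:
    """Application-end decision (claim 5): a port that came through the encrypted
    channel is accepted; otherwise the application's own configuration decides."""
    if client_port in tunnel_ports:
        return True
    return client_port in app_config.get("allowed_ports", ())

class LongConnection:
    """SOCKET long connection kept alive by automatic reconnection (claim 4).
    `connector` is any callable returning an object with a send() method."""
    def __init__(self, connector, max_retries: int = 3):
        self.connector, self.max_retries = connector, max_retries
        self.sock = None
        self.reconnects = 0

    def send(self, data: bytes) -> bool:
        for _attempt in range(self.max_retries + 1):
            try:
                if self.sock is None:          # first use, or after a failure
                    self.sock = self.connector()
                self.sock.send(data)
                return True
            except OSError:
                self.sock = None               # drop the dead socket and retry
                self.reconnects += 1
        return False                           # give up; the caller decides what next

def make_flaky_connector(failing_sockets: int):
    """Constructed test double: the first `failing_sockets` sockets handed out
    raise OSError on send(); later ones succeed."""
    issued = {"n": 0}
    class _Sock:
        def __init__(self, fail): self.fail, self.sent = fail, []
        def send(self, data):
            if self.fail:
                raise OSError("connection reset")
            self.sent.append(data)
    def connector():
        issued["n"] += 1
        return _Sock(issued["n"] <= failing_sockets)
    return connector
```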
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present invention, which are used for illustrating the technical solutions of the present invention and not for limiting the same, and the protection scope of the present invention is not limited thereto, although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (15)

1. A long connection communication processing method based on TLS protocol is characterized by comprising the following steps:
an encryption channel is established between a client side and a service side based on a TLS protocol, and certificates used for interactive identity authentication of both communication sides are placed in the encryption channel;
when a connection establishment request sent by a client side is obtained, using a certificate to carry out identity authentication on two communication sides, and verifying the integrity of request data initiated by the client side;
if the identity authentication is passed and the requested data is verified, establishing SOCKET long connection in the encryption channel;
and sending the connection establishing request to the application end by using the SOCKET long connection, establishing the connection between the client side and the application end, and performing message transmission between the client side and the application end.
2. The method of claim 1, wherein establishing an encrypted tunnel between the client and the server based on the TLS protocol comprises:
the method comprises the steps of obtaining a port number and an address white list appointed by a client side and a service side, configuring an SSL accelerator, and establishing an encryption channel between the client side and the service side based on a TLS protocol.
3. The method of claim 2, wherein when acquiring a connection establishment request sent by a client, using a certificate to authenticate identities of both parties of communication, and verifying integrity of request data sent by the client, comprises:
when the SSL accelerator identifies the connection establishment request, the server certificate is used for carrying out identity authentication on the client side, and the client certificate is used for carrying out identity authentication on the server side;
verifying the integrity of the request data initiated by the client;
and if the identity authentication fails or the request data check fails, discarding the connection establishment request.
4. The method of claim 1, wherein establishing a SOCKET long connection in the encrypted channel if the authentication passes and the requested data check passes comprises:
based on the TCP protocol, establishing a connection that can be maintained for a long time between the two communicating parties, and using an automatic reconnection mechanism to keep the long connection alive.
5. The method of claim 1, wherein sending a connection establishment request to the application using a SOCKET long connection, establishing a connection between the client and the application, and performing message transmission between the client and the application comprises:
when the application end receives a connection establishment request of a client side, judging whether a port of the client side passes through the encryption channel or not;
if so, approving the connection establishment request;
if not, judging whether the parameter configuration of the application end is satisfied; if so, approving the connection establishment request, and if not, discarding the connection establishment request.
6. The method of claim 1, further comprising:
after the connection between the client and the application is established, the integrity of the message transmitted between the client and the application is verified by using the certificate.
7. A TLS protocol-based long-connection communication processing apparatus, comprising:
the encrypted channel establishing module is used for establishing an encrypted channel between the client side and the service side based on the TLS protocol, and certificates used for mutual identity authentication of the two communication sides are placed in the encrypted channel;
the request analysis module is used for carrying out identity authentication on two communication parties by using a certificate when a connection establishment request sent by a client side is obtained, and verifying the integrity of request data sent by the client side;
the long connection communication module is used for establishing SOCKET long connection in the encryption channel if the identity authentication passes and the requested data passes the verification;
and the application end processing module is used for sending the connection establishment request to the application end by utilizing the SOCKET long connection, establishing the connection between the client side and the application end and carrying out message transmission between the client side and the application end.
8. The apparatus according to claim 7, wherein the encryption channel establishing module is specifically configured to:
the method comprises the steps of obtaining a port number and an address white list appointed by a client side and a service side, configuring an SSL accelerator, and establishing an encryption channel between the client side and the service side based on a TLS protocol.
9. The apparatus of claim 8, wherein the request resolution module is specifically configured to:
when the SSL accelerator identifies the connection establishment request, the server certificate is used for carrying out identity authentication on the client side, and the client certificate is used for carrying out identity authentication on the server side;
verifying the integrity of the request data initiated by the client;
and if the identity authentication fails or the request data check fails, discarding the connection establishment request.
10. The apparatus of claim 7, wherein the long-connection communication module is specifically configured to:
based on the TCP protocol, establishing a connection that can be maintained for a long time between the two communicating parties, and using an automatic reconnection mechanism to keep the long connection alive.
11. The apparatus of claim 7, wherein the application processing module is specifically configured to:
when the application end receives a connection establishment request of a client side, judging whether a port of the client side passes through the encryption channel or not;
if so, approving the connection establishment request;
if not, judging whether the parameter configuration of the application end is satisfied; if so, approving the connection establishment request, and if not, discarding the connection establishment request.
12. The apparatus of claim 7, wherein the application processing module is further configured to:
after the connection between the client and the application is established, the integrity of the message transmitted between the client and the application is verified by using the certificate.
13. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any one of claims 1 to 6 when executing the computer program.
14. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the method of any one of claims 1 to 6.
15. A computer program product, characterized in that the computer program product comprises a computer program which, when being executed by a processor, carries out the method of any one of claims 1 to 6.
CN202210163136.9A 2022-02-22 2022-02-22 Long connection communication processing method and device based on TLS protocol Pending CN114513362A (en)
Publications (1)

Publication Number Publication Date
CN114513362A true CN114513362A (en) 2022-05-17
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination