CN114615309B - Client access control method, device, system, electronic equipment and storage medium - Google Patents


Info

Publication number: CN114615309B
Authority: CN (China)
Prior art keywords: client, certificate, ssl, module, information
Legal status: Active
Application number: CN202210056377.3A
Other languages: Chinese (zh)
Other versions: CN114615309A (en)
Inventors: 蒋凯, 冯顾
Current assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Original assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Events: application filed by Qianxin Technology Group Co Ltd and Secworld Information Technology Beijing Co Ltd; priority to CN202210056377.3A; publication of CN114615309A; application granted; publication of CN114615309B; legal status active.

Classifications

    • H04L67/141 Setup of application sessions (under H04L67/14 Session management; H04L67/00 Network arrangements or protocols for supporting network services or applications)
    • H04L63/08 Network architectures or network communication protocols for network security, for authentication of entities (under H04L63/00)
    • H04L63/0823 Authentication of entities using certificates
    • H04L63/168 Implementing security features at a particular protocol layer, above the transport layer (under H04L63/16)

Abstract

The invention provides a client access control method, device, system, electronic device and storage medium. SSL connection request information initiated by a first client is received, the SSL connection request information having been generated from the first client's preset SSL certificate and CA certificate; the certificate information in the SSL connection request information is verified against pre-stored certificate verification information and, if verification passes, first client SSL certificate state acquisition request information is generated; that request information is sent to a CA service module; and the state analysis result returned by the CA service module for the request is received, and the access of the first client is controlled according to it. This moves the implementation of the client access control requirement from the application layer of the system to the SSL connection layer, which is safer and more efficient and reduces the implementation complexity of application-layer software.

Description

Client access control method, device, system, electronic equipment and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method, an apparatus, a system, an electronic device, and a storage medium for controlling access of a client.
Background
Currently, a terminal management system has several typical requirements for controlling terminal access:
(1) Authentication of client access. The client calls an API to access the server, and the server must authenticate the client. In the prior art this is usually implemented at the application layer: the server and client agree on an authentication method, for example a token that the client carries in each request and that the server checks for a match. Such a method is easy to recognize and counterfeit.
(2) Control of the authorization date. The server or client checks the authorization date and may impose functional restrictions once that date has passed; typically a timed task runs at the application layer to check the authorization date.
(3) Forced denial of access. The server can forcibly deny a client access, for example by cancelling the client's authorization. Typically a check is made in the API code and an error code is returned.
All of these terminal access control requirements are implemented by application-layer code after the connection has been established, so security and efficiency are not high enough and the complexity of the application-layer software increases.
Disclosure of Invention
The invention provides a client access control method, device, system, electronic device and storage medium to solve the problems that existing terminal management systems implement client access control at the application layer, which is neither secure nor efficient enough and increases the implementation complexity of application-layer software.
In a first aspect, the present invention provides a method for controlling access of a client, including:
receiving SSL connection request information initiated by a first client; wherein the SSL connection request information is generated based on a preset SSL certificate and CA certificate of the first client;
verifying the certificate information in the SSL connection request information according to pre-stored certificate verification information, and generating first client SSL certificate state acquisition request information under the condition that verification is passed;
sending the first client certificate state acquisition request information to a CA service module;
and receiving a state analysis result of the CA service module on the first client certificate state acquisition request information, and controlling the access of the first client according to the state analysis result.
Further, the method further comprises:
and prohibiting access of the first client in case that the verification is not passed.
Further, receiving the state analysis result of the CA service module for the first client certificate state acquisition request information and controlling the access of the first client according to the state analysis result specifically includes:
allowing the access of the first client under the condition that the state analysis result is normal;
and prohibiting the access of the first client under the condition that the state analysis result is the revocation or the falsification.
Further, the pre-stored certificate verification information includes:
pre-stored identification information and validity time information of the SSL certificate, and issuing information of the CA certificate.
Further, the client access control method further includes:
receiving first client certificate state acquisition request information sent by an SSL module;
and carrying out state analysis on the first client certificate state acquisition request information, and sending a state analysis result to an SSL module so that the SSL module controls access of the first client according to the state analysis result.
Further, the performing state analysis on the first client certificate state acquisition request information, and sending a state analysis result to the SSL module, includes:
according to pre-stored state information of the SSL certificate, performing state analysis on the first client certificate state acquisition request information, and returning a state analysis result of SSL certificate revocation or falsification to the SSL module if the state analysis result is abnormal;
and returning a state analysis result of normal SSL certificate state to the SSL module if the state analysis result is normal.
Further, the method further comprises:
receiving a certificate configuration file of a second client sent by a server program module;
generating an SSL certificate of a second client and state information of the SSL certificate of the second client according to a certificate configuration file of the second client, and storing the SSL certificate and the state information of the SSL certificate of the second client locally; the SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client;
and sending the SSL certificate of the second client to the server program module, so that the server program module forwards the SSL certificate of the second client to the second client.
Further, the method further comprises:
receiving an instruction sent by a server program module to revoke an SSL certificate of a third client;
searching for the SSL certificate of the third client among the SSL certificates of the issued clients;
and setting the state information of the SSL certificate of the third client to be in a revocation state.
Further, the client access control method further includes:
generating a certificate configuration file for the second client, and sending the certificate configuration file of the second client to the CA service module, so that the CA service module generates an SSL certificate of the second client according to the certificate configuration file of the second client; the SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client;
and receiving the SSL certificate of the second client from the CA service module, and sending the SSL certificate of the second client to the second client.
Further, the method further comprises:
and sending an instruction to revoke the SSL certificate of the third client to the CA service module.
Further, the method further comprises:
configuring a CA certificate and address information of the CA service module for the SSL module, and starting the SSL module; the CA certificate is the public key used by the CA service module when issuing the SSL certificate of the second client.
In a second aspect, the present invention further provides a client access control device, including: the device comprises a first receiving module, a verification module, a first sending module and a first control module, wherein:
the first receiving module is used for receiving SSL connection request information initiated by the first client; wherein the SSL connection request information is generated based on a preset SSL certificate and CA certificate of the first client;
the verification module is used for verifying the certificate information in the SSL connection request information according to pre-stored certificate verification information, and generating first client SSL certificate state acquisition request information under the condition that verification is passed;
the first sending module is used for sending the first client certificate state acquisition request information to the CA service module;
the first control module is used for receiving a state analysis result of the CA service module on the first client certificate state acquisition request information and controlling the access of the first client according to the state analysis result.
Further, the invention also provides a client access control device, which comprises a second receiving module and a second control module, wherein:
the second receiving module is used for receiving the first client certificate state acquisition request information sent by the SSL module;
and the second control module is used for performing state analysis on the first client certificate state acquisition request information and sending the state analysis result to the SSL module, so that the SSL module controls the access of the first client according to the state analysis result.
Further, the invention also provides a client access control device, which comprises: the device comprises a generation module and a second sending module, wherein:
the generation module is used for generating a certificate configuration file for the second client and sending the certificate configuration file of the second client to the CA service module so that the CA service module generates an SSL certificate of the second client according to the certificate configuration file of the second client; the SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client;
and the second sending module is used for receiving the SSL certificate of the second client from the CA service module and sending the SSL certificate of the second client to the second client.
In a third aspect, the present invention further provides a client access control system, including an SSL module, a CA service module and a server program module, which together execute the steps of the client access control method.
In a fourth aspect, the present invention also provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the steps of any one of the client access control methods described above when the program is executed.
In a fifth aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of a client access control method as described in any of the above.
In a sixth aspect, the invention also provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of a client access control method as described in any of the above.
The invention provides a client access control method, device, system, electronic device and storage medium, which receive SSL connection request information initiated by a first client, the SSL connection request information having been generated from the first client's preset SSL certificate and CA certificate; verify the certificate information in the SSL connection request information against pre-stored certificate verification information and, if verification passes, generate first client SSL certificate state acquisition request information; send that request information to a CA service module; and receive the state analysis result of the CA service module for the first client certificate state acquisition request information and control the access of the first client according to it. This solves the problem that existing terminal management systems implement client access control at the application layer, which is not secure and efficient enough and increases the implementation complexity of application-layer software: the implementation of the client access control requirement is moved from the application layer of the system to the SSL connection layer, so the system is safer and more efficient and the implementation complexity of application-layer software is reduced.
Drawings
In order to illustrate the invention or the prior-art technical solutions more clearly, the drawings used in the embodiments or in the description of the prior art are briefly introduced below. Obviously the drawings described below are only some embodiments of the invention, and a person skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a schematic structural diagram of a client access control system according to an embodiment of the present invention;
Fig. 2 is a schematic flow chart of a method for controlling access of a client according to an embodiment of the present invention;
Fig. 3 is a flow chart of a method for controlling access of a client according to another embodiment of the present invention;
Fig. 4 is a flow chart of a method for controlling access of a client according to still another embodiment of the present invention;
Fig. 5 is a schematic flow chart of a method for controlling access of a client according to another embodiment of the present invention;
Fig. 6 is a flow chart of a method for controlling access of a client according to another embodiment of the present invention;
Fig. 7 is a block diagram of a client access control device according to an embodiment of the present invention;
Fig. 8 is a block diagram of a client access control device according to another embodiment of the present invention;
Fig. 9 is a block diagram of a client access control device according to another embodiment of the present invention;
Fig. 10 is a block diagram of a client access control system according to another embodiment of the present invention;
Fig. 11 is a block diagram of a client access control electronic device according to another embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The SSL module, CA service module and server program module in the present invention constitute a client access control system, as shown in fig. 1, specifically as follows:
the SSL module is used for receiving SSL connection request information initiated by the first client; wherein the SSL connection request information is generated based on a preset SSL certificate and CA certificate of the first client; verifying the certificate information in the SSL connection request information according to pre-stored certificate verification information, and generating first client SSL certificate state acquisition request information under the condition that verification is passed; sending the first client certificate state acquisition request information to a CA service module; and receiving a state analysis result of the CA service module on the first client certificate state acquisition request information, and controlling the access of the first client according to the state analysis result.
The CA service module is used for receiving the first client certificate state acquisition request information sent by the SSL module; and carrying out state analysis on the first client certificate state acquisition request information, and sending a state analysis result to an SSL module so that the SSL module controls access of the first client according to the state analysis result.
The server program module is used for generating a certificate configuration file for the second client and sending the certificate configuration file of the second client to the CA service module so that the CA service module generates an SSL certificate of the second client according to the certificate configuration file of the second client; the SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client; and receiving the SSL certificate of the second client from the CA service module, and sending the SSL certificate of the second client to the second client.
Fig. 2 is a flow chart of the client access control method provided in this embodiment. Referring to fig. 2, the method, applied to an SSL module, includes:
step 201: receiving SSL connection request information initiated by a first client;
The SSL connection request information is generated from the first client's preset SSL certificate and CA certificate. SSL is a secure network connection layer and the current standard method of secure access: it provides confidentiality and data integrity for network communication by encrypting the connection directly between the transport layer and the application layer, ensures that data reaches the correct client and the correct server, and prevents data from being intercepted in transit. The SSL module is standard and generic; for example, SSL client authentication can be performed directly by nginx.
It should further be noted that the SSL certificate of the first client may be an issued SSL certificate, such as a self-issued SSL certificate or an SSL certificate issued by an authority, or it may be a revoked SSL certificate. The first client is the client to be verified: an Agent program deployed on a Windows or Linux host and managed by the server. The first client can communicate with the terminal management system to which the SSL module belongs over a wired or wireless connection, and can send SSL connection request information to the SSL module from a mobile phone, a tablet computer, a computer or dedicated company electronic equipment.
Specifically, the first client sends SSL connection request information to the SSL module, and the SSL module receives the SSL connection request information initiated by the first client.
For example, an information technology company provides each employee with a dedicated computer. Employee A sends SSL connection request information to the SSL module of the company's terminal management system through the computer with identity code 01, and the SSL module receives the SSL connection request information initiated by employee A through that computer.
Step 202: verifying the certificate information in the SSL connection request information according to pre-stored certificate verification information, and generating first client SSL certificate state acquisition request information under the condition that verification is passed;
The pre-stored certificate verification information comprises pre-stored identification information and validity time information of the SSL certificate, and issuing information of the CA certificate.
Specifically, the SSL module verifies the certificate information in the SSL connection request information according to pre-stored certificate verification information, and generates first client SSL certificate status acquisition request information when the verification is passed.
For example, the SSL module in the terminal management system of an information technology company verifies the certificate information in the SSL connection request information initiated by employee A through the computer with identity code 01 against the pre-stored identification information, validity time information and issuing information of the CA certificate. The identification information in the certificate of that computer is identity code 01, the validity time information is January 2021 to January 2023, and the issuing information of the CA certificate is a given authority. The certificate information of the computer with identity code 01 passes comparison with the certificate verification information pre-stored in the SSL module, so SSL certificate status acquisition request information for the computer with identity code 01 is generated.
Step 203: sending the first client certificate state acquisition request information to a CA service module;
the CA is a certificate authority, and may issue various digital certificates, and the certificate issued by the CA authority may be a CA certificate, and the SSL certificate is one of the certificates issued by the CA authority, and besides, the certificate issued by the CA authority may be a mail certificate, an encryption certificate, or a software digital certificate, which is not limited herein.
It should be further noted that, in the case that the first client certificate information is verified, i.e. the first client has a certificate, the certificate is in the validity period and the issuer information is correct, but still it cannot be determined whether the certificate is revoked or in a counterfeit state, in this case, in order to prevent the client that has been revoked or has a counterfeit suspicion from accessing, it is necessary to further obtain the request information by sending the first client certificate state to the CA service module.
Specifically, according to pre-stored certificate verification information, when the certificate information in the SSL connection request information sent by the first client matches with the pre-stored certificate verification information in the SSL module, that is, the verification is passed, first client SSL certificate status acquisition request information is generated, and the SSL module sends the first client certificate status acquisition request information to the CA service module.
For example, when the certificate information in the SSL connection request information sent by employee A through the computer with identity code 01 matches the certificate verification information pre-stored in the SSL module of the information technology company's terminal management system, i.e. verification passes, the SSL module generates the first client SSL certificate status acquisition request information and sends it to the CA service module.
Step 204: and receiving a state analysis result of the CA service module on the first client certificate state acquisition request information, and controlling the access of the first client according to the state analysis result.
The state analysis result can be a normal state, a revocation state or a fake state, and the access of the first client is allowed under the condition that the state analysis result is normal; and prohibiting the access of the first client under the condition that the state analysis result is the revocation or the falsification.
Specifically, the SSL module receives a status analysis result of the CA service module for the first client certificate status acquisition request information, and controls access of the first client according to the status analysis result.
For example, the SSL module in the terminal management system of an information technology company receives the status analysis result returned by the CA service module for the certificate status acquisition request of the computer with identity code 01 used by employee A, and controls the access of that computer according to the status analysis result.
This embodiment provides a client access control method applied to the SSL module of a terminal management system. It receives SSL connection request information initiated by a first client, the SSL connection request information having been generated from the first client's preset SSL certificate and CA certificate; verifies the certificate information in the SSL connection request information against pre-stored certificate verification information and, if verification passes, generates first client SSL certificate state acquisition request information; sends that request information to a CA service module; and receives the state analysis result of the CA service module for the first client certificate state acquisition request information and controls the access of the first client according to it. This solves the problem that existing terminal management systems implement client access control at the application layer, which is not secure and efficient enough and increases the implementation complexity of application-layer software: the implementation of the client access control requirement is moved from the application layer of the system to the SSL connection layer, so the system is safer and more efficient and the implementation complexity of application-layer software is reduced.
Based on the foregoing embodiment, in this embodiment step 202, verifying the certificate information in the SSL connection request information against pre-stored certificate verification information, specifically further includes:
and prohibiting access of the first client in case that the verification is not passed.
It should further be noted that if the certificate information in the SSL connection request information sent by the first client does not match one or more items of the pre-stored certificate verification information, that is, the identification information, the validity time information or the issuing information of the CA certificate, the access of the first client is prohibited.
Specifically, the SSL module verifies the certificate information in the SSL connection request information according to pre-stored certificate verification information, and prohibits the access of the first client if the verification is not passed.
For example, the SSL module in the terminal management system of an information technology company verifies the certificate information in SSL connection request information initiated by employee a through a computer with an identity code of 01 according to the pre-stored identification information, validity time information and issuing information of the CA certificate, wherein the identification information in the computer certificate with the identity code of 01 used by employee a is identity code 01, the validity time information is 2021 month 1 to 2022 month 1, the issuing information of the CA certificate is a mechanism, and the comparison and verification is performed through the pre-stored certificate verification information in the SSL module to find that the computer certificate information with the identity code of 01 used by employee a is out of date, i.e. not in the validity time, so that the verification is not passed and the access of the computer with the identity code of 01 used by employee a is forbidden.
This embodiment provides a client access control method applied to the SSL module of a terminal management system: the certificate information in the SSL connection request information is verified according to pre-stored certificate verification information, and access of the first client is prohibited if the verification is not passed. This avoids the problem of a client still being granted access when its certificate has expired or its identity information or issuing information is incorrect, so that client access is controlled more safely and effectively.
Based on the foregoing embodiment, in this embodiment, step 204, receiving the status analysis result of the CA service module for the first client certificate status acquisition request information and controlling access of the first client according to the status analysis result, may be specifically implemented as follows:
allowing the access of the first client under the condition that the state analysis result is normal;
and prohibiting the access of the first client under the condition that the state analysis result is the revocation or the falsification.
Specifically, the SSL module receives the status analysis result of the CA service module for the first client certificate status acquisition request information and controls access of the first client according to it: access of the first client is allowed if the status analysis result is normal, and prohibited if the status analysis result is revocation or falsification.
For example, the SSL module in the terminal management system of an information technology company verifies the certificate information in the SSL connection request information initiated by employee A through the computer with identity code 01 and in the SSL connection request information initiated by employee B through the computer with identity code 02 against the pre-stored identification information, validity time information and issuing information of the SSL certificates. In the certificate of the computer with identity code 01 used by employee A, the identification information is identity code 01, the validity time information is 1 January 2021 to 1 January 2023, and the issuing information of the CA certificate is a given organization; in the certificate of the computer with identity code 02 used by employee B, the identification information is identity code 02 and the issuing information of the CA certificate is the same organization. Comparison against the certificate verification information pre-stored in the SSL module finds that the certificate of the computer with identity code 01 used by employee A passes verification, so the computer with identity code 01 used by employee A is allowed access; the certificate of the computer with identity code 02 used by employee B is expired, that is, not within the validity time, so the verification is not passed and access of the computer with identity code 02 used by employee B is prohibited.
This embodiment provides a client access control method applied to the SSL module of a terminal management system: access of the first client is allowed if the status analysis result is normal, and prohibited if the status analysis result is revocation or falsification. This solves the problem that an existing terminal management system controls client access at the application layer, which is neither safe nor efficient enough and also increases the implementation complexity of the application layer software: the implementation of the client access control requirement is moved down from the application layer of the system to the SSL connection layer, which is safer and more efficient and also reduces the implementation complexity of the application layer software.
Fig. 3 is a flow chart of another client access control method according to this embodiment. Referring to Fig. 3, the method is applied to a CA service module and includes:
step 301: receiving first client certificate state acquisition request information sent by an SSL module;
step 302: and carrying out state analysis on the first client certificate state acquisition request information, and sending a state analysis result to an SSL module so that the SSL module controls access of the first client according to the state analysis result.
It should be further noted that the CA service module is part of the terminal management system.
Specifically, the CA service module receives the first client certificate status acquisition request information sent by the SSL module, performs status analysis on the first client certificate status acquisition request information, and sends a status analysis result to the SSL module, so that the SSL module controls access of the first client according to the status analysis result.
For example, the CA service module in the terminal management system of an information technology company receives the certificate status acquisition request information for the computer with identity code 01 sent by the SSL module; after receiving it, the CA service module performs status analysis on that request information and sends the status analysis result to the SSL module, so that the SSL module controls access of the computer with identity code 01 according to the status analysis result.
This embodiment provides a client access control method applied to the CA service module of a terminal management system: the CA service module receives the first client certificate status acquisition request information sent by the SSL module, performs status analysis on it and sends the status analysis result to the SSL module, so that the SSL module controls access of the first client according to the status analysis result. This solves the problem that an existing terminal management system controls client access at the application layer, which is neither safe nor efficient enough and also increases the implementation complexity of the application layer software: the implementation of the client access control requirement is moved down from the application layer of the system to the SSL connection layer, which is safer and more efficient and also reduces the implementation complexity of the application layer software.
Based on the foregoing embodiment, in this embodiment, step 302, performing status analysis on the first client certificate status acquisition request information and sending the status analysis result to the SSL module, may be specifically implemented as follows:
performing status analysis on the first client certificate status acquisition request information according to the pre-stored status information of the SSL certificate, and returning a status analysis result of SSL certificate revocation or falsification to the SSL module if the status analysis result is abnormal;
and returning a status analysis result of SSL certificate normal to the SSL module if the status analysis result is normal.
The pre-stored status information of the SSL certificate is the information used to analyze and verify whether a client certificate is suspected of being revoked or counterfeit.
Specifically, the CA service module performs status analysis on the first client certificate status acquisition request information according to the pre-stored status information of the SSL certificate; it returns a status analysis result of SSL certificate revocation or falsification to the SSL module if the status analysis result is abnormal, and a status analysis result of SSL certificate normal if the status analysis result is normal.
For example, the CA service module performs status analysis on the certificate status acquisition request information for the computer with identity code 01 used by employee A according to the pre-stored status information of the SSL certificate. If the status analysis result is abnormal, it returns a status analysis result of SSL certificate revocation or falsification to the SSL module; in that case, even if the certificate information in the SSL connection request information sent by the computer with identity code 01 used by employee A matches the pre-stored certificate verification information, that is, even if the verification passes, the computer with identity code 01 cannot gain access. If the status analysis result is normal, it returns a status analysis result of SSL certificate normal to the SSL module, and the computer with identity code 01 can then gain access.
This embodiment provides a client access control method applied to the CA service module of a terminal management system: status analysis is performed on the first client certificate status acquisition request information according to the pre-stored status information of the SSL certificate; a status analysis result of SSL certificate revocation or falsification is returned to the SSL module if the status analysis result is abnormal, and a status analysis result of SSL certificate normal if it is normal. This avoids the problem of a client being granted normal access although its certificate was revoked midway or is a forged certificate, so that, by providing the CA service module, client access is controlled more safely and efficiently.
Based on the foregoing embodiments, in this embodiment, the client access control method is applied to a CA service module, and specifically includes:
receiving a certificate configuration file of a second client sent by a server program module;
generating an SSL certificate of a second client and state information of the SSL certificate of the second client according to a certificate configuration file of the second client, and storing the SSL certificate and the state information of the SSL certificate of the second client locally;
and sending the SSL certificate of the second client to the server program module, so that the SSL certificate of the second client is issued to the second client through the server program module.
The SSL certificate of the second client includes identification information of the second client, such as the identity ID of the user's computer, and validity time information of the SSL certificate of the second client.
It should be further noted that, to distinguish it from the first client to be authenticated that initiates the SSL connection request information, the second client here is a client for which an SSL certificate needs to be generated, that is, a client that has not yet been issued an SSL certificate. For example, a newly hired employee C is equipped by the company with a new computer that does not yet carry an SSL certificate, so an SSL certificate needs to be issued for the new computer of employee C. The second client may be connected to the server program module in a wired or wireless manner and may be any electronic device capable of a communication connection, such as a mobile phone, a tablet computer, a computer or company-specific electronic equipment, which is not specifically limited here.
Specifically, the CA service module receives the certificate configuration file of the second client sent by the server program module; generates the SSL certificate of the second client and the status information of that SSL certificate according to the certificate configuration file, and stores both locally; the SSL certificate of the second client includes the identification information of the second client and the validity time information of the SSL certificate; and sends the SSL certificate of the second client to the server program module, so that the SSL certificate is issued to the second client through the server program module.
For example, the CA service module receives the certificate configuration file of the new computer used by employee C sent by the server program module; generates the SSL certificate of that computer and the status information of the SSL certificate according to the certificate configuration file, and stores them locally; the SSL certificate of the new computer used by employee C includes its identification information, namely identity code 03, and the validity time information of the SSL certificate, namely 1 January 2022 to 1 January 2024; and sends the SSL certificate of the new computer used by employee C to the server program module, so that the certificate is issued to that computer through the server program module.
This embodiment provides a client access control method applied to the CA service module of a terminal management system: the CA service module receives the certificate configuration file of the second client sent by the server program module; generates the SSL certificate of the second client and the status information of that SSL certificate according to the certificate configuration file, and stores both locally; the SSL certificate of the second client includes the identification information of the second client and the validity time information of the SSL certificate; and sends the SSL certificate of the second client to the server program module, so that it is issued to the second client through the server program module. Providing the CA service module thus realizes the issuance of SSL certificates for new clients, and the implementation of the client access control requirement is moved down from the application layer of the system to the SSL connection layer, which is safer and more efficient and reduces the implementation complexity of the application layer software.
Based on the foregoing embodiment, in this embodiment, the client access control method is applied to a CA service module, and the method further includes:
and receiving an instruction sent by the server program module to revoke the SSL certificate of the third client.
The third client is a client that has an SSL certificate issued by the CA service module but whose authorization needs to be revoked by the CA service module.
It should be further noted that the SSL certificate of the third client may be looked up among the SSL certificates of the issued clients by entering the identification information of the third client, or by means of the locally stored SSL certificates and status information described above for the second client.
It can be understood that once the SSL certificate of the third client is in the revoked state, the third client cannot gain access even though it holds an SSL certificate issued by the CA service module that is still within its authorized validity period.
Specifically, the CA service module receives an instruction sent by the server program module to revoke the SSL certificate of the third client.
For example, when employee D of an information technology company is dismissed because of leaking company secrets, the SSL certificate issued by the CA service module in the company's terminal management system is still within its validity period, so the employee could still log in through the computer even after leaving. For safety reasons, the company therefore operates the terminal management system at the moment employee D is dismissed: the CA service module receives the instruction sent by the server program module to revoke the SSL certificate of the computer with identity code 04 used by employee D, looks up that SSL certificate among the SSL certificates of the issued clients and sets its status to the revoked state, so that even within its validity period the SSL certificate of employee D no longer grants access.
This embodiment provides a client access control method in which the CA service module receives an instruction sent by the server program module to revoke the SSL certificate of the third client. Providing the CA service module solves the problem of a client still being granted normal access after its authorization was revoked midway, so that client access is controlled more safely and efficiently.
Fig. 4 is a flow chart of another client access control method provided in this embodiment. Referring to Fig. 4, the method is applied to a server program module and includes:
step 401: generating a certificate configuration file for the second client, and sending the certificate configuration file of the second client to the CA service module, so that the CA service module generates an SSL certificate of the second client according to the certificate configuration file of the second client; the SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client;
step 402: and receiving the SSL certificate of the second client from the CA service module, and sending the SSL certificate of the second client to the second client.
The server program module generates a certificate configuration file for the second client. The configuration file contains the identification information of the second client, such as the identity ID of the user's computer, together with related information such as the authorization validity date of the client, from which it can be judged whether the client may be granted access.
Specifically, the server program module generates a certificate configuration file for the second client, and sends the certificate configuration file of the second client to the CA service module, so that the CA service module generates an SSL certificate of the second client according to the certificate configuration file of the second client; the SSL certificate of the second client comprises identification information of the second client and valid time information of the SSL certificate of the second client; and receiving the SSL certificate of the second client from the CA service module, and sending the SSL certificate of the second client to the second client.
For example, the server program module of an information technology company generates a certificate configuration file for the new computer of new employee C and sends it to the CA service module, so that the CA service module generates the SSL certificate of the new computer of employee C according to that configuration file; the identification information of the new computer of employee C is identity code 03, and the validity time information of its SSL certificate is 1 January 2022 to 1 January 2024. The server program module then receives the SSL certificate of the new computer of employee C from the CA service module and sends it to the new computer of employee C.
This embodiment provides a client access control method applied to the server program module of a terminal management system: the server program module generates a certificate configuration file for the second client and sends it to the CA service module, so that the CA service module generates the SSL certificate of the second client according to the certificate configuration file; the SSL certificate of the second client includes the identification information of the second client and the validity time information of the SSL certificate; and the server program module receives the SSL certificate of the second client from the CA service module and sends it to the second client. This realizes the issuance of SSL certificates for new clients, so that client access is controlled more safely and efficiently.
Based on the foregoing embodiment, in this embodiment, the client access control method is applied to a server program module, and the method further includes:
and sending an instruction for canceling the SSL certificate of the third client to the CA service module.
It should be further noted that, before the server program module sends the instruction for revoking the SSL certificate of the third client to the CA service module, the person in charge of the terminal management system may trigger the instruction through an operation on the server program module, for example a related icon or button for issuing the instruction, so that the server program module sends the instruction for revoking the SSL certificate of the third client to the CA service module.
Specifically, the server program module sends an instruction to the CA service module to revoke the SSL certificate of the third client.
This embodiment provides a client access control method in which the server program module sends an instruction for revoking the SSL certificate of the third client to the CA service module. This realizes the revocation of a client's SSL certificate, avoids the problem of a client still being granted normal access after its authorization was revoked midway, and controls client access more safely and efficiently.
Based on the foregoing embodiment, in this embodiment, the client access control method is applied to a server program module, and the method further includes:
the method comprises the steps of configuring a CA certificate and address information of a CA service module for an SSL module, and starting the SSL module;
the CA certificate is a public key used by the CA service module when issuing the SSL certificate of the second client.
It should be further noted that the CA certificate configured in the SSL module by the server program module is used for comparison with the certificate information in the SSL connection request information sent by the client to be verified, in order to determine whether the issuing information of the CA certificate in the client requesting access matches the CA certificate configured in the SSL module.
Specifically, the server program module configures a CA certificate and address information of a CA service module for the SSL module, and starts the SSL module; the CA certificate is a public key used by the CA service module when issuing the SSL certificate of the second client.
This embodiment provides a client access control method applied to the server program module of a terminal management system: the server program module configures the CA certificate and the address information of the CA service module in the SSL module and starts the SSL module; the CA certificate is the public key used by the CA service module when issuing the SSL certificate of the second client. The implementation of the client access control requirement is thus moved down from the application layer of the system to the SSL connection layer, which is safer and more efficient and reduces the implementation complexity of the application layer software.
Fig. 5 is a flow chart of another client access control method provided in this embodiment. Referring to Fig. 5, the method is the client certificate issuing and authentication flow and specifically includes:
preparing a CA certificate, wherein the CA certificate can be self-signed or issued by an authority;
starting a CA service program, wherein the CA service program can use a CA certificate to issue a client certificate;
configuring the CA certificate and the URL of the CA OCSP service program in the SSL module and starting it. OCSP, the Online Certificate Status Protocol, specifies the communication syntax between server and client applications; it was created to query the status of digital certificates in a Public Key Infrastructure (PKI) system in place of a Certificate Revocation List (CRL). When a client attempts to access a server, the online certificate status protocol sends a request for certificate status information, and the server replies with a response of "valid", "expired" or "unknown";
when deploying a client, the server program generates a certificate configuration file for the client, which includes, but is not limited to, filling the unique identifier of the client (such as a machine ID) into the CN field of the subject and filling the Validity field of the certificate according to the authorization date;
the server program calls the CA service program interface and passes in the client certificate configuration file to generate the client certificate;
the client uses the SSL certificate to connect to the server;
the SSL module verifies the certificate; the verification covers whether the certificate was issued by the server, whether it has been revoked and whether it is within its validity period, and the result determines whether the client is allowed to access.
Fig. 6 is a flow chart of another client access control method according to this embodiment. Referring to Fig. 6, the method specifically includes:
access by a client needs to be prohibited, for example by forcibly cancelling the client's authorization;
the server program calls the API of the CA (certificate authority) to revoke the certificate corresponding to the client, passing in the subject and the serial number of the certificate, and the CA sets the certificate to the revoked state;
the client continues to try to establish a connection using the certificate that the server has already revoked;
the SSL module queries the certificate status through OCSP, finds that the certificate has been revoked, refuses the connection and returns an error message.
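The issuing, verification and revocation flows of Figs. 5 and 6, as an added Python model written for this page (example code, not the patent's or any product's implementation). The CA service module issues certificates from the configuration file and keeps their status, the server program module's revocation instruction passes subject and serial number, and the SSL module checks identity, validity period and issuer against its pre-stored information before asking the CA for the status. Module and field names, the in-memory status table standing in for the OCSP service, and the employee certificates are constructed assumptions.

```python
# Added model of the client access control flow described in Figs. 5 and 6.
# Module names, fields and sample values are constructed for this example.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Set


@dataclass(frozen=True)
class ClientCert:
    """Fields of a client SSL certificate that the SSL module examines."""
    identity: str     # CN field of the subject: unique identifier such as a machine ID
    not_before: date  # Validity field, filled in from the authorization date
    not_after: date
    issuer: str       # issuing CA, compared with the CA certificate configured in the SSL module
    serial: int       # serial number, the key under which the CA tracks certificate status


@dataclass
class CAServiceModule:
    """CA service module: issues certificates and answers status queries (OCSP role)."""
    name: str
    issued: Dict[int, ClientCert] = field(default_factory=dict)
    status_of: Dict[int, str] = field(default_factory=dict)
    next_serial: int = 1

    def issue(self, config: dict) -> ClientCert:
        """Generate a certificate from the server program module's certificate
        configuration file and store the certificate and its status locally."""
        cert = ClientCert(config["identity"], config["valid_from"],
                          config["valid_to"], self.name, self.next_serial)
        self.next_serial += 1
        self.issued[cert.serial] = cert
        self.status_of[cert.serial] = "normal"
        return cert

    def revoke(self, identity: str, serial: int) -> bool:
        """Revocation instruction from the server program module: subject and
        serial number are passed in; returns False when they match no issued cert."""
        cert = self.issued.get(serial)
        if cert is None or cert.identity != identity:
            return False
        self.status_of[serial] = "revoked"
        return True

    def status(self, cert: ClientCert) -> str:
        """Status analysis: a certificate the CA never issued, or whose fields
        differ from the issued copy, is reported as forged."""
        issued = self.issued.get(cert.serial)
        if issued is None or issued != cert:
            return "forged"
        return self.status_of[cert.serial]


@dataclass
class SSLModule:
    """SSL module, configured by the server program module with the CA
    certificate (represented here by the CA name) and the CA service address
    (represented here by a direct reference to the CA service module)."""
    ca: CAServiceModule
    trusted_issuer: str
    known_identities: Set[str]   # pre-stored identification information

    def verify(self, cert: ClientCert, today: date) -> str:
        """Returns 'allow' or 'deny: <reason>'. Stage 1 uses only pre-stored
        information; stage 2 queries the CA only when stage 1 passed."""
        if cert.identity not in self.known_identities:
            return "deny: unknown identity"
        if not (cert.not_before <= today <= cert.not_after):
            return "deny: outside validity period"
        if cert.issuer != self.trusted_issuer:
            return "deny: issuer does not match the configured CA certificate"
        result = self.ca.status(cert)        # certificate status acquisition request
        return "allow" if result == "normal" else f"deny: certificate {result}"


def demo(today: date = date(2022, 6, 1)) -> Dict[str, str]:
    """Constructed scenario modelled on the employee examples in the text."""
    ca = CAServiceModule("company-ca")
    ssl = SSLModule(ca, "company-ca", {"01", "02", "04"})
    c01 = ca.issue({"identity": "01", "valid_from": date(2021, 1, 1), "valid_to": date(2023, 1, 1)})
    c02 = ca.issue({"identity": "02", "valid_from": date(2021, 1, 1), "valid_to": date(2022, 1, 1)})
    c04 = ca.issue({"identity": "04", "valid_from": date(2021, 1, 1), "valid_to": date(2023, 1, 1)})
    ca.revoke("04", c04.serial)   # employee D leaves: authorization withdrawn mid-term
    # A certificate with plausible fields but a serial number the CA never issued.
    fake = ClientCert("01", c01.not_before, c01.not_after, "company-ca", 999)
    return {
        "01": ssl.verify(c01, today),     # allow
        "02": ssl.verify(c02, today),     # deny: outside validity period
        "04": ssl.verify(c04, today),     # deny: certificate revoked
        "fake": ssl.verify(fake, today),  # deny: certificate forged
    }


if __name__ == "__main__":
    for client, decision in demo().items():
        print(client, decision)
```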
Fig. 7 is a block diagram of a client access control device according to the present embodiment, where the device includes a first receiving module 701, a verification module 702, a first sending module 703, and a first control module 704, where:
a first receiving module 701, configured to receive SSL connection request information initiated by a first client; wherein the SSL connection request information is generated based on a preset SSL certificate and CA certificate of the first client;
SSL is a secure network connection layer and the current standard method of secure access: it provides security and data integrity for network communication by encrypting the network connection directly between the transport layer and the application layer, ensures that data is delivered to the correct client and the correct server, and prevents data from being stolen in transit. The SSL module is standard and generic, for example SSL client authentication using nginx directly.
It should be further noted that the SSL certificate of the first client may be an issued SSL certificate, such as a self-issued SSL certificate or an SSL certificate issued by an authority, or it may be a revoked SSL certificate. The first client is the client to be verified; it is an Agent program deployed on a Windows or Linux host and is a client managed by the server. The first client can be communicatively connected to the terminal management system to which the SSL module belongs in a wired or wireless manner, and can send SSL connection request information to the SSL module through a mobile phone, a tablet computer, a computer or company-specific electronic equipment.
Specifically, the first client sends SSL connection request information to the SSL module, and the SSL module receives the SSL connection request information initiated by the first client.
For example, an information technology company provides each of its employees with a dedicated computer; employee A sends SSL connection request information to the SSL module of the company's terminal management system through the computer with identity code 01, and the SSL module receives the SSL connection request information initiated by employee A through that computer.
The verification module 702 is configured to verify the certificate information in the SSL connection request information according to pre-stored certificate verification information, and generate first client SSL certificate status acquisition request information if the verification is passed;
the prestored certificate verification information comprises prestored identification information of the SSL certificate, valid time information and issuing information of the CA certificate.
Specifically, the SSL module verifies the certificate information in the SSL connection request information according to pre-stored certificate verification information, and generates first client SSL certificate status acquisition request information when the verification is passed.
For example, the SSL module in the terminal management system of an information technology company verifies the certificate information in the SSL connection request information initiated by employee A through the computer with identity code 01 against the pre-stored identification information, validity time information and issuing information of the CA certificate. In the certificate of the computer with identity code 01 used by employee A, the identification information is identity code 01, the validity time information is January 2021 to January 2023, and the issuing information of the CA certificate is a given organization. Comparison against the certificate verification information pre-stored in the SSL module verifies the certificate information of the computer with identity code 01, and the SSL certificate status acquisition request information for the computer with identity code 01 is then generated.
A first sending module 703, configured to send the first client certificate status acquisition request information to a CA service module;
the CA is a certificate authority, and may issue various digital certificates, and the certificate issued by the CA authority may be a CA certificate, and the SSL certificate is one of the certificates issued by the CA authority, and besides, the certificate issued by the CA authority may be a mail certificate, an encryption certificate, or a software digital certificate, which is not limited herein.
It should be further noted that even when the certificate information of the first client passes verification, that is, the first client holds a certificate that is within its validity period and whose issuer information is correct, it still cannot be determined whether the certificate has been revoked or is counterfeit. To prevent a client whose certificate has been revoked or is suspected of being counterfeit from gaining access, it is therefore necessary to further send the first client certificate status acquisition request information to the CA service module.
Specifically, according to pre-stored certificate verification information, when the certificate information in the SSL connection request information sent by the first client matches with the pre-stored certificate verification information in the SSL module, that is, the verification is passed, first client SSL certificate status acquisition request information is generated, and the SSL module sends the first client certificate status acquisition request information to the CA service module.
For example, according to the pre-stored certificate verification information, the SSL module in the terminal management system of an information technology company generates the first client SSL certificate status acquisition request information when the certificate information in the SSL connection request information sent by the employee a through the computer with the identity code of 01 matches the pre-stored certificate verification information in the SSL module, i.e. the verification is passed, and the SSL module sends the first client certificate status acquisition request information to the CA service module.
And the first control module 704 is configured to receive a status analysis result of the CA service module on the first client certificate status acquisition request information, and control access of the first client according to the status analysis result.
The state analysis result can be a normal state, a revocation state or a fake state, and the access of the first client is allowed under the condition that the state analysis result is normal; and prohibiting the access of the first client under the condition that the state analysis result is the revocation or the falsification.
Specifically, the SSL module receives a status analysis result of the CA service module for the first client certificate status acquisition request information, and controls access of the first client according to the status analysis result.
For example, an SSL module in a terminal management system of an information technology company obtains a status analysis result of request information after receiving a status of a computer certificate with an identity code 01 used by a CA service module for employee a, and controls access of a computer with the identity code 01 used by employee a according to the status analysis result.
This embodiment provides a client access control device applied to the SSL module of a terminal management system. The first receiving module 701 receives SSL connection request information initiated by a first client, where the SSL connection request information is generated based on a preset SSL certificate and CA certificate of the first client; the verification module 702 verifies the certificate information in the SSL connection request information according to pre-stored certificate verification information and generates first client SSL certificate status acquisition request information if verification passes; the first sending module 703 sends the first client certificate status acquisition request information to a CA service module; and the first control module 704 receives the status analysis result of the CA service module for that request information and controls access of the first client according to it. This addresses the problem that an existing terminal management system controls client access at the application layer, which is neither secure nor efficient enough and adds complexity to the application layer software: by moving the implementation of client access control from the application layer down to the SSL connection layer, the system becomes more secure and efficient and the application layer software becomes simpler.
Optionally, the verification module 702 further includes:
a module for prohibiting access of the first client in case verification is not passed.
This embodiment provides a client access control device applied to the SSL module of a terminal management system, which verifies the certificate information in the SSL connection request information according to pre-stored certificate verification information and prohibits access of the first client when verification is not passed. This avoids a client still gaining access with a certificate that has expired or whose identity information or issuing information is incorrect, so that client access is controlled more securely and effectively.
Optionally, the first control module 704 specifically includes:
a module for allowing access of the first client when the status analysis result is normal;
and a module for prohibiting access of the first client when the status analysis result is revoked or forged.
This embodiment provides a client access control device applied to the SSL module of a terminal management system, which allows access of the first client when the status analysis result is normal and prohibits access of the first client when the status analysis result is revoked or forged. This addresses the problem that an existing terminal management system controls client access at the application layer, which is neither secure nor efficient enough and adds complexity to the application layer software; moving the implementation of client access control from the application layer down to the SSL connection layer makes the system more secure and efficient and reduces the implementation complexity of the application layer software.
Optionally, the pre-stored certificate verification information in the verification module 702 includes:
pre-stored identification information and validity time information of the SSL certificate, and issuing information of the CA certificate.
Fig. 8 is a block diagram of another client access control device according to this embodiment. The device includes a second receiving module 801 and a second control module 802, where:
the second receiving module 801 is configured to receive the first client certificate status acquisition request information sent by the SSL module;
the second control module 802 is configured to perform status analysis on the first client certificate status acquisition request information and send the status analysis result to the SSL module, so that the SSL module controls access of the first client according to the result.
It should be further noted that the CA service module is part of the terminal management system.
Specifically, the CA service module receives the first client certificate status acquisition request information sent by the SSL module, performs status analysis on it, and sends the status analysis result to the SSL module so that the SSL module controls access of the first client according to the result.
For example, the CA service module in the terminal management system of an information technology company receives the certificate status acquisition request information for the computer with identity code 01 from the SSL module, performs status analysis on that request information, and sends the status analysis result to the SSL module so that the SSL module controls access of the computer with identity code 01 according to the result.
This embodiment provides a client access control device applied to the CA service module of a terminal management system. The second receiving module 801 receives the first client certificate status acquisition request information sent by the SSL module, and the second control module 802 performs status analysis on it and sends the status analysis result to the SSL module so that the SSL module controls access of the first client according to the result. This addresses the problem that an existing terminal management system controls client access at the application layer, which is neither secure nor efficient enough and adds complexity to the application layer software.
Optionally, the second control module 802 specifically includes:
a status analysis module, configured to perform status analysis on the first client certificate status acquisition request information according to pre-stored status information of the SSL certificate, and to return a status analysis result of SSL certificate revoked or forged to the SSL module when the status analysis result is abnormal;
and to return a status analysis result of SSL certificate normal to the SSL module when the status analysis result is normal.
This embodiment provides a client access control device applied to the CA service module of a terminal management system, which performs status analysis on the first client certificate status acquisition request information according to pre-stored status information of SSL certificates, returns a status analysis result of SSL certificate revoked or forged to the SSL module when the result is abnormal, and returns a status analysis result of SSL certificate normal when the result is normal. This avoids a client gaining normal access although its certificate was revoked midway or is forged; providing the CA service module makes client access more secure and efficient.
Optionally, the apparatus further includes:
a module for receiving the certificate configuration file of a second client sent by the server program module;
a module for generating the SSL certificate of the second client and the status information of that SSL certificate according to the certificate configuration file of the second client, and storing the SSL certificate and its status information locally, where the SSL certificate of the second client includes identification information of the second client and validity time information of the SSL certificate of the second client;
and a module for sending the SSL certificate of the second client to the server program module, so that the SSL certificate of the second client is delivered to the second client through the server program module.
This embodiment provides a client access control device applied to the CA service module of a terminal management system, which receives the certificate configuration file of a second client sent by the server program module; generates the SSL certificate of the second client and its status information according to that configuration file and stores both locally, where the SSL certificate of the second client includes identification information of the second client and validity time information of the certificate; and sends the SSL certificate of the second client to the server program module so that it is delivered to the second client. The CA service module thereby issues SSL certificates for new clients, so that the implementation of client access control is moved from the application layer of the system down to the SSL connection layer, which is more secure and efficient and reduces the implementation complexity of the application layer software.
Optionally, the apparatus further includes:
a module for receiving an instruction, sent by the server program module, to revoke the SSL certificate of a third client;
a module for searching for the SSL certificate of the third client among the SSL certificates of the issued clients;
and a module for setting the status information of the SSL certificate of the third client to the revoked state.
This embodiment provides a client access control device in which the CA service module receives an instruction from the server program module to revoke the SSL certificate of a third client. Providing the CA service module avoids a client still gaining normal access after its certificate has been revoked midway, so that client access is controlled more securely and efficiently.
Fig. 9 is a block diagram of a further client access control device according to this embodiment. The device includes a generating module 901 and a second sending module 902, where:
the generating module 901 is configured to generate a certificate configuration file for a second client and send it to the CA service module, so that the CA service module generates the SSL certificate of the second client according to the certificate configuration file; the SSL certificate of the second client includes identification information of the second client and validity time information of the SSL certificate of the second client;
and the second sending module 902 is configured to receive the SSL certificate of the second client from the CA service module and send it to the second client.
The server program module generates the certificate configuration file for the second client. The configuration file contains the identification information of the second client, such as the identity ID of the user's computer, together with related information on which access can be decided, such as the authorised validity date of the client.
Specifically, the server program module generates a certificate configuration file for the second client and sends it to the CA service module, so that the CA service module generates the SSL certificate of the second client according to that configuration file; the SSL certificate of the second client includes identification information of the second client and validity time information of the SSL certificate of the second client. The server program module then receives the SSL certificate of the second client from the CA service module and sends it to the second client.
For example, the server program module of an information technology company generates a certificate configuration file for the new computer of new employee C and sends it to the CA service module, so that the CA service module generates the SSL certificate of employee C's new computer according to that configuration file. The identification information of employee C's new computer is identity code 03, and the validity time information of the SSL certificate is 1 January 2022 to 1 January 2024. The server program module receives the SSL certificate of employee C's new computer from the CA service module and sends it to that computer.
This embodiment provides a client access control device applied to the server program module of a terminal management system. The generating module 901 generates a certificate configuration file for a second client and sends it to the CA service module, so that the CA service module generates the SSL certificate of the second client according to that configuration file, where the SSL certificate of the second client includes identification information of the second client and validity time information of the certificate; and the second sending module 902 receives the SSL certificate of the second client from the CA service module and sends it to the second client. SSL certificates are thereby issued to new clients, and client access is controlled more securely and efficiently.
Optionally, the apparatus further includes:
a module for sending an instruction to revoke the SSL certificate of a third client to the CA service module.
This embodiment provides a client access control device in which the server program module sends an instruction to revoke the SSL certificate of a third client to the CA service module. Revocation of a client's SSL certificate is thereby implemented, a client is prevented from still gaining normal access after its certificate has been revoked midway, and client access is controlled more securely and efficiently.
Optionally, the apparatus further includes:
a module for configuring the CA certificate and the address information of the CA service module for the SSL module, and starting the SSL module; the CA certificate carries the public key corresponding to the private key with which the CA service module signs the SSL certificate of the second client, and is what the SSL module uses to check that a presented SSL certificate was issued by that CA.
This embodiment provides a client access control device applied to the server program module of a terminal management system, which configures the CA certificate and the address information of the CA service module for the SSL module and starts the SSL module, the CA certificate carrying the public key corresponding to the key used by the CA service module when issuing the SSL certificate of the second client. The implementation of client access control is thus moved from the application layer of the system down to the SSL connection layer, which is more secure and efficient and reduces the implementation complexity of the application layer software.
Fig. 10 is a block diagram of a client access control system according to this embodiment. The system includes an SSL module, a CA service module and a server program module, where:
the SSL module is configured to receive SSL connection request information initiated by a first client, where the SSL connection request information is generated based on a preset SSL certificate and CA certificate of the first client; verify the certificate information in the SSL connection request information according to pre-stored certificate verification information and generate first client SSL certificate status acquisition request information if verification passes; send the first client certificate status acquisition request information to the CA service module; and receive the status analysis result of the CA service module for that request information and control access of the first client according to the result.
The CA service module is configured to receive the first client certificate status acquisition request information sent by the SSL module, perform status analysis on it, and send the status analysis result to the SSL module so that the SSL module controls access of the first client according to the result.
The server program module is configured to generate a certificate configuration file for a second client and send it to the CA service module, so that the CA service module generates the SSL certificate of the second client according to that configuration file, where the SSL certificate of the second client includes identification information of the second client and validity time information of the certificate; and to receive the SSL certificate of the second client from the CA service module and send it to the second client.
This embodiment provides a client access control system that addresses the problem that an existing terminal management system controls client access at the application layer, which is neither secure nor efficient enough and adds complexity to the application layer software.
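The interaction of the three modules described above (the server program module's certificate configuration file and revocation instruction, the CA service module's issuance, local status record and status analysis, and the SSL module's verification and access decision), as an added, self-contained example that is not part of the patent and not the applicant's code. It is written in Go using only the standard library's crypto/x509 package. The names CAService, SSLModule, CertConfig, the status strings "normal", "revoked" and "forged", and the choice to carry the identity code in the certificate's common name are assumptions made for the example; the CA service module is modelled as an in-process object rather than a service reached at a configured address. One deliberate departure from a literal reading of the description: the SSL module's issuer check verifies the certificate signature against the configured CA certificate in addition to comparing the issuer name, because a name comparison alone would accept a certificate minted by anyone who copies the CA's name.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Status values returned by the CA service module's state analysis (assumed encoding).
const StatusNormal, StatusRevoked, StatusForged = "normal", "revoked", "forged"

// must keeps the example short by panicking on error; production code would return it.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// sign builds a certificate from tmpl, signed with priv under parent, and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv))))
}

// CertConfig is the certificate configuration file the server program module generates for a new client.
type CertConfig struct {
	IdentityCode        string
	NotBefore, NotAfter time.Time
}

// CAService models the CA service module: CA key pair, issued certificates by serial number, and their status.
type CAService struct {
	key    *ecdsa.PrivateKey
	Cert   *x509.Certificate // the CA certificate that the server program module configures into the SSL module
	issued map[string]*x509.Certificate
	status map[string]string
}

// NewCAService creates a self-signed CA certificate and an empty issuance record.
func NewCAService(name string, now time.Time) *CAService {
	key := newKey()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return &CAService{key: key, Cert: sign(tmpl, tmpl, &key.PublicKey, key),
		issued: map[string]*x509.Certificate{}, status: map[string]string{}}
}

// Issue generates the client SSL certificate from its configuration file and records it locally as normal.
func (ca *CAService) Issue(cfg CertConfig, pub *ecdsa.PublicKey) *x509.Certificate {
	serial := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)))
	c := sign(&x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cfg.IdentityCode},
		NotBefore: cfg.NotBefore, NotAfter: cfg.NotAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca.Cert, pub, ca.key)
	ca.issued[serial.String()], ca.status[serial.String()] = c, StatusNormal
	return c
}

// Revoke executes the server program module's instruction: find the client's certificate and mark it revoked.
func (ca *CAService) Revoke(identityCode string) bool {
	for serial, c := range ca.issued {
		if c.Subject.CommonName == identityCode {
			ca.status[serial] = StatusRevoked
			return true
		}
	}
	return false
}

// Status is the state analysis: an unrecorded certificate, or one differing from the stored copy, is forged.
func (ca *CAService) Status(c *x509.Certificate) string {
	if stored, ok := ca.issued[c.SerialNumber.String()]; !ok || !bytes.Equal(stored.Raw, c.Raw) {
		return StatusForged
	}
	return ca.status[c.SerialNumber.String()]
}

// SSLModule holds the pre-stored verification information and the CA service module it queries for status.
type SSLModule struct {
	KnownIDs map[string]bool   // pre-stored identification information
	CACert   *x509.Certificate // pre-stored issuing information: the CA certificate
	CA       *CAService
}

// Admit checks identification information, validity period and issuer (name and signature against the CA
// certificate), denies on any failure, and otherwise allows access only if the CA service reports normal.
func (m *SSLModule) Admit(c *x509.Certificate, now time.Time) (bool, string) {
	switch {
	case !m.KnownIDs[c.Subject.CommonName]:
		return false, "verification failed: unknown identity code " + c.Subject.CommonName
	case now.Before(c.NotBefore) || now.After(c.NotAfter):
		return false, "verification failed: certificate outside its validity period"
	case c.Issuer.CommonName != m.CACert.Subject.CommonName || c.CheckSignatureFrom(m.CACert) != nil:
		return false, "verification failed: certificate not issued by the configured CA"
	}
	st := m.CA.Status(c)
	return st == StatusNormal, st
}

func main() {
	now := time.Date(2022, 6, 1, 0, 0, 0, 0, time.UTC)
	ca := NewCAService("Terminal Management CA", now)
	ssl := &SSLModule{KnownIDs: map[string]bool{"01": true, "03": true}, CACert: ca.Cert, CA: ca}
	cert := ca.Issue(CertConfig{"01", now.AddDate(-1, 0, 0), now.AddDate(1, 0, 0)}, &newKey().PublicKey)
	fmt.Println(ssl.Admit(cert, now)) // true normal
	ca.Revoke("01")
	fmt.Println(ssl.Admit(cert, now)) // false revoked
}
```

In a deployment, Admit is what runs inside the TLS handshake's client-certificate verification step, and Status would be a request to the CA service module at its configured address carrying the issuer and serial number of the presented certificate. The Raw comparison in Status is what distinguishes "forged" from "revoked" when an attacker who has obtained the CA signing key re-issues a certificate for a known identity code: the signature verifies, but the CA service module has no matching record.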
Fig. 11 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention. As shown in Fig. 11, the electronic device may include a processor 1110, a communication interface 1120, a memory 1130 and a bus 1140, where the processor 1110, the communication interface 1120 and the memory 1130 communicate with each other via the bus 1140. The bus 1140 may be used for information transfer between the electronic device and the sensor. The processor 1110 may call logic instructions in the memory 1130 to perform the following method: the SSL module receives SSL connection request information initiated by a first client, where the SSL connection request information is generated based on a preset SSL certificate and CA certificate of the first client; verifies the certificate information in the SSL connection request information according to pre-stored certificate verification information and generates first client SSL certificate status acquisition request information if verification passes; sends the first client certificate status acquisition request information to a CA service module; and receives the status analysis result of the CA service module for that request information and controls access of the first client according to the result. The CA service module receives the first client certificate status acquisition request information sent by the SSL module, performs status analysis on it, and sends the status analysis result to the SSL module so that the SSL module controls access of the first client according to the result. The server program module generates a certificate configuration file for a second client and sends it to the CA service module, so that the CA service module generates the SSL certificate of the second client according to that configuration file, where the SSL certificate of the second client includes identification information of the second client and validity time information of the certificate; and receives the SSL certificate of the second client from the CA service module and sends it to the second client.
Further, the logic instructions in the memory 1130 may be implemented in the form of software functional units and, when sold or used as a stand-alone product, stored on a computer-readable storage medium. On this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
In another aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium storing computer instructions that cause a computer to perform the client access control method provided in the above embodiments, for example including: the SSL module receives SSL connection request information initiated by a first client, where the SSL connection request information is generated based on a preset SSL certificate and CA certificate of the first client; verifies the certificate information in the SSL connection request information according to pre-stored certificate verification information and generates first client SSL certificate status acquisition request information if verification passes; sends the first client certificate status acquisition request information to a CA service module; and receives the status analysis result of the CA service module for that request information and controls access of the first client according to the result. The CA service module receives the first client certificate status acquisition request information sent by the SSL module, performs status analysis on it, and sends the status analysis result to the SSL module so that the SSL module controls access of the first client according to the result. The server program module generates a certificate configuration file for a second client and sends it to the CA service module, so that the CA service module generates the SSL certificate of the second client according to that configuration file, where the SSL certificate of the second client includes identification information of the second client and validity time information of the certificate; and receives the SSL certificate of the second client from the CA service module and sends it to the second client.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware. On this understanding, the foregoing technical solution, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disk, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in the respective embodiments or in some parts of the embodiments.
In yet another aspect, the present invention also provides a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, perform the client access control method provided by the above methods, the method comprising: the SSL module receives SSL connection request information initiated by a first client, where the SSL connection request information is generated based on a preset SSL certificate and CA certificate of the first client; verifies the certificate information in the SSL connection request information according to pre-stored certificate verification information and generates first client SSL certificate status acquisition request information if verification passes; sends the first client certificate status acquisition request information to a CA service module; and receives the status analysis result of the CA service module for that request information and controls access of the first client according to the result. The CA service module receives the first client certificate status acquisition request information sent by the SSL module, performs status analysis on it, and sends the status analysis result to the SSL module so that the SSL module controls access of the first client according to the result. The server program module generates a certificate configuration file for a second client and sends it to the CA service module, so that the CA service module generates the SSL certificate of the second client according to that configuration file, where the SSL certificate of the second client includes identification information of the second client and validity time information of the certificate; and receives the SSL certificate of the second client from the CA service module and sends it to the second client.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and are not limiting. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will appreciate that the technical solutions described in the foregoing embodiments can be modified, or some of their technical features replaced by equivalents, and that such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (11)

1. The client access control method is characterized by being applied to an SSL module and comprising the following steps:
receiving SSL connection request information initiated by a first client; the SSL connection request information is generated based on a preset SSL certificate and a preset CA certificate of a first client, wherein the first client is a client to be verified;
verifying the certificate information in the SSL connection request information according to pre-stored certificate verification information, and generating first client SSL certificate state acquisition request information under the condition that verification is passed;
sending the first client certificate state acquisition request information to a CA service module;
Receiving a state analysis result of the CA service module on the first client certificate state acquisition request information, and controlling access of the first client according to the state analysis result, wherein the method further comprises the following steps: and prohibiting access of the first client in case that the verification is not passed.
2. The method for controlling access to a client according to claim 1, wherein the step of receiving a result of state analysis of the request information for the first client certificate obtained by the CA service module, and controlling access to the first client according to the result of state analysis, specifically comprises:
allowing the access of the first client under the condition that the state analysis result is normal;
and prohibiting the access of the first client under the condition that the state analysis result is the revocation or the falsification.
3. The client access control method of claim 1, wherein the pre-stored credential verification information comprises:
the identification information, the validity time information and the issuing information of the CA certificate of the SSL certificate are stored in advance.
4. A client access control method, characterized in that it is applied to a CA service module and comprises the following steps:
receiving first client certificate state acquisition request information sent by an SSL module;
performing state analysis on the first client certificate state acquisition request information, and sending a state analysis result to the SSL module so that the SSL module controls access of the first client according to the state analysis result, wherein the method further comprises the following steps:
receiving a certificate configuration file of a second client sent by a server program module;
generating an SSL certificate of the second client and state information of the SSL certificate of the second client according to the certificate configuration file of the second client, and storing the SSL certificate and the state information of the SSL certificate of the second client locally; the SSL certificate of the second client comprises identification information of the second client and validity time information of the SSL certificate of the second client;
and sending the SSL certificate of the second client to the server program module so that the SSL certificate mark of the second client is sent to the second client through the server program module, wherein the second client is a client for which an SSL certificate needs to be generated.
5. The client access control method according to claim 4, wherein the performing state analysis on the first client certificate state acquisition request information and sending the state analysis result to the SSL module comprises:
performing state analysis on the first client certificate state acquisition request information according to the pre-stored state information of the SSL certificate, and returning a state analysis result of SSL certificate revocation or falsification to the SSL module in the case that the state analysis result is abnormal;
and returning a state analysis result of normal SSL certificate state to the SSL module in the case that the state analysis result is normal.
6. The client access control method according to claim 4, wherein the method further comprises:
receiving an instruction sent by the server program module to revoke an SSL certificate of a third client;
searching for the SSL certificate of the third client among the issued client SSL certificates;
and setting the state information of the SSL certificate of the third client to a revoked state.
7. A client access control device, characterized in that it is applied to an SSL module and comprises a first receiving module, a verification module, a first sending module and a first control module, wherein:
the first receiving module is used for receiving SSL connection request information initiated by a first client; the SSL connection request information is generated based on a preset SSL certificate and a preset CA certificate of the first client, wherein the first client is a client to be verified;
the verification module is used for verifying the certificate information in the SSL connection request information according to pre-stored certificate verification information, and generating first client SSL certificate state acquisition request information in the case that the verification is passed;
the first sending module is used for sending the first client certificate state acquisition request information to a CA service module;
the first control module is used for receiving a state analysis result of the CA service module on the first client certificate state acquisition request information and controlling access of the first client according to the state analysis result; and the verification module is further used for prohibiting access of the first client in the case that the verification is not passed.
8. A client access control device, characterized in that it is applied to a CA service module and comprises a second receiving module and a second control module, wherein:
the second receiving module is used for receiving first client certificate state acquisition request information sent by an SSL module;
the second control module is configured to perform state analysis on the first client certificate state acquisition request information and send a state analysis result to the SSL module, so that the SSL module controls access of the first client according to the state analysis result; and the second receiving module is further configured to receive a certificate configuration file of a second client sent by a server program module;
the second control module is further configured to: generate an SSL certificate of the second client and state information of the SSL certificate of the second client according to the certificate configuration file of the second client, and store the SSL certificate and the state information of the SSL certificate of the second client locally; the SSL certificate of the second client comprises identification information of the second client and validity time information of the SSL certificate of the second client;
and send the SSL certificate of the second client to the server program module so that the SSL certificate mark of the second client is sent to the second client through the server program module, wherein the second client is a client for which an SSL certificate needs to be generated.
9. A client access control system, comprising: an SSL module, a CA service module and a server program module; wherein
the SSL module is configured to execute the steps of the client access control method according to any one of claims 1 to 3;
the CA service module is configured to execute the steps of the client access control method according to any one of claims 4 to 6;
the server program module is configured to execute the following steps:
generating a certificate configuration file for a second client, and sending the certificate configuration file of the second client to the CA service module, so that the CA service module generates an SSL certificate of the second client according to the certificate configuration file of the second client; the SSL certificate of the second client comprises identification information of the second client and validity time information of the SSL certificate of the second client;
and receiving the SSL certificate of the second client from the CA service module, and sending the SSL certificate of the second client to the second client.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the client access control method according to any of claims 1 to 3 or the steps of the client access control method according to any of claims 4 to 6 when the program is executed.
11. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the steps of the client access control method according to any of claims 1 to 3 or the steps of the client access control method according to any of claims 4 to 6.
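A runnable model of the two-stage decision in claims 1 to 6, added here as an illustration and not code from the patent: the SSL module checks identification, validity time and issuing information locally, and only a "normal" state answer from the CA service module (which also issues and revokes certificates) allows access. All class, field and client names, the dict-based certificate representation and the sample dates are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

NORMAL, REVOKED, FALSIFIED = "normal", "revoked", "falsified"
UTC = timezone.utc

@dataclass
class CAServiceModule:
    """Claims 4-6: issues client SSL certificates and keeps their state information."""
    ca_subject: str                             # subject of the CA certificate (constructed)
    issued: dict = field(default_factory=dict)  # client_id -> (certificate, state)
    def issue(self, config: dict) -> dict:      # claim 4: certificate from the server's config file
        cert = {"client_id": config["client_id"], "issuer": self.ca_subject,
                "not_before": config["not_before"], "not_after": config["not_after"]}
        self.issued[cert["client_id"]] = (cert, NORMAL)
        return cert

    def revoke(self, client_id: str) -> None:   # claim 6: find the issued cert, mark it revoked
        self.issued[client_id] = (self.issued[client_id][0], REVOKED)

    def status(self, cert: dict) -> str:        # claim 5: answer the state acquisition request
        entry = self.issued.get(cert["client_id"])
        if entry is None or entry[0] != cert:   # never issued, or fields differ from our copy
            return FALSIFIED
        return entry[1]

@dataclass
class SSLModule:
    """Claims 1-3: local checks on the presented certificates, then a state query to the CA."""
    ca: CAServiceModule
    verification_info: dict   # pre-stored: known client ids and the expected CA subject
    def control_access(self, request: dict, now: datetime) -> bool:
        cert, ca_cert = request["ssl_certificate"], request["ca_certificate"]
        expected_ca = self.verification_info["ca_subject"]
        # Claim 3: identification, validity time and issuing information
        if cert["client_id"] not in self.verification_info["client_ids"]:
            return False
        if not cert["not_before"] <= now <= cert["not_after"]:
            return False
        if cert["issuer"] != expected_ca or ca_cert["subject"] != expected_ca:
            return False
        return self.ca.status(cert) == NORMAL   # claim 2: allow only on "normal"

def demo() -> dict:
    # Constructed scenario: normal access, a tampered validity field, then revocation.
    ca = CAServiceModule("Example Root CA")
    cert = ca.issue({"client_id": "client-a", "not_before": datetime(2022, 1, 18, tzinfo=UTC),
                     "not_after": datetime(2023, 1, 18, tzinfo=UTC)})
    ssl = SSLModule(ca, {"client_ids": {"client-a"}, "ca_subject": "Example Root CA"})
    now = datetime(2022, 6, 1, tzinfo=UTC)
    req = {"ssl_certificate": cert, "ca_certificate": {"subject": ca.ca_subject}}
    forged = dict(req, ssl_certificate=dict(cert, not_after=datetime(2099, 1, 1, tzinfo=UTC)))
    results = {"normal": ssl.control_access(req, now), "forged": ssl.control_access(forged, now)}
    ca.revoke("client-a")
    results["revoked"] = ssl.control_access(req, now)
    return results
```

The tampered certificate passes the local field checks but is reported as falsified because it no longer matches the copy the CA service module stored at issuance, which is the point of the second stage.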
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210056377.3A CN114615309B (en) 2022-01-18 2022-01-18 Client access control method, device, system, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114615309A CN114615309A (en) 2022-06-10
CN114615309B true CN114615309B (en) 2024-03-15

Family

ID=81857725

Country Status (1)

Country Link
CN (1) CN114615309B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116233352B (en) * 2023-05-06 2023-07-07 北京电信易通信息技术股份有限公司 Terminal data transmission method and system in video conference scene

Citations (10)

Publication number Priority date Publication date Assignee Title
CN101072108A (en) * 2007-07-17 2007-11-14 杭州华三通信技术有限公司 SSL VPN client end safety inspection method, system and device
CN101883106A (en) * 2010-06-30 2010-11-10 赛尔网络有限公司 Network access authentication method and server based on digital certificate
CN103441991A (en) * 2013-08-12 2013-12-11 江苏华大天益电力科技有限公司 Mobile terminal security access platform
CN105592059A (en) * 2015-10-14 2016-05-18 杭州华三通信技术有限公司 Digital certificate verification method and device
CN106789897A (en) * 2016-11-15 2017-05-31 沃通电子认证服务有限公司 For the digital certificate authentication method and system of application program for mobile terminal
CN107306182A (en) * 2016-04-19 2017-10-31 大唐移动通信设备有限公司 A kind of method, client and server for generating digital certificate
CN109413201A (en) * 2018-11-27 2019-03-01 东软集团股份有限公司 SSL traffic method, apparatus and storage medium
US10521581B1 (en) * 2017-07-14 2019-12-31 EMC IP Holding Company LLC Web client authentication and authorization
CN111585976A (en) * 2020-04-09 2020-08-25 北京理工大学 Communication method, communication apparatus, storage medium, and electronic device
CN113014546A (en) * 2021-01-29 2021-06-22 深圳市风云实业有限公司 Certificate-based authentication registration state management method and system

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US20030126433A1 (en) * 2001-12-27 2003-07-03 Waikwan Hui Method and system for performing on-line status checking of digital certificates
US9455980B2 (en) * 2014-12-16 2016-09-27 Fortinet, Inc. Management of certificate authority (CA) certificates

Non-Patent Citations (1)

Title
Research on key technologies of trusted network access based on user behavior; Zhuang Junxi; China Doctoral Dissertations Full-text Database, Information Science and Technology series; full text *

Also Published As

Publication number Publication date
CN114615309A (en) 2022-06-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant after: Qianxin Technology Group Co.,Ltd.

Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant before: Qianxin Technology Group Co.,Ltd.

Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.

GR01 Patent grant