CN117938975A - SSL protocol mutual conversion method and device based on API gateway - Google Patents

Info

Publication number: CN117938975A
Application number: CN202311802390.XA
Authority: CN (China)
Other languages: Chinese (zh)
Prior art keywords: ssl, international, protocol, client, api gateway
Legal status: Pending
Inventor: 宋飞虎
Current assignee: Unihub China Information Technology Co Ltd
Original assignee: Unihub China Information Technology Co Ltd
Abstract

The invention discloses a method and a device for mutual conversion of SSL protocols based on an API gateway. The method comprises the following steps: S01, traffic preprocessing: the API gateway receives the client traffic and determines its protocol type; S02, configuration management: the mapping relation between the national security SSL protocol and the international SSL protocol is managed; S03, protocol conversion: traffic of the national security SSL protocol is converted, so that the client's traffic and international SSL protocol traffic are converted into each other; S04, traffic forwarding: the converted international SSL message is forwarded to the back-end service, and the response received from the back-end service is forwarded to the client. The method and device for mutual conversion of SSL protocols based on an API gateway provided by the invention have the advantages that two sets of back-end servers need not be deployed, rapid deployment is possible without modifying the back-end service, and the national security SSL protocol is supported at low cost.

Description

SSL protocol mutual conversion method and device based on API gateway
Technical Field
The invention relates to the field of communication, and in particular to a method and a device for mutual conversion of SSL protocols based on an API gateway.
Background
With the growing importance of the national cryptographic standards, national security SSL certificates (based on the Chinese national cryptographic algorithms SM2, SM3 and SM4) are increasingly adopted by government authorities and enterprises and have become an important technical means of improving the security of website data. Because the encryption algorithms, message formats and protocol versions of the national security SSL and the international SSL differ, an enterprise cannot support the national security SSL and the international SSL at the same time. At present most website encryption uses TLS, and few domestic websites use the national cryptographic algorithms. A client cannot determine which protocol the server uses for encryption before connecting to it, and if the wrong protocol is used the connection fails.
To solve the above problem, two schemes are generally used in the industry: deploying two sets of back-end servers that process national security SSL and international SSL protocol messages respectively; or deploying a set of proxy equipment that judges from the SSL protocol version of the client message whether it is the national security SSL protocol or the international SSL protocol and forwards the message to the corresponding back-end server for processing. Such solutions increase the cost to the enterprise and hinder rapid deployment.
Disclosure of Invention
To solve the problems in the prior art, the invention provides a method and a device for mutual conversion of SSL protocols based on an API gateway, so that an enterprise can quickly support the national security SSL protocol at low cost without modifying its back-end service.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
In an embodiment of the present invention, a method for mutual conversion of SSL protocols based on an API gateway is provided, the method comprising:
S01, traffic preprocessing: the API gateway receives the client traffic and determines the protocol type of the traffic;
Further, S01 includes:
S011, uploading a national security SSL certificate to the API gateway;
S012, receiving the client traffic, identifying the User-Agent field of the request header in the traffic, judging whether the client browser is a mainstream international browser, and forwarding the traffic of a mainstream international browser directly to the back-end service;
S013, if the client browser is not a mainstream international browser, continuing to identify the client hello message of the SSL protocol;
S014, parsing the version number in the client hello message and determining whether the protocol type of the traffic is the national security SSL protocol or the international SSL protocol;
S015, matching a route for the subsequent international SSL protocol messages and forwarding them to the back-end service.
Browsers differ in their User-Agent, and mainstream international browsers do not support the national security SSL protocol, so identifying the User-Agent gives an initial screening of the messages.
Further, the version number of the national security SSL protocol is 0x0101;
in the international SSL protocol, the version number of TLSv1.0 is 0x0301, the version number of TLSv1.1 is 0x0302, the version number of TLSv1.2 is 0x0303, and the version number of TLSv1.3 is 0x0304.
S02, configuration management: managing the mapping relation between the national security SSL protocol and the international SSL protocol;
Further, S02 includes:
S021, mapping the version number of the national security SSL protocol to the highest TLS version number supported by the back-end service;
For example: if the back-end service supports TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3 at the same time, TLSv1.3 is selected as the TLS version to which the national security SSL protocol is mapped.
S022, keeping the client random number, the compression algorithm list and the extension fields of the international SSL protocol consistent with those of the national security SSL protocol;
Further, the compression algorithms in S022 include: the NULL compression algorithm, the LZS compression algorithm, the deflate compression algorithm, the gzip compression algorithm, etc.
S023, mapping the cipher suites supported by the national security SSL protocol to the corresponding international SSL protocol cipher suites;
Further, a cipher suite in S023 comprises an encryption algorithm and a key length.
Further, the common encryption algorithms of the national security SSL protocol in S023 include SM2, SM3 and SM4; common encryption algorithms of the international SSL protocol include RSA, SHA, Diffie-Hellman, AES, etc.
The key lengths and encryption strengths of the national security and international SSL protocol algorithms are not exactly equivalent; for example, the key length commonly used by the RSA encryption algorithm is 2048 bits, while the key length commonly used by the SM2 algorithm is 256 bits, which is equivalent to 3072-bit RSA.
For example: the 256-bit-key SM2 algorithm of the national security SSL protocol is mapped to the 2048-bit-key RSA algorithm.
S024, regenerating the length fields of the international SSL protocol according to the new message length.
S03, protocol conversion: converting the traffic of the national security SSL protocol, so that the client's traffic and the international SSL protocol traffic are converted into each other;
Further, step S03 includes:
S031, repackaging the national security SSL protocol traffic into a client hello message of the international SSL protocol according to the mapping relation;
S032, establishing a connection with the back-end service using the repackaged client hello message;
S033, taking the source port of the repackaged client hello message as the key and the source IP and source port of the client as the value, and storing the key-value pair in a Redis cache;
Further, in S033 the source port is the port the API gateway uses to access the back-end service.
Further, in S033 the source IP and source port are the IP and port the client uses to access the API gateway.
S034, performing SSL offloading on the subsequent national security SSL protocol messages of the client and generating new international SSL messages according to the mapping relation.
S04, traffic forwarding: forwarding the converted international SSL message to the back-end service, and forwarding the received back-end service response to the client.
Further, S04 includes:
S041, forwarding the converted international SSL message to the back-end service;
S042, when the API gateway receives the response of the back-end service, using the destination port of the response message as the key to look up the corresponding client IP and port;
Further, the destination port of the response message is the port the API gateway uses to access the back-end service.
S043, offloading the international SSL message and repackaging it into a national security SSL message according to the mapping relation;
S044, forwarding the repackaged SSL message to the client IP and port;
S045, forwarding the subsequent client requests according to the rules of the traffic forwarding module.
In an embodiment of the present invention, an apparatus for mutual conversion of SSL protocols based on an API gateway is further provided, the apparatus comprising:
a traffic preprocessing module, which receives the client traffic using the API gateway and determines whether the protocol type of the traffic is the national security or the international SSL protocol;
a configuration management module, which manages the mapping relation between the national security SSL protocol and the international SSL protocol;
a protocol conversion module, which converts the traffic of the national security SSL protocol, so that the client's traffic and the international SSL protocol traffic are converted into each other;
and a traffic forwarding module, which forwards the converted international SSL message to the back-end service and, after conversion, forwards the received back-end service response to the client.
In an embodiment of the present invention, a computer device is further provided, comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, where the processor implements the foregoing method for mutual conversion of SSL protocols based on an API gateway when executing the computer program.
In an embodiment of the present invention, a computer-readable storage medium is also provided, which stores a computer program for executing the foregoing method for mutual conversion of SSL protocols based on an API gateway.
The beneficial effects are that:
the method and device for mutual conversion of SSL protocols based on an API gateway provided by the invention do not require two sets of back-end servers to be deployed, allow rapid deployment without modifying the back-end service, and support the national security SSL protocol at low cost.
Drawings
Fig. 1 is a flow chart of the method for mutual conversion of SSL protocols based on an API gateway according to the present invention;
Fig. 2 is a flow chart of the traffic processing of user A according to an embodiment of the present invention;
Fig. 3 is a flow chart of the traffic processing of user B according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of the structure of the apparatus for mutual conversion of SSL protocols based on an API gateway according to the present invention;
Fig. 5 is a schematic diagram of a computer device according to an embodiment of the present invention.
Detailed Description
The principles and spirit of the present invention will be described below with reference to several exemplary embodiments, with the understanding that these embodiments are merely provided to enable those skilled in the art to better understand and practice the invention and are not intended to limit the scope of the invention in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Those skilled in the art will appreciate that embodiments of the invention may be implemented as a system, apparatus, device, method, or computer program product. Accordingly, the present disclosure may be embodied in the following forms, namely: complete hardware, complete software (including firmware, resident software, micro-code, etc.), or a combination of hardware and software.
According to the embodiment of the invention, a method and a device for mutual conversion of SSL protocols based on an API gateway are provided, so that an enterprise can quickly support the national security SSL protocol at low cost without modifying its back-end service.
The principles and spirit of the present invention are explained in detail below with reference to several representative embodiments thereof.
As shown in Fig. 1, the present invention relates to a method for mutual conversion of SSL protocols based on an API gateway, the method comprising:
S01, traffic preprocessing: the API gateway receives the client traffic and determines the protocol type of the traffic;
S01 includes:
S011, uploading a national security SSL certificate to the API gateway;
S012, receiving the client traffic, identifying the User-Agent field of the request header in the traffic, judging whether the client browser is a mainstream international browser, and forwarding the traffic of a mainstream international browser directly to the back-end service;
S013, if the client browser is not a mainstream international browser, continuing to identify the client hello message of the SSL protocol;
S014, parsing the version number in the client hello message and determining whether the protocol type of the traffic is the national security SSL protocol or the international SSL protocol;
S015, matching a route for the subsequent international SSL protocol messages and forwarding them to the back-end service.
Browsers differ in their User-Agent, and mainstream international browsers do not support the national security SSL protocol, so identifying the User-Agent gives an initial screening of the messages.
The version number of the national security SSL protocol is 0x0101;
in the international SSL protocol, the version number of TLSv1.0 is 0x0301, the version number of TLSv1.1 is 0x0302, the version number of TLSv1.2 is 0x0303, and the version number of TLSv1.3 is 0x0304.
S02, configuration management: managing the mapping relation between the national security SSL protocol and the international SSL protocol;
S02 includes:
S021, mapping the version number of the national security SSL protocol to the highest TLS version number supported by the back-end service;
For example: if the back-end service supports TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3 at the same time, TLSv1.3 is selected as the TLS version to which the national security SSL protocol is mapped.
S022, keeping the client random number, the compression algorithm list and the extension fields of the international SSL protocol consistent with those of the national security SSL protocol;
the compression algorithms in S022 include: the NULL compression algorithm, the LZS compression algorithm, the deflate compression algorithm, the gzip compression algorithm, etc.
S023, mapping the cipher suites supported by the national security SSL protocol to the corresponding international SSL protocol cipher suites;
a cipher suite in S023 comprises an encryption algorithm and a key length.
The common encryption algorithms of the national security SSL protocol in S023 include SM2, SM3 and SM4; common encryption algorithms of the international SSL protocol include RSA, SHA, Diffie-Hellman, AES, etc.
The key lengths and encryption strengths of the national security and international SSL protocol algorithms are not exactly equivalent; for example, the key length commonly used by the RSA encryption algorithm is 2048 bits, while the key length commonly used by the SM2 algorithm is 256 bits, which is equivalent to 3072-bit RSA.
For example: the 256-bit-key SM2 algorithm of the national security SSL protocol is mapped to the 2048-bit-key RSA algorithm.
S024, regenerating the length fields of the international SSL protocol according to the new message length.
S03, protocol conversion: converting the traffic of the national security SSL protocol, so that the client's traffic and the international SSL protocol traffic are converted into each other;
S031, repackaging the national security SSL protocol traffic into a client hello message of the international SSL protocol according to the mapping relation;
S032, establishing a connection with the back-end service using the repackaged client hello message;
S033, taking the source port of the repackaged client hello message as the key and the source IP and source port of the client as the value, and storing the key-value pair in a Redis cache;
the source port in S033 is the port the API gateway uses to access the back-end service.
The source IP and source port in S033 are the IP and port the client uses to access the API gateway.
S034, performing SSL offloading on the subsequent national security SSL protocol messages of the client and generating new international SSL messages according to the mapping relation.
S04, traffic forwarding: forwarding the converted international SSL message to the back-end service, and forwarding the received back-end service response to the client.
S04 includes:
S041, forwarding the converted international SSL message to the back-end service;
S042, when the API gateway receives the response of the back-end service, using the destination port of the response message as the key to look up the corresponding client IP and port;
the destination port of the response message is the port the API gateway uses to access the back-end service.
S043, offloading the international SSL message and repackaging it into a national security SSL message according to the mapping relation;
S044, forwarding the repackaged SSL message to the client IP and port;
S045, forwarding the subsequent client requests according to the rules of the traffic forwarding module.
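The following is an added worked example of steps S014 and S021 to S031 (classify a client hello by its version number, then repackage it for the back-end with the mapped version and cipher suites and regenerated length fields); it is editorial illustration, not code from the patent or its assignee. It assumes the SUITE_MAP pairings and the host name gw.example, which are constructed for the example, and it goes one step beyond the text in one respect: a real TLS 1.3 client hello keeps 0x0303 in its version field and announces 0x0304 in the supported_versions extension, so a gateway that only reads the version field would misclassify TLS 1.3 clients; the example handles that case on both the detection and the generation side.

```python
import struct

# Version numbers exactly as the description gives them: 0x0101 for the national
# security SSL protocol, 0x0301..0x0304 for TLSv1.0..TLSv1.3.
NATIONAL_SSL_VERSION = 0x0101
TLS_VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B  # TLS 1.3 supported_versions extension (RFC 8446)

# ASSUMED cipher-suite mapping for step S023; the pairings are illustrative and not
# taken from the page. Left: code points used here for two SM2/SM4/SM3 suites;
# right: the real TLS 1.3 suite code points the back-end would accept.
SUITE_MAP = {
    0xE013: 0x1301,  # ECC_SM4_SM3 (assumed code point) -> TLS_AES_128_GCM_SHA256
    0xE011: 0x1302,  # ECDHE_SM4_SM3 (assumed code point) -> TLS_AES_256_GCM_SHA384
}


def parse_client_hello(record: bytes) -> dict:
    """Split one handshake record carrying a client hello into the fields the gateway needs."""
    if len(record) < 5:
        raise ValueError("record header truncated")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len or body[0] != 0x01:
        raise ValueError("not a complete client hello record")
    hs_len = int.from_bytes(body[1:4], "big")
    h = body[4:4 + hs_len]
    if len(h) != hs_len:
        raise ValueError("handshake length does not match record length")
    pos = 34  # 2-byte version followed by the 32-byte client random
    sid_len = h[pos]; pos += 1
    session_id = h[pos:pos + sid_len]; pos += sid_len
    cs_len = int.from_bytes(h[pos:pos + 2], "big"); pos += 2
    suites = [int.from_bytes(h[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]; pos += cs_len
    comp_len = h[pos]; pos += 1
    compression = list(h[pos:pos + comp_len]); pos += comp_len
    extensions = []
    if pos < len(h):  # extensions block is optional in older clients
        ext_len = int.from_bytes(h[pos:pos + 2], "big"); pos += 2
        end = pos + ext_len
        while pos < end:
            etype = int.from_bytes(h[pos:pos + 2], "big")
            elen = int.from_bytes(h[pos + 2:pos + 4], "big")
            extensions.append((etype, h[pos + 4:pos + 4 + elen]))
            pos += 4 + elen
    return {"version": int.from_bytes(h[0:2], "big"), "random": h[2:34],
            "session_id": session_id, "suites": suites,
            "compression": compression, "extensions": extensions}


def classify(hello: dict) -> str:
    """S014: name the protocol from the version field (and supported_versions for TLS 1.3)."""
    for etype, edata in hello["extensions"]:
        if etype == SUPPORTED_VERSIONS_EXT:
            # A TLS 1.3 client keeps 0x0303 in the version field and lists 0x0304 here.
            offered = [int.from_bytes(edata[i:i + 2], "big") for i in range(1, 1 + edata[0], 2)]
            if 0x0304 in offered:
                return "TLSv1.3"
    v = hello["version"]
    if v == NATIONAL_SSL_VERSION:
        return "national"
    if v in TLS_VERSIONS:
        return TLS_VERSIONS[v]
    raise ValueError(f"unknown protocol version 0x{v:04x}")


def build_client_hello(hello: dict) -> bytes:
    """Serialise a client hello, regenerating every length field from the new content (S024)."""
    version = hello["version"]
    extensions = list(hello["extensions"])
    if version == 0x0304:
        # Emit a well-formed TLS 1.3 hello: legacy version 0x0303 plus supported_versions.
        version = 0x0303
        extensions = [e for e in extensions if e[0] != SUPPORTED_VERSIONS_EXT]
        extensions.append((SUPPORTED_VERSIONS_EXT, bytes([2, 0x03, 0x04])))
    body = struct.pack("!H", version) + hello["random"]
    body += bytes([len(hello["session_id"])]) + hello["session_id"]
    suites = b"".join(struct.pack("!H", s) for s in hello["suites"])
    body += struct.pack("!H", len(suites)) + suites
    body += bytes([len(hello["compression"])]) + bytes(hello["compression"])
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    rec_version = NATIONAL_SSL_VERSION if version == NATIONAL_SSL_VERSION else 0x0301
    return struct.pack("!BHH", 0x16, rec_version, len(handshake)) + handshake


def convert_to_international(record: bytes, backend_max_version: int) -> bytes:
    """S031: repackage a national security client hello per the S021-S024 mapping."""
    hello = parse_client_hello(record)
    if classify(hello) != "national":
        raise ValueError("only national security SSL client hellos are converted")
    try:
        suites = [SUITE_MAP[s] for s in hello["suites"]]  # S023
    except KeyError as exc:
        raise ValueError(f"no international mapping for suite 0x{exc.args[0]:04x}")
    # S021 maps the version; random, compression and extensions are kept (S022).
    return build_client_hello(dict(hello, version=backend_max_version, suites=suites))


def sample_national_hello() -> bytes:
    """Constructed national security (0x0101) client hello with a server_name extension."""
    name = b"gw.example"  # constructed host name, not from the page
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni = (0x0000, struct.pack("!H", len(entry)) + entry)
    return build_client_hello({"version": NATIONAL_SSL_VERSION, "random": bytes(range(32)),
                               "session_id": b"", "suites": [0xE013, 0xE011],
                               "compression": [0], "extensions": [sni]})
```

Run the block and call `convert_to_international(sample_national_hello(), 0x0304)` to get the record the gateway would send to a TLSv1.3-only back-end; parsing that output with `parse_client_hello` shows the client random, compression list and server_name extension carried over unchanged while the version, suites and every length field are new.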
It should be noted that although the operations of the method of the present invention are described in a particular order in the above embodiments and the accompanying drawings, this does not require or imply that the operations must be performed in the particular order or that all of the illustrated operations be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform.
In order to more clearly explain the method of the SSL protocol inter-conversion based on the API gateway, the following description is made with reference to specific embodiments, however, it should be noted that this embodiment is only for better explaining the present invention, and is not meant to limit the present invention unduly.
An enterprise has deployed a set of HTTPS services using the international SSL protocol and, owing to security and compliance requirements, now needs to support both the national security and the international SSL protocol. To support the national security SSL protocol quickly and at low cost, the back-end service is not modified; instead, the international SSL protocol and the national security SSL protocol are converted into each other on an API gateway. User A accesses the back-end service with an IE8.0 browser and user B with a browser that supports the national security SSL protocol.
The traffic of user A is processed as shown in Fig. 2:
the API gateway receives the traffic of user A, recognizes the User-Agent of user A as Mozilla/4.0 (compatible; MSIE 8.0;Windows NT 6.0;Trident/4.0), and judges that user A uses the IE8.0 browser;
the API gateway directly matches a route for the traffic of user A and forwards it to the back-end service;
the response of the back-end service received by the API gateway is forwarded directly to user A.
The traffic of user B is processed as shown in Fig. 3:
the API gateway receives the traffic of user B, whose source IP and source port are 192.168.0.101 and 50011 respectively, and judges from the User-Agent of user B that user B is not using a mainstream international browser;
the traffic of user B is identified further: the client hello message of the SSL protocol is parsed, the SSL version number is found to be 0x0101, and it is determined that user B uses the national security SSL protocol;
the fields of the client hello message of user B are parsed to obtain the field values mapped into the international SSL protocol;
assume that the client hello message fields of user B are as shown in Table 1:
Table 1
the mapped fields are as shown in Table 2:
Table 2
the API gateway generates a new international SSL protocol client hello message from the mapped fields and requests the back-end service; the source port of the request is 50012;
after the API gateway establishes the SSL connection with the back-end service, the source port used by the API gateway to request the back-end service is taken as the key and the IP and port used by user B to access the API gateway as the value; the key-value pair 50012:192.168.0.101-50011 is generated and stored in the Redis cache;
the API gateway receives the subsequent requests of user B and converts the national security SSL messages into international SSL messages with which it requests the back-end service;
after receiving the response of the back-end service, the API gateway looks up the Redis key-value pair by the destination port of the response, obtains the IP and port of user B, maps the message into a national security SSL message and returns it to user B.
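The following is an added example of the connection table behind steps S033 and S042 as exercised in the user B walk-through above (gateway source port as key, client IP and port as value); it is editorial illustration, not code from the patent or its assignee. An in-process dictionary stands in for the Redis cache, and the values 50012, 192.168.0.101 and 50011 are the page's own example. It also adds two safeguards the text does not spell out: an entry expires after a TTL and is deleted when the back-end connection closes, and a register on a port that is still mapped is refused, because a stale entry keyed only by port would otherwise route a back-end response to whichever client last used that port.

```python
import time


class ConnectionTable:
    """Stand-in for the Redis cache of S033: gateway source port -> originating client.

    With Redis the same logic is SET key value EX ttl on connect, GET on each
    back-end response and DEL on close; the clock is injectable so the expiry
    path can be exercised deterministically.
    """

    def __init__(self, ttl_seconds: float = 300.0, clock=time.monotonic):
        self._entries = {}  # gateway_port -> (client_ip, client_port, expires_at)
        self._ttl = ttl_seconds
        self._clock = clock

    def register(self, gateway_port: int, client_ip: str, client_port: int) -> str:
        """S033: record which client a gateway-to-back-end connection belongs to.

        Returns the pair in the 'port:ip-port' notation used in the description.
        """
        live = self._entries.get(gateway_port)
        if live is not None and live[2] > self._clock():
            # One gateway source port can only carry one live back-end connection;
            # a live entry here means a close was missed, so refuse rather than misroute.
            raise ValueError(f"gateway port {gateway_port} is still mapped to {live[0]}:{live[1]}")
        self._entries[gateway_port] = (client_ip, client_port, self._clock() + self._ttl)
        return f"{gateway_port}:{client_ip}-{client_port}"

    def lookup(self, response_dst_port: int):
        """S042: the back-end response's destination port is the gateway's source port.

        Returns (client_ip, client_port), or None when there is no live mapping,
        in which case the caller must drop the response instead of guessing.
        """
        entry = self._entries.get(response_dst_port)
        if entry is None:
            return None
        client_ip, client_port, expires_at = entry
        if expires_at <= self._clock():
            del self._entries[response_dst_port]  # expired: treat as unknown
            return None
        return client_ip, client_port

    def release(self, gateway_port: int) -> None:
        """Drop the mapping when the back-end connection closes so the port can be reused."""
        self._entries.pop(gateway_port, None)


def user_b_walkthrough() -> dict:
    """Replay the user B flow: register on connect, resolve on response, release on close."""
    table = ConnectionTable()
    pair = table.register(50012, "192.168.0.101", 50011)   # constructed per the description
    routed = table.lookup(50012)                            # response from back-end, dst port 50012
    table.release(50012)                                    # back-end connection closed
    return {"pair": pair, "routed": routed, "after_release": table.lookup(50012)}


if __name__ == "__main__":
    print(user_b_walkthrough())
```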
Based on the same inventive concept, the invention also provides an SSL protocol interconversion device based on the API gateway. The implementation of the device can be referred to as implementation of the above method, and the repetition is not repeated. The term "module" as used below may be a combination of software and/or hardware that implements the intended function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
Fig. 4 is a schematic diagram of an apparatus structure for SSL protocol inter-conversion based on an API gateway according to the present invention. As shown in fig. 4, the apparatus includes:
the traffic preprocessing module 110 receives the client traffic using the API gateway and determines whether the protocol type of the traffic is the national security or the international SSL protocol;
the configuration management module 120 manages the mapping relation between the national security SSL protocol and the international SSL protocol;
the protocol conversion module 130 converts the traffic of the national security SSL protocol, so that the client's traffic and the international SSL protocol traffic are converted into each other;
the traffic forwarding module 140 forwards the converted international SSL message to the back-end service and, after conversion, forwards the received back-end service response to the client.
It should be noted that although several modules of an API gateway based SSL protocol interconversion device are mentioned in the above detailed description, this division is merely exemplary and not mandatory. Indeed, the features and functions of two or more modules described above may be embodied in one module in accordance with embodiments of the present invention. Conversely, the features and functions of one module described above may be further divided into a plurality of modules to be embodied.
Based on the foregoing inventive concept, as shown in fig. 5, the present invention further proposes a computer device 200, including a memory 210, a processor 220, and a computer program 230 stored in the memory 210 and capable of running on the processor 220, where the processor 220 implements the method for mutually converting SSL protocols based on API gateway when executing the computer program 230.
Based on the foregoing inventive concept, the present invention also proposes a computer-readable storage medium storing a computer program for executing the foregoing method of SSL protocol inter-conversion based on an API gateway.
The SSL protocol interconversion method and device based on the API gateway provided by the invention have the advantages that two sets of back-end servers are not required to be deployed, the quick deployment can be realized under the condition that the back-end service is not modified, and the national security SSL protocol is supported in a low-cost mode.
While the spirit and principles of the present invention have been described with reference to several particular embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, and the division into aspects does not imply that features of the various aspects cannot be used in combination; the division is made merely for convenience of description. The invention is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.
Various implementations of the systems and techniques described above can be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs, which may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and pointing device (e.g., a mouse or trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server incorporating a blockchain.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps recited in the present disclosure may be performed in parallel or sequentially or in a different order, provided that the desired results of the technical solutions of the present disclosure are achieved, and are not limited herein.
The above detailed description should not be taken as limiting the scope of the present disclosure. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present disclosure are intended to be included within the scope of the present disclosure.
It should be apparent to those skilled in the art that various modifications or variations of the present invention can be made on the basis of its technical solutions without inventive effort.

Claims (15)

1. A method for mutual conversion of SSL protocols based on an API gateway, the method comprising:
S01, traffic preprocessing: receiving client traffic with the API gateway and determining the protocol type of the traffic;
S02, configuration management: managing the mapping relation between the national security SSL protocol (the SM2/SM3/SM4-based GM SSL protocol) and the international SSL protocol;
S03, protocol conversion: converting national security SSL protocol traffic, so that client traffic and international SSL protocol traffic are converted into each other;
S04, traffic forwarding: forwarding the converted international SSL messages to the back-end service and forwarding the received back-end service responses to the client.
2. The method for mutual conversion of SSL protocols based on an API gateway according to claim 1, wherein S01 comprises:
S011, uploading a national security SSL certificate to the API gateway;
S012, receiving the client traffic, reading the User-Agent field of the request header in the traffic and judging whether the client browser is a general-purpose international browser; traffic from a general-purpose international browser is forwarded directly to the back-end service;
S013, if the client browser is not a general-purpose international browser, continuing by identifying the client hello message of the SSL protocol;
S014, parsing the version number in the client hello message and determining whether the protocol type of the traffic is the national security SSL protocol or the international SSL protocol;
S015, matching, routing and forwarding subsequent international SSL protocol messages to the back-end service.
3. The method for mutual conversion of SSL protocols based on an API gateway according to claim 2, wherein the version number of the national security SSL protocol is 0x0101;
in the international SSL protocol, the TLSv1.0 version number is 0x0301, the TLSv1.1 version number is 0x0302, the TLSv1.2 version number is 0x0303 and the TLSv1.3 version number is 0x0304.
4. The method for mutual conversion of SSL protocols based on API gateway according to claim 1, wherein said S02 comprises:
S021, mapping the version number of the national security SSL protocol to the highest TLS version number supported by the back-end service;
S022, keeping the client random number, the compression algorithm list and the extension fields of the international SSL protocol consistent with those of the national security SSL protocol;
S023, mapping the cipher suites supported by the national security SSL protocol to the corresponding international SSL protocol cipher suites;
S024, regenerating the length fields of the international SSL protocol according to the new message length.
5. The method for mutual conversion of SSL protocols based on an API gateway according to claim 4, wherein the compression algorithms in S022 comprise: the NULL compression algorithm, the LZS compression algorithm, the Deflate compression algorithm and the gzip compression algorithm.
6. The method according to claim 4, wherein the cipher suite in S023 comprises an encryption algorithm and a key length.
7. The method for mutual conversion of SSL protocols based on an API gateway according to claim 4, wherein the cryptographic algorithms of the national security SSL protocol in S023 comprise SM2, SM3 and SM4, and the cryptographic algorithms of the international SSL protocol comprise RSA, SHA, Diffie-Hellman and AES.
8. The method for mutual conversion of SSL protocols based on an API gateway according to claim 1, wherein S03 comprises:
S031, repackaging the national security SSL protocol traffic into a client hello message of the international SSL protocol according to the mapping relation;
S032, establishing a connection with the back-end service using the repackaged client hello message;
S033, storing a key-value pair in a Redis cache, with the source port of the repackaged client hello message as the key and the client's source IP and source port as the value;
S034, performing SSL offloading on the subsequent national security SSL protocol messages of the client and generating new international SSL messages according to the mapping relation.
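The detection and repackaging steps of claims 2 to 8, as an added worked example (my code, not the patent's or Unihub's implementation). It parses one handshake record, classifies it by the version field as claim 3 describes, and rebuilds a national security (GM) ClientHello for a TLS back end with the version, cipher suites and length fields rewritten (S021 to S024, S031) while the client random, compression list and extensions are carried over unchanged (S022). Two caveats a practitioner would want: a TLS 1.3 client puts 0x0303 in the version field and announces 0x0304 in the supported_versions extension (RFC 8446), so a check on the version field alone would file it as TLSv1.2, which the example handles; and the User-Agent field of S012 sits inside the encrypted HTTP request and is only readable after the gateway has terminated the session, whereas the ClientHello version is visible in the first packet. The cipher-suite table, the GM suite identifiers (quoted from memory of GM/T 0024-2014) and the back end's highest version (TLS 1.2) are assumptions for the example.

```python
"""Classify a ClientHello as GM-SSL or international TLS, then repackage a GM
ClientHello for a TLS back end (added example, not the patent's implementation)."""
import struct

GM_SSL_VERSION = 0x0101          # version field of GM/T 0024 / TLCP handshakes
TLS_VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
EXT_SUPPORTED_VERSIONS = 43      # RFC 8446: TLS 1.3 announces 0x0304 here, not in the version field

# Hypothetical S023 mapping table. GM suite IDs are quoted from memory of GM/T 0024-2014
# and should be checked against the standard; TLS suite IDs are the IANA values.
CIPHER_MAP = {
    0xE013: 0xC02B,  # ECC_SM4_SM3   -> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    0xE011: 0xC02B,  # ECDHE_SM4_SM3 -> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    0xE019: 0xC02F,  # RSA_SM4_SM3   -> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}


def _u16(buf: bytes, pos: int) -> int:
    return struct.unpack_from("!H", buf, pos)[0]


def parse_client_hello(record: bytes) -> dict:
    """Split one handshake record carrying a ClientHello into its fields.
    Length fields are checked against the bytes present so a truncated record raises."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = _u16(record, 3)
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version, pos = _u16(hello, pos), pos + 2
    client_random, pos = hello[pos:pos + 32], pos + 32
    sid_len = hello[pos]
    session_id, pos = hello[pos + 1:pos + 1 + sid_len], pos + 1 + sid_len
    cs_len = _u16(hello, pos)
    cipher_suites = [_u16(hello, pos + 2 + i) for i in range(0, cs_len, 2)]
    pos += 2 + cs_len
    comp_len = hello[pos]
    compression, pos = list(hello[pos + 1:pos + 1 + comp_len]), pos + 1 + comp_len
    extensions = []
    if pos < len(hello):                      # the extensions block is optional
        end = pos + 2 + _u16(hello, pos)
        pos += 2
        while pos < end:
            etype, elen = struct.unpack_from("!HH", hello, pos)
            extensions.append((etype, hello[pos + 4:pos + 4 + elen]))
            pos += 4 + elen
    return {"version": version, "random": client_random, "session_id": session_id,
            "cipher_suites": cipher_suites, "compression": compression, "extensions": extensions}


def classify(fields: dict) -> str:
    """S014: GM-SSL versus international TLS. A TLS 1.3 client sends legacy_version 0x0303
    and lists 0x0304 in supported_versions, so the version field alone would say TLSv1.2."""
    if fields["version"] == GM_SSL_VERSION:
        return "GM-SSL"
    for etype, data in fields["extensions"]:
        if etype == EXT_SUPPORTED_VERSIONS and data:
            if 0x0304 in [_u16(data, 1 + i) for i in range(0, data[0], 2)]:
                return "TLSv1.3"
    return TLS_VERSIONS.get(fields["version"], "unknown")


def build_client_hello(fields: dict, version: int) -> bytes:
    """Serialize fields into a record; every length field is recomputed (S024)."""
    body = struct.pack("!H", version) + fields["random"]
    body += bytes([len(fields["session_id"])]) + fields["session_id"]
    suites = b"".join(struct.pack("!H", c) for c in fields["cipher_suites"])
    body += struct.pack("!H", len(suites)) + suites
    body += bytes([len(fields["compression"])]) + bytes(fields["compression"])
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in fields["extensions"])
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def gm_to_tls(record: bytes, backend_max_version: int = 0x0303) -> bytes:
    """S021-S023 and S031: map the version to the back end's highest TLS version (assumed
    TLS 1.2 here), keep random, compression and extensions, and map the cipher suites."""
    fields = parse_client_hello(record)
    if classify(fields) != "GM-SSL":
        raise ValueError("not a GM-SSL ClientHello")
    mapped = []
    for suite in fields["cipher_suites"]:
        tls_suite = CIPHER_MAP.get(suite)
        if tls_suite is not None and tls_suite not in mapped:
            mapped.append(tls_suite)
    if not mapped:   # refuse rather than forward a hello the back end cannot negotiate
        raise ValueError("no offered GM cipher suite has a configured TLS equivalent")
    fields["cipher_suites"] = mapped
    return build_client_hello(fields, backend_max_version)


def sample_gm_client_hello() -> bytes:
    """Constructed GM-SSL ClientHello used as test input (not a capture)."""
    fields = {"random": bytes(range(32)), "session_id": b"", "compression": [0],
              "cipher_suites": [0xE013, 0xE011, 0xE019], "extensions": []}
    return build_client_hello(fields, GM_SSL_VERSION)


if __name__ == "__main__":
    rec = sample_gm_client_hello()
    print(classify(parse_client_hello(rec)))             # GM-SSL
    print(classify(parse_client_hello(gm_to_tls(rec))))  # TLSv1.2
```

Running the module classifies the constructed GM hello, converts it and classifies the result as TLSv1.2. Because the suites are replaced rather than appended, a back end never sees GM identifiers it cannot negotiate, and a hello whose suites have no configured equivalent is rejected at the gateway instead of producing a handshake failure downstream.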
9. The method for mutual conversion of SSL protocols based on an API gateway according to claim 8, wherein the source port in S033 is the port the API gateway uses to access the back-end service.
10. The method for mutual conversion of SSL protocols based on an API gateway according to claim 8, wherein the source IP and source port in S033 are respectively the IP and the port the client uses to access the API gateway.
11. The method for mutual conversion of SSL protocols based on an API gateway according to claim 1, wherein S04 comprises:
S041, forwarding the converted international SSL message to the back-end service;
S042, when the API gateway receives the response of the back-end service, looking up the corresponding client IP and port using the destination port of the response message as the key;
S043, offloading the international SSL message and repackaging it into a national security SSL message according to the mapping relation;
S044, forwarding the repackaged national security SSL message to the client IP and port;
S045, forwarding subsequent client requests according to the rules of the traffic forwarding module.
12. The method for mutual conversion of SSL protocols based on an API gateway according to claim 11, wherein the destination port in the response message is the port the API gateway uses to access the back-end service.
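The connection bookkeeping of S033 and S042 (claims 8 to 12), as an added example that is not part of the patent. It keeps the table the claims describe in process memory rather than Redis and departs from the claim in one respect worth checking in a real deployment: a TCP ephemeral port is unique only per local address, so keying the entry on the gateway's source port alone, as claim 9 describes, collides as soon as two gateway nodes share one Redis or one node has several egress addresses. The example keys on (gateway IP, gateway port), expires entries after an assumed idle TTL, and includes a small replay that shows the port-only collision. The TTL value, the address tuples and the replayed registrations are constructed for the example.

```python
"""Gateway connection table for S033 and S042 (added example, not the patent's code)."""
import time
from typing import Callable, Dict, List, Optional, Tuple

Addr = Tuple[str, int]   # (IP, port)


class ConnectionMap:
    """Remember which client each backend-facing connection was opened for.

    The patent stores {source port of the repackaged ClientHello -> (client IP,
    client port)} in Redis and resolves a back-end response by its destination port.
    An ephemeral port is unique only per local address, so this example keys on
    (gateway IP, gateway port) and adds an assumed idle TTL so abandoned handshakes
    do not pin entries forever.
    """

    def __init__(self, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock            # injectable so expiry can be tested deterministically
        self._entries: Dict[Addr, Tuple[Addr, float]] = {}

    def register(self, gateway_addr: Addr, client_addr: Addr) -> None:
        """S033: record the mapping once the back-end socket is bound and its port is known."""
        self._entries[gateway_addr] = (client_addr, self._clock() + self._ttl)

    def resolve_response(self, gateway_addr: Addr) -> Optional[Addr]:
        """S042: a back-end response arrived at gateway_addr (its destination IP and port);
        return the client to forward to, or None if the entry is unknown or has expired."""
        entry = self._entries.get(gateway_addr)
        if entry is None:
            return None
        client_addr, expires_at = entry
        if self._clock() >= expires_at:
            del self._entries[gateway_addr]
            return None
        # refresh the idle timer while traffic is still flowing on this connection
        self._entries[gateway_addr] = (client_addr, self._clock() + self._ttl)
        return client_addr

    def release(self, gateway_addr: Addr) -> None:
        """Drop the entry when either side closes; a stale entry would misroute the next
        connection the OS hands the same ephemeral port to."""
        self._entries.pop(gateway_addr, None)

    def __len__(self) -> int:
        return len(self._entries)


def port_only_collisions(registrations: List[Tuple[str, int, Addr]]) -> list:
    """Replay registrations into a table keyed on port alone, as claim 9 describes, and
    report every entry that a registration from a different gateway address overwrote."""
    table: Dict[int, Tuple[str, Addr]] = {}
    overwritten = []
    for gateway_ip, gateway_port, client_addr in registrations:
        previous = table.get(gateway_port)
        if previous is not None and previous[0] != gateway_ip:
            overwritten.append((gateway_port, previous[1], client_addr))
        table[gateway_port] = (gateway_ip, client_addr)
    return overwritten


if __name__ == "__main__":
    cm = ConnectionMap(ttl_seconds=300.0)
    cm.register(("10.0.0.5", 40001), ("203.0.113.7", 51234))   # constructed addresses
    print(cm.resolve_response(("10.0.0.5", 40001)))            # ('203.0.113.7', 51234)
    print(port_only_collisions([("10.0.0.5", 40001, ("203.0.113.7", 51234)),
                                ("10.0.0.6", 40001, ("198.51.100.9", 44000))]))
```

The replay in port_only_collisions is the check to run against any shared cache: two gateway nodes that both open their back-end connection from port 40001 overwrite each other's entry, and the second client's response would be delivered to the first client's address.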
13. An apparatus for mutual conversion of SSL protocols based on an API gateway, the apparatus comprising:
a traffic preprocessing module, which receives client traffic with the API gateway and determines whether the protocol type of the traffic is the national security SSL protocol or the international SSL protocol;
a configuration management module, which manages the mapping relation between the national security SSL protocol and the international SSL protocol;
a protocol conversion module, which converts national security SSL protocol traffic so that client traffic and international SSL protocol traffic are converted into each other; and
a traffic forwarding module, which forwards the converted international SSL messages to the back-end service and forwards the received back-end service responses to the client after conversion.
14. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1-12 when executing the computer program.
15. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program for performing the method of any one of claims 1-12.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311802390.XA CN117938975A (en) 2023-12-26 2023-12-26 SSL protocol mutual conversion method and device based on API gateway


Publications (1)

Publication Number Publication Date
CN117938975A true CN117938975A (en) 2024-04-26

Family

ID=90761966

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311802390.XA Pending CN117938975A (en) 2023-12-26 2023-12-26 SSL protocol mutual conversion method and device based on API gateway

Country Status (1)

Country Link
CN (1) CN117938975A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination