OkHttp学习笔记4--HTTPS

2019-02-19  本文已影响0人  雪晨杰

HTTPS

OkHttp attempts to balance two competing concerns:

OkHttp试图平衡两个相互竞争的关注点:

When negotiating a connection to an HTTPS server, OkHttp needs to know which TLS versions and cipher suites to offer. A client that wants to maximize connectivity would include obsolete TLS versions and weak-by-design cipher suites. A strict client that wants to maximize security would be limited to only the latest TLS version and strongest cipher suites.

当协商到HTTPS服务器的连接时,OkHttp需要知道提供哪些TLS版本和密码套件。希望最大限度地提高连通性的客户机将包括过时的TLS版本和设计较弱的密码套件。希望最大限度地提高安全性的严格客户机将被限制在最新的TLS版本和最强的密码套件中。

Specific security vs. connectivity decisions are implemented by ConnectionSpec. OkHttp includes four built-in connection specs:

特定的安全性和连接性决策由ConnectionSpec实现。OkHttp包含四个内置连接规范:

These loosely follow the model set in Google Cloud Policies.

这些没有严格遵循 Google Cloud Policies中的模型

By default, OkHttp will attempt a MODERN_TLS connection. However by configuring the client connectionSpecs you can allow a fall back to COMPATIBLE_TLS connection if the modern configuration fails.

默认情况下,OkHttp将尝试一个moderni_tls连接。然而,通过配置client connectionSpecs,如果现代配置失败,您可以允许退回到COMPATIBLE_TLS连接。

OkHttpClient client = new OkHttpClient.Builder() 
    .connectionSpecs(Arrays.asList(ConnectionSpec.MODERN_TLS, ConnectionSpec.COMPATIBLE_TLS))
    .build();

The TLS versions and cipher suites in each spec can change with each release. For example, in OkHttp 2.2 we dropped support for SSL 3.0 in response to the POODLE attack. And in OkHttp 2.3 we dropped support for RC4. As with your desktop web browser, staying up-to-date with OkHttp is the best way to stay secure.

每个规范中的TLS版本和密码套件可以随着每个版本的变化而变化。例如,在OkHttp 2.2中,我们放弃了对SSL 3.0的支持,以应对POODLE的攻击。在OkHttp 2.3中,我们放弃了对RC4的支持。与桌面web浏览器一样,使用最新的OkHttp是保持安全的最佳方法。

You can build your own connection spec with a custom set of TLS versions and cipher suites. For example, this configuration is limited to three highly-regarded cipher suites. Its drawback is that it requires Android 5.0+ and a similarly current webserver.

您可以使用一组定制的TLS版本和密码套件构建自己的连接规范。例如,此配置仅限于三个高度重视的密码套件。它的缺点是需要Android 5.0+和类似的当前web服务器。

ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)  
    .tlsVersions(TlsVersion.TLS_1_2)
    .cipherSuites(
          CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
          CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
          CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
    .build();

OkHttpClient client = new OkHttpClient.Builder() 
    .connectionSpecs(Collections.singletonList(spec))
    .build();

Certificate Pinning

By default, OkHttp trusts the certificate authorities of the host platform. This strategy maximizes connectivity, but it is subject to certificate authority attacks such as the 2011 DigiNotar attack. It also assumes your HTTPS servers’ certificates are signed by a certificate authority.

默认情况下,OkHttp信任主机平台的证书颁发机构。这种策略最大限度地提高了连接性,但也会受到证书颁发机构的攻击,比如2011 DigiNotar attack攻击。它还假设HTTPS服务器的证书由证书颁发机构签名。

Use CertificatePinner to restrict which certificates and certificate authorities are trusted. Certificate pinning increases security, but limits your server team’s abilities to update their TLS certificates. Do not use certificate pinning without the blessing of your server’s TLS administrator!

使用CertificatePinner来限制哪些证书和证书颁发机构是受信任的。证书固定增加了安全性,但限制了服务器团队更新其TLS证书的能力。如果没有服务器TLS管理员的许可,不要使用证书固定!

  public CertificatePinning() {
    client = new OkHttpClient.Builder()
        .certificatePinner(new CertificatePinner.Builder()
            .add("publicobject.com", "sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=")
            .build())
        .build();
  }

  public void run() throws Exception {
    Request request = new Request.Builder()
        .url("https://publicobject.com/robots.txt")
        .build();

    Response response = client.newCall(request).execute();
    if (!response.isSuccessful()) throw new IOException("Unexpected code " + response);

    for (Certificate certificate : response.handshake().peerCertificates()) {
      System.out.println(CertificatePinner.pin(certificate));
    }
  }

Customizing Trusted Certificates

The full code sample shows how to replace the host platform’s certificate authorities with your own set. As above, do not use custom certificates without the blessing of your server’s TLS administrator!

完整的代码示例展示了如何用您自己的设置替换主机平台的证书颁发机构。如上所述,如果没有服务器的TLS管理员的许可,请不要使用自定义证书!

  private final OkHttpClient client;

  public CustomTrust() {
    SSLContext sslContext = sslContextForTrustedCertificates(trustedCertificatesInputStream());
    client = new OkHttpClient.Builder()
        .sslSocketFactory(sslContext.getSocketFactory())
        .build();
  }

  public void run() throws Exception {
    Request request = new Request.Builder()
        .url("https://publicobject.com/helloworld.txt")
        .build();

    Response response = client.newCall(request).execute();
    System.out.println(response.body().string());
  }

  private InputStream trustedCertificatesInputStream() {
    ... // Full source omitted. See sample.
  }

  public SSLContext sslContextForTrustedCertificates(InputStream in) {
    ... // Full source omitted. See sample.
  }

上一篇下一篇

猜你喜欢

热点阅读