SSL secure connection
Tigase version: 8.1.2
By default Tigase ships a reference self-signed certificate in its certs directory: Server Certificates
Back up Tigase's original certs directory (the certificates for the internal domain, such as ubuntu.pem, were created with an open-source CA; see the article referenced above), then put our own generated server certificate into the certs directory (in PEM layout, with the certificate and the private key in one file). The client then only needs the server's crt certificate (without the private key).
Sign with your own key instead of a CA (VM: 192.168.43.23)
Enter a password when prompted and remember it:
openssl req -nodes -new -newkey rsa:2048 -keyout tigase_certs/tigase8.key -out tigase_certs/tigase8.csr
Extended key usage and subject alternative names: create the file tigase_certs/ubuntu.ext (the signing command below refers to it as tigase_certs/tigase8.ext; use the same name in both places) with the following content:
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @SubjectAlternativeName

[ SubjectAlternativeName ]
IP.1 = 192.168.43.23
IP.2 = 192.168.43.24
DNS.1 = ubuntu
DNS.2 = ubuntu24
Generate the certificate:
openssl x509 -req -days 365 -in tigase_certs/tigase8.csr -signkey tigase_certs/tigase8.key -out tigase_certs/tigase8.crt -extfile tigase_certs/tigase8.ext
Create a new file tigase8.pem: copy the contents of the crt file generated above into it, then append the contents of the key file, so that it looks like this:
-----BEGIN CERTIFICATE-----
MIIDhDCCAmwCCQCqYO2d0SnjmjANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMC
...
WZQERoZS5K4ZFQhHcfrBK8ypaBFgmtNCaHIkQEHO/A7Rh/zAi5ZrPOfHoVnSgCBx
CmUEQn0rvtnKtYMTYN8gXrGlQ3I0HAOFpcD/qChnJosDr0nnY/x4Ng==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCx9d5Qw8N9kJvk
...
X6M /Y4fSD4FbnYZSLpyL4o7EkvyafoZZGbWR0ADKcwOw4lJ1sXgR4Wfz8yHe Mj
5oUd2r6EAT0Ql/OZBiqloiRt
-----END PRIVATE KEY-----
Generate the keystore files the client needs
Password (you will be prompted for an export password):
openssl pkcs12 -export -in tigase_certs/tigase8.crt -inkey tigase_certs/tigase8.key -out tigase_certs/tigase8.p12

The Java platform supports JKS (in the command, 你的密码 stands for your password):
keytool -importkeystore -v -srckeystore tigase_certs/tigase8.p12 -srcstoretype pkcs12 -srcstorepass 你的密码 -destkeystore tigase_certs/tigase8.keystore -deststoretype jks -deststorepass 你的密码

The Android platform supports BKS; download bcprov-ext-jdk15on-1.57.jar from https://mvnrepository.com/artifact/org.bouncycastle/bcprov-ext-jdk15on/1.57
Password (you will be prompted):
keytool -importkeystore -srckeystore tigase_certs/tigase8.p12 -srcstoretype pkcs12 -destkeystore tigase_certs/tigase8.bks -deststoretype bks -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath tigase_certs/bcprov-ext-jdk15on-1.57.jar
Copy tigase8.pem to the /home/kangming/tigase-server-8.1.2-b10915/certs/ directory and copy ubuntu.keystore into the client code project. Once Tigase loads ubuntu.pem correctly, run a connection test with the client.
With the above steps, the certificates the server needs are ready: tigase8.pem (the self-signed certificate plus the private key) and the Java and Android keystores. They can now be used for the secure connection. Note that the server certificate must be named after the domain you are currently using: in my case the domain Tigase uses is ubuntu, so tigase8.pem must be renamed to ubuntu.pem and placed in the certs directory under the Tigase root.
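Added example (not code from the original post or from Tigase): a POSIX shell script that runs the certificate steps above non-interactively and then checks the combined PEM before it is dropped into certs/. It assumes a work directory and the XMPP domain as arguments (constructed for this example), fills in the subject with -subj instead of the interactive prompts, and reuses the SAN entries from the post's ubuntu.ext.

```shell
# Added example, not from the original post or from Tigase. Assumptions
# (constructed): $1 = work dir, $2 = XMPP domain (default ubuntu); SAN as in the post.
make_tigase_cert() {
  dir="$1"; domain="${2:-ubuntu}"
  mkdir -p "$dir" || return 1
  # Extension file, one directive per line (same content as the post's ubuntu.ext).
  cat > "$dir/$domain.ext" <<'EOF'
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @SubjectAlternativeName

[ SubjectAlternativeName ]
IP.1 = 192.168.43.23
IP.2 = 192.168.43.24
DNS.1 = ubuntu
DNS.2 = ubuntu24
EOF
  # Key + CSR. -nodes leaves the key unencrypted (Tigase reads it as-is); -subj skips prompts.
  openssl req -nodes -new -newkey rsa:2048 -subj "/CN=$domain" \
    -keyout "$dir/$domain.key" -out "$dir/$domain.csr" 2>/dev/null || return 1
  # Self-sign with the same key and apply the extensions above.
  openssl x509 -req -days 365 -in "$dir/$domain.csr" -signkey "$dir/$domain.key" \
    -out "$dir/$domain.crt" -extfile "$dir/$domain.ext" 2>/dev/null || return 1
  # Tigase PEM layout: certificate first, then the private key, named after the domain.
  cat "$dir/$domain.crt" "$dir/$domain.key" > "$dir/$domain.pem"
}

# One cert, one key, self-signed (subject == issuer), key matches cert, SAN lists the domain.
check_pem_parts() {
  crt="$1"; key="$2"; domain="$3"
  [ "$(grep -c 'BEGIN CERTIFICATE' "$crt")" = 1 ] || return 1
  [ "$(grep -c 'BEGIN PRIVATE KEY' "$key")" = 1 ] || return 1
  subj=$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer=//')
  [ -n "$subj" ] && [ "$subj" = "$iss" ] || return 1
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] || return 1
  openssl x509 -in "$crt" -noout -text | grep -A1 'Subject Alternative Name' \
    | grep -qE "DNS:$domain(,|\$)" || return 1
}

# Splits a combined PEM into its blocks, runs the checks, returns 0 only if all pass.
verify_tigase_pem() {
  tmp=$(mktemp -d) || return 1
  awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' "$1" > "$tmp/c.pem"
  awk '/BEGIN PRIVATE KEY/,/END PRIVATE KEY/' "$1" > "$tmp/k.pem"
  if check_pem_parts "$tmp/c.pem" "$tmp/k.pem" "$2"; then rc=0; else rc=1; fi
  rm -rf "$tmp"; return $rc
}
```

Run `make_tigase_cert ./tigase_certs ubuntu && verify_tigase_pem ./tigase_certs/ubuntu.pem ubuntu` before copying the PEM into Tigase's certs directory.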
Code for the SSL secure connection
The code is as follows:
package com.nufront.xmpp.client.conn;

import org.jivesoftware.smack.ConnectionConfiguration;
import org.jivesoftware.smack.tcp.XMPPTCPConnection;
import org.jivesoftware.smack.tcp.XMPPTCPConnectionConfiguration;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.security.KeyStore;

public class XMPPSSLTest {

    public static void main(String[] args) {
        try {
            // Truststore built from tigase8.p12 with keytool (see above). It holds the
            // self-signed server certificate, so that is the only certificate the client accepts.
            KeyStore tks = KeyStore.getInstance("JKS");
            tks.load(XMPPSSLTest.class.getResourceAsStream("/tigase8.keystore"),
                    "你的密码".toCharArray()); // 你的密码 = the keystore password you chose
            TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
            tmf.init(tks);

            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);

            XMPPTCPConnectionConfiguration config = XMPPTCPConnectionConfiguration.builder()
                    .setHost("ubuntu")
                    .setXmppDomain("ubuntu")
                    .setPort(5222)
                    .setSslContextFactory(() -> ctx)
                    .setSecurityMode(ConnectionConfiguration.SecurityMode.required)
                    .setResource("Smack")
                    // Trust the self-signed certificate: hand Smack the trust manager backed by
                    // the truststore above. (The original post installed an X509TrustManager
                    // with empty check methods here; that accepts any certificate and makes
                    // the truststore pointless.)
                    .setCustomX509TrustManager((X509TrustManager) tmf.getTrustManagers()[0])
                    .build();

            XMPPTCPConnection connection = new XMPPTCPConnection(config);
            connection.connect();
            try {
                connection.login("admin@192.168.31.61", "123456");
                System.out.println("登陆成功"); // login succeeded
            } catch (Exception e) {
                System.out.println("登录失败"); // login failed
                e.printStackTrace();
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}