Tigase version: 8.1.2
By default Tigase ships a self-signed certificate in its certs directory; see: Server Certificates
Back up Tigase's original certs directory (the domain certificates in it, such as ubuntu.pem, were created with an open-source CA; see the article referenced above). Then put our own generated server certificate (PEM format, containing both the certificate and the private key) into the certs directory. The client only needs the server's .crt certificate (without the private key).
We do not have a CA sign it; we sign with our own key (VM: 192.168.43.23).
Enter the password when prompted and remember it (the command prompts for the subject fields; because of -nodes the private key file itself is stored unencrypted):
openssl req -nodes -new -newkey rsa:2048 -keyout tigase_certs/tigase8.key -out tigase_certs/tigase8.csr
Extra usages: create the file tigase_certs/tigase8.ext with the following content (the signing command below reads it via -extfile):
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@SubjectAlternativeName
[ SubjectAlternativeName ]
IP.1=192.168.43.23
IP.2=192.168.43.24
DNS.1=ubuntu
DNS.2=ubuntu24
Generate the certificate (self-signed with the same key via -signkey, valid for 365 days):
openssl x509 -req -days 365 -in tigase_certs/tigase8.csr -signkey tigase_certs/tigase8.key -out tigase_certs/tigase8.crt -extfile tigase_certs/tigase8.ext
Create a new file tigase8.pem, copy the contents of the .crt file above into it, then append the contents of the .key file; it will look roughly like this:
-----BEGIN CERTIFICATE-----
MIIDhDCCAmwCCQCqYO2d0SnjmjANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMC
...
WZQERoZS5K4ZFQhHcfrBK8ypaBFgmtNCaHIkQEHO/A7Rh/zAi5ZrPOfHoVnSgCBx
CmUEQn0rvtnKtYMTYN8gXrGlQ3I0HAOFpcD/qChnJosDr0nnY/x4Ng==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCx9d5Qw8N9kJvk
...
X6M+/Y4fSD4FbnYZSLpyL4o7EkvyafoZZGbWR0ADKcwOw4lJ1sXgR4Wfz8yHe+Mj
5oUd2r6EAT0Ql/OZBiqloiRt
-----END PRIVATE KEY-----
Generate the keystore file the client needs. You will be prompted for an export password:
openssl pkcs12 -export -in tigase_certs/tigase8.crt -inkey tigase_certs/tigase8.key -out tigase_certs/tigase8.p12
(The Java platform supports JKS.)
keytool -importkeystore -v -srckeystore tigase_certs/tigase8.p12 -srcstoretype pkcs12 -srcstorepass YOUR_PASSWORD -destkeystore tigase_certs/tigase8.keystore -deststoretype jks -deststorepass YOUR_PASSWORD
The Android platform supports BKS; download bcprov-ext-jdk15on-1.57.jar from:
https://mvnrepository.com/artifact/org.bouncycastle/bcprov-ext-jdk15on/1.57
You will be prompted for the source and destination store passwords:
keytool -importkeystore -srckeystore tigase_certs/tigase8.p12 -srcstoretype pkcs12 -destkeystore tigase_certs/tigase8.bks -deststoretype bks -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath tigase_certs/bcprov-ext-jdk15on-1.57.jar
Copy tigase8.pem into /home/kangming/tigase-server-8.1.2-b10915/certs/ and copy tigase8.keystore into the code project. Restart Tigase (it should report that ubuntu.pem was loaded correctly), then test the connection with the client.
With the steps above, the server-side certificate (tigase8.pem, containing the self-signed certificate and the private key) and the certificates for the Java and Android clients are ready, and the certificate can now be used for a secure connection. Note that the server-side file must be named after the domain you are using: for example, my Tigase domain is ubuntu, so tigase8.pem has to be renamed ubuntu.pem and placed in the certs directory under the Tigase root.
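The certificate steps above, as an added example that is not from the original post: a POSIX shell script that runs them non-interactively and then checks the results before anything is copied into certs/ or converted with keytool. Assumed: the output directory is the first argument (default tigase_certs), the subject is CN=ubuntu, and "changeit" is a placeholder for the PKCS#12 export password.

```shell
# Added example, not part of the original post. Assumptions: output dir $1
# (default tigase_certs), subject CN=ubuntu, "changeit" as placeholder password.
set -eu

make_tigase_certs() {
    dir="${1:-tigase_certs}"
    mkdir -p "$dir"
    # Same extensions as the tigase8.ext file above (SAN must list the XMPP domain).
    cat > "$dir/tigase8.ext" <<'EOF'
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@SubjectAlternativeName
[ SubjectAlternativeName ]
IP.1=192.168.43.23
IP.2=192.168.43.24
DNS.1=ubuntu
DNS.2=ubuntu24
EOF
    # Key and CSR; -nodes leaves the key unencrypted, -subj skips the prompts.
    openssl req -nodes -new -newkey rsa:2048 -subj "/CN=ubuntu" \
        -keyout "$dir/tigase8.key" -out "$dir/tigase8.csr" 2>/dev/null
    # Self-sign with the same key and attach the extensions.
    openssl x509 -req -days 365 -in "$dir/tigase8.csr" -signkey "$dir/tigase8.key" \
        -out "$dir/tigase8.crt" -extfile "$dir/tigase8.ext" 2>/dev/null
    # Tigase reads certificate + key from one PEM named after the domain.
    cat "$dir/tigase8.crt" "$dir/tigase8.key" > "$dir/ubuntu.pem"
    # PKCS#12 for the client; keytool turns it into JKS/BKS as shown above.
    openssl pkcs12 -export -in "$dir/tigase8.crt" -inkey "$dir/tigase8.key" \
        -out "$dir/tigase8.p12" -passout pass:changeit
}

# Succeeds only if the SAN carries the domain and IP, the certificate matches the
# key, the combined PEM holds both blocks, and the PKCS#12 opens with the password.
check_tigase_certs() {
    dir="${1:-tigase_certs}"
    text=$(openssl x509 -in "$dir/tigase8.crt" -noout -text)
    echo "$text" | grep -q 'DNS:ubuntu,' || return 1
    echo "$text" | grep -q 'IP Address:192.168.43.23' || return 1
    [ "$(openssl x509 -in "$dir/tigase8.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/tigase8.key" -pubout)" ] || return 1
    grep -q 'BEGIN CERTIFICATE' "$dir/ubuntu.pem" || return 1
    grep -q 'BEGIN PRIVATE KEY' "$dir/ubuntu.pem" || return 1
    openssl pkcs12 -in "$dir/tigase8.p12" -passin pass:changeit -noout 2>/dev/null
}

# Usage: sh make_certs.sh /path/to/tigase_certs
if [ -n "${1-}" ]; then
    make_tigase_certs "$1" && check_tigase_certs "$1" && echo "certificate set in $1 checks out"
fi
```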
The code is as follows:
package com.nufront.xmpp.client.conn;

import org.jivesoftware.smack.ConnectionConfiguration;
import org.jivesoftware.smack.tcp.XMPPTCPConnection;
import org.jivesoftware.smack.tcp.XMPPTCPConnectionConfiguration;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.InputStream;
import java.security.KeyStore;

public class XMPPSSLTest {
    public static void main(String[] args) {
        try {
            // Trust store containing only the server's self-signed tigase8.crt
            // (tigase8.keystore, converted from the PKCS#12 file above).
            KeyStore tks = KeyStore.getInstance("JKS");
            try (InputStream in = XMPPSSLTest.class.getResourceAsStream("/tigase8.keystore")) {
                if (in == null) {
                    throw new IllegalStateException("tigase8.keystore not found on the classpath");
                }
                tks.load(in, "YOUR_PASSWORD".toCharArray());
            }
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(tks);
            // "TLS" rather than the obsolete "SSL" protocol name.
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);

            XMPPTCPConnectionConfiguration config = XMPPTCPConnectionConfiguration.builder()
                    .setHost("ubuntu")
                    .setXmppDomain("ubuntu")
                    .setPort(5222)
                    // Trust the self-signed certificate: the SSLContext built from the
                    // keystore accepts exactly that certificate and rejects any other, so
                    // no custom X509TrustManager with empty check methods (which would
                    // accept every certificate) is needed.
                    .setSslContextFactory(() -> ctx)
                    .setSecurityMode(ConnectionConfiguration.SecurityMode.required)
                    .setResource("Smack")
                    .build();
            XMPPTCPConnection connection = new XMPPTCPConnection(config);
            connection.connect();
            try {
                connection.login("[email protected]", "123456");
                System.out.println("Login succeeded");
            } catch (Exception e) {
                System.out.println("Login failed");
                e.printStackTrace();
            } finally {
                connection.disconnect();
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}