crypto-gost-tls13 has been released: an implementation of TLS 1.3 (RFC 8446 + RFC 9367) with GOST cryptography. This is the first release of the library, and it is ready for internal use.
A distinctive feature of the library is its pure-Java implementation. All cryptographic operations are performed with primitives built into the library, with no external dependencies.
This is one of the first open implementations of TLS 1.3 with GOST in Java, so interop testing has been done only to the minimum extent possible.
The library's capabilities are listed below.
- Protocols:
  - Handshake: full (client/server), abbreviated (PSK), mutual (mTLS).
  - ALPN (RFC 7301) - Application-Layer Protocol Negotiation (HTTP/2, HTTP/1.1).
  - SNI (RFC 6066) - Server Name Indication for multi-tenant deployments.
  - KeyUpdate (RFC 8446 §4.6.3) - updating the traffic encryption keys.
  - Cipher suites: TLS_KUZNYECHIK_MGM_STREEBOG_256_L/S.
  - ECDHE: CryptoPro-A (256-bit), CryptoPro-B (512-bit).
  - TLSTREE per-record re-keying - changing the encryption key for each TLS record.
  - Fragmentation and reassembly of handshake messages and records (RFC 8446 §5.1).
  - Session resumption: PSK via NewSessionTicket (in-memory PskStore, single use).
  - OCSP stapling: the server attaches an OCSP response to the certificate.
  - Post-handshake messages: NewSessionTicket (apart from PSK).
- Cryptography:
  - Key schedule: HKDF-Streebog (RFC 5869) per TLS 1.3 (RFC 8446 §7.1).
  - Record protection: MGM-AEAD (Kuznyechik) with the nonce per RFC 8446 §5.3.
  - Ephemeral keys are wiped after use.
- Certificates:
  - X.509v3 parsing (GOST R 34.10-2012) - built-in DER parser.
  - Chain validation: signature, DN (issuer → subject), Basic Constraints, Key Usage, Extended Key Usage (serverAuth / clientAuth), pathLen.
  - Hostname verification: dNSName + iPAddress (RFC 6125).
  - Verification of OCSP responses (RFC 6960).
- Transport:
  - TlsTransport - the interface.
  - InMemoryTlsTransport - for tests and single-process scenarios (in-memory queue).
  - SocketTlsTransport - blocking I/O over java.net.Socket.
  - ChannelTlsTransport - transport over NIO SocketChannel (blocking mode).
- Step-by-step handshake:
  - TlsHandshakeEngine is a state machine for the handshake (decoupled from I/O). It uses TlsSession as the orchestrator and is suitable for integration with JSSE (SSLEngine).
- ByteBuffer API:
  - TlsRecord.protect/unprotect - ByteBuffer overloads for zero-copy integration with NIO.
- Key loading:
  - Pkcs12Loader - reading PFX (PKCS#12) with PBKDF2-HMAC-SHA256 + AES-256-CBC.
- Session termination:
  - close_notify - orderly closure as the protocol requires.
  - Wiping of key material on close or on error.
  - Alert handling: fatal - immediate close + wipe.
- Implementation security:
  - Constant-time comparisons for verify_data and PSK binders (protection against timing attacks).
  - Wiping of key material: destroy() on all objects that hold keys (TlsKeySchedule, TlsTrafficKeys, TlsRecord, HandshakeContext), on close, on a fatal alert, and on an exception during the handshake.
  - DoS protection: limits on certificate chain length (10), post-handshake messages, and record size.
  - MGM nonce: the MSB of the first byte is cleared for the ICN (RFC 9058 §3, RFC 9367 §3.3).
  - The ECDHE private key and the handshake transcript are destroyed once the handshake completes.
  - HMAC key material is wiped after use (HkdfStreebog, KdfGostR3411_2012_256).
- Limitations:
  - PSK resumption only (0-RTT and external PSK are not supported).
  - psk_dhe_ke only (pure PSK without ECDHE is not supported).
  - HelloRetryRequest (RFC 8446 §4.1.4) is not supported - only one named group is used (GC256A by default).
  - GOST only (non-GOST cipher suites are not supported).
- Testing:
  - The library includes Known Answer Tests from RFC 9367 Appendix A.1 (L and S variants): the full key schedule, TLSTREE, AEAD, and ECDHE. It also passes the full range of KAT tests.
  - 4 integration (end-to-end) tests over real TCP connections.
  - Fuzz tests for the parsers: TlsMessageParser (8 methods), TlsDerParser (3 methods), TlsOcspVerifier (1 method), to ensure safety and reduce the parsers' attack surface.
- Architectural decisions:
  - TlsHandshakeEngine - a state machine decoupled from I/O (for a future JSSE module).
  - ByteBuffer overloads of TlsRecord.protect/unprotect for NIO/JSSE.
  - TLSTREE cache (TlsTreeCache) - recomputation of only the levels that changed (RFC 9367).
  - InMemoryTlsTransport.Pair is a bidirectional pair for tests and single-process exchanges.
The library is distributed under a free license.
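The TLSTREE caching idea listed above (re-derive only the levels whose masked sequence number changed), as an added Java sketch that is not the library's own code. The class name `TlsTreeCacheSketch`, the mask values and the HMAC-SHA256 stand-in for the GOST KDF are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/** Hypothetical three-level TLSTREE cache sketch; not the library's TlsTreeCache. */
public class TlsTreeCacheSketch {
    // Constructed masks for illustration; the real C_1..C_3 per cipher suite are in RFC 9367.
    private static final long[] MASKS = {
        0xFFFFFFFFFFFF0000L, 0xFFFFFFFFFFFFFF00L, 0xFFFFFFFFFFFFFFF0L };

    private final byte[][] keys = new byte[4][];   // keys[0] = root, keys[j] = level-j key
    private final long[] cachedIdx = new long[3];  // masked seq number each level was derived from
    private int validLevels = 0;                   // 0 until the first derivation fills the cache
    int kdfCalls = 0;                              // instrumentation for the demo

    public TlsTreeCacheSketch(byte[] rootKey) { keys[0] = rootKey.clone(); }

    // Stand-in KDF (assumption): HMAC-SHA256 over "level<j>" || STR_8(idx), since the JDK has no Streebog.
    private byte[] kdf(byte[] key, int level, long idx) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        mac.update(("level" + level).getBytes(StandardCharsets.US_ASCII));
        kdfCalls++;
        return mac.doFinal(ByteBuffer.allocate(8).putLong(idx).array());
    }

    /** Key for sequence number seq; re-derives only from the first changed level downwards. */
    public byte[] recordKey(long seq) throws Exception {
        int first = 0;
        while (first < validLevels && cachedIdx[first] == (seq & MASKS[first])) first++;
        for (int j = first; j < 3; j++) {
            if (keys[j + 1] != null) Arrays.fill(keys[j + 1], (byte) 0); // wipe the stale key
            cachedIdx[j] = seq & MASKS[j];
            keys[j + 1] = kdf(keys[j], j + 1, cachedIdx[j]);
        }
        validLevels = 3;
        return keys[3].clone(); // caller gets a copy, the cached key stays under our control
    }

    public static void main(String[] args) throws Exception {
        TlsTreeCacheSketch cache = new TlsTreeCacheSketch(new byte[32]); // constructed all-zero root key
        for (long seq = 0; seq < 512; seq++) cache.recordKey(seq);
        // Without the cache, 512 records would cost 3 * 512 KDF calls.
        System.out.println("KDF calls with cache: " + cache.kdfCalls);
    }
}
```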
Source: linux.org.ru
