ProHoster > Blog > internet nhau > Kuburitswa kwekutanga kweTLS 1.3 protocol implementation muJava neGOST algorithms zvichienderana neRFC 9367

Kuburitswa kwekutanga kweTLS 1.3 protocol implementation muJava neGOST algorithms zvichienderana neRFC 9367

Module crypto-gost-tls13 ine kuiswa TLS 1.3 (RFC 8446 + RFC 9367) neGOST cryptography. Iyi ndiyo yekutanga yeraibhurari uye yakagadzirira kushandiswa mukati.

Chinhu chakasiyana neraibhurari iyi ndechekushandisa kwayo Java chete. Mabasa ese e cryptographic anoitwa uchishandisa maturusi akavakirwa mukati meraibhurari, pasina zvinhu zvekunze.

Iyi ndeimwe yemaitiro ekutanga eTLS 1.3 neGOST muJava, saka kuyedzwa kwe interop kwakaitwa kusvika padanho diki rinogoneka.

Pazasi pane kugona kweraibhurari.

  1. Maitiro ekushandisa:
  • Kukwazisana nemaoko: zvizere (mutengi/seva), pfupi (PSK), mutual (mTLS).
  • ALPN (RFC 7301) - Kukurukurirana kweApplication Layer Protocol (HTTP/2, HTTP/1.1).
  • SNI (RFC 6066) - Chiratidzo cheZita server yekushandiswa kwevagari vakawanda.
  • KeyUpdate (RFC 8446 §4.6.3) - kugadzirisa makiyi ekuvhara traffic.
  • Cipher suites: TLS_KUZNYECHIK_MGM_STREEBOG_256_L/S.
  • ECDHE: CryptoPro-A (256-bit), CryptoPro-B (512-bit)
  • Kuisa TLSTREE pa rekodhi imwe neimwe — kuchinja kiyi yekuvhara rekodhi yega yega yeTLS.
  • Kupatsanurwa uye kubatanidzwazve kwekubatana maoko nemarekodhi (RFC 8446 §5.1).
  • Kutangisazve kwechikamu: PSK kuburikidza neNewSessionTicket (PskStore iri mundangariro, inoshandiswa kamwe chete).
  • Kubatanidza OCSP: server inoisa mhinduro yeOCSP pachitupa.
  • Mashoko ekutumira mushure mekukwazisana: NewSessionTicket (chengetedza PSK).
  1. Kudhirowa kwemashoko:
  • Purogiramu inokosha: HKDF-Streebog (RFC 5869) pamusoro peTLS 1.3 (RFC 8446 §7.1).
  • Dziviriro yezvinyorwa: MGM-AEAD (Kuznyechik) isina chinhu maererano neRFC 8446 §5.3.
  • Makiyi enguva pfupi anodzimwa mushure mekushandisa.
  1. Zvitupa:
  • Kuongorora X.509v3 (GOST R 34.10-2012) — DER parser yakavakirwa mukati.
  • Cheni yekusimbisa: masiginecha, DN (mupi → musoro), Zvirambidzo zveBasic, Kushandiswa kweKiyi, Kushandiswa kweKiyi Yakawedzerwa * (serverAuth / clientAuth), pathLen.
  • Kutarisa zita remubati: dNSName + iPAddress (RFC 6125).
  • Kusimbiswa kwemhinduro dzeOCSP (RFC 6960).

4.Zvokufambisa:

  • TlsTransport - interface.
  • InMemoryTlsTransport - yemiedzo uye zviitiko zve single-process (mu-memory queue).
  • SocketTlsTransport — inovhara I/O pamusoro pe java.net.Socket.
  • ChannelTlsTransport - NIO Socket Kutakurwa kwakavakirwa paChannel (nzira yekuvharira, inovhiringidzwa).
  1. Kukwazisana maoko nhanho nhanho:
  • TlsHandshakeEngine muchina wekubatsirana nemaoko (wakabviswa kubva kuI/O). Unoshandisa TlsSession semugadziri wezvinhu uye wakakodzera kubatanidzwa neJSSE (SSLEngine).
  1. ByteBuffer API:
  • TlsRecord.protect/unprotect — ByteBuffer inowandisa zvinhu kuti isanganiswe neNIO pasina kukopa. Makiyi ekurodha:
  • Pkcs12Loader — kuverenga PFX (PKCS#12) nePBKDF2-HMAC-SHA256 + AES-256-CBC.
  1. Kupera kwechikamu:
  • close_notify - gadzirisa kuvhara zvichienderana neprotocol.
  • Kupukuta zvinhu zvakakosha kana uchivhara kana kuita chikanganiso.
  • Yambiro yekubata: inouraya - kuvhara nekukurumidza + kudzima.
  1. Kuchengetedzwa kwekushandiswa:
  • Kuenzanisa kwenguva dzose kwe verify_data ne PSK binders (dziviriro kubva pakurwiswa kwenguva)
  • Kupukuta zvinhu zvemakiyi: paradza() pazvinhu zvese nemakiyi (TlsKeySchedule, TlsTrafficKeys, TlsRecord, HandshakeContext), pakuvhara, yambiro yerufu, kunze kwekunge uchibata ruoko
  • Dziviriro yeDoS: miganhu pakureba kwecheni yesitifiketi (10), mameseji epashure pekukwazisana, saizi yerekodhi.
  • MGM nonce: MSB yebhaiti yekutanga inobviswa kuICN (RFC 9058 §3, RFC 9367 §3.3).
  • Kiyi yeECDHE yakavanzika uye chinyorwa chekukwazisana zvinoparadzwa mushure mekunge kubatana kwapera.
  • Zvinhu zveHMAC zvinodzimwa mushure mekushandisa (HkdfStreebog, KdfGostR3411_2012_256).
  1. Kukanganisa:
  • PSK yekudzorerazve chete (0-RTT nePSK yekunze hazvitsigirwi).
  • Psk_dhe_ke chete (PSK yakachena isina ECDHE haitsigirwi).
  • HelloRetryRequest (RFC 8446 §4.1.4) haitsigirwi - boka rimwe chete rine zita ndiro rinoshandiswa (GC256A nedefault).
  • GOST chete (ma suites echifidhi asiri eGOST haatsigirwi).
  1. Kuedza:
  • Raibhurari iyi ine Miedzo Inozivikanwa Yemhinduro kubva kuRFC 9367 Appendix A.1 (L naS variants)—chirongwa chakazara chekiyi, TLSTREE, AEAD, uye ECDHE. Inopfuurawo huwandu hwakazara hwebvunzo dzeKAT.
  • Miedzo mina yekubatanidza (self-interop) kuburikidza nemasoketi eTCP chaiwo.
  • Miedzo yeFuzz yevanoparura: TlsMessageParser (nzira 8), TlsDerParser (nzira 3), TlsOcspVerifier (nzira 1), yekuona kuchengetedzeka uye kuderedza kurwiswa kwevector pavanoparura.
  1. Mhinduro dzekuvaka:
  • TlsHandshakeEngine - muchina wemamiriro ezvinhu wakabviswa kubva kuI/O (yemuchina weJSSE weramangwana).
  • ByteBuffer inowedzera TlsRecord.protect/unprotect yeNIO/JSSE.
  • TLSTREE cache (TlsTreeCache) - kuverengazve mazinga akachinja chete (RFC 9367).
  • InMemoryTlsTransport.Pair ipair inotenderera mativi maviri yekuedza uye kutaurirana kwemaitiro mamwe chete.

Raibhurari iyi inogoverwa pasi perezenisi remahara.

Source: linux.org.ru

Tenga inovimbika yekutambira kwemasaiti ane DDoS dziviriro, VPS VDS maseva 🔥 Tenga webhusaiti yakavimbika ine dziviriro yeDDoS, maseva eVPS VDS | ProHoster