Even though the handshake is performed right after the connection is established, either the client or the server can request a new handshake (a renegotiation) at any later point.
If we limit the signers we trust on the server, we can limit who can even complete the SSL handshake.
In WMQFTE terms, this means that when a client connects to a queue manager, it sends its certificate to WMQFTE as part of the initial SSL handshake.
And, as you might recall from the digital certificates discussion in Part 2 of this series, the server must also provide the security certificate used during the handshake.
During the handshake, the server sends its certificate to the client, which the client then verifies against a set of trusted certificates.
This step is needed during the handshake, because the client will be sending the server information encrypted to the public key in that certificate.
Since this article focuses on handling the server's digital certificate during the handshake, let's look in depth at how the handshake works.
Server certificates that cannot be verified are rejected by clients during the SSL handshake.
There is very little difference between secure client and server communication, except that the server is on the reverse side of the coin in terms of the handshake.
Support for custom JSSE trust managers and key managers gives you more control over the SSL handshake.
The server's certificate presented in the handshake should carry a name (in practice, a subject alternative name) that matches the server's host name.
The SSL server responds with a message likewise encrypted with the secret key, indicating that the server's part of the handshake is complete.
This is because the client's identity is made known to the server during the SSL handshake, and the client performs this process only with the first SSL endpoint in the chain.
If all the checks above succeed, the SSL handshake is complete and TM1 will now try to authenticate to the LDAP server.
This handshake involves verifying the LDAP server's certificate and establishing trust in it.
The server is responsible for providing the security certificate that will be used during the handshake.
Connection setup: a TCP connection is set up by a three-way handshake between the client that wants to establish the connection and the server it contacts.
If you limit the signers you trust on the server, you can limit who can even complete that SSL handshake.
When the client connects and the SSL handshake completes, the server responds with the following.
Without this option (OpenSSL's SSL_MODE_AUTO_RETRY), a read or write will return an error if the server wants a new handshake, reporting a "want read" or "want write" retry condition that the application has to handle by calling again.
The client finishes the handshake by sending the server a Finished message: an encrypted set of one-way hash values over the handshake so far, which the server verifies.
With this option (SSL_MODE_AUTO_RETRY) set, if the server suddenly wants a new handshake, OpenSSL handles it in the background.
To establish a WebSocket connection, the client and server upgrade from the HTTP protocol to the WebSocket protocol during an initial handshake, as shown in Example 1.
Therefore, a well-behaved transparent proxy server will cause the WebSocket upgrade handshake to fail almost immediately.
When the explicit proxy server allows the CONNECT method, the TLS handshake is sent, followed by the WebSocket connection upgrade handshake.
After those handshakes succeed, WebSocket traffic can flow unimpeded through the proxy server.
Or, if your server has HTTP keepalives disabled, doing another TCP three-way handshake adds another round trip, doubling this latency.
It is required because during the SSL handshake the server sends its SSL certificate, and the client validates it against the list of trusted certificates in its keystore.
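The sentences above describe three separate checks that decide whether a TLS handshake completes: the client verifies the server's certificate against its trusted certificates, the client checks that the certificate's name matches the host it is connecting to, and a server that requires client certificates only completes the handshake for clients whose certificate chains to a signer it trusts. The Go program below, an added example that belongs to none of the articles these sentences come from, runs the same mutual-TLS handshake over a loopback TCP socket under five trust configurations and reports which side refused it. Every certificate is generated in memory; the host name mq.example.com and the agent names are hypothetical.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"time"
)
func check(err error) {
	if err != nil {
		panic(err)
	}
}
// makeCert generates a key pair and certificate for name, entirely in memory. With
// parent == nil it is a self-signed root; otherwise parent signs a server/client leaf.
func makeCert(parent *x509.Certificate, parentKey any, name string, serial int64) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: parent == nil,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed root: sign the template with its own key
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert
}
type Outcome struct{ ClientErr, ServerErr error } // which side, if either, refused the handshake
// runHandshake connects client to server over loopback TCP and returns each side's error.
// The client reads once after Handshake(): under TLS 1.3 the server's verdict on the client
// certificate arrives only after the client's own Handshake() has already returned.
func runHandshake(server, client *tls.Config) Outcome {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			raw.SetDeadline(time.Now().Add(5 * time.Second))
			srv := tls.Server(raw, server)
			if err = srv.Handshake(); err == nil {
				_, err = srv.Write([]byte("hello"))
			}
			srv.Close()
		}
		srvDone <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	check(err)
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	cli := tls.Client(raw, client)
	cErr := cli.Handshake()
	if cErr == nil {
		_, cErr = io.ReadFull(cli, make([]byte, 5))
	}
	cli.Close()
	return Outcome{ClientErr: cErr, ServerErr: <-srvDone}
}
// Scenarios runs the same mutual-TLS handshake under five trust configurations.
// Host and agent names are hypothetical.
func Scenarios() map[string]Outcome {
	good, goodCA := makeCert(nil, nil, "Good Root", 1)
	other, otherCA := makeCert(nil, nil, "Other Root", 2)
	serverCert, _ := makeCert(goodCA, good.PrivateKey, "mq.example.com", 3)
	agentCert, _ := makeCert(goodCA, good.PrivateKey, "ftp-agent", 4)
	rogueCert, _ := makeCert(otherCA, other.PrivateKey, "rogue-agent", 5)
	goodPool, otherPool := x509.NewCertPool(), x509.NewCertPool()
	goodPool.AddCert(goodCA)
	otherPool.AddCert(otherCA)
	// The server presents serverCert and completes the handshake only for clients whose certificate chains to a signer in ClientCAs.
	server := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: goodPool}
	// A client verifies the server's chain against roots and its SAN against host.
	client := func(roots *x509.CertPool, host string, certs ...tls.Certificate) *tls.Config {
		return &tls.Config{RootCAs: roots, ServerName: host, Certificates: certs}
	}
	cases := map[string]*tls.Config{
		"trusted":                  client(goodPool, "mq.example.com", agentCert),
		"untrusted-server-signer":  client(otherPool, "mq.example.com", agentCert),
		"hostname-mismatch":        client(goodPool, "other.example.com", agentCert),
		"client-cert-other-signer": client(goodPool, "mq.example.com", rogueCert),
		"no-client-cert":           client(goodPool, "mq.example.com"),
	}
	out := make(map[string]Outcome, len(cases))
	for name, cfg := range cases {
		out[name] = runHandshake(server, cfg)
	}
	return out
}
```

Only the "trusted" case completes on both sides. The two server-certificate problems (untrusted signer, wrong host name) are caught by the client, which aborts its own handshake; the two client-certificate problems are caught by the server, and the client only learns of them from the alert it reads after its own Handshake() returned, which is why production code must treat the first read or write after a TLS 1.3 handshake as part of the handshake.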
A TCP connection is established through a "three-way handshake" between the client and the server.