{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 放我归山 的问题《Unencrypted SSL protocol?》','https://www.manongdao.com/q-631176.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Is it possible to send a message over https that isn't encrypted? For example, require that certificate validation and authorization occur, but not encrypt the actual data being sent over the socket?
相关问题
- “Zero out” sensitive String data in Swift
- Mechanize getting “Errno::ECONNRESET: Connection r
- High cost encryption but less cost decryption
- Can ServiceStack JsonServiceClient send a get requ
- Tomcat and SSL Client certificate
相关文章
- 请大神帮忙 post向https接口发送数据 部署到服务器为什么运行一会后就会报空指针
- ssl配置问题
- Intermittent “sslv3 alert handshake failure” under
- Making a two way SSL authentication between apache
- decrypt TLS 1.2 AES-GCM packet
- How to use Jetty with Let's Encrypt certificat
- Does the apple push notification distribution cert
- Sending email using php, gmail, and swiftmailer ca
Yes, TLS and SSL support "no-encryption" modes. Whether the particular client and server in question are configured to enable is a separate issue.
It's possible, though unlikely, that a server could enable one of these cipher suites by default. What is more likely is that a server would enable weak cipher suites (like the "export"-grade DES-based suites) by default. That's why you should carefully review the server's whitelist of cipher suites, and leave only a few trusted, widely-supported algorithms.
You can use the TLS_RSA_WITH_NULL_SHA cipher suite, among others, to protect the authenticity and integrity of traffic, without encryption.
The "RSA" in this case refers to the key exchange algorithm, while "SHA" refers to the message authentication algorithm used to protect the traffic from being altered. "NULL" is the encryption algorithm, or, in this case, the lack of encryption.
It's important to realize that the traffic, though it's not encrypted, is bundled up in SSL records. The client and server must be SSL-enabled.
If you are looking for a step-down solution where some data is exchanged over SSL, then SSL is turned off but the application traffic continues, that's possible too, but keep in mind that it offers absolutely no security for the cleartext traffic; it can be tampered with by an attacker. So, for example, authenticating with SSL, then stepping down to an "in-the-clear" protocol to receive commands that use the authentication negotiated via SSL would unsafe.
I think you can.
but it would be stupid, you will loose the point of the authentication, and leave yourself exposed to attackers that can intercept and alter your packets.
The SSL/TLS specs define a "NULL cipher" which you could use for this. Most client and server software disable it for obvious reasons.
However, if you are writing your own software, you may be able to convince your library to negotiate it.
No, the protocol doesn't allow for that.
One solution you could do is connect over https, verify the connection, then drop subsequent connections to HTTP with a session cookie. Without that cookie, redirect back to https so that the client always connects over it.
This might not be relevant to you, though, so if you provide more information about the problem you're trying to solve we could be of more help.