SSL-Explorer: Introduction and Trial


November 2, 2013





For this reason, the open-source community forked SSL-Explorer under the name Adito, which was later renamed OpenVPN ALS:








The differentiator here is that OpenVPN is SSL, yes, but not web-based. SSL Explorer is web based.


clientless vpn… who could ask for anything more?
August 4, 2006
In my last post, I stated that openvpn could be considered the perfect vpn solution nearly always. Well, “nearly” was there since another great opensource project appeared to me a few months ago: sslexplorer. While openvpn and sslexplorer share ssl as a security layer, their approach to vpns is totally different. Openvpn is a client-server based solution which uses ssl as a secure way to encapsulate ip traffic over a secure udp/tcp connection, while sslexplorer is a browser based vpn solution, which relies on https for communication security.

sslexplorer is a java based project that greatly simplifies the burden of distributing and configuring clients that other vpn solutions impose (while openvpn is way easier, though, than all the ugly ipsec stuff in general). Simply put, the client doesn’t exist… or at least the relevant part needed for secure communication is activated as a signed java applet after the user accesses the sslexplorer portal via a standard web browser. The java applet is responsible for the secure communication (ssl based) from the client to the server and back, and sslexplorer itself acts in general as a proxy to the corporate resources. Among other things, it can allow you to reverse proxy corporate intranet sites, redirect tcp ports for e.g. the corporate mailserver, or maybe give you access to a java applet that acts as an ssh client to your *nix servers. All this lives inside the browser session, so you can easily be at your favorite internet cafe @whatever place and without any software requirements other than a browser with a decent java plugin, you can get full access to your corporate resources in a snap.

But they went even further! If you do have your preferred email application (thunderbird, of course) at hand, why would you rely on that uncomfortable intranet webmail app? Just fire up the “bird” and configure it so that it points to localhost:xxxx where xxxx is the port number your friendly sslexplorer java applet is proxying versus your intranet imap/smtp server, for example.

Many other things not covered here make sslexplorer another great great opensource project (like, e.g., its powerful web based management interface).

Obviously, while sslexplorer is a great solution for roadwarrior vpn setup, it isn’t the right solution for site2site architectures. But for this, guys, there’s openvpn :-)

Jump in the openvpn & sslexplorer club… we’re having a hell of a party ;)
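
The local port forwarding described in the post above (a listener on localhost:xxxx relayed over SSL to an intranet server), sketched in Python as an added example; it is not SSL-Explorer or Adito code and does not speak their protocol. The function names and the plain TLS upstream are assumptions made for illustration.

```python
import asyncio
import ssl


def tls_upstream(host, port, cafile=None):
    """Return a coroutine factory that opens a certificate-verified TLS stream."""
    # create_default_context() enables CERT_REQUIRED and hostname checking.
    ctx = ssl.create_default_context(cafile=cafile)
    return lambda: asyncio.open_connection(host, port, ssl=ctx, server_hostname=host)


async def pipe(reader, writer):
    """Copy bytes one way; EOF or an error on either side ends the session."""
    try:
        while chunk := await reader.read(4096):
            writer.write(chunk)
            await writer.drain()
    except OSError:
        pass
    finally:
        writer.close()


async def start_forwarder(listen_port, open_upstream):
    """Listen on loopback only and relay each local client to open_upstream()."""
    async def handle(c_reader, c_writer):
        try:
            u_reader, u_writer = await open_upstream()
        except OSError:  # includes ssl.SSLCertVerificationError
            c_writer.close()  # fail closed: no plaintext fallback
            return
        await asyncio.gather(pipe(c_reader, u_writer), pipe(u_reader, c_writer))

    # Binding to 127.0.0.1 (not 0.0.0.0) keeps other hosts on the local network
    # from using the tunnel.
    return await asyncio.start_server(handle, "127.0.0.1", listen_port)
```

Started inside a running event loop as `start_forwarder(1143, tls_upstream("gateway.example.com", 993))` (hypothetical gateway name), a mail client pointed at localhost:1143 reaches the upstream only through the verified TLS session.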

openvpn in the palm of your hand
August 4, 2006

A couple of years ago I discovered OpenVPN (www.openvpn.net). What an amazing piece of software! I dug into it very deeply, and concluded that’s imho the perfect vpn solution in most cases (or all cases, maybe). It’s a userspace application (no more kernel fiddling), it’s multiplatform, it’s udp OR tcp based, it uses openssl as crypto library (openssl is damn good!), it can pass through proxies, it can use certificates (or not!), it can authenticate users via pam or whatever… the feature list is endless, and I found everything to work even more than expected. It’s way way robust and stable and secure… And client deployment is hassle-free!

Having it tested (on the client side) on linux, win, and osx boxes, I thought at that stage that one could never ask of something more from a vpn solution. Then, it came to me that I own one platform that could bring openvpn coolness even further: the pocketpc. After a few posts on openvpn’s official mailing list, I found that many others desired an openvpn pocketpc port, but a few people around seem to be able to develop on that platform (me… not for sure!).

As always, I kept my interest alive for this great project… till one day I saw on openvpn.net homepage a note about an ongoing project for porting openvpn to the pocketpc. After the initial surprise, I found that the project was already at a good stage, even after few days of work about the almighty Ziggurat29 (project maintainer).

Well… believe it or not, even the first alpha made my imate jasjar fly over my openvpn server @ my company. It was already stable and implemented nearly all of openvpn’s main source features. The openvpn for pocketpc community started to grow (with respect of pocketpc relative market share), and Ziggurat29 made an incredible job, providing us in a few weeks with an excellent openvpn client. Zigg is very conservative and considers openvpn for pocketpc at alpha or beta (at most) stage, but I can guarantee that I’ve been using it flawlessly for a couple of months now, and it allowed me to widespread the “always connected” philosophy inside my company (even one of the big big bosses is using an imate jamin for corporate email access via openvpn).

Note that I banged my head for a while with windows mobile’s incarnation of a vpn… via l2tp/ipsec. Needless to say, it was a nearly complete failure. It helped me raise my hate versus ipsec, which I consider an old and absolutely obsolete protocol/approach to vpns in general.

So, all my respect to Jim Yonan for openvpn itself, and to Ziggurat29 for this great great porting project.

lenky@lenky-Aspire-V5-471G:~/asdf/ssl/adito-0.9.1$ cat /etc/issue
Ubuntu 13.10 \n \l

lenky@lenky-Aspire-V5-471G:~/asdf/ssl/adito-0.9.1$ uname -a
Linux lenky-Aspire-V5-471G 3.11.6 #2 SMP Mon Oct 28 16:14:35 CST 2013 i686 i686 i686 GNU/Linux

lenky@lenky-Aspire-V5-471G:~/asdf/ssl$ sudo apt-get install openjdk-7-jdk

lenky@lenky-Aspire-V5-471G:~/asdf/ssl$ sudo apt-get install ant1.7

lenky@lenky-Aspire-V5-471G:~/asdf/ssl/adito-0.9.1$ cp /usr/lib/jvm/java-7-openjdk-i386/lib/tools.jar adito/lib/
lenky@lenky-Aspire-V5-471G:~/asdf/ssl/adito-0.9.1$ sudo ant install

[javac] 警告: [options] 未与 -source 1.2 一起设置引导类路径
[javac] 警告: [options] 未与 -source 1.3 一起设置引导类路径
[javac] 警告: [options] 未与 -source 1.5 一起设置引导类路径

[mkdir] Created dir: /home/lenky/asdf/ssl/adito-0.9.1/adito/tmp
Starting installation wizard…Point your browser to http://lenky-Aspire-V5-471G:28080.

Press CTRL+C or use the ‘Shutdown’ option from the web interface to leave the installation wizard.

Total time: 19 minutes 15 seconds

lenky@lenky-Aspire-V5-471G:~/asdf/ssl/adito-0.9.1$ sudo ant install-agent
lenky@lenky-Aspire-V5-471G:~/asdf/ssl/adito-0.9.1$ sudo ant install-service
lenky@lenky-Aspire-V5-471G:~/asdf/ssl/adito-0.9.1$ sudo chkconfig adito on
lenky@lenky-Aspire-V5-471G:~/asdf/ssl/adito-0.9.1$ sudo /etc/init.d/adito start
Starting Adito…

Using the Putty SSH application:

You can now log into it, but it will not do much as there are no applications installed. You need to check them out of Subversion, compile and upload them. You can do this on your local machine.

svn co https://openvpn-als.svn.sourceforge.net/svnroot/openvpn-als/adito-applications/
cd adito-applications

There are quite a few there, but we will just do the portable Putty application.

cd adito-application-putty-portable-ssh

The output will tell you the Zip file it has built which you can now upload. Go to the “Extension Manager” from the menu on the left. On the right you will see “Upload Extension”. Choose the Zip file and you can configure it to connect to whatever Linux machine you want. “Putty SSH” will now be available in the list of installed applications.

Installing the Java plug-in for Firefox on Ubuntu:
Because SSL-Explorer requires the browser to run a Java applet, I tested this as well. The process was as follows:



lenky@lenky-Aspire-V5-471G:~/asdf/openvpn$ sudo cp jdk-7u45-linux-i586.tar.gz /usr/lib/jvm/
[sudo] password for lenky:
lenky@lenky-Aspire-V5-471G:~/asdf/openvpn$ cd /usr/lib/jvm/
lenky@lenky-Aspire-V5-471G:/usr/lib/jvm$ sudo tar xf jdk-7u45-linux-i586.tar.gz
lenky@lenky-Aspire-V5-471G:/usr/lib/jvm$ ls jdk1.7.0_45/
bin lib src.zip
include README.html
jre release

lenky@lenky-Aspire-V5-471G:/usr/lib/jvm$ vi /home/lenky/.bashrc
export JAVA_HOME=/usr/lib/jvm/jdk1.7.0_45
export JRE_HOME=${JAVA_HOME}/jre
export CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib
export PATH=${JAVA_HOME}/bin:$PATH

lenky@lenky-Aspire-V5-471G:/usr/lib/jvm$ source !$
source /home/lenky/.bashrc

lenky@lenky-Aspire-V5-471G:/usr/lib/jvm$ sudo update-alternatives --install /usr/bin/java java /usr/lib/jvm/jdk1.7.0_45/bin/java 300
lenky@lenky-Aspire-V5-471G:/usr/lib/jvm$ sudo update-alternatives --install /usr/bin/javac javac /usr/lib/jvm/jdk1.7.0_45/bin/javac 300
lenky@lenky-Aspire-V5-471G:/usr/lib/jvm$ sudo update-alternatives --install /usr/bin/jar jar /usr/lib/jvm/jdk1.7.0_45/bin/jar 300
lenky@lenky-Aspire-V5-471G:/usr/lib/jvm$ sudo update-alternatives --config java
有 2 个候选项可用于替换 java (提供 /usr/bin/java)。

选择 路径 优先级 状态
* 0 /usr/lib/jvm/java-7-openjdk-i386/jre/bin/java 1071 自动模式
1 /usr/lib/jvm/java-7-openjdk-i386/jre/bin/java 1071 手动模式
2 /usr/lib/jvm/jdk1.7.0_45/bin/java 300 手动模式

update-alternatives: using /usr/lib/jvm/jdk1.7.0_45/bin/java to provide /usr/bin/java (java) in 手动模式

lenky@lenky-Aspire-V5-471G:/usr/lib/jvm$ java -version
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) Server VM (build 24.45-b08, mixed mode)

lenky@lenky-Aspire-V5-471G:/usr/lib/jvm$ sudo ln -s /usr/lib/jvm/jdk1.7.0_45/jre/plugin/i386/ns7/libjavaplugin_oji.so /usr/lib/mozilla/plugins/
After restarting Firefox and opening the about:plugins page, there was no Java(TM) Plug-in entry, so I continued:
lenky@lenky-Aspire-V5-471G:/usr/lib/jvm/jdk1.7.0_45/jre/lib/i386$ sudo update-alternatives --install /usr/lib/mozilla/plugins/mozilla-javaplugin.so mozilla-javaplugin.so /usr/lib/jvm/jdk1.7.0_45/jre/lib/i386/libnpjp2.so 1
update-alternatives: using /usr/lib/jvm/jdk1.7.0_45/jre/lib/i386/libnpjp2.so to provide /usr/lib/mozilla/plugins/mozilla-javaplugin.so (mozilla-javaplugin.so) in 自动模式
After restarting Firefox again and opening the about:plugins page, the Java(TM) Plug-in entry appeared. Done.





