
An introduction to SSL-Explorer and a trial run

2 November 2013

Introduction:
SSL-Explorer was acquired, and the commercial company 3sp no longer provides updates:

http://en.wikipedia.org/wiki/SSL-Explorer:_Community_Edition

The last release was sslexplorer-1.0.0_RC17-src.tar.gz

http://sourceforge.net/projects/sslexplorer/

Because of this, the open-source community forked SSL-Explorer under the name Adito, which was later renamed OpenVPN ALS:

http://sourceforge.net/apps/trac/openvpn-als/wiki/what_is_openvpn-als

http://sourceforge.net/apps/trac/openvpn-als/wiki/enterprise_extensions

http://lars.werner.no/?page_id=153

http://jpaul.me/?p=883

The current latest version is adito-0.9.1-bin.tar.gz

http://sourceforge.net/projects/openvpn-als/

In summary, what I test here is naturally adito-0.9.1-bin.tar.gz, which is built on the last SSL-Explorer release. Note, however, that the directory http://sourceforge.net/projects/sslexplorer/files/SSL-Explorer%201.0/Extensions/
holds many extension modules that were published after the Adito fork, so they were probably never integrated into Adito; they are worth keeping an eye on.

The main difference between SSL-Explorer and OpenVPN is this:
The differentiator here is that OpenVPN is SSL, yes, but not web-based. SSL Explorer is web based.
I also found two other good introductory articles:

http://drakpzone.wordpress.com/category/networking/

clientless vpn… who could ask for anything more?
August 4, 2006
In my last post, I stated that openvpn could be considered the perfect vpn solution nearly always. Well, “nearly” was there since another great opensource project appeared to me a few months ago: sslexplorer. While openvpn and sslexplorer share ssl as a security layer, their approach to vpns is totally different. Openvpn is a client-server based solution which uses ssl as a secure way to encapsulate ip traffic over a secure udp/tcp connection, while sslexplorer is a browser based vpn solution, which relies on https for communication security.

sslexplorer is a java based project that greatly simplifies the burden of distributing and configuring clients that other vpn solutions impose (while openvpn is way easier, though, than all the ugly ipsec stuff in general). Simply put, the client doesn’t exist… or at least the relevant part needed for secure communication is activated as a signed java applet after the user accesses the sslexplorer portal via a standard web browser. The java applet is responsible for the secure communication (ssl based) from the client to the server and back, and sslexplorer itself acts in general as a proxy to the corporate resources. Among other things, it can allow you to reverse proxy corporate intranet sites, redirect tcp ports for e.g. the corporate mailserver, or maybe give you access to a java applet that acts as an ssh client to your *nix servers. All this lives inside the browser session, so you can easily be at your favorite internet cafe @whatever place and without any software requirements other than a browser with a decent java plugin, you can get full access to your corporate resources in a snap.

But they went even further! If you do have your preferred email application (thunderbird, of course) at hand, why would you rely on that uncomfortable intranet webmail app? Just fire up the “bird” and configure it so that it points to localhost:xxxx where xxxx is the port number your friendly sslexplorer java applet is proxying versus your intranet imap/smtp server, for example.

Many other things not covered here make sslexplorer another great great opensource project (like, e.g., its powerful web based management interface).

Obviously, while sslexplorer is a great solution for roadwarrior vpn setup, it isn’t the right solution for site2site architectures. But for this, guys, there’s openvpn :-)

Jump in the openvpn & sslexplorer club… we’re having a hell of a party ;)

openvpn in the palm of your hand
August 4, 2006

A couple of years ago I discovered OpenVPN (www.openvpn.net). What an amazing piece of software! I dug into it very deeply, and concluded that it’s imho the perfect vpn solution in most cases (or all cases, maybe). It’s a userspace application (no more kernel fiddling), it’s multiplatform, it’s udp OR tcp based, it uses openssl as crypto library (openssl is damn good!), it can pass through proxies, it can use certificates (or not!), it can authenticate users via pam or whatever… the feature list is endless, and I found everything to work even more than expected. It’s way way robust and stable and secure… And client deployment is hassle-free!

Having tested it (on the client side) on linux, win, and osx boxes, I thought at that stage that one could never ask for something more from a vpn solution. Then, it came to me that I own one platform that could bring openvpn coolness even further: the pocketpc. After a few posts on openvpn’s official mailing list, I found that many others desired an openvpn pocketpc port, but few people around seemed to be able to develop on that platform (me… not for sure!).

As always, I kept my interest alive for this great project… till one day I saw on openvpn.net homepage a note about an ongoing project for porting openvpn to the pocketpc. After the initial surprise, I found that the project was already at a good stage, even after only a few days of work by the almighty Ziggurat29 (project maintainer).

Well… believe it or not, even the first alpha made my imate jasjar fly over my openvpn server @ my company. It was already stable and implemented nearly all of openvpn’s main source features. The openvpn for pocketpc community started to grow (with respect to pocketpc’s relative market share), and Ziggurat29 did an incredible job, providing us in a few weeks with an excellent openvpn client. Zigg is very conservative and considers openvpn for pocketpc at alpha or beta (at most) stage, but I can guarantee that I’ve been using it flawlessly for a couple of months now, and it allowed me to spread the “always connected” philosophy inside my company (even one of the big big bosses is using an imate jamin for corporate email access via openvpn).

Note that I banged my head for a while with windows mobile’s incarnation of a vpn… via l2tp/ipsec. Needless to say, it was a nearly complete failure. It helped me raise my hatred of ipsec, which I consider an old and absolutely obsolete protocol/approach to vpns in general.

So, all my respect to Jim Yonan for openvpn itself, and to Ziggurat29 for this great great porting project.

Trying it out:
0. Environment:
lenky@lenky-Aspire-V5-471G:~/asdf/ssl/adito-0.9.1$ cat /etc/issue
Ubuntu 13.10 \n \l

lenky@lenky-Aspire-V5-471G:~/asdf/ssl/adito-0.9.1$ uname -a
Linux lenky-Aspire-V5-471G 3.11.6 #2 SMP Mon Oct 28 16:14:35 CST 2013 i686 i686 i686 GNU/Linux

1. Install the JDK; on Ubuntu that means OpenJDK:
lenky@lenky-Aspire-V5-471G:~/asdf/ssl$ sudo apt-get install openjdk-7-jdk

2. Install ant:
lenky@lenky-Aspire-V5-471G:~/asdf/ssl$ sudo apt-get install ant1.7

3. Copy in one dependency library (tools.jar from the JDK), then build and install:
lenky@lenky-Aspire-V5-471G:~/asdf/ssl/adito-0.9.1$ cp /usr/lib/jvm/java-7-openjdk-i386/lib/tools.jar adito/lib/
lenky@lenky-Aspire-V5-471G:~/asdf/ssl/adito-0.9.1$ sudo ant install

[javac] 警告: [options] 未与 -source 1.2 一起设置引导类路径
[javac] 警告: [options] 未与 -source 1.3 一起设置引导类路径
[javac] 警告: [options] 未与 -source 1.5 一起设置引导类路径

install:
[mkdir] Created dir: /home/lenky/asdf/ssl/adito-0.9.1/adito/tmp
Starting installation wizard…Point your browser to http://lenky-Aspire-V5-471G:28080.

Press CTRL+C or use the ‘Shutdown’ option from the web interface to leave the installation wizard.
.

4. As prompted, open http://lenky-Aspire-V5-471G:28080 in a browser.
Follow the wizard to configure the installation; I created an account lenky0401/111111.
When the configuration is finished, the terminal prints:
BUILD SUCCESSFUL
Total time: 19 minutes 15 seconds

5. Build the other two components (agent and service) and start the service:
lenky@lenky-Aspire-V5-471G:~/asdf/ssl/adito-0.9.1$ sudo ant install-agent
lenky@lenky-Aspire-V5-471G:~/asdf/ssl/adito-0.9.1$ sudo ant install-service
lenky@lenky-Aspire-V5-471G:~/asdf/ssl/adito-0.9.1$ sudo chkconfig adito on
lenky@lenky-Aspire-V5-471G:~/asdf/ssl/adito-0.9.1$ sudo /etc/init.d/adito start
Starting Adito…

6. Open https://127.0.0.1/ in the browser and log in with the account lenky0401/111111.
Using the Putty SSH application:

You can now log into it, but it will not do much as there are no applications installed. You need to check them out of Subversion, compile and upload them. You can do this on your local machine.

svn co https://openvpn-als.svn.sourceforge.net/svnroot/openvpn-als/adito-applications/
cd adito-applications

There are quite a few there, but we will just do the portable Putty application.

cd adito-application-putty-portable-ssh
ant

The output will tell you the Zip file it has built which you can now upload. Go to the “Extension Manager” from the menu on the left. On the right you will see “Upload Extension”. Choose the Zip file and you can configure it to connect to whatever Linux machine you want. “Putty SSH” will now be available in the list of installed applications.

Installing the Java plugin in Firefox on Ubuntu:
The Ubuntu environment is described above; the Firefox in use is 24.0.
Because SSL-Explorer needs the browser to run a Java applet, I tested that as well; the process was as follows:
0. Download the JDK: jdk-7u45-linux-i586.tar.gz

http://www.oracle.com/technetwork/java/javase/downloads/index.html

http://download.oracle.com/otn-pub/java/jdk/7u45-b18/jdk-7u45-linux-i586.tar.gz

1. Unpack and install:
lenky@lenky-Aspire-V5-471G:~/asdf/openvpn$ sudo cp jdk-7u45-linux-i586.tar.gz /usr/lib/jvm/
[sudo] password for lenky:
lenky@lenky-Aspire-V5-471G:~/asdf/openvpn$ cd /usr/lib/jvm/
lenky@lenky-Aspire-V5-471G:/usr/lib/jvm$ sudo tar xf jdk-7u45-linux-i586.tar.gz
lenky@lenky-Aspire-V5-471G:/usr/lib/jvm$ ls jdk1.7.0_45/
bin lib src.zip
COPYRIGHT LICENSE THIRDPARTYLICENSEREADME-JAVAFX.txt
db man THIRDPARTYLICENSEREADME.txt
include README.html
jre release

2. Set the environment variables:
lenky@lenky-Aspire-V5-471G:/usr/lib/jvm$ vi /home/lenky/.bashrc
Append at the end:
export JAVA_HOME=/usr/lib/jvm/jdk1.7.0_45   # the unpacked JDK directory, so that ${JAVA_HOME}/bin and ${JAVA_HOME}/jre exist
export JRE_HOME=${JAVA_HOME}/jre
export CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib
export PATH=${JAVA_HOME}/bin:$PATH

Apply it immediately:
lenky@lenky-Aspire-V5-471G:/usr/lib/jvm$ source !$
source /home/lenky/.bashrc
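Two things in this walkthrough depend on JAVA_HOME pointing at a full JDK rather than at /usr/lib/jvm or a bare JRE: step 3 of the build copies lib/tools.jar out of the JDK into adito/lib (a JRE-only install does not ship it), and the .bashrc lines above put ${JAVA_HOME}/bin on PATH. The POSIX shell functions below are an added example, not part of the original post or of Adito: check_jdk_home verifies that a directory has both files before you build, and write_java_env appends the four export lines only once, so re-running it after a mistake does not pile up duplicate entries in .bashrc. The directory layout is the one shown by the ls output above; the directories the functions are run against are whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a JDK directory
# before building Adito, and append the Java environment to an rc file only once.

# check_jdk_home DIR
# Returns 0 if DIR looks like a full JDK: it must contain bin/java (so that
# PATH=${JAVA_HOME}/bin works) and lib/tools.jar (the jar the Adito build
# copies into adito/lib and which a JRE-only install does not ship).
check_jdk_home() {
    dir="$1"
    [ -x "$dir/bin/java" ] || { echo "missing $dir/bin/java" >&2; return 1; }
    [ -f "$dir/lib/tools.jar" ] || { echo "missing $dir/lib/tools.jar (JRE only?)" >&2; return 1; }
    return 0
}

# write_java_env JDK_DIR RCFILE
# Appends the four export lines from the post to RCFILE, skipping any line
# that is already present verbatim, so the function is safe to re-run.
write_java_env() {
    jdk="$1"; rc="$2"
    check_jdk_home "$jdk" || return 1
    for line in \
        "export JAVA_HOME=$jdk" \
        'export JRE_HOME=${JAVA_HOME}/jre' \
        'export CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib' \
        'export PATH=${JAVA_HOME}/bin:$PATH'
    do
        grep -qxF -- "$line" "$rc" 2>/dev/null || printf '%s\n' "$line" >> "$rc"
    done
}

# count_line FILE LINE
# Prints how many times LINE occurs verbatim in FILE (0 when absent).
count_line() {
    grep -cxF -- "$2" "$1" 2>/dev/null || true
}

# Usage on the machine from the post (assumed paths, run by hand):
#   check_jdk_home /usr/lib/jvm/jdk1.7.0_45 && write_java_env /usr/lib/jvm/jdk1.7.0_45 ~/.bashrc
```

Running check_jdk_home against /usr/lib/jvm itself fails on the first test, which is exactly why JAVA_HOME has to name the unpacked jdk1.7.0_45 directory; running it against the OpenJDK JRE path that update-alternatives lists by default fails on the second.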

3. Configure the default JDK version:
lenky@lenky-Aspire-V5-471G:/usr/lib/jvm$ sudo update-alternatives --install /usr/bin/java java /usr/lib/jvm/jdk1.7.0_45/bin/java 300
lenky@lenky-Aspire-V5-471G:/usr/lib/jvm$ sudo update-alternatives --install /usr/bin/javac javac /usr/lib/jvm/jdk1.7.0_45/bin/javac 300
lenky@lenky-Aspire-V5-471G:/usr/lib/jvm$ sudo update-alternatives --install /usr/bin/jar jar /usr/lib/jvm/jdk1.7.0_45/bin/jar 300
lenky@lenky-Aspire-V5-471G:/usr/lib/jvm$ sudo update-alternatives --config java
有 2 个候选项可用于替换 java (提供 /usr/bin/java)。

选择 路径 优先级 状态
————————————————————
* 0 /usr/lib/jvm/java-7-openjdk-i386/jre/bin/java 1071 自动模式
1 /usr/lib/jvm/java-7-openjdk-i386/jre/bin/java 1071 手动模式
2 /usr/lib/jvm/jdk1.7.0_45/bin/java 300 手动模式

要维持当前值[*]请按回车键,或者键入选择的编号:2
update-alternatives: using /usr/lib/jvm/jdk1.7.0_45/bin/java to provide /usr/bin/java (java) in 手动模式
lenky@lenky-Aspire-V5-471G:/usr/lib/jvm$

4. Test:
lenky@lenky-Aspire-V5-471G:/usr/lib/jvm$ java -version
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) Server VM (build 24.45-b08, mixed mode)

5. Add the Java plugin to Firefox:
lenky@lenky-Aspire-V5-471G:/usr/lib/jvm$ sudo ln -s /usr/lib/jvm/jdk1.7.0_45/jre/plugin/i386/ns7/libjavaplugin_oji.so /usr/lib/mozilla/plugins/
Restart Firefox and open the about:plugins page; no Java(TM) Plug-in entry appears (the ns7 OJI plugin is the legacy one), so continue with the NPAPI plugin libnpjp2.so:
lenky@lenky-Aspire-V5-471G:/usr/lib/jvm/jdk1.7.0_45/jre/lib/i386$ sudo update-alternatives --install /usr/lib/mozilla/plugins/mozilla-javaplugin.so mozilla-javaplugin.so /usr/lib/jvm/jdk1.7.0_45/jre/lib/i386/libnpjp2.so 1
update-alternatives: using /usr/lib/jvm/jdk1.7.0_45/jre/lib/i386/libnpjp2.so to provide /usr/lib/mozilla/plugins/mozilla-javaplugin.so (mozilla-javaplugin.so) in 自动模式
Restart Firefox again and open about:plugins; the Java(TM) Plug-in entry is now listed. Done.

References: http://lars.werner.no/?page_id=153

http://www.howtoforge.com/installing-adito-openvpn-als-on-centos

When reposting, please keep the source address: http://www.lenky.info/archives/2013/11/2371 (http://lenky.info/?p=2371)


