# Cluster security levels and SSL certificate verification
## I. Preparation
1. Obtain the cluster authorization certificate: apply to AnyChat for TLS encrypted communication authorization;
2. Prepare your own SSL certificate and its private key, and generate the certificate chain;
3. Update the cluster to version 1868 or later, update the cluster MT (20190114), and update the client SDK (r8151).
## II. Adding the certificates
1. Add the authorization certificate: Cluster MT - System Management - Certificate Management - [Add Authorization Certificate]
2. Add the SSL certificate: Cluster MT - System Management - Certificate Management - [Add SSL Certificate]
3. Edit the SSL certificate private key: Cluster MT - System Management - Certificate Management - open the SSL certificate details - [Edit Private Key], paste the certificate's key into the edit box, click [Modify], then check the SSL certificate details to confirm the edit succeeded.
## III. Security level settings and description
### 1. Global security level
Path: System Management --> Basic Settings --> Security Settings.
### 2. Operator security level
Path: System Management --> Operator Configuration --> Add/Edit Operator.
### Note:
Difference between the operator security level and the global security level:
1) If no operator security level is configured, the global setting applies.
2) If an operator security level is configured, the access servers on that operator's physical machines use the operator's level.
3) Clusters that do not need operators can ignore this item.
### 3. Security level description
Five options are available: Not set; Low; Medium; High; Highest.
| Security level | Description |
| --- | --- |
| Not set | No security level |
| Low | The SSL certificate is not verified; both new and old plugins may log in without an SSL certificate chain |
| Medium | New clients verify the SSL certificate chain and may connect and log in via the server's IP address or domain name; old clients do not verify the chain and log in normally. |
| High | New clients verify the SSL certificate chain and may connect and log in only via the server's domain name |
| Highest | New clients verify the SSL certificate chain and may connect and log in only via the server's domain name; media packets are encrypted in transit, and media streams may only be relayed through the server |
Note: at High and Highest, old plugins are not allowed to log in and receive error 74.
### 4. Common error codes
When the security level is Medium, High or Highest, the following errors may occur:
```
#define AC_ERROR_KEYVERIFYFAILED 66 ///< Key verification failed
#define AC_ERROR_NOCERTCHAIN 67 ///< Certificate chain missing
#define AC_ERROR_CERTVERIFYFAIL 68 ///< Certificate verification failed
#define AC_ERROR_CERTDATEFAIL 69 ///< Certificate date verification failed
#define AC_ERROR_CERTURLFAIL 70 ///< Certificate URL address verification failed
#define AC_ERROR_CERTPUBKEYFAIL 71 ///< Public key missing
#define AC_ERROR_CERTPRIVATEKEYFAIL 72 ///< Server has no private key configured for the SSL certificate
#define AC_ERROR_CERTFILENOTCONFIG 73 ///< Server has no SSL certificate configured
#define AC_ERROR_CERTHIGHSECURITY 74 ///< Connection not allowed by the security level restriction
#define AC_ERROR_SECURITYBREAK 75 ///< Security negotiation failed
```
## IV. Client-side SSL certificate verification
### 1. Verification function
```
#define BRAC_SO_CORESDK_SSLCERTCHAIN 232 ///< certificate chain
SetSDKOption(BRAC_SO_CORESDK_SSLCERTCHAIN, "certificate chain content"); // call this after InitSDK
```
Note:
The Web client supports certificate chains in .p7b and .cer format; mobile clients currently support only the .cer format.
### 2. Examples
#### 1) Web
```
BRAC_SetSDKOption(BRAC_SO_CORESDK_SSLCERTCHAIN, "subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL RSA CA 2018\nissuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA\n-----BEGIN CERTIFICATE-----\nMIIEsTCCA5mgAwIBAgIQCKWiRs1LXIyD1wK0u6tTSTANBgkqhkiG9w0BAQsFADBh\nMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\nd3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\nQTAeFw0xNzExMDYxMjIzMzNaFw0yNzExMDYxMjIzMzNaMF4xCzAJBgNVBAYTAlVT\nMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\nb20xHTAbBgNVBAMTFFJhcGlkU1NMIFJTQSBDQSAyMDE4MIIBIjANBgkqhkiG9w0B\nAQEFAAOCAQ8AMIIBCgKCAQEA5S2oihEo9nnpezoziDtx4WWLLCll/e0t1EYemE5n\n+MgP5viaHLy+VpHP+ndX5D18INIuuAV8wFq26KF5U0WNIZiQp6mLtIWjUeWDPA28\nOeyhTlj9TLk2beytbtFU6ypbpWUltmvY5V8ngspC7nFRNCjpfnDED2kRyJzO8yoK\nMFz4J4JE8N7NA1uJwUEFMUvHLs0scLoPZkKcewIRm1RV2AxmFQxJkdf7YN9Pckki\nf2Xgm3b48BZn0zf0qXsSeGu84ua9gwzjzI7tbTBjayTpT+/XpWuBVv6fvarI6bik\nKB859OSGQuw73XXgeuFwEPHTIRoUtkzu3/EQ+LtwznkkdQIDAQABo4IBZjCCAWIw\nHQYDVR0OBBYEFFPKF1n8a8ADIS8aruSqqByCVtp1MB8GA1UdIwQYMBaAFAPeUDVW\n0Uy7ZvCj4hsbw5eyPdFVMA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwEgYDVR0TAQH/BAgwBgEB/wIBADA0BggrBgEFBQcBAQQo\nMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBCBgNVHR8E\nOzA5MDegNaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRHbG9i\nYWxSb290Q0EuY3JsMGMGA1UdIARcMFowNwYJYIZIAYb9bAECMCowKAYIKwYBBQUH\nAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCwYJYIZIAYb9bAEBMAgG\nBmeBDAECATAIBgZngQwBAgIwDQYJKoZIhvcNAQELBQADggEBAH4jx/LKNW5ZklFc\nYWs8Ejbm0nyzKeZC2KOVYR7P8gevKyslWm4Xo4BSzKr235FsJ4aFt6yAiv1eY0tZ\n/ZN18bOGSGStoEc/JE4ocIzr8P5Mg11kRYHbmgYnr1Rxeki5mSeb39DGxTpJD4kG\nhs5lXNoo4conUiiJwKaqH7vh2baryd8pMISag83JUqyVGc2tWPpO0329/CWq2kry\nqv66OSMjwulUz0dXf4OHQasR7CNfIr+4KScc6ABlQ5RDF86PGeE6kdwSQkFiB/cQ\nysNyq0jEDQTkfa2pjmuWtMCNbBnhFXBYejfubIhaUbEv2FOQB3dCav+FPg5eEveX\nTVyMnGo=\n-----END CERTIFICATE-----\n\nsubject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root 
CA\nissuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA\n-----BEGIN CERTIFICATE-----\nMIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh\nMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\nd3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\nQTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT\nMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\nb20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB\nCSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97\nnh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt\n43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P\nT19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4\ngdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO\nBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR\nTLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw\nDQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr\nhMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg\n06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF\nPnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls\nYSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk\nCAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=\n-----END CERTIFICATE-----");
```
#### 2) iOS
```
// Add the .cer certificate chain file to the app bundle; call this after InitSDK.
NSString *outCertPA = [[NSBundle mainBundle] pathForResource:@"outcertificate.cer" ofType:nil];
NSData *outCertPAData = [NSData dataWithContentsOfFile:outCertPA];
// The .cer must contain PEM text (Base64 with BEGIN/END markers); binary DER is generally not valid UTF-8 and yields nil here.
NSString *outCertPAStr = [[NSString alloc] initWithData:outCertPAData encoding:NSUTF8StringEncoding];
if (outCertPAStr != nil) {
    [AnyChatPlatform SetSDKOptionString:BRAC_SO_CORESDK_SSLCERTCHAIN :outCertPAStr];
}
```
#### 3) Android
```
String strCertChain = "subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL RSA CA 2018\n" +
"issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA\n" +
"-----BEGIN CERTIFICATE-----\n" +
"MIIEsTCCA5mgAwIBAgIQCKWiRs1LXIyD1wK0u6tTSTANBgkqhkiG9w0BAQsFADBh\n" +
"MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n" +
"d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\n" +
"QTAeFw0xNzExMDYxMjIzMzNaFw0yNzExMDYxMjIzMzNaMF4xCzAJBgNVBAYTAlVT\n" +
"MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\n" +
"b20xHTAbBgNVBAMTFFJhcGlkU1NMIFJTQSBDQSAyMDE4MIIBIjANBgkqhkiG9w0B\n" +
"AQEFAAOCAQ8AMIIBCgKCAQEA5S2oihEo9nnpezoziDtx4WWLLCll/e0t1EYemE5n\n" +
"+MgP5viaHLy+VpHP+ndX5D18INIuuAV8wFq26KF5U0WNIZiQp6mLtIWjUeWDPA28\n" +
"OeyhTlj9TLk2beytbtFU6ypbpWUltmvY5V8ngspC7nFRNCjpfnDED2kRyJzO8yoK\n" +
"MFz4J4JE8N7NA1uJwUEFMUvHLs0scLoPZkKcewIRm1RV2AxmFQxJkdf7YN9Pckki\n" +
"f2Xgm3b48BZn0zf0qXsSeGu84ua9gwzjzI7tbTBjayTpT+/XpWuBVv6fvarI6bik\n" +
"KB859OSGQuw73XXgeuFwEPHTIRoUtkzu3/EQ+LtwznkkdQIDAQABo4IBZjCCAWIw\n" +
"HQYDVR0OBBYEFFPKF1n8a8ADIS8aruSqqByCVtp1MB8GA1UdIwQYMBaAFAPeUDVW\n" +
"0Uy7ZvCj4hsbw5eyPdFVMA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEF\n" +
"BQcDAQYIKwYBBQUHAwIwEgYDVR0TAQH/BAgwBgEB/wIBADA0BggrBgEFBQcBAQQo\n" +
"MCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBCBgNVHR8E\n" +
"OzA5MDegNaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRHbG9i\n" +
"YWxSb290Q0EuY3JsMGMGA1UdIARcMFowNwYJYIZIAYb9bAECMCowKAYIKwYBBQUH\n" +
"AgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCwYJYIZIAYb9bAEBMAgG\n" +
"BmeBDAECATAIBgZngQwBAgIwDQYJKoZIhvcNAQELBQADggEBAH4jx/LKNW5ZklFc\n" +
"YWs8Ejbm0nyzKeZC2KOVYR7P8gevKyslWm4Xo4BSzKr235FsJ4aFt6yAiv1eY0tZ\n" +
"/ZN18bOGSGStoEc/JE4ocIzr8P5Mg11kRYHbmgYnr1Rxeki5mSeb39DGxTpJD4kG\n" +
"hs5lXNoo4conUiiJwKaqH7vh2baryd8pMISag83JUqyVGc2tWPpO0329/CWq2kry\n" +
"qv66OSMjwulUz0dXf4OHQasR7CNfIr+4KScc6ABlQ5RDF86PGeE6kdwSQkFiB/cQ\n" +
"ysNyq0jEDQTkfa2pjmuWtMCNbBnhFXBYejfubIhaUbEv2FOQB3dCav+FPg5eEveX\n" +
"TVyMnGo=\n" +
"-----END CERTIFICATE-----\n" +
"\n" +
"subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA\n" +
"issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA\n" +
"-----BEGIN CERTIFICATE-----\n" +
"MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh\n" +
"MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n" +
"d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\n" +
"QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT\n" +
"MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\n" +
"b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG\n" +
"9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB\n" +
"CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97\n" +
"nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt\n" +
"43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P\n" +
"T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4\n" +
"gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO\n" +
"BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR\n" +
"TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw\n" +
"DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr\n" +
"hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg\n" +
"06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF\n" +
"PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls\n" +
"YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk\n" +
"CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=\n" +
"-----END CERTIFICATE-----";
anyChatSDK.SetSDKOptionString(BRAC_SO_CORESDK_SSLCERTCHAIN, strCertChain);
```
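As an added pre-flight check, not part of the AnyChat SDK or of this page's examples, the following Node.js snippet parses a chain string in the layout used by the Web and Android examples above (subject/issuer lines followed by PEM blocks) and reports the defects that would make it unusable before it is handed to SetSDKOption; the sample chain, its names and its placeholder bodies are constructed.

```javascript
// Added example (not AnyChat code): sanity-check a chain string before passing it to
// SetSDKOption(BRAC_SO_CORESDK_SSLCERTCHAIN, ...). Layout as in the page's examples.
const PEM_BEGIN = '-----BEGIN CERTIFICATE-----';
const PEM_END = '-----END CERTIFICATE-----';

// Split the chain text into { subject, issuer, der } entries in file order.
function parseChain(text) {
  const re = /(?:subject=(.*)\n)?(?:issuer=(.*)\n)?-----BEGIN CERTIFICATE-----\n([\s\S]*?)\n-----END CERTIFICATE-----/g;
  const entries = [];
  let m;
  while ((m = re.exec(text)) !== null) {
    const b64 = m[3].replace(/\s+/g, '');
    if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) throw new Error('PEM body is not valid base64');
    entries.push({ subject: m[1] || null, issuer: m[2] || null, der: Buffer.from(b64, 'base64') });
  }
  return entries;
}

// Report defects that make the chain unusable: no certificate, a body that is not a DER
// SEQUENCE (first byte 0x30), a missing subject/issuer line, an issuer that does not
// name the next entry's subject, or a last entry that is not a self-signed root.
function checkChain(text) {
  let entries;
  try { entries = parseChain(text); } catch (e) { return { ok: false, errors: [e.message] }; }
  const errors = [];
  if (entries.length === 0) errors.push('no certificate found in chain text');
  entries.forEach((c, i) => {
    if (c.der.length === 0 || c.der[0] !== 0x30) errors.push(`entry ${i}: body is not DER`);
    if (!c.subject || !c.issuer) errors.push(`entry ${i}: missing subject= or issuer= line`);
    const next = entries[i + 1];
    if (next && c.issuer !== next.subject) errors.push(`entry ${i}: issuer does not match next subject`);
  });
  const last = entries[entries.length - 1];
  if (last && last.subject !== last.issuer) errors.push('last entry is not a self-signed root');
  return { ok: errors.length === 0, errors };
}

// Constructed sample chain with placeholder bodies (not real certificates): "MIIBAQ=="
// decodes to 30 82 01 01, the start of a DER SEQUENCE, which is all this check inspects.
const GOOD_CHAIN =
  'subject=/C=XX/O=Example/CN=Example Intermediate CA\n' +
  'issuer=/C=XX/O=Example/CN=Example Root CA\n' +
  `${PEM_BEGIN}\nMIIBAQ==\n${PEM_END}\n\n` +
  'subject=/C=XX/O=Example/CN=Example Root CA\n' +
  'issuer=/C=XX/O=Example/CN=Example Root CA\n' +
  `${PEM_BEGIN}\nMIIBAQ==\n${PEM_END}`;
// Same chain with the root dropped: the intermediate's issuer is left dangling.
const BROKEN_CHAIN = GOOD_CHAIN.split('\n\n')[0];

console.log(checkChain(GOOD_CHAIN));   // { ok: true, errors: [] }
console.log(checkChain(BROKEN_CHAIN)); // { ok: false, errors: [ 'last entry is not a self-signed root' ] }
```

The check only inspects structure and linkage; signature and validity-period verification remain the server's job under the security levels described above.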