马哥教育网络班19期第十一周课程练习
1、详细描述一次加密通讯的过程,结合图示最佳。
加密通讯的过程与普通的TCP通讯在前一部分都是一样的,只是在三次握手后,加入了SSL握手认证及密钥交换等一系列安全措施。整个过程如下:
首先,客户端与服务器建立TCP会话,进行三次握手
TCP成功握手后,进行ssl握手认证,详情:
1.服务器向客户端发送证书
2.客户端验证服务器的证书,验证内容包括:
a.检查发行者的名称 找到发行者的证书,从中提取出公钥,解密服务器发来的证书的签名,能正确解密,则证书的发行者得到验证
b.检查证书的主体名称,与需要访问的网站的主体名称是否一致,确保网站不是假冒。
c.检查证书是否完整(使用单向加密算法,计算证书特征码,与证书解密出来的特征码比对确认,如是一致,则证明此证书没被篡改)
d.检查证书是否在证书吊销列表中,确认该证书还在有效期内。
以上检查通过,则认为该证书是可信的。然后,客户端与服务器开始加密通信。双方协商对称加密的算法,单向加密的算法,SSL/TLS版本协议等。。。
协商完毕,客户端生成一个对称加密密钥,用对方的公钥加密后发送给服务器,完成该次会话的临时密钥交换。(服务器不一定需要客户端的证书,看其加密级别)
密钥交换完成后,客户端请求服务器的资源,服务器就用协商生成的临时的对称密钥加密内容,再传给客户端。客户端同样用协商好的对称密钥解密,得到内容。
至此,加密连接建立完毕,开始数据通信。
2、描述创建私有CA的过程,以及为客户端发来的证书请求进行办法证书。
创建私有CA的步骤:
(1)创建所需要的文件,第一次运行需要创建一些后面步骤需要用到文件
(2)自签证书 ##从自己的私钥文件抽取封装出来
生成私钥文件
生成自签证书,其中-x509:专用于CA生成自签证书,new:生成新证书签署请求,days n:证书的有效期限;out /PATH/TO/SOMECERTFILE:证书的保存路径
生成ca文件 cacert.pem
(3) 发证
(a) 用到证书的主机生成证书请求;
从私钥文件中提取出公钥,进行证书请求,参数与CA证书颁发机构的一致
(b) 把请求文件传输给CA;
##转到CA服务器
(4) CA签署证书,并将证书发还给请求者;
具体命令:
============================================================================
[root@www pki]# ls
CA CAOld ca.tar.gz ca-trust java nssdb rpm-gpg rsyslog tls
[root@www pki]# cd CA
[root@www CA]# ls
certs crl newcerts private
##创建index.txt 及 serial文件
[root@www CA]# touch index.txt
[root@www CA]# echo 01 > serial
##自签证书
##生成私钥文件
[root@www CA]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
…………………..+++
………………………….+++
e is 65537 (0x10001)
[root@www CA]#
##生成自签证书,其中-x509:专用于CA生成自签证书,new:生成新证书签署请求,days n:证书的有效期限;out /PATH/TO/SOMECERTFILE:证书的保存路径
[root@www CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
—–
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Foshan
Locality Name (eg, city) []:Foshan
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MageEdu
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:ca.test.net
Email Address []:caadmin@test.net
[root@www CA]#
## 生成ca文件 cacert.pem
##转到httpd服务器(需要申请证书的服务器),生成证书请求;
[root@localhost /]# cd /etc/httpd/
[root@localhost httpd]# ls
conf conf.d conf.modules.d logs modules run
[root@localhost httpd]# mkdir ssl
[root@localhost httpd]# cd ssl
##生成私钥
[root@localhost ssl]# (umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
…………………………………………..+++
……………………………………………………………………………………………………………………………………………+++
e is 65537 (0x10001)
[root@localhost ssl]# ls /etc/httpd/ssl/
httpd.key
[root@localhost ssl]#
##从私钥文件中提取出公钥,进行证书请求,参数与CA证书颁发机构的一致
[root@localhost ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
—–
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Foshan
Locality Name (eg, city) [Default City]:Foshan
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.test.net
Email Address []:wwwadmin@test.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# ls /etc/httpd/ssl/
httpd.csr httpd.key
[root@localhost ssl]#
##把请求文件传输给CA;
scp /etc/httpd/ssl/httpd.csr root@172.16.10.10/tmp/
##转到CA的机器上
[root@www ssl]# cd /etc/pki/tls
[root@www tls]# ls
cert.pem certs demoCA misc openssl.cnf openssl.cnf.bak private
##签署证书
[root@www tls]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /usr/local/openssl/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 20 04:35:07 2016 GMT
Not After : Jul 20 04:35:07 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = Foshan
organizationName = MageEdu
organizationalUnitName = IT
commonName = www.test.net
emailAddress = wwwadmin@test.net
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
27:F5:1F:90:58:5D:87:C6:ED:BF:17:D2:5E:42:E0:EA:EA:EA:9A:AE
X509v3 Authority Key Identifier:
keyid:11:10:82:7A:6A:8C:C7:C7:6F:D0:08:A3:55:4B:CF:BB:3C:2E:C2:9A
Certificate is to be certified until Jul 20 04:35:07 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@www tls]# ls /etc/pki/CA/certs/
httpd.crt
[root@www tls]#
##生成证书
##回传到web服务器
scp /etc/pki/CA/certs/httpd.crt root@172.16.20.20:/etc/httpd/ssl/
##在web服务器端查看证书信息
[root@localhost ssl]# openssl x509 -in /etc/httpd/ssl/httpd.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=Foshan, L=Foshan, O=MageEdu, OU=IT, CN=ca.test.net/emailAddress=caadmin@test.net
Validity
Not Before: Jul 20 04:35:07 2016 GMT
Not After : Jul 20 04:35:07 2017 GMT
Subject: C=CN, ST=Foshan, O=MageEdu, OU=IT, CN=www.test.net/emailAddress=wwwadmin@test.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c2:d2:cd:f7:00:d7:b8:40:83:ac:0c:7d:43:22:
a5:45:83:cf:ac:66:98:74:e0:1a:11:8f:e7:bb:bb:
a5:57:03:1e:91:83:27:b8:c2:3f:22:2e:85:79:72:
e5:0e:a2:65:80:71:61:f0:25:fe:ea:5a:06:e4:09:
ec:79:aa:d7:ca:9c:cc:8c:5c:da:4f:8c:54:92:85:
34:33:e7:a7:3c:96:30:a9:f8:66:b9:af:b6:c5:ce:
0f:3d:32:89:71:c6:40:09:35:a6:55:7f:7f:28:2c:
ec:d6:dc:ba:30:68:e9:f8:d3:33:35:54:d8:e4:fa:
30:c4:eb:51:60:25:b3:63:c0:86:7c:7c:fe:31:c1:
49:34:1f:7c:b4:d5:9e:1f:90:2f:21:30:86:ea:68:
8f:d4:dd:2a:3d:6b:7c:48:86:a9:4c:de:f3:b6:b8:
db:e9:d8:f2:bd:1d:fc:45:25:85:d6:e5:7e:51:92:
ca:c3:ff:ad:b8:44:61:4e:e3:cb:6a:e6:50:76:9b:
f1:b0:e6:c8:28:cb:e1:61:d0:c1:77:90:e8:9f:35:
dd:bb:4c:28:a9:bf:b0:f4:6b:b3:76:63:06:4d:a3:
1c:39:41:d9:ee:8e:c1:32:0e:84:be:0b:4b:7b:8a:
b4:b3:dc:20:ff:07:b8:ce:d9:3c:e5:99:c4:8d:20:
8e:37
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
27:F5:1F:90:58:5D:87:C6:ED:BF:17:D2:5E:42:E0:EA:EA:EA:9A:AE
X509v3 Authority Key Identifier:
keyid:11:10:82:7A:6A:8C:C7:C7:6F:D0:08:A3:55:4B:CF:BB:3C:2E:C2:9A
Signature Algorithm: sha1WithRSAEncryption
1f:d0:98:a8:3a:8a:2d:c7:11:a8:4f:f1:f4:9e:54:65:3b:12:
17:fb:e3:80:2d:37:52:6e:1f:c3:fb:97:7e:8d:52:cc:3d:0a:
67:dc:56:47:5d:8a:9b:e7:da:57:db:d1:0c:6d:ae:4f:10:47:
0b:79:1e:af:40:f3:19:70:49:ec:f3:2a:23:ab:17:3e:a1:36:
9b:e8:65:05:e6:a5:06:69:42:a7:59:fc:cf:fc:dc:00:ab:00:
55:4e:05:04:5b:30:1c:bf:e3:d5:a6:8a:b5:88:8a:af:81:4f:
e4:b5:1f:61:69:b6:9f:57:cc:06:f7:50:98:bb:26:80:c6:e3:
5b:35:a4:20:51:b3:5b:af:1d:e9:c3:29:49:2f:8f:d9:cc:ce:
d8:6e:da:4b:86:f8:32:9e:c3:b4:2b:92:0f:c1:ce:5b:8d:c9:
85:57:0f:2b:bd:5c:22:2d:35:4d:bd:59:b9:c9:39:69:75:8a:
16:b9:9e:55:8a:40:92:bc:5e:af:94:8f:f4:8f:4a:94:fd:7b:
46:ea:a7:2b:13:66:cf:38:82:67:9c:06:32:90:80:b4:a4:fb:
52:cc:6f:75:31:4d:54:cc:75:66:91:97:c2:ee:07:bf:cb:b2:
f6:61:8f:1f:76:85:84:9d:b7:3d:44:4e:92:e1:70:3b:d2:c3:
a7:64:44:bc
[root@localhost ssl]#
3、描述DNS查询过程以及DNS服务器类别。
DNS服务器的类别一般可分为以下几种:
主DNS服务器
辅助DNS服务器
缓存DNS服务器
转发器
DNS的查询过程为:
客户端发起DNS查询请求-先查看本机hosts文件,如有记录,返回,如无,继续查询-DNS服务器缓存(DNS服务器亦会先检查本地的缓存,如缓存有数据,就返回,如无,则继续)-DNS服务器查询
(DNS查询分几种情况,视乎DNS的服务器类别,下面分别介绍)
当服务器为主DNS服务器时:先查询客户端查询的是否是本机域,如是,则返回结果,如不是,则到根服务器发起递归查询,查询到结果后,返回给客户端,同时保存至自己的缓存记录中
当服务器为辅助DNS服务器时:前面的动作均与主DNS相同,先查询客户端查询的是否是本机域,如是,则返回结果,如不是,则到根服务器发起递归查询,查询到结果后,返回给客户端
当服务器为缓存服务器时:
当服务器为转发器时:前面的动作均与主DNS相同,先查询客户端查询的是否是本机域,如是,则返回结果,如不是,则将请求转发到指定的服务器上,由该服务器将请求进行查询,在取得转发
服务器的查询到结果后,再保存在本地缓存,返回给客户端。
4、搭建一套DNS服务器,负责解析magedu.com域名(自行设定主机名及IP)
(1)、能够对一些主机名进行正向解析和逆向解析;
(2)、对子域cdn.magedu.com进行子域授权,子域负责解析对应子域中的主机名;
(3)、为了保证DNS服务系统的高可用性,请设计一套方案,并写出详细的实施过程
搭建DNS服务器
父域IP:172.16.10.10
子域IP:172.16.20.20
##编辑named.conf主配置文件
[root@lvs1 named]# vim /etc/named.conf
##增加监听的IP地址
listen-on port 53 { 172.16.10.10;127.0.0.1; };
##dnssecurity设置成关闭状态
dnssec-enable no;
dnssec-validation no;
##编辑rfc1912文件,增加两个zone
[root@lvs1 named]# vim /etc/named.rfc1912.zones
##正向
zone "magedu.com" IN {
type master;
file "magedu.com.zone";
};
##反向
zone "0.0.16.172.in-addr.arpa" IN {
type master;
file "17216.zone";
};
##创建两个区域文件
[root@lvs1 named]# vim /var/named/magedu.com.zone
$TTL 1D
$ORIGIN magedu.com.
@ IN SOA magedu.com. admin.magedu.com (
2016072201
1H
5M
7D
1D )
IN NS ns1
IN NS ns2
IN MX 10 mx1
IN MX 20 mx2
ns1 IN A 172.16.10.10
ns2 IN A 172.16.20.20
mx1 IN A 172.16.10.10
mx2 IN A 172.16.20.20
www IN A 172.16.10.10
web IN A 172.16.20.20
ftp IN CNAME www
* IN CNAME www
[root@lvs1 named]# vim /var/named/17216.zone
$TTL 1D;
@ 86400 IN SOA magedu.com. admin.magedu.com (
2016072201
1H
5M
7D
1D )
IN NS ns1.magedu.com.
IN NS ns2.magedu.com.
10.10 IN PTR www.magedu.com.
20.20 IN PTR web.magedu.com.
##更改文件权限
[root@lvs1 named]# chown :named magedu.com.zone
[root@lvs1 named]# chmod 640 magedu.com.zone
[root@lvs1 named]# chmod 640 17216.zone
[root@lvs1 named]# chown :named 17216.zone
##重新载入
[root@lvs1 named]# rndc reload
##测试检查:
[root@www named]# dig -t A www.magedu.com @172.16.10.10
; <<>> DiG 9.11.0b1 <<>> -t A www.magedu.com @172.16.10.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15528
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com. IN A
;; ANSWER SECTION:
www.magedu.com. 86400 IN A 172.16.200.201
;; AUTHORITY SECTION:
magedu.com. 86400 IN NS ns1.magedu.com.
magedu.com. 86400 IN NS ns2.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 86400 IN A 172.16.200.201
ns2.magedu.com. 86400 IN A 172.16.200.202
;; Query time: 0 msec
;; SERVER: 172.16.10.10#53(172.16.10.10)
;; WHEN: Fri Jul 22 23:26:18 CST 2016
;; MSG SIZE rcvd: 127
[root@www named]# dig -t A smtp.magedu.com @172.16.10.10
; <<>> DiG 9.11.0b1 <<>> -t A smtp.magedu.com @172.16.10.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23224
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;smtp.magedu.com. IN A
;; ANSWER SECTION:
smtp.magedu.com. 86400 IN CNAME www.magedu.com.
www.magedu.com. 86400 IN A 172.16.200.201
;; AUTHORITY SECTION:
magedu.com. 86400 IN NS ns2.magedu.com.
magedu.com. 86400 IN NS ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 86400 IN A 172.16.200.201
ns2.magedu.com. 86400 IN A 172.16.200.202
;; Query time: 0 msec
;; SERVER: 172.16.10.10#53(172.16.10.10)
;; WHEN: Fri Jul 22 23:26:26 CST 2016
;; MSG SIZE rcvd: 146
//查询正常
//子域DNS的配置
##在父域中定义子域
vim /var/named/magedu.com.zone
##添加
ops IN NS ns1.ops
ops IN NS ns2.ops
ns1.ops IN A 172.16.20.20
ns2.ops IN A 172.16.20.21
rndc reload
##子域DNS服务器配置
vim /etc/named.conf
options {
listen-on port 53 { 172.16.20.20;127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
/*
– If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
– If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
– If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
/// dnssec-enable no;
// dnssec-validation no;
/* Path to ISC DLV key */
/// bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
##增加ops.magedu.com的zone
vim /etc/named.rfc1912.zones
zone "ops.test.net" IN {
type master;
file "ops.magedu.com.zone";
// allow-update { none; };
};
vim ops.magedu.com.zone
$TTL 1D
$ORIGIN ops.magedu.com.
@ IN SOA ns1.ops.magedu.com. admin.ops.magedu.com. (
2016071501
1H
5M
3D
1D )
IN NS ns1
IN NS ns2
ns1 IN A 172.16.20.20
ns2 IN A 172.16.20.21
www IN A 172.16.20.20
web IN A 172.16.20.22
* IN A 172.16.20.20
[root@localhost named]# rndc reload
server reload successful
[root@localhost named]# rndc status
version: 9.9.4-RedHat-9.9.4-29.el7_2.3 <id:8f9657aa>
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 102
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
[root@localhost named]#
DNS服务系统的高可用性,简要方案为:
两台DNS服务器,搭建主从服务,一台为主DNS服务器,另一台为从DNS服务器。客户端设置这两台服务器为自己的DNS服务器,一旦主DNS失效,会到第二个服务器(即从DNS)上进行DNS查询操作。
原创文章,作者:马哥Net19_小斌斌,如若转载,请注明出处:http://www.178linux.com/26043
评论列表(2条)
写的很好,排版还可以在漂亮一点,加油,问你一个问题吧,如果主的DNS死了,从的可以用吗?
@马哥教育:我的理解,从DNS只有主DNS的只读副本,自己不能更新记录,但如果客户端设置了从DNS服务器的指向,在向主DNS查询超时后,会向从DNS发起查询请求,对客户端来说,从的也可用。备用。