一 https介绍以及实现机制
1. https协议:
在传统的http协议中,文档是明文传送的,网页涉及敏感信息是,将变得很不安全。为了保证敏感信息的安全,httpd结合加密库openssl或openssh 产生了https 协议。这就好比两个黑社会团伙交易,都怕出事被抓,于是在交易之前先又各自派出去的打手保证现场治安,保证对方的货没问题并且对面来的不是警察卧底。
基本上https协议可以理解为,在TCP/IP协议上面再加半层openssl会话协议,用于进行身份认证,加密算法协商,密钥交换,协商数据加密使用的密码等工作。openssl会话完成后,再继续进行httpd会话。
由于openssl会话是发生在http会话之前,此时还不存在http首部的概念,所以基于主机名(FQDN)的虚拟主机将不适用,因此如果使用https协议,一个ip只能有一个主机。
不得不说的是,https传输的方式是二进制传输,就算传输的二进制流被截获了也无法再次还原成有意义的信息,由此保证了信息安全。
2. x509.3证书格式
3. PKI;Public Key Infrastructure, 在openssl中用于实现证书签发相关工作: 具体工作如下
端实体(申请者)
注册机构(RC)
签证机构(CA)–>签证机构(CA)
证书撤消列表(CRL)发布机构
证书存取库
4. SSL握手要完成的工作:
交换协议版本号
选择双方都支持的加密方式
对两端实现身份验正
密钥交换
5. 客户端验正服务器证书时:
日期检测:证书是否在有效期内
证书颁发者的可信度:
证书的签名检测:
持有者的身份检测:
二 https的配置过程
1. 准备服务器的私钥和证书,为了方便起见,本机将作为CA同时也作为被发证者
1) 自封为CA, 创建自签证书
在/etc/pki/CA/private目录下创建CA私钥 # cd /etc/pki/CA/ # (umask 077; openssl genrsa 2048 > private/cakey.pem) Generating RSA private key, 2048 bit long modulus .......+++ ......................................+++ e is 65537 (0x10001) 创建子签CA证书 # openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:SG State or Province Name (full name) []:Singapore Locality Name (eg, city) [Default City]:Singapore Organization Name (eg, company) [Default Company Ltd]:DUKE-NUS Organizational Unit Name (eg, section) []:CVMD Common Name (eg, your name or your server's hostname) []:www.playground.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: 创建openssl需要的文件 # cd /etc/pki/CA # touch index.txt serial crlnumber # echo 01 > serial 为web服务器创建秘钥 # mkdir /etc/httpd/conf/ssl # cd /etc/htpd/conf/ssl # (umask 077; openssl genrsa 1024 > httpd.key) Generating RSA private key, 1024 bit long modulus .......................................................++++++ ..........................................................................................++++++ e is 65537 (0x10001) 为web服务器创建证书签署请求 # openssl req -new -key httpd.key -out httpd.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:SG State or Province Name (full name) []:Singapore Locality Name (eg, city) [Default City]:Singapore Organization Name (eg, company) [Default Company Ltd]:DUKE-NUS Organizational Unit Name (eg, section) []:CVMD Common Name (eg, your name or your server's hostname) []:www.playground.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: 用之前创建的CA子签证书,做证书签署 # openssl ca -in httpd.csr -out httpd.crt -days 365 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Oct 18 18:00:55 2014 GMT Not After : Oct 18 18:00:55 2015 GMT Subject: countryName = SG stateOrProvinceName = Singapore organizationName = DUKE-NUS organizationalUnitName = CVMD commonName = www.playground.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 08:CD:C2:E2:39:D4:8E:3C:3E:6B:18:3D:54:23:7E:D8:32:55:42:7A X509v3 Authority Key Identifier: keyid:9A:30:36:6E:2C:EA:2C:DD:D8:A9:67:F7:28:41:8F:81:20:F6:75:F2 Certificate is to be certified until Oct 18 18:00:55 2015 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
2. 安装mod_ssl模块,是的httpd支持https
# yum -y install mod_ssl # rpm -ql mod_ssl /etc/httpd/conf.d/ssl.conf /usr/lib64/httpd/modules/mod_ssl.so /var/cache/mod_ssl /var/cache/mod_ssl/scache.dir /var/cache/mod_ssl/scache.pag /var/cache/mod_ssl/scache.sem
3. 配置mod_ssl模块配置文件,使得支持https功能
/etc/httpd/conf.d/ssl.conf 配置下面几行 ServerName www.playground.com:443 DocumentRoot "/var/www/html" SSLCertificateFile /etc/httpd/conf/ssl/httpd.crt SSLCertificateKeyFile /etc/httpd/conf/ssl/httpd.key
4. 重启服务,在宿主机windows中hosts中添加,服务器解析条目,并且CA安装到windows上(cacert.pem改改为cacert.crt),尝试浏览。
## windows hosts 文件中添加解析条目 192.168.233.128
使用命令行工具s_client 测试,一下结果说明验证成功 # openssl s_client -CAfile /etc/pki/CA/cacert.pem -connect www.playground.com:443 CONNECTED(00000003) depth=1 C = SG, ST = Singapore, L = "Singapore ", O = DUKE-NUS, OU = CVMD, CN = www.playground.com verify return:1 depth=0 C = SG, ST = Singapore, O = DUKE-NUS, OU = CVMD, CN = www.playground.com verify return:1 --- Certificate chain 0 s:/C=SG/ST=Singapore/O=DUKE-NUS/OU=CVMD/CN=www.playground.com i:/C=SG/ST=Singapore/L=Singapore /O=DUKE-NUS/OU=CVMD/CN=www.playground.com --- Server certificate -----BEGIN CERTIFICATE----- MIIDRzCCAi+gAwIBAgIBATANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJTRzES MBAGA1UECAwJU2luZ2Fwb3JlMRMwEQYDVQQHDApTaW5nYXBvcmUgMREwDwYDVQQK DAhEVUtFLU5VUzENMAsGA1UECwwEQ1ZNRDEbMBkGA1UEAwwSd3d3LnBsYXlncm91 bmQuY29tMB4XDTE0MTAxODE4MDA1NVoXDTE1MTAxODE4MDA1NVowYDELMAkGA1UE BhMCU0cxEjAQBgNVBAgMCVNpbmdhcG9yZTERMA8GA1UECgwIRFVLRS1OVVMxDTAL BgNVBAsMBENWTUQxGzAZBgNVBAMMEnd3dy5wbGF5Z3JvdW5kLmNvbTCBnzANBgkq hkiG9w0BAQEFAAOBjQAwgYkCgYEA6GFOKs1SpbFyI/D7yflpOIhnpj0CxP+sY39M eCszdoetwSS3YtSf0/6yEpqbn0v+kh49y4Ngm1mBPZsXnilR+YoLwS8aBN7Gq40F MwS8pvWbZ0q8DzuUQF6UiNFyHnpZaHPuSom5Ytwgl5+ouEqW/4LbSZnnbRf7nnWK 69A3o20CAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNT TCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFAjNwuI51I48PmsYPVQj ftgyVUJ6MB8GA1UdIwQYMBaAFJowNm4s6izd2Kln9yhBj4Eg9nXyMA0GCSqGSIb3 DQEBBQUAA4IBAQCfFDO8r9UxfqBogokCYtoOlWEmuMeEZ0Phzrb52k2KgvWSOtY0 Lz5fdcpPw51PAqxPrS0Bk6vYq9vxJ/nyJjspCdUny8oqxTFEvFjYYUT1c2YwVR3k Se4bjLaK0A+neIXe+zrWfje5Zs/lvvbNhKTRus9GlyldhvausRWfuYgXX547gBZI 1uU+CUe8fJp5I165rWi9VgQFXidre6+/KUBEHWQtfSAaYC0rlOopM6MWpNsWr5KM XLPoeDWL0msH3b44dDq1KBOTtEjhtcjTCMtwnBr8yvt2PFrX5sDcxTFea25NT0Hp nDjidvHMbE5OAcpBwwGPG/NGdR0k80aGOoh9 -----END CERTIFICATE----- subject=/C=SG/ST=Singapore/O=DUKE-NUS/OU=CVMD/CN=www.playground.com issuer=/C=SG/ST=Singapore/L=Singapore /O=DUKE-NUS/OU=CVMD/CN=www.playground.com --- No client certificate CA names sent Server Temp Key: ECDH, prime256v1, 256 bits --- SSL handshake has read 1406 bytes and written 375 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: E63943DDDF517B0DC893F360F707DF4695BA494E225DC452B6CCD3F2EB38F2BF Session-ID-ctx: Master-Key: 92C9392B907FCB8C939EEA296BD5260EBD877FF71E62BCBE26320FBED3E4B737F350A4D7531D5E14DB7F0153569DDBC9 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - e1 ac 2f b2 0b db 8a 97-62 7a 03 f5 02 a0 b2 6e ../.....bz.....n 0010 - f3 4e d5 ec ce a1 90 09-ce 4a 58 39 e5 80 96 d5 .N.......JX9.... 0020 - 0d df 7a 92 fd 56 70 cc-2a 29 39 e3 b3 15 a1 96 ..z..Vp.*)9..... 0030 - 0c d5 0d 4d 9e 29 4c 36-9e 97 8c c6 7d bd 63 93 ...M.)L6....}.c. 0040 - 34 79 f0 d3 e9 99 4d eb-64 bd cc 8e a5 56 ab a9 4y....M.d....V.. 0050 - 9e 4c c7 79 da 4d 25 e4-1c 03 8f 2d 50 e0 e7 c2 .L.y.M%....-P... 0060 - 57 d6 b6 1c 32 b4 02 f0-9f aa f3 64 b6 36 82 c5 W...2......d.6.. 0070 - 26 e5 b7 76 fe a8 37 6f-df af 00 c2 27 01 c6 cf &..v..7o....'... 0080 - 9b 46 8c 61 9e d0 a3 e6-1f b1 fe d6 30 5b 64 81 .F.a........0[d. 0090 - 78 03 a2 f8 ba 74 79 4b-76 9e e6 52 65 09 fa 15 x....tyKv..Re... 00a0 - 6c ce b5 ed 1e 7c 2e dc-83 7f 1f 56 c6 98 01 e7 l....|.....V.... 00b0 - be 4e dd 9e b9 16 cf 7f-13 70 ed 1c 84 ed c8 b7 .N.......p...... Start Time: 1413657128 Timeout : 300 (sec) Verify return code: 0 (ok) --- GET /index.html <html> <head> <title>hello World </title> </head> <body> hello World! </body> </html> closed
原创文章,作者:以马内利,如若转载,请注明出处:http://www.178linux.com/4671
