1. Describe in detail the process of one encrypted communication session, ideally with a diagram.
The TCP/IP protocol suite lets hosts on different networks and different operating systems communicate with each other. The TCP/IP model has four layers:
1. Application layer: a broad category that covers a set of largely standard system-level TCP/IP applications and application protocols, as well as many enterprise and Internet applications, such as the HTTP protocol.
2. Transport layer: includes UDP and TCP. UDP does almost no checking of datagrams, while TCP provides an error-checking mechanism; TCP uses a three-way handshake to establish a connection and a four-way handshake to tear it down.
3. Network layer: a family of protocols including ICMP, IGMP, RIP, OSPF, IP (v4 and v6), BGP, IS-IS and others.
4. Link layer: also called the physical network interface layer; responsible for transmitting frames and defining the specifications of the physical interface.
As shown above, the TCP/IP model defines how data is communicated, but it provides no encryption mechanism of its own, so the SSL protocol is added to network communication to give it stronger security. SSL ensures that the data exchanged between the two parties is transmitted as ciphertext, which a third party without the private key has practically no way to decrypt, thereby achieving confidentiality. Let us look at how SSL mutual (two-way) authentication works.
Step 1: The browser sends a connection request to the server; the server returns its certificate (containing the server public key S_PuKey), the symmetric encryption algorithms it supports and other related information to the client.
Step 2: The client browser checks whether the CA certificate sent by the server was issued by a CA it trusts. If so, it proceeds to step 4; otherwise it shows the user a warning asking whether to continue.
Step 3: The client browser compares the information in the certificate, such as its validity period, the server's domain name and the public key S_PuKey, with the information the server sent back; if they match, the browser has completed authentication of the server.
Step 4: The server requires the client to send its client certificate (containing the client public key C_PuKey), the symmetric encryption schemes it supports and other related information. On receipt, the server performs the same identity verification; if the verification fails, the connection is refused.
Step 5: From the cipher list sent by the client browser, the server selects the strongest scheme, encrypts the choice with the client public key C_PuKey and notifies the browser.
Step 6: The client decrypts it with its private key C_PrKey, learns which scheme the server selected, chooses a session key (key), encrypts it with the server public key S_PuKey and sends it to the server.
Step 7: The server decrypts the message received from the browser with its private key S_PrKey and obtains the session key.
All subsequent data is then exchanged using symmetric encryption with that key.
Diagram: (the original figure is not reproduced in this text)
2. Describe the process of creating a private CA and issuing a certificate for a certificate request sent by a client.
Setting up the CA server
1. Initialise the environment
[root@jymlinux ~]# cd /etc/pki/CA/
[root@jymlinux CA]# touch /etc/pki/CA/{index.txt,serial}
[root@jymlinux CA]# echo 01 > /etc/pki/CA/serial
2. Generate the CA private key
[root@jymlinux CA]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.................................+++
................................................................................................................................................................................................................................+++
e is 65537 (0x10001)
3. Self-sign the CA certificate
openssl options used:
req: generate a certificate signing request
-new: new request
-key /path/to/keyfile: the private key file to use
-out /path/to/somefile: the output file
-x509: generate a self-signed certificate instead of a request
-days n: validity period in days
[root@jymlinux CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                          # country
State or Province Name (full name) []:XJ                      # province
Locality Name (eg, city) [Default City]:WS                    # city
Organization Name (eg, company) [Default Company Ltd]:YTJ     # company
Organizational Unit Name (eg, section) []:OPS                 # department
Common Name (eg, your name or your server's hostname) []:JYM  # hostname
Email Address []:614949750@qq.com                             # e-mail address
The client requests a certificate
4. The client generates a key pair
[root@linus ~]# mkdir /etc/httpd/ssl/
[root@linus ~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.......+++
.....................+++
e is 65537 (0x10001)
5. Generate the certificate signing request
[root@linus ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:XJ
Locality Name (eg, city) [Default City]:WS
Organization Name (eg, company) [Default Company Ltd]:YTJ
Organizational Unit Name (eg, section) []:OPS
Common Name (eg, your name or your server's hostname) []:JYM
Email Address []:110@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456        # challenge password
An optional company name []:RA        # optional company name
6. Send the signing request file to the CA server
[root@linus ssl]# scp httpd.csr root@192.168.101.129:/root
The authenticity of host '192.168.101.129 (192.168.101.129)' can't be established.
RSA key fingerprint is e5:84:6c:f7:c0:60:3d:0b:39:b6:1e:12:0d:48:8b:07.
Are you sure you want to continue connecting (yes/no)? y
root@192.168.101.129's password:
httpd.csr                                     100% 1066     1.0KB/s   00:00
7. The CA server verifies the request and signs the certificate
[root@jymlinux ~]# openssl ca -in /root/httpd.csr -out /root/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 31 20:07:58 2016 GMT
            Not After : Oct 31 20:07:58 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = XJ
            organizationName          = YTJ
            organizationalUnitName    = OPS
            commonName                = JYM
            emailAddress              = 110@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C4:ED:C0:CE:98:5A:B9:AF:FE:E0:59:54:DB:E1:2A:96:99:A4:B7:28
            X509v3 Authority Key Identifier:
                keyid:C2:1A:DE:02:69:35:41:AF:98:EB:72:69:EB:AE:74:49:72:52:2B:C6
Certificate is to be certified until Oct 31 20:07:58 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
8. Send the certificate signed by the CA server back to the client
[root@jymlinux ~]# scp /root/httpd.crt root@192.168.101.130:/etc/httpd/ssl/
The authenticity of host '192.168.101.130 (192.168.101.130)' can't be established.
RSA key fingerprint is ef:85:f8:aa:1c:de:41:5a:fd:93:8d:9f:83:f7:a2:ff.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '192.168.101.130' (RSA) to the list of known hosts.
Nasty PTR record "192.168.101.130" is set up for 192.168.101.130, ignoring
root@192.168.101.130's password:
httpd.crt                                     100% 4491     4.4KB/s   00:00
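The same private-CA procedure (steps 1 to 8 above) as an added example that is not from the original post: it runs non-interactively in a scratch directory with its own minimal openssl.cnf instead of /etc/pki/CA, and finishes with the checks a CA operator should run before returning the certificate, namely that it chains to the CA and carries CA:FALSE. The subject names, the hostname www.example.test and the directory layout are assumptions.

```shell
set -e
build_private_ca() {
    workdir=$1
    mkdir -p "$workdir/private" "$workdir/newcerts"
    touch "$workdir/index.txt"
    echo 01 > "$workdir/serial"
    # Minimal openssl.cnf so 'openssl ca' does not depend on the system one.
    # CSR subject fields not listed under policy_any are dropped from the cert.
    cat > "$workdir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $workdir
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_any
x509_extensions = leaf_ext
[ policy_any ]
commonName = supplied
countryName = optional
organizationName = optional
[ leaf_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
EOF
    # Steps 1-3: CA key (mode 0600 via umask) and self-signed CA certificate.
    (umask 077; openssl genrsa -out "$workdir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$workdir/private/cakey.pem" -days 3655 \
        -out "$workdir/cacert.pem" -config "$workdir/openssl.cnf" \
        -subj "/C=CN/ST=XJ/L=WS/O=YTJ/OU=OPS/CN=Demo Private CA"
    # Steps 4-5: client key pair and certificate signing request (assumed names).
    (umask 077; openssl genrsa -out "$workdir/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$workdir/httpd.key" -out "$workdir/httpd.csr" \
        -config "$workdir/openssl.cnf" -subj "/C=CN/O=YTJ/CN=www.example.test"
    # Step 7: the CA checks the CSR signature and issues the certificate.
    openssl ca -batch -config "$workdir/openssl.cnf" -days 365 \
        -in "$workdir/httpd.csr" -out "$workdir/httpd.crt" >/dev/null 2>&1
    # Before sending it back: it chains to our CA and is not itself a CA.
    openssl verify -CAfile "$workdir/cacert.pem" "$workdir/httpd.crt" >/dev/null
    openssl x509 -in "$workdir/httpd.crt" -noout -text | grep -q 'CA:FALSE'
}
```

Call it as `build_private_ca "$(mktemp -d)"`; after it returns, serial holds 02 and index.txt has one V (valid) entry for the issued certificate.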
3. Set up a DNS server responsible for resolving the magedu.com domain (choose the hostnames and IP addresses yourself)
(1) Provide forward and reverse resolution for a set of hostnames;
http://jiayimeng.blog.51cto.com/10604001/1852025
(2) Delegate the subdomain cdn.magedu.com, so that the subdomain's own server resolves the hostnames within it;
(3) To ensure high availability of the DNS service, design a solution and write out the detailed implementation steps.
This article is from the "linux启航" blog; please keep this attribution: http://jiayimeng.blog.51cto.com/10604001/1868015