标签:https加密详解
HTTPS会话的建立:
1、Server端监听在443端口上
2、客户端发起请求,先经过TCP三次握手,客户端和服务器端建立SSL会话。
3、双方协商使用的算法(单项加密算法,对称加密算法,公钥加密算法)
4、server端将证书发送给客户端
5、客户端验证证书,完成后,生成一个对称秘钥发送给服务器端
6、客户端要请求的内容发送给服务器端,
7、服务器端将客户端请求的内容将客户端发来的密码经过加密后发送给客户端
注意:SSL会话没办法基于主机名来区分的,因为客户端和服务器端通讯使用IP和端口号,跟主机名没有关系,这就意味着,如果主机只有一个IP地址,那么它就只能为这一个IP提供SSL的功能,如果这个主机提供了基于域名的虚拟主机,那么它只能为这一个域名提供SSL功能
测试:
自建证书验证HTTPS证书加密通讯的原理
1、使用openssl建立一个CA
2、CA需要有证书,叫自签发的证书
3、服务器端生成一对密钥,然后将密钥发送给CA,
4、CA负责签署服务器端发送过来的公钥,生成证书,发送给server端
5、Server配置服务器并使用证书,并且在客户端请求的时候发送给客户端
6、客户端使用自己本地保存好的CA的证书来验证这个证书
环境:
CA Server:172.16.206.130()
WEB SERVER:172.16.206.129
已经安装httpd,mod_ssl模块,
httpd服务已启动
网站域名为 hello.beyond.com
Client:172.16.206.131 (windows 10)
实验步骤:
1、WEB Server安装mod_ssl模块
2、CA Server创建私钥
3、CA Server生成自签发证书(给客户端导入用的,否则客户端不会信任CA颁发的证书)
4、WEB Server生成密钥
5、WEB Server生成证书颁发请求
6、CA Server为WEB Server颁发证书,并将证书拷贝到WEB Server
7、WEB Server配置ssl.conf文件以使用证书
8、客户端访问http://hello.beyond.com
9、客户端导入CA自签发证书后,再次访问https://hello.beyond.com
1、WEB Server安装mod_ssl模块
yum -y install mod_ssl
2、CA创建私钥
[root@localhost ~]# cd /etc/pki/ [root@localhost pki]# ls CA ca-trust java nssdb rpm-gpg rsyslog tls [root@localhost pki]# cd CA/ [root@localhost CA]# ls certs crl newcerts private [root@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048) Generating RSA private key, 2048 bit long modulus .......................................+++ ...........+++ e is 65537 (0x10001)
确保private目录权限为600
[root@localhost CA]# ls -ld private/ drwx------. 2 root root 4096 11月 3 22:16 private/
3、CA Server生成自签发证书
1)、修改openssl.conf配置文件,修改证书默认的相关设置
vim ../tls/openssl.cnf
在 [ req_distinguished_name ] 配置段下
将以下行的内容修改为如下配置(这个设置自己随意设置):
countryName_default = CN //国家 stateOrProvinceName_default = Shanghai //省份 localityName_default = Shanghai //城市 0.organizationName_default = Beyond //组织 organizationalUnitName_default = OPS //部门
2)、生成自签证书
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [Shanghai]: Locality Name (eg, city) [Shanghai]: Organization Name (eg, company) [Beyond]: Organizational Unit Name (eg, section) [OPS]: Common Name (eg, your name or your server‘s hostname) []:ca.beyond.com Email Address []:admin@beyond.com
这里的域名应该无所谓,可以随意设置(不确定)
Common Name (eg, your name or your server‘s hostname) []:ca.beyond.com
3、确认/etc/pki/CA/tls/openssl.conf文件 [ CA_default ]段配置正确
[ CA_default ] dir = /etc/pki/CA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no # Set to ‘no‘ to allow creation of # several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert # Comment out the following two lines for the "traditional" # (and highly broken) format. name_opt = ca_default # Subject Name options cert_opt = ca_default # Certificate field options
dir = /etc/pki/CA //CA的目录路径
certs = $dir/certs //生成的证书存放的目录
crl_dir = $dir/crl //吊销的证书存放目录
new_certs_dir = $dir/newcerts //新签署的证书存放的路径
serial = $dir/serial //序列号,表示证书签署到第几个了
database = $dir/index.txt //保存证书信息,如已经签署了哪些证书,每个证书的名称
默认/etc/pki/CA路径下没有serial 和index.txt文件,需要手动创建
[root@localhost CA]# touch index.txt [root@localhost CA]# echo 01 > serial
4、WEB服务器上生成密钥(申请证书需要用密钥加密)
[root@localhost pki]# cd /etc/httpd/ [root@localhost httpd]# ls conf conf.d logs modules run [root@localhost httpd]# mkdir ssl [root@localhost httpd]# ls conf conf.d logs modules run ssl [root@localhost httpd]# (umask 077; openssl genrsa 1024 > http^C [root@localhost httpd]# cd ssl/ [root@localhost ssl]# (umask 077; openssl genrsa 1024 > httpd.key) Generating RSA private key, 1024 bit long modulus ........++++++ .............++++++ e is 65537 (0x10001) [root@localhost ssl]# ll 总用量 4 -rw------- 1 root root 887 10月 31 20:32 httpd.key
5、WEB服务器上生成证书颁发请求(csr:证书签署请求)
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Shanghai Locality Name (eg, city) [Default City]:Shanghai Organization Name (eg, company) [Default Company Ltd]:Beyond Organizational Unit Name (eg, section) []:OPS Common Name (eg, your name or your server‘s hostname) []:hello.beyond.com Email Address []:hello@beyond.com Please enter the following ‘extra‘ attributes to be sent with your certificate request A challenge password []: An optional company name []:
注意:
1、在上面生成证书请求时,国家、城市这些信息必须与CA上填写的一致
2、下面的信息不能填错,证书给哪个域名用,必须填写正确
Common Name (eg, your name or your server‘s hostname) []:hello.beyond.com
[root@localhost ssl]# ls httpd.csr httpd.key
将WEB服务器上的csr证书签署请求文件拷贝到CA服务器
[root@localhost ssl]# scp httpd.csr 172.16.42.130:/tmp
6、CA服务器上为WEB服务器签署证书
[root@localhost CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Nov 3 15:31:25 2016 GMT Not After : Nov 1 15:31:25 2026 GMT Subject: countryName = CN stateOrProvinceName = Shanghai organizationName = Beyond organizationalUnitName = OPS commonName = hello.beyond.com emailAddress = hello@beyond.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: AD:7C:28:55:E8:FA:EE:17:4A:6E:00:A5:73:C5:42:DF:6B:EF:F6:DE X509v3 Authority Key Identifier: keyid:74:0D:C7:EF:A2:E7:97:36:D0:0C:81:D9:1F:1D:8D:1E:22:59:93:02 Certificate is to be certified until Nov 1 15:31:25 2026 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
证书颁发成功后,可以看到CA服务器上/etc/pki/CA目录下serial文件和index.txt文件更新了
[root@localhost CA]# pwd /etc/pki/CA [root@localhost CA]# ls cacert.pem crl index.txt.attr newcerts serial certs index.txt index.txt.old private serial.old [root@localhost CA]# cat index.txt V261101153125Z01unknown/C=CN/ST=Shanghai/O=Beyond/OU=OPS/CN=hello.beyond.com/emailAddress=hello@beyond.com [root@localhost CA]# cat serial 02 [root@localhost CA]# ls newcerts/ 01.pem
将CA颁发的证书拷贝到WEB服务器
[root@localhost ssl]# scp 172.16.42.130:/tmp/httpd.crt ./ root@172.16.42.130‘s password: httpd.crt 100% 3865 3.8KB/s 00:00
7、WEB Server配置服务器使用证书
[root@localhost ssl]# cd /etc/httpd/conf.d/ [root@localhost conf.d]# ls README ssl.conf welcome.conf [root@localhost conf.d]# cp ssl.conf ssl.conf.bk
编辑/etc/httpd/conf.d/ssl.conf文件
修改证书的路径,WEB服务器私钥的路径等信息
<VirtualHost 172.16.42.129:443> //修改虚拟主机的地址
ServerName hello.beyond.com //修改服务器的域名,这里必须和证书中的域名一样
DocumentRoot "/var/www/html" //站点根目录,必须和http访问方式的目录一样
SSLEngine on //确认SSL功能开启,默认是开启的
SSLCertificateFile /etc/httpd/ssl/httpd.crt //证书路径
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key //私钥的路径
检查语法
httpd -t httpd: Could not reliably determine the server‘s fully qualified domain name, using localhost.localdomain for ServerName Syntax OK
启动WEB服务器
service httpd restart
查看443端口是否开启
[root@localhost conf.d]# netstat -tunlp | grep 443 tcp 0 0 :::443 :::* LISTEN 2300/httpd
8、windows 客户端访问http://hello.beyond.com
通过https方式访问
CA的自签发证书拷贝到客户端上,并修改文件名字为cacert.crt后导入
9、导入证书后用HTTPS方式访问
本文出自 “zengestudy” 博客,请务必保留此出处http://zengestudy.blog.51cto.com/1702365/1869179
标签:https加密详解
原文地址:http://zengestudy.blog.51cto.com/1702365/1869179