标签:服务 hand 转发 串行 item ide 简单 计算 rest
结论前置:
A 身份验证
证书, 服务器证书
B 密钥协商
RSA DHE / ECDHE PSK
C 加密通信
加密通信采用对称加密,使用B阶段协商出来的密钥。
B 阶段如果使用 RSA 协商,可以用服务器证书在协商过程中解密到 C过程中的密钥。从而解密通信内容。(此方式下,采用旁路方式就可以)。
B 阶段如果使用DHE/ECDHE协商,至少需要建立链接时的server魔数(也许还需要私钥即服务器证书)才能计算出加密密钥。简单来说协商过程也是一次一密。
于是,应该有两种情况可以解密https。
情况一:与server 通信,实时获得两个信息:1,session 信息。2,server魔数。 这种情况下,只需要旁路就可以了。
情况二:串行在网络中,做中间人。需要服务器证书做认证与签名,流程我暂时还没搞清楚。然后,需要与两端握手并协商密钥,然后做两端加解密,并内容转发。
引用一段有用的内容[1]
A WAF applies filter rules on traffic at an "application" level (e.g. it tries to detect SQL injection attempts). This requires that the WAF sees the traffic, i.e. whatever SSL which may have happened on the client side must stop at the WAF. But you usually want some SSL to protect the traffic between the client and the WAF (in fact, you usually want it more on that link than between the WAF and the server itself, since WAF and server are usually nearby to each other). There are two ways for a WAF to see SSL-protected traffic: The WAF has a copy of the private key used by the (SSL-aware) server, and thus can decrypt the data as it flows. (This can imply some restrictions on the cipher suites used by the server; namely, no DHE). The WAF itself runs a SSL server, and that is the one which the client sees. The WAF decrypt the data, runs its magic on it, and then forwards it to the server over a new connection which may or may not be SSL-protected. Which one you use depends on what your WAF instance can do and how you configured it.
概念:
http://www.guokr.com/post/114121/
http://www.guokr.com/post/116169/
http://www.guokr.com/post/148613/
https://en.wikipedia.org/wiki/HTTPS
双向认证,单项认证:
http://www.jianshu.com/p/0a7b028e2465
http://edison0663.iteye.com/blog/996526
浏览器安全控件:
最主要的功能就是防止客户端操作系统木马程序截取用户关键信息的输入(银行卡帐号/密码)。
http://wiki.mbalib.com/wiki/%E5%AE%89%E5%85%A8%E6%8E%A7%E4%BB%B6
完全正向保密 PFS(perfect forward secrecy)
http://baike.baidu.com/item/%E5%AE%8C%E5%85%A8%E6%AD%A3%E5%90%91%E4%BF%9D%E5%AF%86
https://en.wikipedia.org/wiki/Forward_secrecy
https://www.sslchina.com/deploying-forward-secrecy/
https://zh.wikipedia.org/wiki/%E5%89%8D%E5%90%91%E5%AE%89%E5%85%A8%E6%80%A7
PFS 密钥协商:
https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
https://zh.wikipedia.org/wiki/%E8%BF%AA%E8%8F%B2-%E8%B5%AB%E7%88%BE%E6%9B%BC%E5%AF%86%E9%91%B0%E4%BA%A4%E6%8F%9B
** https://program-think.blogspot.com/2016/09/https-ssl-tls-3.html
TLS:
https://en.wikipedia.org/wiki/Transport_Layer_Security
https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_handshake
其他:
https://segmentfault.com/a/1190000004985253
http://www.admin5.com/special/https/
**** [1] https://security.stackexchange.com/questions/44563/is-ssl-required-for-sites-hosted-behind-waf
免费证书:
https://letsencrypt.org/
RFC:
https://tools.ietf.org/html/rfc5246
题外内容:TOR
https://en.wikipedia.org/wiki/Tor_(anonymity_network)
TODO:
STARTTLS
[skill][https][ssl/tls] HTTPS相关知识汇总
标签:服务 hand 转发 串行 item ide 简单 计算 rest
原文地址:http://www.cnblogs.com/hugetong/p/6670083.html