[skill][https][ssl/tls] HTTPS相关知识汇总

标签：服务   hand   转发   串行   item   ide   简单   计算   rest   

结论前置：

　　A 身份验证

　　　　证书， 服务器证书

　　B 密钥协商

　　　　RSA   DHE / ECDHE   PSK

　　C 加密通信

加密通信采用对称加密，使用B阶段协商出来的密钥。

B 阶段如果使用 RSA 协商，可以用服务器证书在协商过程中解密到 C过程中的密钥。从而解密通信内容。（此方式下，采用旁路方式就可以）。

B 阶段如果使用DHE/ECDHE协商，至少需要建立链接时的server魔数（也许还需要私钥即服务器证书）才能计算出加密密钥。简单来说协商过程也是一次一密。

于是，应该有两种情况可以解密https。

情况一：与server 通信，实时获得两个信息：1，session 信息。2，server魔数。 这种情况下，只需要旁路就可以了。

情况二：串行在网络中，做中间人。需要服务器证书做认证与签名，流程我暂时还没搞清楚。然后，需要与两端握手并协商密钥，然后做两端加解密，并内容转发。

引用一段有用的内容[1] 

A WAF applies filter rules on traffic at an "application" level (e.g. it tries to detect SQL injection attempts). This requires that the WAF sees the traffic, i.e. whatever SSL which may have happened on the client side must stop at the WAF. But you usually want some SSL to protect the traffic between the client and the WAF (in fact, you usually want it more on that link than between the WAF and the server itself, since WAF and server are usually nearby to each other).

There are two ways for a WAF to see SSL-protected traffic:

The WAF has a copy of the private key used by the (SSL-aware) server, and thus can decrypt the data as it flows. (This can imply some restrictions on the cipher suites used by the server; namely, no DHE).
The WAF itself runs a SSL server, and that is the one which the client sees. The WAF decrypt the data, runs its magic on it, and then forwards it to the server over a new connection which may or may not be SSL-protected.
Which one you use depends on what your WAF instance can do and how you configured it.

概念：

http://www.guokr.com/post/114121/

http://www.guokr.com/post/116169/

http://www.guokr.com/post/148613/

https://en.wikipedia.org/wiki/HTTPS

双向认证，单项认证：

http://www.jianshu.com/p/0a7b028e2465

http://edison0663.iteye.com/blog/996526

浏览器安全控件：

最主要的功能就是防止客户端操作系统木马程序截取用户关键信息的输入（银行卡帐号/密码）。

http://wiki.mbalib.com/wiki/%E5%AE%89%E5%85%A8%E6%8E%A7%E4%BB%B6

完全正向保密  PFS（perfect forward secrecy）

　　http://baike.baidu.com/item/%E5%AE%8C%E5%85%A8%E6%AD%A3%E5%90%91%E4%BF%9D%E5%AF%86

　　https://en.wikipedia.org/wiki/Forward_secrecy

　　https://www.sslchina.com/deploying-forward-secrecy/

　　https://zh.wikipedia.org/wiki/%E5%89%8D%E5%90%91%E5%AE%89%E5%85%A8%E6%80%A7

PFS 密钥协商：

　　https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

　　https://zh.wikipedia.org/wiki/%E8%BF%AA%E8%8F%B2-%E8%B5%AB%E7%88%BE%E6%9B%BC%E5%AF%86%E9%91%B0%E4%BA%A4%E6%8F%9B

　　** https://program-think.blogspot.com/2016/09/https-ssl-tls-3.html

TLS:

　　https://en.wikipedia.org/wiki/Transport_Layer_Security

　　https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_handshake

其他：

　　https://segmentfault.com/a/1190000004985253 

　　http://www.admin5.com/special/https/

　　**** [1] https://security.stackexchange.com/questions/44563/is-ssl-required-for-sites-hosted-behind-waf

免费证书：

　　https://letsencrypt.org/

RFC：

　　https://tools.ietf.org/html/rfc5246 

题外内容：TOR

https://en.wikipedia.org/wiki/Tor_(anonymity_network)

TODO：

 STARTTLS

[skill][https][ssl/tls] HTTPS相关知识汇总

标签：服务   hand   转发   串行   item   ide   简单   计算   rest   

原文地址：http://www.cnblogs.com/hugetong/p/6670083.html