一、原理
HTTPS(全称:Hypertext Transfer Protocol over Secure Socket Layer),是以安全为目标的HTTP通道,简单讲是HTTP的安全版。即HTTP下加入SSL层,HTTPS的安全基础是SSL,因此加密的详细内容就需要SSL。 它是一个URI scheme(抽象标识符体系),句法类同http:体系。用于安全的HTTP数据传输。https:URL表明它使用了HTTP,但HTTPS存在不同于HTTP的默认端口及一个加密/身份验证层(在HTTP与TCP之间)。这个系统的最初研发由网景公司进行,提供了身份验证与加密通讯方法,现在它被广泛用于万维网上安全敏感的通讯,例如交易支付方面。 —— SSL认证过程
服务器认证阶段:
1)客户端向服务器发送一个开始信息“Hello”以便开始一个新的会话连接;
2)服务器根据客户的信息确定是否需要生成新的主**,如需要则服务器在响应客户的“Hello”信息时将包含生成主**所需的信息;
3)客户根据收到的服务器响应信息,产生一个主**,并用服务器的公开**加密后传给服务器;
4)服务器恢复该主**,并返回给客户一个用主**认证的信息,以此让客户认证服务器。
SSL协议的握手过程:
①客户端的浏览器向服务器传送客户端SSL 协议的版本号,加密算法的种类,产生的随机数,以及其他服务器和客户端之间通讯所需要的各种信息。
②服务器向客户端传送SSL 协议的版本号,加密算法的种类,随机数以及其他相关信息,同时服务器还将向客户端传送自己的证书。
③客户利用服务器传过来的信息验证服务器的合法性,服务器的合法性包括:证书是否过期,发行服务器证书的CA 是否可靠,发行者证书的公钥能否正确解开服务器证书的“发行者的数字签名”,服务器证书上的域名是否和服务器的实际域名相匹配。如果合法性验证没有通过,通讯将断开;如果合法性验证通过,将继续进行第四步。
④用户端随机产生一个用于后面通讯的“对称密码”,然后用服务器的公钥(服务器的公钥从步骤②中的服务器的证书中获得)对其加密,然后将加密后的“预主密码”传给服务器。
⑤如果服务器要求客户的身份认证(在握手过程中为可选),用户可以建立一个随机数然后对其进行数据签名,将这个含有签名的随机数和客户自己的证书以及加密过的“预主密码”一起传给服务器。
⑥如果服务器要求客户的身份认证,服务器必须检验客户证书和签名随机数的合法性,具体的合法性验证过程包括:客户的证书使用日期是否有效,为客户提供证书的CA 是否可靠,发行CA 的公钥能否正确解开客户证书的发行CA 的数字签名,检查客户的证书是否在证书废止列表(CRL)中。检验如果没有通过,通讯立刻中断;如果验证通过,服务器将用自己的私钥解开加密的“预主密码”,然后执行一系列步骤来产生主通讯密码(客户端也将通过同样的方法产生相同的主通讯密码)。
⑦服务器和客户端用相同的主密码即“通话密码”,一个对称**用于SSL 协议的安全数据通讯的加解密通讯。同时在SSL 通讯过程中还要完成数据通讯的完整性,防止数据通讯中的任何变化。
⑧客户端向服务器端发出信息,指明后面的数据通讯将使用的步骤⑦中的主密码为对称**,同时通知服务器客户端的握手过程结束。
⑨服务器向客户端发出信息,指明后面的数据通讯将使用的步骤⑦中的主密码为对称**,同时通知客户端服务器端的握手过程结束。
⑩SSL 的握手部分结束,SSL 安全通道的数据通讯开始,客户和服务器开始使用相同的对称**进行数据通讯,同时进行通讯完整性的检验。
服务器地址假定为192.168.145.100
客户端地址设为192.168.145.20
首先安装web服务器
[[email protected] ~]# mount /dev/cdrom /mnt/cdrom
[[email protected] ~]# yum install httpd
[[email protected] ~]# service httpd start
[[email protected] ~]# cd /var/www/html //网站主目录
[[email protected] html]# echo "welcome to here!!" >index.html //修改主页面
[[email protected] ~]# service httpd restart
客户端测试结果:
作为一个证书颁发机构,服务器必须有自己的证书和私钥。我们利用linux系统自带的openca来实现。
CA
[[email protected] ~]# vim /etc/pki/tls/openssl.cnf
45 dir = /etc/pki/CA # Where everything is kept //和证书有关的都放在此目录
46 certs = $dir/certs # Where the issued certs are kept //证书存放目录
47 crl_dir = $dir/crl # Where the issued crl are kept //证书吊销列表存放目录
48 database = $dir/index.txt # database index file. //数据库存放文件
49 #unique_subject = no # Set to 'no' to allow creation of
50 # several ctificates with same subject.
51 new_certs_dir = $dir/newcerts # default place for new certs. //新证书存放目录
52
53 certificate = $dir/cacert.pem # The CA certificate //发证机关的证书
54 serial = $dir/serial # The current serial number //证书***
55 crlnumber = $dir/crlnumber # the current crl number
56 # must be commented out to leave a V1 CRL
57 crl = $dir/crl.pem # The current CRL
58 private_key = $dir/private/cakey.pem# The private key //证书私钥文件
59 RANDFILE = $dir/private/.rand # private random number file
60
61 x509_extensions = usr_cert # The extentions to add to the cert
所以需要创建 certs,crl,newcerts目录和index.txt,serial 文件
[[email protected] ~]# cd /etc/pki
[[email protected] pki]# ll
总计 32
drwx------ 3 root root 4096 2012-08-11 CA
drwxr-xr-x 2 root root 4096 2012-08-11 nssdb
drwxr-xr-x 2 root root 4096 2012-08-11 rpm-gpg
drwxr-xr-x 5 root root 4096 2012-08-11 tls
[[email protected] pki]# cd CA/
[[email protected] CA]# mkdir certs crl newcerts
[[email protected] CA]# touch index.txt serial
[[email protected] CA]# ll
总计 20
drwxr-xr-x 2 root root 4096 08-11 16:00 certs
drwxr-xr-x 2 root root 4096 08-11 16:00 crl
-rw-r--r-- 1 root root 0 08-11 16:01 index.txt
drwxr-xr-x 2 root root 4096 08-11 16:00 newcerts
drwx------ 2 root root 4096 2009-06-30 private
-rw-r--r-- 1 root root 0 08-11 16:01 serial
[[email protected] CA]# echo "01" >serial //给一个初始***
[[email protected] CA]# openssl genrsa 1024 >private/cakey.pem //生成私钥文件,rsa算法,1024位加密。
Generating RSA private key, 1024 bit long modulus
.......++++++
.++++++
e is 65537 (0x10001)
[[email protected] CA]# ll private/cakey.pem
-rw-r--r-- 1 root root 887 08-11 16:21 private/cakey.pem
为了安全考虑,需要修改私钥文件的权限。
[[email protected] CA]# chmod 600 private/cakey.pem
[[email protected] CA]# ll private/cakey.pem
-rw------- 1 root root 887 08-11 16:21 private/cakey.pem
[[email protected] CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem -days 3650 //利用私钥生成证书,类型x509,有效期10年。
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
You have mail in /var/spool/mail/root
为了方便。可以修改默认值。
[[email protected] CA]# vim /etc/pki/tls/openssl.cnf
87 [ policy_match ]
88 countryName = optional //允许和颁发机构不同的国家进行证书申请。
89 stateOrProvinceName = optional //允许和颁发机构不同的省市进行证书申请。
90 organizationName = optional //允许和颁发机构不同的单位进行证书申请。
91 organizationalUnitName = optional
92 commonName = supplied
93 emailAddress = optional
94
133
134 [ req_distinguished_name ]
135 countryName = Country Name (2 letter code)
136 countryName_default = CN //国家 设为中国
137 countryName_min = 2
138 countryName_max = 2
139
140 stateOrProvinceName = State or Province Name (full name)
141 stateOrProvinceName_default = BEIJING //省 设为北京
142
143 localityName = Locality Name (eg, city)
144 localityName_default = BEIJING //市 设为北京
145
146 0.organizationName = Organization Name (eg, company)
147 0.organizationName_default = My Company Ltd
148
[[email protected] CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [My Company Ltd]:LINUX //公司
Organizational Unit Name (eg, section) []:TEC //部门
Common Name (eg, your name or your server's hostname) []:WWW.ZZ.NET //颁发机构主机名
Email Address []:
[[email protected] CA]#
WEB服务器
[[email protected] CA]# mkdir -pv /etc/httpd/certs //为服务器创建存放证书的目录
[[email protected] CA]# cd /etc/httpd/certs/
[[email protected] certs]# ll
总计 0
[[email protected] certs]# openssl genrsa 1024 >httpd.key //生成私钥文件,rsa算法,1024位加密。
Generating RSA private key, 1024 bit long modulus
......++++++
.........................++++++
e is 65537 (0x10001)
[[email protected]lhost certs]# openssl req -new -key httpd.key -out httpd.csr //利用私钥文件申请证书
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:henan
Locality Name (eg, city) [BEIJING]:zhengzhou
Organization Name (eg, company) [My Company Ltd]:zzu
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:www.zzu.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: //挑战报文密码
An optional company name []:
[[email protected] certs]# ll
总计 8
-rw-r--r-- 1 root root 643 08-11 16:53 httpd.csr
-rw-r--r-- 1 root root 887 08-11 16:51 httpd.key
[[email protected] certs]# openssl ca -in httpd.csr -out httpd.cert //生成证书
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 11 08:54:04 2012 GMT
Not After : Aug 11 08:54:04 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = henan
organizationName = zzu
organizationalUnitName = tec
commonName = www.zzu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AA:38:0C:7F:6A:6D:88:6E:EE:5A:F5:BF:D7:C7:C5:8D:4E:92:AE:85
X509v3 Authority Key Identifier:
keyid:3D:60:9D:7A:34:73:89:5C:50:7A:DC:FF:82:98:D3:F8:1F:A1:A8:D8
Certificate is to be certified until Aug 11 08:54:04 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[[email protected] certs]# chmod 600 * //安全考虑
[[email protected] certs]# ll
总计 12
-rw------- 1 root root 3053 08-11 16:54 httpd.cert
-rw------- 1 root root 643 08-11 16:53 httpd.csr
-rw------- 1 root root 887 08-11 16:51 httpd.key
ssl与apache的结合是通过模块的。所以操作如下:
[[email protected] certs]# cd /mnt/cdrom/Server/
[[email protected] Server]# yum install mod_ssl
Loaded plugins: rhnplugin, security
This system is not registered with RHN.
RHN support will be disabled.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.i386 1:2.2.3-31.el5 set to be updated
--> Processing Dependency: libdistcache.so.1 for package: mod_ssl
--> Processing Dependency: libnal.so.1 for package: mod_ssl
--> Running transaction check
---> Package distcache.i386 0:1.4.5-14.1 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
=========================================================================================
Package Arch Version Repository Size
=========================================================================================
Installing:
mod_ssl i386 1:2.2.3-31.el5 rhel-server 88 k
Installing for dependencies:
distcache i386 1.4.5-14.1 rhel-server 120 k
Transaction Summary
=========================================================================================
Install 2 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 208 k
Is this ok [y/N]: y
Downloading Packages:
-----------------------------------------------------------------------------------------
Total 24 MB/s | 208 kB 00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : distcache 1/2
Installing : mod_ssl 2/2
Installed:
mod_ssl.i386 1:2.2.3-31.el5
Dependency Installed:
distcache.i386 0:1.4.5-14.1
Complete!
[[email protected] Server]# cd /etc/httpd/conf.d/
[[email protected] conf.d]# ll
总计 24
-rw-r--r-- 1 root root 566 2009-07-15 proxy_ajp.conf
-rw-r--r-- 1 root root 392 2009-07-15 README
-rw-r--r-- 1 root root 9677 2009-07-15 ssl.conf
-rw-r--r-- 1 root root 299 2009-07-15 welcome.conf
[[email protected] conf.d]# vim ssl.conf
我们需要指明证书,私钥的文件所在
107 # Server Certificate:
108 # Point SSLCertificateFile at a PEM encoded certificate. If
109 # the certificate is encrypted, then you will be prompted for a
110 # pass phrase. Note that a kill -HUP will prompt again. A new
111 # certificate can be generated using the genkey(1) command.
112 SSLCertificateFile /etc/httpd/certs/httpd.cert //证书存放目录
113
114 # Server Private Key:
115 # If the key is not combined with the certificate, use this
116 # directive to point at the key file. Keep in mind that if
117 # you've both a RSA and a DSA private key you can configure
118 # both in parallel (to also allow the use of DSA ciphers, etc.)
119 SSLCertificateKeyFile /etc/httpd/certs/httpd.key //私钥存放目录
[[email protected] conf.d]# service httpd configtest //检测语法
Syntax OK
[[email protected] conf.d]# service httpd restart
停止 httpd: [确定]
启动 httpd: [确定]
[[email protected] conf.d]# netstat -tupln |grep http //查看与http有关的端口
tcp 0 0 :::80 :::* LISTEN 1412/httpd
tcp 0 0 :::443 :::* LISTEN 1412/httpd
客户机测试
点击继续浏览网站,仍然可以浏览网站。
由于不是一个可信任的颁发机构颁发的证书。而且网站名是www.zzu.com.而输入的地址是一个IP。所以出现上述的错误。采用以下方法解决。
1.我们只需要把它添加信任颁发机构即可
点击证书错误,查看证书。
[[email protected] conf.d]# vim ssl.conf
128 SSLCertificateChainFile /etc/pki/CA/cacert.pem //证书链打开
[[email protected] conf.d]# service httpd restart
点击查看证书,安装证书。然后查看IE属性。
2.解决dns的问题。可以再dns服务器添加主机记录。也可以编辑hosts文件
当然我们不希望客户通过http访问站点。禁用80端口访问。
[[email protected] conf.d]# vim /etc/httpd/conf/httpd.conf
[[email protected] conf.d]# service httpd restart
客户端测试
转载于:https://blog.51cto.com/zhangzhenzz/968624