SSL工作原理
SSL的四次握手的過程
以http+ssl爲例!
用戶使用個人PC,想上招行的網銀,將輸入比較重要的卡號,密碼信息。此時,肯定要加密方式傳輸數據(對稱加密大量信息),並且要確定對方確定是招行網站。
ClientHTTPS Server
1、首先客戶端向服務器發送一個SSL的請求包,要求進行安全的會話,請證明你的身份,並且我們雙方來協商一下一會將用對對稱加密算法,數字簽名算法。。。。。。
----------------->
2、HTTPS server收到請求後,響應client,把S證書傳給client
<----------------
3、Client需要驗證S證書,client會有CA的證書,可以對S證書進行驗證(看是否可以解密,再看標識[服務器域名/主機名]是否對得上)。
Client需要產生一把對稱加密的KEY,通過S公鑰把KEY加密,然後傳給Server
------------------->
4、HTTPS Server用自己的私鑰解密得到KEY。隨機產生一些信息,用KEY加密,傳給Client。
<--------------------
接下來,雙方通過KEY加密頁面數據,安全傳輸
<--------------------->
自簽發證書實現過程:
1.首先要生成服務器端的私鑰(key文件):
Cd /usr/local/nginx/conf/ssl
Shell#openssl genrsa -des3 -out server.key 2048
運行時會提示輸入密碼,此密碼用於加密key文件(參數des3便是指加密算法,當然也可以選用其他你認爲安全的算法.),以後每當需讀取此文件(通過openssl提供的命令或API)都需輸入口令.如果覺得不方便,也可以去除這個口令,但一定要採取其他的保護措施!
去除key文件口令的命令:
#openssl rsa -in server.key -out server.key
注:執行這個命令時啓動NGINX 不需要輸入密碼
2.用server.key生成一個證書:
[root@mail ssl]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:cn
Locality Name (eg, city) [Newbury]:bj
Organization Name (eg, company) [My Company Ltd]:uplooking
Organizational Unit Name (eg, section) []:uplooking
Common Name (eg, your name or your server's hostname) []:lvs.xxx.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
生成Certificate Signing Request(CSR),生成的csr文件交給CA簽名後形成服務端自己的證書.按照提示提供服務器證書基本信息
3. 對客戶端也作同樣的命令生成key及csr文件
[root@mail ssl]# openssl genrsa -des3 -out client.key 2048
[root@mail ssl]# openssl req -new -key client.key -out client.csr
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:cn
Locality Name (eg, city) [Newbury]:bj
Organization Name (eg, company) [My Company Ltd]:uplooking
Organizational Unit Name (eg, section) []:uplooking
Common Name (eg, your name or your server's hostname) []:lvs.xxx.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
4. 生成的CSR證書文件必須有CA的簽名纔可形成證書.這裏製作自己的CA 這時生成一個KEY文件ca.key 和根證書ca.crt
[root@mail ssl]# openssl req -new -x509 -keyout ca.key -out ca.crt
Generating a 1024 bit RSA private key
.............++++++
...........++++++
writing new private key to 'sfnca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:cn
Locality Name (eg, city) [Newbury]:bj
Organization Name (eg, company) [My Company Ltd]:ca
Organizational Unit Name (eg, section) []:ca
Common Name (eg, your name or your server's hostname) []:mail.ca.cn
Email Address []:[email protected]
簽署證書準備工作:
[root@mail ssl]# vim /etc/pki/tls/openssl.cnf
#dir = ../../CA //修改如下
dir = /etc/pki/CA
[root@mail ssl]# touch /etc/pki/CA/{index.txt,serial} //根據openssl.cnf生成配置文件
[root@mail ssl]#echo 01 > /etc/pki/CA/serial
[root@mail ssl]#mkdir /etc/pki/CA/newcerts
5. 用生成的CA的證書(ca.crt)爲剛纔生成的server.csr,client.csr文件簽名
[root@mail ssl]# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 3 (0x3)
Validity
Not Before: Nov 29 03:48:44 2010 GMT
Not After : Nov 29 03:48:44 2011 GMT
Subject:
countryName = cn
stateOrProvinceName = cn
organizationName = uplooking
organizationalUnitName = uplooking
commonName = lvs.xxx.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
02:B3:76:13:64:EB:04:D2:6C:9E:72:86:F5:A3:CE:84:19:EA:C6:DB
X509v3 Authority Key Identifier:
keyid:25:F6:E6:C4:5D:AD:02:DA:76:9F:74:FF:E4:0F:CC:45:55:CC:06:A7
Certificate is to be certified until Nov 29 03:48:44 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@mail ssl]# openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key //簽署步驟同上
另外,這個certificate是BASE64形式的,要轉成PKCS12才能裝到IE,/NETSCAPE上.轉換如下:
雙擊安裝就行
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
這個是ISO 需要的證書格式
openssl x509 -in client.crt -out client.cer
這個是android 需要的證書格式。
[root@mail ssl]# openssl pkcs12 -export -in client.crt -inkey client.key -out client.pfx
Enter pass phrase for client.key: //客戶端私鑰密碼
Enter Export Password: //pfx文件導入要求的密碼
Verifying - Enter Export Password:
client使用的文件有:ca.crt,client.crt,client.key,client.pfx
server使用的文件有:ca.crt, server.crt,server.key
配置nginx如下:
ssl on;
ssl_certificate ssl/server.crt;
ssl_certificate_key ssl/server.key;
#ssl_client_certificate ssl/client/client.crt ;
ssl_client_certificate ssl/ca.crt ; //CA證書
ssl_verify_client on; //開啓客戶端雙向認證
#ssl_protocols SSLv2 SSLv3 TLSv1;
#ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
#ssl_prefer_server_ciphers on;
證書安裝及使用把剛纔生成的證書:根證書ca.crt和客戶證書client.crt(client.pfx)安裝到客戶端,
ca.crt安裝到信任的機構,client.crt直接在windows安裝或安裝到個人證書位置,
然後用IP訪問HTTP和https服務器。在IE中我們一般導入client.pfx證書,
導入時會提示上面設置的密碼。 123456
測試https://lvs.xxx.com