Introduction of SSL
Secure Sockets Layer (SSL) is the most widely known protocol that offers privacy and good reliability for client-server communication over the Internet. SSL itself is conceptually quite simple: it negotiates the cryptography algorithms and keys between two sides of a communication, and establishes an encrypted tunnel through which other protocols (like HTTP) can be transported. Optionally, SSL can also authenticate both sides of communication through the use of certificates.SSL is a layered protocol and consists of four sub-protocols:
- SSL Handshake Protocol
- SSL Change Cipher Spec Protocol
- SSL Alert Protocol
- SSL Record Layer
The position of the above protocols according to the TCP/IP model has been illustrated on the following diagram in Figure 1.
Figure 1. SSL sub-protocols in the TCP/IP model
As the above diagrams shows, SSL is found in the application layer of the TCP/IP model. By dint of this feature, SSL can be implemented on almost every operating system that supports TCP/IP, without the need to modify the system kernel or the TCP/IP stack. This gives SSL a very strong advantage over other protocols like IPSec (IP Security Protocol), which requires kernel support and a modified TCP/IP stack. SSL can also be easily passed through firewalls and proxies, as well as through NAT (Network Address Translation) without issues.
How does SSL work? The diagram below, Figure 2, shows the simplified, step-by-step process of establishing each new SSL connection between the client (usually a web browser) and the server (usually an SSL web server).
Figure 2. How SSL established connections, step-by-step.
As you can see from Figure 2, the process of establishing each new SSL connection starts with exchanging encryption parameters and then optionally authenticating the servers (using the SSL Handshake Protocol). If the handshake is successful and both sides agree on a common cipher suite and encryption keys, the application data (usually HTTP, but it can be another protocol) can be sent through encrypted tunnel (using the SSL Record Layer).
In reality, the above process is in fact a little bit more complicated. To avoid unnecessary handshakes, some of the encryption parameters are being cached. Alert messages may be sent. Ciphers suites can be changed as well. However, regardless of the SSL specification details, the most common way this process actually works is very similar to the above.
配置apache+ssl
apache 惯例 .crt 扩展名表示证书文件,.key 扩展名表示私钥。私钥文件必须安全保管。证书文件可以自由发布共享。
证书颁发流程
CSR:Certificate Singning Request,签发证书请求。
CA:Certificate Authority,证书授权机构。
CRT:CA签发过的CSR文件,即证书文件。
key:私钥文件。
1.首先创建一个私钥文件
openssl genrsa -des3 -out server.key 1024
查看密钥参数:openssl rsa -noout -text -in server.key
2.导入私钥文件到CSR中,csr提示输入common name时,输入主机的完全合格域名。
openssl req -new -key server.key -out server.csr
查看csr详细内容:openssl req -noout -text -in server.csr
3.如果不是使用自己创建的CA,直接将.csr提交到选择的CA机构即可,如果使用自己创建的CA,首先需要先生成根证书和私钥文件,见下面的“关于生成根证书”。
openssl req -nodes -new -x509 -keyout ca.key -out ca.crt -days 3650
4.将csr文件提交到CA,CA返回的签发过的CSR应该以.crt为扩展名。
openssl ca -out server.crt -in server.csr -days 3650
正确生成crt文件时应该是下面的提示,如果提示不是这样的话,请修改与ca不同的地方,如countryName等。
Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Nov 17 01:05:09 2008 GMT Not After : Nov 17 01:05:09 2009 GMT Subject: countryName = bj stateOrProvinceName = beijing organizationName = wamo organizationalUnitName = wamo commonName = emailAddress = xiaca@test.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: DD:A9:0D:D2:E2:00:77:E9:57:87:A4:C1:99:98:EE:60:AA:64:C7:CB X509v3 Authority Key Identifier: keyid:C0:34:E9:1E:E0:90:75:6B:24:A0:A4:7A:E3:4A:E0:4B:D9:10:74:45
Certificate is to be certified until Nov 17 01:05:09 2009 GMT (365 days) Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
|
关于生成根证书
1.编辑/usr/local/ssl/openssl.cnf(对于rpm安装的,可以用 locate openssl.cnf 命令找到它)
1)建立一个目录作为密钥的“工作目录”,将 dir 指向它。如:dir = /usr/local/ssl/CA
2)考虑增加有限期限 default_days 以免你的 VPN 在工作整一年后莫名其妙的终止。我更改为3650,十年。
3)设定 certificate 和 private_key 指向你的根证书和私钥文件(我们马上要生成它)根证书文件名为ca.crt,私钥文件名为 ca.key。
4)注意文件 index.txt 和 serial。在CA目录下新建空文件index.txt,新建serial文件,初始化为包含一个数字序列比如 01,
关于错误:
wrong number of fields on line 1 (looking for field 6, got 1, '' left)
原因是你的index.txt文件不为空,改为空文件即可。
5)如果你狂热的追求密钥长度,那可以将 default_bits 增加到2048。 对于打开 pthread 支持的 OpenVPN 处理2048位的 RSA 密钥是毫无问题的。
2.openssl.cnf 编辑完后,创建根证书/私钥对
Remember to use a unique Common Name for the server and each of the client certificates(**使用唯一的common name)
/usr/local/ssl/bin/openssl req -nodes -new -x509 -keyout ca.key -out ca.crt -days 3650
3.这将会创建一对有效期为十年的根证书/私钥对,将生成的myca.crt和ca.key拷到密钥的“工作目录”
mv ca.crt ca.key /usr/local/ssl/CA/
配置apache使用SSL
注:SSL不能使用给予域名的虚拟主机,每个虚拟主机必须有一个专门的IP地址(这个限制源自于SSL的设计)
apache-2.*源程序中包含ssl模块。
apache-1.*需要到下面的网站中下载:
1.编译时启用ssl模块。
./configure --prefix=/usr/local/apache --enable-so --enable-ssl --enable-mods-shared="proxy proxy_http proxy_ftp proxy_connect headers"
2.配置虚拟主机。
打开httpd.conf中关于ssl的注释。
# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
<VirtualHost 128.123.43.125:443>
ServerName
ServerAdmin webmaster@company.com
DocumentRoot /var/www
ErrorLog logs/-ssl-error-log
CustomLog logs/-ssl-access-log combined
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/server.key
</VirtualHost>
|
如果对于server.key文件使用了非空的密码,启动apache时会要求输入密码,使用下面的步骤去掉私钥的密码:
cp server.key server.key.orig
openssl rsa -in server.key.orig -out server.key
chmod 400 server.key server.key.orig
nginx配置ssl
upstream ssl { server 10.254.223.82:443 weight=5; }
server { listen 443; server_name 174.129.188.25 localhost;
ssl on; ssl_certificate /opt/server.crt; ssl_certificate_key /opt/server.key;
location / { proxy_pass
}
} |
|
|
阅读(5988) | 评论(0) | 转发(0) |
