Building one-way and two-way HTTPS authentication with SSL

Source: Internet
Author: User
Tags: dname, pkcs12, asymmetric encryption, startssl

1. SSL basic introduction

When you use online banking you see "https" in the address bar. What is this https? It means that the current connection is protected by SSL (today its successor TLS), so that traffic between the client and the server cannot be read or altered on the way. How does the browser achieve this? Let us look at the basic building blocks of SSL.

We start with two basic types of encryption and decryption algorithms: symmetric encryption and asymmetric encryption (public/private key encryption). Their characteristics are as follows:

Symmetric encryption: there is only one key; the same key is used to encrypt and to decrypt, and both operations are fast. Typical symmetric algorithms are DES and AES (DES is obsolete because of its 56-bit key; AES is what current TLS cipher suites use). See the figure below:


Figure 1 symmetric encryption

Asymmetric encryption: keys come in pairs, a public key and a private key. The private key cannot be derived from the public key (the reverse does not hold: a private key file normally contains, or can regenerate, the public half). Encryption and decryption use different keys: what is encrypted with the public key can only be decrypted with the private key, and a signature made with the private key is verified with the public key. It is much slower than symmetric encryption. Typical asymmetric algorithms are RSA (encryption and signatures) and DSA (signatures only). See the figure below:


Figure 2 asymmetric encryption

2. Introduction to HTTPS encrypted transmission

Combining the two methods above, we can design a scheme that keeps your communication on the Internet private from everyone else:

1. The server holds a public/private key pair.

2. The client obtains the server's public key. In practice it arrives inside the server's certificate, and the client must verify that certificate against a trusted CA before going any further; without that check an attacker in the middle could hand the client his own public key.

3. The client generates a random session key.

4. The client encrypts the session key with the server's public key (asymmetric encryption).

5. The client sends the encrypted session key to the server.

6. The server decrypts the session key with its private key; from then on all data between server and client is encrypted with that session key (symmetric encryption).

This is the classic RSA key transport. Current TLS (1.3, and well-configured 1.2) instead derives the session key with an ephemeral Diffie-Hellman exchange that the server signs with its private key, so that a later theft of the private key does not expose recorded sessions (forward secrecy). The division of labour is the same: one slow asymmetric step to agree on a key, then a fast symmetric cipher for the data.

The timing diagram for the HTTPS communication process is as follows:


Figure 3 HTTPS Communication timing Diagram

As shown, this gives us the following guarantees:

1. the session key generated by the client is known only to the client and the server

2. the encrypted data can be turned back into plaintext only by the client and the server

3. the communication between client and server is therefore protected from eavesdroppers
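The six steps above, carried out with the openssl command line as an added example (this is not code from the original article). The "server" and "client" are two directories, the session key is wrapped with the server's RSA public key (RSA key transport, with OAEP padding), and the payload is encrypted with AES-256-CBC. It also performs the check the article's list leaves out: before using the received public key, the client compares its SHA-256 fingerprint with one obtained out of band, which is what certificate verification (or key pinning) does in real TLS. All file names and the sample message are illustrative.

```shell
#!/bin/sh
# Added example: hybrid RSA + AES exchange from section 2, done with openssl.
# Paths under DIR are illustrative; nothing here talks to a network.
set -e

# SHA-256 over the DER encoding of a public key (the value a pin would hold).
pubkey_fingerprint() {
  openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Run the whole exchange inside DIR and print the decrypted message on success.
hybrid_exchange() {
  dir="$1"; msg="$2"
  mkdir -p "$dir/server" "$dir/client"

  # Step 1: the server holds an RSA key pair; only the public half leaves it.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/server/priv.pem" 2>/dev/null
  openssl pkey -in "$dir/server/priv.pem" -pubout -out "$dir/server/pub.pem"

  # Step 2: the client fetches the public key and checks that it really is the
  # server's (here via a fingerprint known in advance; in TLS via the CA
  # signature on the certificate). A substituted key is rejected here.
  cp "$dir/server/pub.pem" "$dir/client/server_pub.pem"
  expected=$(pubkey_fingerprint "$dir/server/pub.pem")
  received=$(pubkey_fingerprint "$dir/client/server_pub.pem")
  [ "$expected" = "$received" ] || { echo "public key mismatch" >&2; return 1; }

  # Step 3: the client generates a random 256-bit session key (and a 128-bit IV).
  openssl rand -hex 32 > "$dir/client/session.key"
  openssl rand -hex 16 > "$dir/client/iv"

  # Step 4: the client wraps the session key with the server's public key
  # (asymmetric, slow, done once; OAEP rather than PKCS#1 v1.5 padding).
  openssl pkeyutl -encrypt -pubin -inkey "$dir/client/server_pub.pem" \
    -pkeyopt rsa_padding_mode:oaep \
    -in "$dir/client/session.key" -out "$dir/client/session.key.enc"

  # Step 5: the client encrypts the data with the session key (symmetric, fast)
  # and "sends" wrapped key, IV and ciphertext to the server.
  printf '%s' "$msg" | openssl enc -aes-256-cbc \
    -K "$(cat "$dir/client/session.key")" -iv "$(cat "$dir/client/iv")" \
    -out "$dir/client/data.enc"
  cp "$dir/client/session.key.enc" "$dir/client/iv" "$dir/client/data.enc" "$dir/server/"

  # Step 6: only the private key can unwrap the session key; from here on both
  # sides use the symmetric cipher.
  openssl pkeyutl -decrypt -inkey "$dir/server/priv.pem" \
    -pkeyopt rsa_padding_mode:oaep \
    -in "$dir/server/session.key.enc" -out "$dir/server/session.key"
  openssl enc -d -aes-256-cbc \
    -K "$(cat "$dir/server/session.key")" -iv "$(cat "$dir/server/iv")" \
    -in "$dir/server/data.enc"
}
```

Run it as `hybrid_exchange /tmp/demo "some message"`; the message comes back out of the server side. An attacker who captured everything the client sent still only holds session.key.enc, which no key other than the server's private key can open; that is the property listed as guarantee 1 above.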

3. Two-way authentication and one-way authentication for HTTPS

In one-way authentication only the server presents a certificate and the client verifies it. In two-way (mutual) authentication the client must present a certificate as well, and the server checks it against the certificates in its truststore.

Tomcat configuration for HTTPS (two-way authentication)

1. Generate the server-side certificate

keytool -genkey -keyalg RSA -keysize 2048 -ext SAN=dns:localhost -dname "CN=localhost,OU=SANGO,O=NONE,L=CHINA,ST=BEIJING,C=CN" -alias server -keypass password -keystore server.jks -storepass password -validity 3650

The CN must be the host name the browser connects to. Modern browsers ignore the CN and match only the subject alternative name, so the -ext SAN=dns:localhost option (keytool supports -ext since JDK 7) is required for the certificate to be accepted; -keysize 2048 avoids the 1024-bit default of older JDKs.

2. Generate the client certificate

keytool -genkey -keyalg RSA -keysize 2048 -dname "CN=SANGO,OU=SANGO,O=NONE,L=CHINA,ST=BEIJING,C=CN" -alias custom -storetype PKCS12 -keypass password -keystore custom.p12 -storepass password -validity 3650

The client's CN can be any value. For a PKCS12 keystore the key password and the store password must be the same (keytool warns if they differ).

3. Because this is two-way SSL authentication, the server must trust the client certificate, so the client certificate has to be added to the server's trust material. A PKCS12 keystore cannot be merged into another keystore directly, so first export the client certificate on its own as a CER file:

keytool -export -alias custom -file custom.cer -keystore custom.p12 -storepass password -storetype PKCS12 -rfc

Then add the client certificate to the server (import the certificate into the server's keystore, which also serves as its truststore below):

keytool -import -v -noprompt -alias custom -file custom.cer -keystore server.jks -storepass password

Importing each client certificate individually only scales to a handful of clients. For more, put a private CA certificate in the truststore and have that CA sign the client certificates; every certificate chained to it is then accepted without touching the server.

4. View the contents of the keystore

keytool -list -v -keystore server.jks -storepass password

5. Configure the HTTPS connector in Tomcat's conf/server.xml

The extracted page lost the start of the Connector element; below is the standard form, with the port (8443 is Tomcat's conventional HTTPS port) and maxThreads="150" taken from Tomcat's own documented example:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="true" sslProtocol="TLS"
    keystoreFile="D:/server.jks" keystorePass="password"
    truststoreFile="D:/server.jks" truststorePass="password" />

clientAuth="true" indicates two-way authentication: the handshake fails unless the client presents a certificate that chains to something in truststoreFile. clientAuth="want" asks for a certificate but still lets clients without one connect, which is useful while rolling mutual authentication out. Note that the attributes above are the Tomcat 6/7 style; Tomcat 8.5 and 9 still accept them but prefer a nested SSLHostConfig element, and Tomcat 10.1 removed the old style. On a current JDK also restrict the protocol versions (sslEnabledProtocols="TLSv1.2,TLSv1.3"), because sslProtocol="TLS" by itself may still permit TLS 1.0 and 1.1.

6. Import the client certificate into the browser. Two-way authentication makes the client certificate mandatory, so double-click custom.p12 to import it (key and certificate) into the browser's certificate store; the store password is requested during the import.
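An added example (not code from the original article) of the same two-way setup built with OpenSSL instead of keytool self-signed certificates, following the CA approach mentioned in step 3: a private CA signs both the server and the client certificate, so Tomcat's truststore only needs the CA certificate and new clients need no server-side change. The subject names mirror the article's; the directory, file names and the password "password" are illustrative. The last step is assumed, not taken from the page: it builds a JKS truststore only if a JDK is installed.

```shell
#!/bin/sh
# Added example: private CA + server cert + client cert for Tomcat mutual TLS.
# Everything is written under DIR; names and the password are illustrative.
set -e

build_mtls_pki() {
  dir="$1"
  mkdir -p "$dir"
  ( cd "$dir"
    # 1. Private CA (self-signed): the trust anchor that goes into truststoreFile.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
      -subj "/CN=Example Private CA/O=NONE/C=CN" \
      -keyout ca.key -out ca.crt 2>/dev/null
    # 2. Server certificate: CN=localhost as in the article, plus the SAN that
    #    browsers require (a CN alone is no longer matched).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=localhost/OU=SANGO/O=NONE/L=CHINA/ST=BEIJING/C=CN" \
      -keyout server.key -out server.csr 2>/dev/null
    printf 'subjectAltName=DNS:localhost\nextendedKeyUsage=serverAuth\n' > server.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 3650 -sha256 -extfile server.ext -out server.crt 2>/dev/null
    # 3. Client certificate, signed by the same CA, restricted to client auth.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=SANGO/OU=SANGO/O=NONE/L=CHINA/ST=BEIJING/C=CN" \
      -keyout client.key -out client.csr 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > client.ext
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 3650 -sha256 -extfile client.ext -out client.crt 2>/dev/null
    # 4. Key + certificate bundle the browser imports (the article's custom.p12).
    openssl pkcs12 -export -in client.crt -inkey client.key -name custom \
      -passout pass:password -out custom.p12
    # 5. A self-signed certificate with the same subject that the CA never
    #    issued; a correctly built truststore must reject it.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
      -subj "/CN=SANGO/OU=SANGO/O=NONE/L=CHINA/ST=BEIJING/C=CN" \
      -keyout rogue.key -out rogue.crt 2>/dev/null
    # 6. Private keys readable by their owner only (deployment note 1 below).
    chmod 400 ca.key server.key client.key rogue.key
    # 7. Assumed extra step: with a JDK present, build the JKS truststore Tomcat
    #    reads. Only the CA goes in, not the individual client certificates.
    if command -v keytool >/dev/null 2>&1; then
      keytool -importcert -noprompt -alias ca -file ca.crt -storetype JKS \
        -keystore truststore.jks -storepass password >/dev/null 2>&1
    fi
  )
}

# The decision Tomcat makes with clientAuth="true": does CERT chain to the
# trust anchor CA? Exit status 0 = accepted, non-zero = rejected.
trusted_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Run `build_mtls_pki /tmp/pki`, then point Tomcat's keystoreFile at a PKCS12 built from server.key and server.crt and truststoreFile at truststore.jks. `trusted_by /tmp/pki/ca.crt /tmp/pki/client.crt` succeeds while the rogue certificate fails, even though its subject is identical: the truststore decides by signature chain, not by name. OpenSSL 3 writes PKCS#12 files with AES and PBKDF2; if an old JDK or browser cannot open custom.p12, add `-legacy` to the pkcs12 command.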

Tomcat configuration for HTTPS (one-way authentication)

1. Generate the server-side certificate

keytool -genkey -keyalg RSA -keysize 2048 -ext SAN=dns:localhost -dname "CN=localhost,OU=SANGO,O=NONE,L=CHINA,ST=BEIJING,C=CN" -alias server -keypass password -keystore server.jks -storepass password -validity 3650

2. Because this is one-way authentication there is no client certificate to generate; go straight to the connector in Tomcat's conf/server.xml (the start of the element was lost in extraction and is restored here in the standard form, with 8443 and maxThreads="150" taken from Tomcat's documented example):

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="D:/server.jks" keystorePass="password" />

clientAuth="false" indicates one-way authentication, and the two truststore attributes (truststoreFile="D:/server.jks" truststorePass="password") are removed, since the server no longer verifies anything the client presents.

4. Purchasing a certificate

For a public site you buy a certificate from a CA, for example the Beijing Digital Certification Center. The figures below are what Shenzhen WoSign quoted at the time of writing. Note that WoSign and its subsidiary StartCom were removed from the trust stores of the major browsers (Mozilla, Google and Apple) in 2016-2017, so their certificates are no longer accepted; the numbers are kept only as an illustration of how pricing worked.

SSL certificate renewal prices:

3 years: 3134 yuan per certificate (about 1045 yuan per year); 4 certificates: 12536 yuan in total
5 years: 5150 yuan per certificate (about 1030 yuan per year); 4 certificates: 20600 yuan in total

A 1-year certificate cost 1688 yuan, with renewal at 1350 yuan, so the multi-year deals were noticeably cheaper per year.

The original advice was that a long-running site should buy a multi-year certificate so as not to renew every year. That no longer applies: since September 2020 browsers reject publicly trusted TLS certificates valid for more than 398 days, so public CAs issue at most about one year and renewal should be automated (for example with an ACME client) rather than bought in bulk.

CSR (certificate request file) generation guide: WoSign

Certificate installation guide: WoSign

5. Deployment considerations

1. Make sure that server.key, server.crt, ca.crt and similar files are readable by root only, to limit exposure of the private key:

chmod 400 filename

2. Let Apache supply the private key's "pass phrase" itself when apachectl startssl runs, so the server can start unattended. Edit the files as follows:

(1) vi /*/*/apache/conf/extra/httpd-ssl.conf

Comment out SSLPassPhraseDialog builtin

Add SSLPassPhraseDialog exec:/*/*/apache/conf/apache_pass.sh on the next line

(2) vi /*/*/apache/conf/apache_pass.sh

#!/bin/sh
echo "pass phrase"   # the pass phrase that apachectl startssl would otherwise prompt for

chmod 500 /*/*/apache/conf/apache_pass.sh

(The original notes omit the mode; 500, read and execute for the owner only, is what the exec: helper needs. The pass phrase now sits in clear text on disk, so encrypting the key protects nothing beyond what the permissions on this script already provide; guard apache_pass.sh exactly as you guard server.key.)

(3) Then start Apache:

# /*/*/apache/bin/apachectl startssl or /*/*/apache/bin/httpd -k start -DSSL

apachectl startssl exists only in Apache 1.3 and 2.0; from Apache 2.2 on SSL is switched on purely by configuration, and httpd -k start -DSSL works when the SSL configuration is wrapped in <IfDefine SSL>.

3. Once the HTTPS service is running, the firewall must allow inbound connections to port 443 from the outside.
