HTTPS Secure Access Overview

Principle

The HTTP protocol (hypertext Transfer Protocol, Hypertext Transfer Protocol) is one of the most widely used network transport protocols on the Internet, and all WWW files must comply with this standard. is the core of www. The basic protocol of Internet is TCP/IP protocol, the main protocol used by WWW Server is HTTP protocol, that is hyper-stylistic transfer protocol. HTTP is a standard (TCP) for both client and server-side requests and responses. The client is the end user and the server side is the Web site. By using a Web browser, web crawler, or other tool, the client initiates an HTTP request to the specified port on the server (the default port is 80).

HTTPS (full name: Hypertext Transfer Protocol over secure Socket Layer), is a security-targeted HTTP channel, simply speaking, the secure version of HTTP. HTTP, SSL is the security basis for HTTPS, so the details of encryption require SSL. It is a URI scheme (abstract identifier system), syntax similar to http: System. Used for secure HTTP data transfer. Https:url indicates that it uses HTTP, but HTTPS has a default port that differs from HTTP and an encryption/authentication layer (between HTTP and TCP)

The handshake process for the SSL protocol:

The ① client's browser transmits the version number of the client-side SSL protocol to the server, the type of encryption algorithm, the random number generated, and the information required for communication between other servers and clients.

The ② server transmits the SSL protocol version number to the client, the type of encryption algorithm, the random number and other related information, and the server will also send its own certificate to the client.

③ customers use server-transmitted information to verify the legality of the server, the legality of the server includes whether the certificate expires, whether the CA for the issuing server certificate is reliable, and whether the public key of the publisher certificate correctly unlocks the "digital signature of the publisher" of the server certificate, and whether the domain name on the server certificate matches the actual domain name of the server. If the legality verification fails, the communication will be disconnected, and if the validity verification is passed, the fourth step will continue.

The ④ client randomly generates a "symmetric password" for subsequent communications, encrypts it with the server's public key (the server's public key is obtained from the server's certificate in step ②), and then passes the encrypted "pre-master password" to the server.

⑤ If the server requires the client's authentication (which is optional during the handshake), the user can create a random number and then sign the data to the server with the signed random number and the customer's own certificate and the encrypted "pre-master password".

⑥ if the server asks the customer for authentication, the server must verify the legality of the client certificate and the signature random number, and the validation process includes the validity of the customer's certificate use date, the reliability of the CA providing the certificate to the customer, and the ability of the public key of the issuing CA to correctly unlock the digital signature of the issuing CA for the client certificate, Check that the customer's certificate is in the certificate revocation list (CRL). If the test fails, the communication is interrupted immediately; if validation passes, the server will unlock the encrypted "Pre-master password" with its own private key, and then perform a series of steps to generate the primary communication password (the client will also produce the same master communication password in the same way).

The ⑦ server and the client use the same master password as the "Call password", and a symmetric key is used to encrypt and decrypt the secure data communication of the SSL protocol. At the same time, in the process of SSL communication, the integrity of data communication should be completed to prevent any change in data communication.

The ⑧ client sends a message to the server indicating that the primary password in the step ⑦ to be used in the subsequent data communication is a symmetric key and notifies the server client that the handshake process is over.

The ⑨ server sends a message to the client indicating that the primary password in the step ⑦ to be used in the subsequent data communication is a symmetric key and notifies the client that the end of the handshake process is over.

The ⑩ssl handshake part ends, the SSL secure channel data communication begins, the client and the server begin to use the same symmetric key to carry on the data communication, simultaneously carries on the verification of the communication integrity.

Steps

Installing packages

[Root@host ~]# Mount/dev/cdrom/mnt/cdrom

Mount:block Device/dev/cdrom is write-protected, mounting read-only

[Root@host ~]# Cd/mnt/cdrom/server

[Root@host server]# RPM-IVH httpd-2.2.3-31.el5.i386.rpm

Preparing ... ########################################### [100%]

1:HTTPD ########################################### [100%]

[Root@host server]#

Establish encrypted access HTTP

1 CA

Vim TSL/OPENSSL.CNF