Discussion on the implementation of OpenSSL security session

First, overview SSL

SSL (Secure Socket Layer) Secure Sockets Layer, early Netscape wanted to make the various protocols in the application layer to the purpose of data security for data transmission, a half layer structure was introduced between the application layer and the TCP layer; SSL is not only a protocol, but also a library, The ability to invoke SSL before a protocol of the application layer transmits data to the TCP layer; For example, HTTP, SMTP, FTP, and so on at the application layer, before the TCP layer, via SSL, the TCP layer transmits data in HTTPS, Smtps, FTPs , now the mainstream version is SSLv2, SSLv3.

Second, understand OpenSSL

OpenSSL is an open source implementation of SSL and one of the most important tools in symmetric encryption, consisting of three parts:

Libcrypto: Universal encryption and decryption library, providing a variety of encryption functions, all kinds of software as long as the encryption library to achieve encryption;

The implementation of LIBSSL:TLS/SSL, based on the session, the realization of identity authentication, data confidentiality and session integrity of the TLS/SSL;

OpenSSL: Multipurpose command-line tool, implementing private certification authority, one of the common basic Tools on Linux;

OpenSSL configuration file in/etc/pki/tls/openssl.conf, mainly let OpenSSL work as a private CA;

OpenSSL commonly used subcommand:

Req: a tool for generating certificates and certificate applications;

-new: Generate a new certificate

-x509: Generates certificates in the X509 format, the current mainstream certificate storage format

-key: Specify key

-out: Saving to a file

-days: Certificate Save time

#openssl Req-new-x509-key server1024.key-out server.crt-days 365

GENRSA: Use the RSA algorithm to help generate a private key with permission set to 600

Numbits: Optional option, set key length, default is 512-bit

Files Saved by-out

#openssl Genrsa-out Srever1024.key 1024

Third, the process of SSL establishment session

Prerequisite: The establishment of TCP three times after shaking hands;

First step: The client makes a request to the server side

Step two: Client and server-side negotiation using protocol versions (SSLV2, SSLv3, TLSV1)

Step three: After negotiation, the server sends the certificate to the client, and the client detects the security of the certificate.

Fourth step: The client randomly generates a symmetric password to use the server-side public key encryption to send to the server side

Fifth step: The server-side to get the password encrypted data sent to the client

Sixth step: After the communication completes the exit session channel, TCP four times disconnects

Iv. establishing session instance configuration based on OpenSSL

Prerequisites: A virtual machine as a CA, a virtual machine as a Web server and configured on this server based on the virtual host domain name

The plan is as follows:

CA Institution host Address: 172.16.52.2

Web server host Address: 172.16.52.3

Virtual Host domain name: www2.magedu.com

1. Generate private key for CA organization itself in CA host

2, modify the default information in the configuration file

[Root@localhost CA] #vim. /TLS/OPENSSL.CNF countryname_default =cn stateorprovincename_default =henan localityname_default =Zhengzhou O.or Ganizationname_default =mageedu organizationalunitname_default =tech ##### #这些默认信息可以根据自己需求自定义

3. Generate self-signed certificate