HTTPS in httpd: whether httpd supports SSL depends on whether the SSL module (mod_ssl) is loaded.
HTTP: a text encoding; the plaintext transmission can be observed with telnet.
HTTPS: SSL-based binary encoding; HTTPS listens on 443/TCP.
httpd and SSL:
An SSL session is bound to an IP address, so only one SSL endpoint can be set up per IP
(that is, one IP can carry only one SSL site; if several name-based virtual hosts share an IP, only one of them can serve SSL).
Establishing an SSL session in httpd consumes considerable system resources, so vendors commonly add a dedicated hardware device that handles SSL separately in order to offload the server.
What the SSL handshake does:
Exchange protocol version numbers
Select an encryption method supported by both sides
The client authenticates the server
Key exchange (the client chooses a temporary symmetric key, encrypts it with the server's public key, and sends it to the server)
The client verifies the server certificate by checking:
Validity: the certificate is still within its validity period.
CA trust: the certificate's signature is decrypted with the CA's public key; if it decrypts correctly, the certificate was issued by a trusted CA.
Integrity: the fingerprint is recomputed and compared with the one in the certificate.
Holder identity: the name the client requested must match the name in the certificate (the server presents a certificate issued for the requested name, and the client confirms that this name matches the name it asked for).
Configuration: steps to make httpd work over HTTPS:
(1) Install the mod_ssl module
(2) Generate a private key for the server and have a CA issue its certificate; the name in the certificate must be the name the client requests
(3) Configure a virtual host that uses HTTPS
(4) Reload the server configuration
(5) Test
Example: HTTPS configuration and installation process.
(1) Install the mod_ssl module
# yum install mod_ssl -y ----- installs the module
(2) Generate a private key for the server and obtain a certificate for it:
# mkdir /etc/httpd/ssl && cd /etc/httpd/ssl
# (umask 077; openssl genrsa -out httpd.key 1024)
# openssl req -new -key httpd.key -out httpd.csr
After the CA signs the request, the signed certificate is placed at /etc/httpd/ssl/httpd.crt
(3) Configure the virtual host that uses HTTPS:
# vim /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443> ----- _default_ matches any server IP (to run two SSL sites, use a separate VirtualHost with its own IP address)
    DocumentRoot "/var/www/host1" ----- the directory of this site
    ServerName www.ning.com:443 ----- the server name (the :443 may be omitted, since the port is already given on the VirtualHost line)
    SSLCertificateFile /etc/httpd/ssl/httpd.crt ----- the certificate issued to httpd
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key ----- the private key of the httpd service
</VirtualHost>
(The stock ssl.conf already contains SSLEngine on inside this block; keep it.)
(4) Reload the configuration
# httpd -t ----- check the syntax
# service httpd restart ----- restart the service, because the listening port has changed
(5) Test:
Testing from Windows requires the CA's certificate to be downloaded and installed locally before the site can be used normally.
Here the certificate is self-issued, so: copy cacert.pem to the local machine, rename it to cacert.crt, and double-click it to install.
[Screenshot: Install certificate]
Browser: https://www.ning.com
[Screenshot: certificate issued successfully]
Testing from Linux: because the certificate is self-issued, first copy the CA's certificate from the CA host (# scp 172.16.3.20:/etc/pki/CA/cacert.pem /root/)
Test command: openssl s_client
# openssl s_client -connect 172.16.3.20:443 -CAfile /root/cacert.pem
(-connect 172.16.3.20:443 gives the IP and port of the server to connect to; -CAfile /root/cacert.pem gives the CA certificate just copied)
Then type a request on the open connection:
GET /index.html HTTP/1.0
Host: www.ning.com
# openssl s_client -connect 172.16.3.20:443 ----- without -CAfile
Verify return code: 21 (unable to verify the first certificate) ----- the certificate cannot be validated
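The following script is an added example and is not part of the original post. It reproduces, end to end, three things the post describes: step (2) (key, CSR, CA-signed certificate), the four client-side certificate checks from the handshake section, and the step (5) s_client test with and without -CAfile. Everything runs against a throwaway CA in a temporary directory, with `openssl s_server` standing in for httpd on a constructed local port, so no real server is touched. It assumes `openssl` 1.1.1 or newer is on PATH; the CA name, the port number and the `report` helper are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post.  Builds a throwaway CA and a
# server certificate for www.ning.com in a temp dir (step 2 of the post),
# runs the four client-side checks from the handshake section offline, then
# starts a local TLS server with `openssl s_server` and repeats the post's
# s_client test with and without -CAfile.  Assumes `openssl` 1.1.1+ on PATH.
# PORT is a constructed value; nothing here touches a real httpd.
set -e
WORK=$(mktemp -d)
PORT=44329
HOST=www.ning.com

make_demo_pki() {
    # Minimal OpenSSL config so the result does not depend on the system openssl.cnf
    cat >"$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.ning.com
EOF
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/ca.key" -config "$WORK/req.cnf" \
        -extensions v3_ca -subj "/CN=Demo CA" -days 365 -out "$WORK/ca.crt"
    # Same three commands as the post's step (2), with a 2048-bit key and a
    # SAN so modern clients accept the name
    (umask 077; openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$WORK/httpd.key" -config "$WORK/req.cnf" \
        -subj "/CN=$HOST" -out "$WORK/httpd.csr"
    openssl x509 -req -in "$WORK/httpd.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/req.cnf" \
        -extensions v3_server -days 365 -out "$WORK/httpd.crt" 2>/dev/null
}

# --- the four checks a client performs on the server certificate ---
check_validity()    { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }
check_ca_trust()    { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }
cert_fingerprint()  { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
check_fingerprint() { [ "$(cert_fingerprint "$1")" = "$2" ]; }
check_hostname()    { openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1; }

# --- live test, as in step (5): s_server stands in for httpd on 443 ---
start_server() {
    openssl s_server -accept "127.0.0.1:$PORT" -cert "$WORK/httpd.crt" \
        -key "$WORK/httpd.key" -www >/dev/null 2>&1 &
    SERVER_PID=$!
    for _ in 1 2 3 4 5; do    # wait until the port accepts a connection
        openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1 && break
        sleep 1
    done
}
stop_server() { kill "$SERVER_PID" 2>/dev/null || true; rm -rf "$WORK"; }
# Prints the numeric "Verify return code" from s_client; extra args (e.g. -CAfile) pass through
s_client_verify_code() {
    openssl s_client -connect "127.0.0.1:$PORT" -servername "$HOST" \
        -verify_hostname "$HOST" "$@" </dev/null 2>/dev/null |
        sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

report() { if "$@"; then echo "ok   : $1"; else echo "FAIL : $1"; fi; }

make_demo_pki
start_server
trap stop_server EXIT
PIN=$(cert_fingerprint "$WORK/httpd.crt")   # in practice obtained out of band
report check_validity    "$WORK/httpd.crt"
report check_ca_trust    "$WORK/httpd.crt" "$WORK/ca.crt"
report check_fingerprint "$WORK/httpd.crt" "$PIN"
report check_hostname    "$WORK/httpd.crt" "$WORK/ca.crt" "$HOST"
report check_hostname    "$WORK/httpd.crt" "$WORK/ca.crt" other.example   # expected FAIL
echo "with -CAfile   : $(s_client_verify_code -CAfile "$WORK/ca.crt")"   # 0
echo "without -CAfile: $(s_client_verify_code)"   # non-zero: CA not in the trust store (21 in the post)
```

The `-servername` option sends the requested host name in the handshake (SNI); the per-IP limit described at the top of the post applies only to clients and servers that do not use it. Note also that a fingerprint check only means something when the expected value comes from somewhere other than the connection being checked, which is why `PIN` is computed once from the file on disk rather than from the server's reply.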