Implementation of OpenSSL-Based Secure sessions

I. Overview SSLSSL (Secure Socket Layer) Secure Socket Layer. In the early days, netscape wanted various protocols working at the application Layer to implement data security during data transmission, the half-layer structure introduced between the application layer and the tcp layer. SSL is not only a protocol, but also a library, the SSL function can be called before the application layer transmits data to the tcp layer. For example, the HTTP, SMTP, FTP, and other protocols at the application layer are called over SSL before the tcp layer, data is transmitted in the form of HTTPS, SMTPS, and FTPS on the tcp layer. Currently, the mainstream versions are SSLv2 and sslv3.2. Understand OpenSSLOpenSSL is an open-source SSL implementation and one of the most important tools in symmetric encryption. It consists of the following three parts: libcrypto: Universal encryption and decryption library, which provides various encryption functions, all kinds of software can achieve Encryption by calling the encryption library; libssl: TLS/SSL, TLS/SSL Based on session, implementing identity authentication, data confidentiality and session integrity; openssl: a multi-purpose command line tool that implements a private certificate authority. It is one of the basic tools used in linux. The OpenSSL configuration file is in/etc/pki/tls/openssl. conf, which mainly enables OpenSSL to work as a private CA. The subcommand used by OpenSSL: req: the tool used to generate certificates and apply for certificates;-new: generate a new certificate-x509: generate an x509 Certificate. Currently, the mainstream certificate storage format is-key: Specifies the key-out: Save to a file-days: Certificate retention time

1. # Openssl req-new-x509-key server1024.key-out server. crt-days 365

Genrsa: Use the RSA algorithm to generate a private key. Set the permission to 600 numbits: Optional. Set the key length. The default value is the file saved in 512-out.

1. # Openssl genrsa-out srever1024.key 1024

Iii. SSL session creation processPremise: After a tcp three-way handshake is established, Step 1: the client sends a request to the server Step 2: the client negotiates with the server to use the Protocol version (SSLv2, SSLv3, TLSv1) Step 3: after negotiation, the server sends a certificate to the client. The client checks the security of the Certificate. Step 4: the client randomly generates a symmetric password and uses the public key of the server to encrypt the password and send it to the server. Step 5: step 6: The server obtains the password and transmits the encrypted data to the client. After the communication is complete, the server withdraws the session channel and the tcp is disconnected four times. Iv. Establish session instance configuration based on OpenSSLPremise: a virtual machine acts as a CA, a virtual machine acts as a web server, and the configuration based on the virtual host domain name is planned as follows: CA Host address: 172.16.52.2web server host address: 172.16.52.3 virtual host domain name: www2.magedu. com1. Generate a private key for the CA itself on the CA Host
2. Modify the default information in the configuration file

1. [Root @ localhost CA] # vim ../tls/openssl. cnf
2. CountryName_default = CN
3. StateOrProvinceName_default = Henan
4. LocalityName_default = Zhengzhou
5. O. organizationName_default = MageEdu
6. OrganizationalUnitName_default = Tech
7. ###### The default information can be customized as needed

3. Generate a self-signed certificate 4. Prepare a directory and documents for the certificate

1. [Root @ localhost CA] # mkdir certs crl newcerts
2. [Root @ localhost CA] # touch index.txt
3. [Root @ localhost CA] # echo 01> serial

5. Install the httpd software package and mod_ssl module on the web server.

1. [Root @ ns2-] # Yum-y install httpd ##### you can configure the yum source by yourself and download the httpd software package from your own yum source. Here I download the software package from the yum source I configured myself.
2. [Root @ ns2-] # Yum install mod_ssl #### enable the web server to support the ssl function and install the ssl module

6. Generate server-side keys

1. [Root @ ns2-] # Cd/etc/httpd/
2. [Root @ nshttpd] # mkdir ssl
3. [Root @ nshttpd] # cd ssl/
4. [Root @ nsnsssl] # (umask 077; openssl genrsa 1024> httpd. key)

7. Set a virtual host domain name on the server

1. [Root @ ns2-] # Cd/etc/httpd/conf. d/
2. [Root @ nsconf. d] # vim vitual. conf
3. <VirtualHost 172.16.52.3: 80>
4. ServerName www2.magedu.com
5. DocumentRoot "/web/vhosts/www2"
6. </VirtualHost>
7. [Root @ nsconf. d] # mkdir/web/vhosts/www2-pv
8. [Root @ nsconf. d] # cd/web/vhosts/www2/
9. [Root @ nswww2] # vim index.html
10. Www2.magedu.com
11. /Web/vhosts/www2
12. Save and exit
13. [Root @ nswww2] # service httpd restart

8. Generate a certificate and visa request

9. Send a certificate request to the CA Host

1. [Root @ nsnsssl] # scp httpd. csr 172.16.52.2:/tmp

10. request a visa for the server certificate on the CA Host

11. view the post-Visa Information

12. Copy the generated certificate to the server.

1. [Root @ localhost CA] # scp/tmp/httpd. crt 172.16.52.3:/etc/httpd/ssl/

13. Delete the certificate information generated under/tmp

1. [Root @ localhost CA] # cd/tmp
2. [Root @ localhost tmp] # rm-rf httpd. c *
3. ####### To prevent others from stealing Certificate Information

14. Use the certificate generated on the server based on the host domain name

1. [Root @ nsconf. d] # vim ssl. conf
2. <VirtualHost 172.16.52.3: 443 >#### the address must be consistent with the address of the VM.
3. ServerName hello.magedu.com
4. DocumentRoot "/www/magedu.com"
5. SSLCertificateFile/etc/httpd/ssl/httpd. crt #### path based on the SSL Certificate file
6. SSLCertificateKeyFile/etc/httpd/ssl/httpd. key #### path of the private key file on the SSL server
7. Save and exit
8. [Root @ nsconf. d] # service httpd restart

15. view the listening port

16. Add the Virtual Host IP address and domain name to the host hosts file.

1. Path to the host hosts file: click "Local disk C"-> Windows-> System32-> drivers-> etc-> hosts
2. Add: 172.16.52.3 www2.magedu.com
3. ###### Test the site on IE browser to resolve the Domain Name of the VM

17. Drag the server certificate file to the physical machine

18. Install certificates


Click "Next" until the message "Import succeeded" appears.
19. Test Site www2.magedu.com

This configuration is complete for implementing https sessions based on OpenSSL.