Introduction to the use of HTTPS

Source: Internet
Author: User

HTTPS overview
HTTPS can be thought of as HTTP + TLS. TLS (Transport Layer Security) is an encryption protocol that sits between the application protocol and TCP; its predecessor was SSL, originally published by Netscape and later renamed TLS when it was standardized. Unless otherwise stated, "SSL" and "TLS" in this article refer to the same protocol family. Note that the actual SSL versions (SSL 2.0 and 3.0) are obsolete and should not be enabled on a server; only the TLS versions are still considered secure.
Communication process
The flow below describes the RSA key-exchange variant of TLS 1.2 and earlier, in which the client encrypts the session secret under the server's public key. TLS 1.3 and modern TLS 1.2 deployments use an ephemeral (EC)DHE exchange instead, but the certificate check and the verification of the handshake transcript work the same way.

1) The browser sends the server the set of cipher suites (encryption and hash algorithms) it supports, together with a random value.
2) The server selects one encryption algorithm and one hash algorithm from that set and sends back its identity in the form of a certificate, together with its own random value.
3) After receiving the certificate, the browser does the following:
   a) Verifies that the certificate is valid: it chains to a trusted root, is within its validity period, and matches the host name. If the certificate is trusted, the browser shows a padlock in the address bar; otherwise it warns that the certificate is not trusted.
   b) If the certificate is trusted (or the user accepts an untrusted one), generates a random secret (the premaster secret) and encrypts it with the public key from the certificate.
   c) Computes the agreed hash over all handshake messages exchanged so far, protects it with a key derived from the random secret, and sends all of this to the server.
4) After receiving the browser's data, the server does the following:
   a) Decrypts the message with its private key to recover the secret, derives the same key, and checks that its own hash of the handshake messages matches the one the browser sent.
   b) Encrypts its own hash of the handshake messages with the derived key and sends it to the browser.
5) The browser decrypts this and compares it with its own hash of the handshake messages. If they match, the handshake is complete, and all subsequent data is encrypted with a symmetric cipher using keys derived from the random secret the browser generated.
Key concepts:
CA (Certificate Authority): the authority that issues digital certificates to registrants. Its functions are certificate issuance, renewal, revocation and validation. A browser trusts a site certificate only because it chains to a CA root that is already in the browser's trust store, so the CA's issuance practices are the root of trust for the whole system.
Key negotiation: each new session between the browser and the server uses an asymmetric key-exchange algorithm to agree on symmetric keys, and those symmetric keys are then used to encrypt, decrypt and authenticate the application data. The session keys are generated and kept only in memory, and every session gets different keys (unless the session is resumed), so a party in the middle of the connection cannot obtain them. The common key-exchange algorithms are RSA, DH, DHE, ECDH and ECDHE. Their characteristics:
RSA: the algorithm is simple, was published in 1977, has a long history and has been studied extensively. The drawback is that it needs a large modulus (currently 2048 bits) for adequate security, which costs CPU time. RSA is the only one of these algorithms that can be used both for key exchange and for certificate signing. Used for key exchange it provides no forward secrecy: whoever later obtains the server's private key can decrypt recorded sessions, which is why TLS 1.3 removed RSA key exchange entirely.
DH (Diffie-Hellman): published in 1976, before RSA, although an equivalent scheme had been discovered in secret at GCHQ a few years earlier and was only acknowledged publicly much later. The drawback is CPU cost, since it needs similarly large moduli.
ECDHE: Diffie-Hellman over elliptic curves with ephemeral keys. The advantage is that it reaches the security level of much larger RSA or DH keys with a 256-bit curve, so it is fast. The drawbacks noted at the time of writing were the more complex algorithm and the shorter track record; it has since become the default key exchange in all major browsers and servers.
ECDH (static): does not provide perfect forward secrecy (PFS), is weaker, and cannot be used with False Start.
DHE: does not use elliptic curves and, with 2048-bit groups, consumes considerably more CPU than ECDHE.
Symmetric encryption: communication encrypted with the symmetric key obtained through key negotiation.
Digital certificate: a) identity authentication, ensuring that the site the browser reaches is the trusted, CA-verified site it claims to be; b) public-key distribution: every digital certificate contains the public key generated by the registrant, and it is delivered to the client in the Certificate message of the SSL handshake.
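The key-exchange properties above are what a cipher string actually controls on a server. The following is an added example, not from the original page, that asks the local OpenSSL (through the standard-library ssl module) which suites a cipher string enables and flags those whose key exchange is static RSA, so a configuration can be checked before deployment. PAGE_CIPHERS is the string used in the Nginx configuration later on this page; PFS_CIPHERS, NON_PFS_KX and the function names are the author's choices, and the exact suite list depends on the OpenSSL build Python is linked against.

```python
# Inspect which key-exchange method each suite in a cipher string uses, via
# ssl.SSLContext.get_ciphers() from the standard library. Added example, not
# from the original page; cipher strings and names are the author's choices.
import ssl

PAGE_CIPHERS = "HIGH:!aNULL:!MD5"                       # as in the Nginx config on this page
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"  # ephemeral exchange, AEAD only
NON_PFS_KX = ("kx-rsa", "kx-rsa-psk")                   # static RSA: no forward secrecy


def describe_ciphers(cipher_string: str):
    """Return [(name, key_exchange, auth, protocol)] for each suite OpenSSL
    enables for cipher_string. TLS 1.3 suites report 'kx-any' because 1.3
    only supports ephemeral (EC)DHE and negotiates the group separately."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.0/1.1 are deprecated
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["kea"], c["auth"], c["protocol"]) for c in ctx.get_ciphers()]


def non_pfs_suites(cipher_string: str):
    """Suites whose session key can be recovered from a recorded session by
    anyone who later obtains the server's private key."""
    return [name for name, kea, _, _ in describe_ciphers(cipher_string) if kea in NON_PFS_KX]


def has_forward_secrecy(cipher_string: str) -> bool:
    """True when every enabled suite uses an ephemeral key exchange."""
    return not non_pfs_suites(cipher_string)


if __name__ == "__main__":
    for label, cs in (("page", PAGE_CIPHERS), ("pfs", PFS_CIPHERS)):
        suites = describe_ciphers(cs)
        print(f"{label}: {len(suites)} suites, forward secrecy={has_forward_secrecy(cs)}")
        for name, kea, auth, proto in suites:
            print(f"  {name:40} {kea:10} {auth:12} {proto}")
```

Run it against any cipher string you intend to put in ssl_ciphers; on a typical OpenSSL build the page's HIGH:!aNULL:!MD5 still admits plain RSA key exchange suites such as AES256-GCM-SHA384, while the ECDHE/DHE string admits none.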
Certificate
Root certificate: used to verify the identity of the CA. Site certificate: used to verify the identity of the web site. Verification walks the chain from the bottom (the site certificate) upward through any intermediate certificates until it reaches a root certificate that is already in the client's trust store, and then checks each certificate's signature downward from the root, level by level, along with the validity dates and, for the site certificate, the host name. The server should send the complete chain apart from the root, because clients cannot be relied on to have the intermediate certificates cached.
Nginx Configuration
server {
    listen 80;
    server_name www.acme.com;
    location / {
        rewrite ^/(.*) https://www.acme.com/$1 permanent;
    }
}

server {
    listen 443 ssl;
    server_name www.acme.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /home/nginx/cer/acme.com.crt;
    ssl_certificate_key /home/nginx/cer/device.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 1440m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    access_log logs/www.acme.com.access.log main;
    error_log logs/www.acme.com.error.log debug;
    location / {
        proxy_pass http://192.168.198.132:8080;
    }
}

The first server block redirects all plain HTTP requests to HTTPS (the rewrite must capture the path with $1, otherwise every request lands on the site root); the second terminates TLS and proxies to the backend over plain HTTP on the internal network. As written, this configuration still enables TLS 1.0 and 1.1, which are deprecated, allows suites without forward secrecy through the HIGH:!aNULL:!MD5 cipher string, and leaves error_log at debug level, which is far too verbose for production.
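A hardened variant of the same configuration, as an added example that is not part of the original page. The host name, certificate paths and upstream address are the page's placeholders; the cipher list is one reasonable modern choice (ECDHE with AEAD ciphers only), not the only valid one, and the HSTS header and session-ticket setting are the author's additions.

```nginx
server {
    listen 80;
    server_name www.acme.com;
    return 301 https://$host$request_uri;   # preserves the path and query string
}

server {
    listen 443 ssl;
    server_name www.acme.com;

    ssl_certificate     /home/nginx/cer/acme.com.crt;   # site certificate followed by intermediates
    ssl_certificate_key /home/nginx/cer/device.key;

    ssl_protocols TLSv1.2 TLSv1.3;                       # drop TLS 1.0 and 1.1
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;                       # every suite above is PFS + AEAD, so let the client choose

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;                             # ticket keys live as long as the worker and would undermine PFS unless rotated

    add_header Strict-Transport-Security "max-age=63072000" always;

    access_log logs/www.acme.com.access.log main;
    error_log  logs/www.acme.com.error.log warn;          # debug level logs far too much for production

    location / {
        proxy_pass http://192.168.198.132:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;        # tell the backend the client used HTTPS
    }
}
```

After changing the cipher or protocol settings, run nginx -t and then test the listening port with an external scanner or openssl s_client to confirm that TLS 1.0/1.1 and RSA key-exchange suites are really rejected.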
Using scripts
See HTTPS-Turorial-Package.rar in the download directory.

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.