Conclusion Pre-placement:
A Authentication
Certificate, server Certificate
B Key Negotiation
RSA Dhe/ecdhe PSK
C Encrypted communication
Encrypted communication uses symmetric encryption, using a key negotiated in stage B.
B Stage If you use RSA negotiation, you can use the server certificate to decrypt the key in the C procedure during negotiation. Thus decrypting the communication content. (In this way, bypass mode is available).
B Stage If you use dhe/ecdhe negotiation, you need at least the number of server enchantments at the time of the link (and perhaps the private key as the server certificate) to calculate the encryption key. In short, the negotiation process is also a one-time secret.
Therefore, there should be two cases of decrypting HTTPS.
Situation one: Communication with the server, real-time access to two information: 1,session information. 2,server magic number. In this case, you just need to bypass it.
Situation two: Serial in the network, do the middleman. Need server certificate to do authentication and signature, process I haven't figured it out yet. Then, you need to handshake with both ends and negotiate the key, then do both sides plus decrypt and content forwarding.
Cite a useful piece of content [1]
A WAF applies filter rules on traffic in an"Application"Level (e.g. it tries to detect SQL injection attempts). This requires is the WAF sees the traffic, i.e. whatever SSL which may has happened on the client side must stop at the WAF. But you usually want some SSL to protect the traffic between the client and the WAF (inchfact, you usually want it more on that link than between the WAF and the server itself, since WAF and server is Usua Lly nearby to all other). There is ways forA WAF to see ssl-protectedtraffic:the WAF has a copy of thePrivateKey used by the (Ssl-aware) server, and thus can decrypt the data asit flows. (This can imply some restrictions on the cipher suites used by the server; namely, no DHE). The WAF itself runs a SSL server, and that isThe one which the client sees. The WAF decrypt the data, runs its magic in it, and then forwards it to the server over aNewConnection which may or could not be ssl-protected. Which one depends on what your WAF instance can DoAnd how you configured it.
Concept:
http://www.guokr.com/post/114121/
http://www.guokr.com/post/116169/
http://www.guokr.com/post/148613/
Https://en.wikipedia.org/wiki/HTTPS
Two-way certification, single certification:
http://www.jianshu.com/p/0a7b028e2465
http://edison0663.iteye.com/blog/996526
Browser security controls:
The main function is to prevent the client operating system Trojan interception of user key information input (bank card account/password).
Http://wiki.mbalib.com/wiki/%E5%AE%89%E5%85%A8%E6%8E%A7%E4%BB%B6
Fully forward secrecy PFS (perfect forward secrecy)
Http://baike.baidu.com/item/%E5%AE%8C%E5%85%A8%E6%AD%A3%E5%90%91%E4%BF%9D%E5%AF%86
Https://en.wikipedia.org/wiki/Forward_secrecy
https://www.sslchina.com/deploying-forward-secrecy/
Https://zh.wikipedia.org/wiki/%E5%89%8D%E5%90%91%E5%AE%89%E5%85%A8%E6%80%A7
PFS Key Negotiation:
Https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
Https://zh.wikipedia.org/wiki/%E8%BF%AA%E8%8F%B2-%E8%B5%AB%E7%88%BE%E6%9B%BC%E5%AF%86%E9%91%B0%E4%BA%A4%E6%8F%9B
* * https://program-think.blogspot.com/2016/09/https-ssl-tls-3.html
Tls:
Https://en.wikipedia.org/wiki/Transport_Layer_Security
Https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_handshake
Other:
1190000004985253
http://www.admin5.com/special/https/
[1] Https://security.stackexchange.com/questions/44563/is-ssl-required-for-sites-hosted-behind-waf
Free Certificate:
https://letsencrypt.org/
Rfc:
https://tools.ietf.org/html/rfc5246
Outside content: TOR
Https://en.wikipedia.org/wiki/Tor_ (Anonymity_network)
Todo:
STARTTLS
[Skill] [HTTPS] [SSL/TLS] HTTPS Related Knowledge Summary