The third of the web to build HTTPS

Source: Internet
Author: User
Tags openssl library ticket ssl certificate scp command



After the book, review One: Elinks-dump: Get to the page data and exit the process directly. Our keepalive are defined according to the requirements of different length of time, if busy, then shorten some.



How to use HTTP as https



Ssl:secure socket Layer Secure Sockets layers



Ssv1



Ssv2



Ssv3 ~TLS1



TLS Transport Layer Security



Because the HTTP protocol is plaintext, text-based encoding is required.



Telnet



Use Telnet to initiate the request, at which point our server is still 192.168.1.126



And our client has one more 192.168.1.134.



[[Email protected] cdrom]# Telnet 192.168.1.126 80
Trying 192.168.1.126 ...
Connected to 192.168.1.126.
Escape character is ' ^] '.
Get/index.html http/1.0
Host:www.bigfire.com



http/1.1 OK
Date:sun, 01:18:18 GMT
server:apache/2.2.15 (CentOS)
Last-modified:sat, 21:18:22 GMT
ETag: "A0008-e-50038dc9ae2ea"
Accept-ranges:bytes
Content-length:14
Connection:close
content-type:text/html; Charset=utf-8



This is host2 Web content
Connection closed by foreign host. This http1.0 does not support persistent connections, so once the Web resources are fully responsive, the service is completely disconnected.



If we want to use keepalive in Telnet, we need to find it in the config file and put it on. This also verifies that HTTP is clear text.



In the author's experiment when a little bit of a problem, the author of the server opened the KeepAlive service, but with Telnet connection due to the http/1.1 written in the HTTP space/1.1, the results of the output is broken. Here to share with you, hope warning.



In the TCP/IP model, if the application layer itself does not have the encryption function, then the entire TCP/IP transmission is clear text, if we want to encrypt the connection at the time of how to do?



1, the client and the server program between the two itself is encrypted, such as: The browser is encrypted, the program itself is also encrypted, but in this way, we have to do in the application layer protocol unification and specification is difficult.



Then 2, in the model, the application layer and the transport layer added half a layer, called the SSL layer. Its implementation is the implementation of the OpenSSL library file, called LIBSSL,HTTPD program development, once the interface of the OpenSSL library is called, then






HTTPD: Whether the SSL feature is enabled or not is httpd if the SSL module is loaded. SSL is a module that is individually wrapped.



We use the Yum list all mod*



You can find the MOD_SSL information and then use the Yum info mod_ssl as follows:



[email protected] ~]# Yum Info mod_ssl
Loaded Plugins:fastestmirror, Refresh-packagekit, security
Loading mirror speeds from cached hostfile
Available Packages
Name:mod_ssl
Arch:x86_64
Epoch:1
version:2.2.15
Release:29.el6.centos
Size:90 K
Repo:new1
SUMMARY:SSL/TLS module for the Apache HTTP Server
url:http://httpd.apache.org



...



If you want to use HTTPS, you need to install and load the Mod_ssl module before you can use it.



Review the SSL session again when the client and server side to be based on SSL, because SSL on the TCP/IP protocol, means the TCP protocol itself to achieve the transfer of SSL message, when the client sends a request to the server, then the next TCP three handshake handshake, The client enters the address in the browser, and DNS resolves the domain name to the IP address, at which point the IP address interacts. Before the three handshake was completed, the HTTP request message was not sent past. When the three-time handshake is successful, the server discovers that the HTTP request is HTTPS, it is based on SSL for the session, and it establishes the handshake based on the SSL session again, and the parties negotiate how to implement the encrypted communication. Negotiation content For example: Both sides support the use of what symmetric encryption method, the two sides support what public key encryption, the two sides use the version of the SSL protocol. Wait a minute



The next step is to implement data encryption, but there is a premise, the need for key exchange, how to implement key exchange, such as your new access to a site, how to obtain the key? To verify the server-side certificate, the server to send a service-side certificate to the client, the name of the service-side certificate must be the name you entered in the browser, the service side to send a certificate, to see which CA sent the certificate to the server, and then verify the validity of the certificate, such as checking the CA's public key can decrypt the signature Then use the same one-way encryption algorithm to calculate the fingerprint information of the certificate, compare the signature, no problem, the integrity has been verified. You also need to verify that the certificate is valid, and also verify that the certificate is not in the revocation list, and that when everything is properly checked, SSL establishes the session. Our client chooses a symmetric encrypted key to be sent to the server side with the server-side public key encryption, so the server decrypts its own private key to obtain a symmetric encrypted key, and then encrypts the network file with this key and sends it to the client.



SSL session is based on IP address, only the host name to verify your certificate, so that only after the SSL channel is established, the user's request to reach the server side. If you access a virtual host, all virtual hosts can only use the same SSL for communication. So, if a company to do three sites, three sites are an IP address, three sites have no way to use SSL for the call, only one can use SSL calls. Otherwise the certificate will be completely chaotic.


















Therefore, only one SSL session can be created per IP address.



After the session is established, if it is still working in a non-persistent state, each of the three handshake and the establishment of an SSL session channel, encryption and decryption, etc., will be particularly consumed.



SSL is a lot more steps than HTTP, both the server side and the client have great pressure, in order to speed up the session speed and CPU consumption, there are now a lot of itself to complete the SSL session support encryption hardware chip.



The HTTP session and the SSL channel-based HTTPS session are compared.



650) this.width=650; "Style=" border-right-0px; border-top-width:0px; border-bottom-width:0px; border-left-width:0px "title=" image "border=" 0 "alt=" image "src=" http://img1.51cto.com/attachment/201408/13/ 6249823_1407903398chhc.png "width=" 649 "height=" 603 "/>



An unencrypted HTTP transaction, both TCP sends and responds to the request, and then shuts down.



HTTPS has more SSL connections and disconnects, consumes a lot of resources, the CPU pressure is very high.



It is important to have a certificate in HTTPS with the following certificate format:



Certificate version number



Certificate serial Number



Certificate signing algorithm



Certificate issuer



Certificate Validity period



The name of the object (which needs to be consistent with the server's host name)



The public key of the object



Additional Information



Digital signature of the CA






Ra CA CTL also has a certificate access library collectively known as PKI, the core is the CA






The work to be done by the SSL handshake



Exchange Protocol version number, select the encryption method supported by both sides, the client to the server side of the authentication, (decryption of the other side of the certificate signing) key exchange (the client to select a symmetric encryption key exchange, and then encrypted with the other party's public key to pass to the other). So HTTP is called Https,http is text encoding, and HTTPS is based on SSL for binary encoding.



So our server is HTTPS, our client wants to authenticate based on SSL, and use Openssl+s_client's tools to interact with the server side. Can prove the validity of the certificate, be able to negotiate with the other party and data encryption and decryption transmission.



HTTPS will be listening on port 443 and cannot be authenticated in the FQDN.



The client authenticates the server-side certificate,



1. Validity of the test



2.CA validity Detection (decryption of the CA's signature with a local CA, success is possible)



3. Certificate Signature Detection



4. Identity verification of the holder. (see if the name entered by the browser is consistent with the hostname on the certificate issued by the CA)



Start simulation to build HTTPS



First, install the Mod_ssl module
# yum Install Mod_ssl



RPM-QL Mod_ssl
/etc/httpd/conf.d/ssl.conf



Check the ssl.conf, see if the configuration file is open called Sslengine



# SSL Engine Switch:
# enable/disable SSL for this virtual host.
Sslengine on



<virtualhost _default_:443> Default on 443



# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html" here, the root file is commented out by default.
#ServerName www.example.com:443



A web site is likely to be HTTP-based at the time of browsing, and once the payment page appears, HTTPS will be turned on.



Second, generate the private key for the service terminal (demonstration process on the same host)


1. Generating a private key for a CA


[[Email protected] ca]# (umask 077; OpenSSL genrsa-out Private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
....................................................................+++
............................................................+++
E is 65537 (0x10001)



View the CA private key, whether it is 600 permissions.



[email protected] ca]# ll private/
Total 4
-RW-------1 root root 1679 17:42 Cakey.pem


2, generate self-visa, but to ensure that the certificate before the format consistent.


OpenSSL req-new-x509 (express self-signed, only for personal CA test)-key private/cakey.pem-out Cacert.pem-days
You is about-to is asked to-enter information that'll be incorporated
into your certificate request.
What's about-to-enter is called a distinguished Name or a DN.
There is quite a few fields but can leave some blank
For some fields there would be a default value,
If you enter '. ', the field would be a left blank.
-----
Country Name (2 letter code) [XX]: until you are prompted to enter the CA certificate format information


3. Create serial and Index.txt, and echo > serial

4.CD to the httpd directory, generate an SSL directory for httpd in/etc/httpd, to generate the key for our server itself. 650) this.width=650; "Style=" border-right-0px; border-top-width:0px; border-bottom-width:0px; border-left-width:0px "title=" image "border=" 0 "alt=" image "src=" http://img1.51cto.com/attachment/201408/13/ 6249823_14079034187tgs.png "width=" 613 "height=" 103 "/>



Also generate a certificate signing software, let CA sign us.






650) this.width=650; "Style=" border-right-0px; border-top-width:0px; border-bottom-width:0px; border-left-width:0px "title=" image "border=" 0 "alt=" image "src=" http://img1.51cto.com/attachment/201408/13/ 6249823_1407903429rgtq.png "width=" 656 "height=" 175 "/>



OpenSSL Req–new–key Httpd.key (for the currently generated key) –out HTTPD.CSR (Generating a signing request) 1024 (1024 length)



650) this.width=650; "Style=" border-right-0px; border-top-width:0px; border-bottom-width:0px; border-left-width:0px "title=" image "border=" 0 "alt=" image "src=" http://img1.51cto.com/attachment/201408/13/ 6249823_1407903435qxkv.png "width=" 661 "height="/> at the time of signing this key, to be consistent with the hostname of your server.






Since this machine is also a CA, it is self-signed. 650) this.width=650; "Style=" border-right-0px; border-top-width:0px; border-bottom-width:0px; border-left-width:0px "title=" image "border=" 0 "alt=" image "src=" http://img1.51cto.com/attachment/201408/13/ 6249823_1407903439ahrz.png "width=" 465 "height="/>



650) this.width=650; "Style=" border-right-0px; border-top-width:0px; border-bottom-width:0px; border-left-width:0px "title=" image "border=" 0 "alt=" image "src=" http://img1.51cto.com/attachment/201408/13/ 6249823_1407903505ij49.png "width=" 668 "height=" 463 "/> Press Y to continue.



ll view current directory, discover build-rw-r--r--1 root root 3716 19:52 httpd.crt



Then go back to the HTTPD directory and CD to the CONF.D directory, edit ssl.conf, find the SSL certificate that



650) this.width=650; "Style=" border-right-0px; border-top-width:0px; border-bottom-width:0px; border-left-width:0px "title=" image "border=" 0 "alt=" image "src=" http://img1.51cto.com/attachment/201408/13/ 6249823_1407903530q5zz.png "width=" 665 "height=" 167 "/>



Fill in the path file that you just generated. Because the host name that was used when signing the certificate is our www.aaabig.com, so the/etc/httpd/conf/ Locate the corresponding virtual host in the httpd.conf, and then locate the DocumentRoot in the ssl.conf file, and then change the root file directory to match the virtual host. Note An IP address can only have one SSL session connection!



650) this.width=650; "Style=" border-right-0px; border-top-width:0px; border-bottom-width:0px; border-left-width:0px "title=" image "border=" 0 "alt=" image "src=" http://img1.51cto.com/attachment/201408/13/ 6249823_14079035399cu8.png "width=" 244 "height=" ""/> Change after restart service 650) this.width=650; "Style=" border-right-0px; border-top-width:0px; border-bottom-width:0px; border-left-width:0px "title=" image "border=" 0 "alt=" image "src=" http://img1.51cto.com/attachment/201408/13/ 6249823_1407903552krp7.png "width=" 687 "height=" 142 "/>



Enter https://www.aaabig.com in the browser



650) this.width=650; "Style=" border-right-0px; border-top-width:0px; border-bottom-width:0px; border-left-width:0px "title=" image "border=" 0 "alt=" image "src=" http://img1.51cto.com/attachment/201408/13/ 6249823_14079035894ip4.png "width=" 655 "height=" 226 "/> Obviously has a certificate, but the client does not have the CA's public key and cannot verify the validity of the certificate. Point lock Query 650) this.width=650; "Style=" border-right-0px; border-top-width:0px; border-bottom-width:0px; border-left-width:0px "title=" image "border=" 0 "alt=" image "src=" http://img1.51cto.com/attachment/201408/13/ 6249823_140790362571mj.png "width=" 208 "height=" 244 "/> Certificate information. So, using XFTP to pass the certificate to Windows, it's best to keep it in a good place and then rename it to Cacert.crt.



650) this.width=650; "Style=" border-right-0px; border-top-width:0px; border-bottom-width:0px; border-left-width:0px "title=" image "border=" 0 "alt=" image "src=" http://img1.51cto.com/attachment/201408/13/ 6249823_1407903682cd2k.png "width=" 651 "height=" "/> Import successfully, locate the certificate file, install the certificate into the trusted certificate.



650) this.width=650; "Style=" border-right-0px; border-top-width:0px; border-bottom-width:0px; border-left-width:0px "title=" image "border=" 0 "alt=" image "src=" http://img1.51cto.com/attachment/201408/13/ 6249823_1407903694xzsi.png "width=" 244 "height=" 106 "/> 650" this.width=650; "style=" border-right-0px; border-top-width:0px; border-bottom-width:0px; border-left-width:0px "title=" image "border=" 0 "alt=" image "src=" http://img1.51cto.com/attachment/201408/13/ 6249823_1407903719pt1c.png "width=" 244 "height=" 211 "/> Description begins the session based on SSL.



You want to verify the server's certificate, you as the client first want to have the CA's certificate. Let's try it using the command line:


[email protected] ~]# OpenSSL s_client-connect 192.168.1.121:443
CONNECTED (00000003)
Depth=0 C = cn, ST = Hebei, O = mageedu, OU = Ops, CN = www.aaabig.com
Verify error:num=20:unable to get local issuer certificate
Verify Return:1
Depth=0 C = cn, ST = Hebei, O = mageedu, OU = Ops, CN = www.aaabig.com
Verify Error:num=27:certificate Not trusted
Verify Return:1
Depth=0 C = cn, ST = Hebei, O = mageedu, OU = Ops, CN = www.aaabig.com
Verify error:num=21:unable to verify the first certificate
Verify Return:1
---
Certificate Chain
0 s:/c=cn/st=hebei/o=mageedu/ou=ops/cn=www.aaabig.com
I:/c=cn/st=hebei/l=baoding/o=mageedu/ou=ops/cn=caserver.mageedu.com
---
Server Certificate
-----BEGIN CERTIFICATE-----
Miidnjccah6gawibagibatanbgkqhkig9w0baqufadbumqswcqydvqqgewjdtjeo
Mawga1uecawfagvizwkxedaobgnvbacmb2jhb2rpbmcxedaobgnvbaomb21hz2vl
zhuxddakbgnvbasma29wczedmbsga1ueawwuy2fzzxj2zxiubwfnzwvkds5jb20w
Hhcnmtqwodeymte1mjuwwhcnmtuwmji4mte1mjuwwjbwmqswcqydvqqgewjdtjeo
Mawga1uecawfagvizwkxedaobgnvbaomb21hz2vlzhuxddakbgnvbasma29wczex
Q+jhvpz7hkpoxoenxeeircr+dxpvcqjzjjfp70jdepb3jj/aidrzmh716rndsrhf
lod/w9sid4niwg==
-----END CERTIFICATE-----
Subject=/c=cn/st=hebei/o=mageedu/ou=ops/cn=www.aaabig.com
Issuer=/c=cn/st=hebei/l=baoding/o=mageedu/ou=ops/cn=caserver.mageedu.com
---
No client certificate CA names sent
---
SSL handshake has read 1575 bytes and written 499 bytes
---
New, Tlsv1/sslv3, Cipher is dhe-rsa-aes256-gcm-sha384
Server Public key is a 1024x768 bit
Secure renegotiation is supported
Compression:none
Expansion:none
Ssl-session:
protocol:tlsv1.2
cipher:dhe-rsa-aes256-gcm-sha384
Session-id:0129f689ab259250e90701fc73ff0b79dd7b62d9bbf7c7c475a48eaa63dc8fd9
Session-id-ctx:
master-key:9dd25205b672fd9a6ecf51dc8df2ceee1f9dbd49962972dd01e6231b1f8a3b4aa6909fbb1ba33cbf36d6ad665b550976
Key-arg:none
Krb5 Principal:none
PSK Identity:none
PSK Identity Hint:none
TLS Session ticket Lifetime hint:300 (seconds)
TLS Session Ticket:
0000-1D 5e F8 d1 0a 81-8d B6 AB 3c E1 4a A3. ^....q....<c.j.
0010-4C ef c6 fe 0d 6e-e0 9e f5 [email protected]
0020-D9 bb c5 0f 96-22 e5 3c 7a fd C4 ... r8) ... ". 4<z ...
0030-55 FC BD 9d d3-71 e3 d4 F1 EE 2a 0b u....q0.q....*.
0040-23 eb to FA B8 7e 39-BC 8a E9-B5-D2
0050-e5 ae b7, 51-b3 bb d7 e6 7c, D4 b3. 2....q....| Y..
0060-3e 2f A0 5b, BB 30-e9 a6, d5, FC F5 >/. [W.. 0..R ". (..
0070-B2 3c 5c CE 06-7d C9 4b 24 02. (<\ ...}. 9H. k$.
0080-8c a6 DC 4d 65-FD 7d C7 98 C7 FB ... R.mde. .} ....
0090-F2 AC A9 7a ca c5 da-9b 4d f0 ..... z .... Mx.....
00a0-17 b5 0c fa 52-41 ae D8 2e + 2b C2. &amp .....
00b0-85 Ed 0b 6a f4 93-50-ee ba ee 9a ..... P (...)


Start time:1407901775
timeout:300 (SEC)
Verify return code:21 (Unable to Verify the first certificate) here says that the certificate cannot be verified. Only the other server identity cannot be verified, but the session can be established.



If we still want to validate the book, we can use the SCP command



[Email protected] ~]# SCP 192.168.1.121:/etc/pki/ca/cacert.pem ./Locate the location of the other CA certificate and place it locally.



650) this.width=650; "Style=" border-right-0px; border-top-width:0px; border-bottom-width:0px; border-left-width:0px "title=" image "border=" 0 "alt=" image "src=" http://img1.51cto.com/attachment/201408/13/ 6249823_1407903752julo.png "width=" 569 "height=" 304 "/> indicates that data can be obtained. SSL session communication is successful, we can use get HTTP host to get information



650) this.width=650; "Style=" border-right-0px; border-top-width:0px; border-bottom-width:0px; border-left-width:0px "title=" image "border=" 0 "alt=" image "src=" http://img1.51cto.com/attachment/201408/13/ 6249823_1407903770phkb.png "width=" 572 "height=" 364 "/> can also set keepalive!


Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.