Self-signing HTTPS certificates

Source: Internet
Uploader: User


https

    http over ssl = https  443/tcp
        ssl: v3
        tls: v1
        https://

    Simplified flow of an SSL session
        (1) The client sends the cipher suites it can use and asks the server for its certificate;
        (2) The server sends its certificate and the selected cipher suite to the client;
        (3) The client obtains the certificate and validates it:
            if it trusts the CA that issued the certificate:
                (a) verify the origin of the certificate: decrypt the digital signature on the certificate with the CA's public key;
                (b) verify the legitimacy of the certificate contents: an integrity check;
                (c) check the certificate's validity period;
                (d) check whether the certificate has been revoked;
                (e) the owner name in the certificate must match the target host being accessed;
        (4) The client generates a temporary session key (a symmetric key), encrypts it with the server's public key and sends it to the server, completing the key exchange;
        (5) The server encrypts the requested resource with this secret key and responds to the client;

        Note: an SSL session is established per IP address, so a host with a single IP can run only one https virtual host;

    Terms to review: PKI, CA, CRL, X.509 (v1, v2, v3)

    Configuring httpd to support https:
        (1) Request a digital certificate for the server;
            for testing: issue the certificate from a privately built CA
                (a) create the private CA
                (b) create a certificate signing request on the server
                (c) the CA signs the certificate
        (2) Configure httpd to support ssl and to use the certificate;
            # yum -y install mod_ssl
            configuration file: /etc/httpd/conf.d/ssl.conf
                DocumentRoot
                ServerName
                SSLCertificateFile
                SSLCertificateKeyFile
        (3) Test access to the host over https;
            # openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]

Test walkthrough: centos7 at 192.168.244.101 acts as the CA server

    [[email protected] ~]# cd /etc/pki/CA/
    [[email protected] CA]# ls
    certs  crl  newcerts  private
    [[email protected] CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)   # generate the CA private key
    Generating RSA private key, 2048 bit long modulus
    ..........................................+++
    ........................+++
    e is 65537 (0x10001)
    [[email protected] CA]# ll
    total 0
    drwxr-xr-x. 2 root root  6 Jun 29  2015 certs
    drwxr-xr-x. 2 root root  6 Jun 29  2015 crl
    drwxr-xr-x. 2 root root  6 Jun 29  2015 newcerts
    drwx------. 2 root root 22 May  9 22:00 private
    [[email protected] CA]# ll private/
    total 4
    -rw-------. 1 root root 1675 May  9 22:00 cakey.pem
    [[email protected] CA]# ls
    certs  crl  newcerts  private
    [[email protected] CA]# touch index.txt
    [[email protected] CA]# echo 01 > serial
    [[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 7300  # create a self-signed certificate for the CA itself
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:FuJian
    Locality Name (eg, city) [Default City]:XiaMen
    Organization Name (eg, company) [Default Company Ltd]:wangsu
    Organizational Unit Name (eg, section) []:Tech
    Common Name (eg, your name or your server's hostname) []:www.fush.com
    Email Address []:[email protected]
    [[email protected] CA]# ll
    total 8
    -rw-r--r--. 1 root root 1407 May  9 22:05 cacert.pem
    drwxr-xr-x. 2 root root    6 Jun 29  2015 certs
    drwxr-xr-x. 2 root root    6 Jun 29  2015 crl
    -rw-r--r--. 1 root root    0 May  9 22:01 index.txt
    drwxr-xr-x. 2 root root    6 Jun 29  2015 newcerts
    drwx------. 2 root root   22 May  9 22:00 private
    -rw-r--r--. 1 root root    3 May  9 22:01 serial

On the web (httpd) server, 192.168.244.100:

    [[email protected] conf]# cd /etc/httpd/
    [[email protected] httpd]# mkdir ssl
    [[email protected] httpd]# cd ssl/
    [[email protected] ssl]# (umask 077;openssl genrsa -out httpd.key 1024)   ### generate the server key
    Generating RSA private key, 1024 bit long modulus
    .++++++
    .............++++++
    e is 65537 (0x10001)
    [[email protected] ssl]# ll
    total 4
    -rw------- 1 root root 891 Jun 13 07:35 httpd.key
    [[email protected] ssl]# openssl req -new -key httpd.key -out httpd.csr  ### generate the certificate signing request
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:FuJian
    Locality Name (eg, city) [Default City]:XiaMen
    Organization Name (eg, company) [Default Company Ltd]:wangsu
    Organizational Unit Name (eg, section) []:Tech
    Common Name (eg, your name or your server's hostname) []:www.web1.com
    Email Address []:[email protected]

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    [[email protected] ssl]# ll
    total 8
    -rw-r--r-- 1 root root 696 Jun 13 07:38 httpd.csr
    -rw------- 1 root root 891 Jun 13 07:35 httpd.key

Next, send httpd.csr to the CA server:

    [[email protected] ssl]# scp httpd.csr [email protected]:/tmp/

Sign the certificate on the CA server:

    [[email protected] CA]# openssl ca -in /tmp/httpd.csr -out certs/www.web1.com.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: May 10 02:30:52 2017 GMT
                Not After : May 10 02:30:52 2018 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = FuJian
                organizationName          = wangsu
                organizationalUnitName    = Tech
                commonName                = www.web1.com
                emailAddress              = [email protected]
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    84:0F:DF:DE:6B:A2:CE:38:5E:E3:A4:8D:64:00:9B:0D:9B:AA:7B:16
                X509v3 Authority Key Identifier:
                    keyid:AE:F2:75:4B:53:5B:9E:2E:30:1F:AE:09:48:EE:0C:87:D2:87:E8:D0
    Certificate is to be certified until May 10 02:30:52 2018 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [[email protected] CA]# ls
    cacert.pem  certs  crl  index.txt  index.txt.attr  index.txt.old  newcerts  private  serial  serial.old
    [[email protected] CA]# ls newcerts/
    01.pem
    [[email protected] CA]# ls certs/
    www.web1.com.crt

Copy the signed certificate back to the httpd server:

    [[email protected] CA]# scp certs/www.web1.com.crt 192.168.244.100:/etc/httpd/ssl

Next, configure httpd to use ssl:

    [[email protected] ssl]# yum install -y mod_ssl
    [[email protected] ssl]# httpd -M |grep ssl
     ssl_module (shared)
    [[email protected] ssl]# rpm -ql mod_ssl
    /etc/httpd/conf.d/ssl.conf
    /usr/lib64/httpd/modules/mod_ssl.so
    /var/cache/mod_ssl
    /var/cache/mod_ssl/scache.dir
    /var/cache/mod_ssl/scache.pag
    /var/cache/mod_ssl/scache.sem

Make a backup copy before editing:

    [[email protected] conf.d]# cp ssl.conf{,.bak}
    [[email protected] conf.d]# ll
    total 32
    -rw-r--r-- 1 root root  392 Jan 13  2017 README
    -rw-r--r-- 1 root root 9465 Dec 13  2016 ssl.conf
    -rw-r--r-- 1 root root 9465 Jun 13 08:11 ssl.conf.bak
    -rw-r--r-- 1 root root  299 Dec 13  2016 welcome.conf
    [[email protected] conf.d]# vim /etc/httpd/conf.d/ssl.conf

The main items to change:

    <VirtualHost *:443>
    DocumentRoot "/vhost/web1/htdocs"
    ServerName www.web1.com:443
    SSLCertificateFile /etc/httpd/ssl/www.web1.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

    [[email protected] conf.d]# ss  -tnl|grep 443
    LISTEN     0      128                      :::443                     :::*

Testing the certificate (with the openssl s_client command):

    # openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]
    [[email protected] CA]# openssl s_client -connect 192.168.244.100:443 -CAfile /etc/pki/CA/cacert.pem
    GET / HTTP/1.1
    Host: www.web1.com

Type the two request lines above (GET / HTTP/1.1 and Host: www.web1.com) into the open connection and press Enter twice to receive the content:

    HTTP/1.1 200 OK
    Date: Mon, 13 Jun 2016 00:47:59 GMT
    Server: Apache/2.2.15 (CentOS)
    Last-Modified: Sun, 12 Jun 2016 18:58:27 GMT
    ETag: "216dd-13-535195b6de019"
    Accept-Ranges: bytes
    Content-Length: 19
    Vary: Accept-Encoding
    Connection: close
    Content-Type: text/html; charset=UTF-8

    192.168.244.100:80
    closed
    [[email protected] CA]# openssl s_client -connect 192.168.244.100:443 -servername www.web1.com

Testing through a browser: the browser must first import the CA certificate.
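The same private-CA flow, scripted non-interactively, with the client-side checks from step (3) run against the result. This is an added example, not the post's own session: it uses `openssl x509 -req` in place of the post's `openssl ca` so it needs no /etc/pki/CA database (index.txt, serial, newcerts), it uses 2048-bit server keys rather than 1024, and it adds a subjectAltName, which current clients require; the DN values and hostname are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive private CA
# (CA key + self-signed root), server key + CSR, CA signature, then the
# checks a client makes in step (3). Uses `openssl x509 -req` instead of
# `openssl ca` so no /etc/pki/CA database is needed. All names constructed.
set -eu

build_and_verify() {
    host="$1"                                  # name the server cert is issued for
    work=$(mktemp -d)
    dn="/C=CN/ST=FuJian/L=XiaMen/O=wangsu/OU=Tech"

    # (a) private CA: key created under umask 077 (mode 0600), root valid 20 years
    (umask 077; openssl genrsa -out "$work/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$work/cakey.pem" -out "$work/cacert.pem" \
        -days 7300 -subj "$dn/CN=Test Private CA" 2>/dev/null

    # (b) server key and CSR; 2048 bits rather than the post's 1024
    (umask 077; openssl genrsa -out "$work/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$work/httpd.key" -out "$work/httpd.csr" \
        -subj "$dn/CN=$host" 2>/dev/null

    # (c) CA signs for one year. The SAN is what clients actually match on;
    #     a CN alone is rejected by current browsers.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" > "$work/ext.cnf"
    openssl x509 -req -in "$work/httpd.csr" -CA "$work/cacert.pem" \
        -CAkey "$work/cakey.pem" -CAcreateserial -days 365 \
        -extfile "$work/ext.cnf" -out "$work/$host.crt" 2>/dev/null

    # Client checks (3)(a)-(c) and (e): signature chains to our CA, validity
    # window is current, and the certificate name matches the target host.
    openssl verify -CAfile "$work/cacert.pem" "$work/$host.crt" | grep -q ': OK$'
    openssl x509 -in "$work/$host.crt" -noout -checkhost "$host" | grep -q 'does match'

    # Negative check: connecting by bare IP, as the post's s_client test does,
    # fails name validation in a browser because the cert carries no IP SAN.
    if openssl x509 -in "$work/$host.crt" -noout -checkip 192.168.244.100 \
            | grep -q 'does match'; then
        echo "unexpected: certificate matches the bare IP" >&2
        return 1
    fi
    echo "$work"                               # directory holding cacert.pem and $host.crt
}
```

Call `build_and_verify www.web1.com`; it prints the working directory on success and exits non-zero if any of the checks fails.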

 

18. Tools bundled with httpd
    htpasswd: generates the account/password file used when basic authentication is file-based;
    apachectl: httpd's built-in service control script; supports start, stop;
    apxs: provided by the httpd-devel package; tool for extending httpd with third-party modules;
    rotatelogs: log rotation tool;
        access.log -->
        access.log, access.1.log
        access.log, access.1.log, access.2.log
    suexec: when accessing resources with special permission configuration, temporarily switches to the specified user to run;
    ab: apache benchmark

19. http load-testing tools
    ab
    webbench
    http_load
    jmeter
    loadrunner
    tcpcopy

    ab [OPTIONS] URL
        -n: total number of requests
        -c: number of simulated concurrent requests (roughly, how many users request at the same time)
        -k: test in persistent-connection (keep-alive) mode

    ulimit -n #: adjust the number of files the current user may have open at the same time;

Test example:

    [[email protected] CA]# ab -c 100 -n 10000 http://192.168.244.100/deflate.html
    This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
    Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
    Licensed to The Apache Software Foundation, http://www.apache.org/

    Benchmarking 192.168.244.100 (be patient)
    Completed 1000 requests
    Completed 2000 requests
    Completed 3000 requests
    Completed 4000 requests
    Completed 5000 requests
    Completed 6000 requests
    Completed 7000 requests
    Completed 8000 requests
    Completed 9000 requests
    Completed 10000 requests
    Finished 10000 requests


    Server Software:        Apache/2.2.15
    Server Hostname:        192.168.244.100
    Server Port:            80

    Document Path:          /deflate.html
    Document Length:        20097 bytes

    Concurrency Level:      100
    Time taken for tests:   9.905 seconds
    Complete requests:      10000
    Failed requests:        0
    Write errors:           0
    Total transferred:      203920000 bytes
    HTML transferred:       200970000 bytes
    Requests per second:    1009.59 [#/sec] (mean)
    Time per request:       99.050 [ms] (mean)
    Time per request:       0.991 [ms] (mean, across all concurrent requests)
    Transfer rate:          20105.06 [Kbytes/sec] received

    Connection Times (ms)
                  min  mean[+/-sd] median   max
    Connect:        0    2   7.6      0     122
    Processing:    15   96  56.9     76     443
    Waiting:        2   91  53.8     70     423
    Total:         47   98  57.8     77     443

    Percentage of the requests served within a certain time (ms)
      50%     77
      66%     89
      75%    108
      80%    122
      90%    163
      95%    218
      98%    297
      99%    332
     100%    443 (longest request)
