https介绍

      HTTPS(全称:Hypertext Transfer Protocol over Secure Socket Layer),是以安全为目标的HTTP通道,简单讲是HTTP的安全版。即HTTP下加入SSL层,HTTPS的安全基础是SSL,因此加密的详细内容就需要SSL。 它是一个URI scheme(抽象标识符体系),句法类同http:体系。用于安全的HTTP数据传输。https:URL表明它使用了HTTP,但HTTPS存在不同于HTTP的默认端口及一个加密/身份验证层(在HTTP与TCP之间)。这个系统的最初研发由网景公司进行,提供了身份验证与加密通讯方法,现在它被广泛用于万维网上安全敏感的通讯,例如交易支付方面。

采用https的服务器必须从CA (Certificate Authority)申请一个用于证明服务器用途类型的证书。该证书只有用于对应的服务器的时候,客户端才信任此主机。所以目前所有的银行系统网站,关键部分应用都是https 的。客户通过信任该证书,从而信任了该主机。其实这样做效率很低,但是银行更侧重安全。这一点对我们没有任何异议,我们的服务器,采用的证书不管是自己发布的还是从公众的地方发布的,其客户端都是自己人,所以我们也就肯定信任该服务器。

HTTP和HTTPS的区别

     HTTP和HTTPS使用的是完全不同的连接方式,用的端口也不一样,前者是80,后者是443。HTTP的连接很简单,是无状态的, HTTPS协议是由SSL+HTTP协议构建

的可进行加密传输、身份认证的网络协议要比HTTP协议安全。

 

SSL介绍

     SSL (Secure Socket Layer)  为Netscape所研发,用以保障在Internet上数据传输之安全,利用数据加密(Encryption)技术,可确保数据在网络上之传输过程中不会被截取及窃听。目前一般通用之规格为40 bit之安全标准,美国则已推出128 bit之更高安全标准,但限制出境。只要3.0版本以上之I.E.或Netscape浏览器即可支持SSL。

当前版本为3.0。它已被广泛地用于Web浏览器与服务器之间的身份认证和加密数据传输。

     SSL协议位于TCP/IP协议与各种应用层协议之间,为数据通讯提供安全支持。SSL协议可分为两层:SSL记录协议(SSL Record Protocol):它建立在可靠的传输协议(如TCP)之上,为高层协议提供数据封装、压缩、加密等基本功能的支持。SSL握手协议(SSL Handshake Protocol):它建立在SSL记录协议之上,用于在实际的数据传输开始前,通讯双方进行身份认证、协商加密算法、交换加密密钥等。

      SSL协议提供的服务主要有哪些? 1)认证用户和服务器,确保数据发送到正确的客户机和服务器2)加密数据以防止数据中途被窃取3)维护数据的完整性,确保数据在传输过程中不被改变。

     SSL协议的工作流程 服务器认证阶段:1)客户端向服务器发送一个开始信息“Hello”以便开始一个新的会话连接;2)服务器根据客户的信息确定是否需要生成新的主密钥,如需要则服务器在响应客户的“Hello”信息时将包含生成主密钥所需的信息;3)客户根据收到的服务器响应信息,产生一个主密钥,并用服务器的公开密钥加密后传给服务器;4)服务器恢复该主密钥,并返回给客户一个用主密钥认证的信息,以此让客户认证服务器。

     用户认证阶段 在此之前,服务器已经通过了客户认证,这一阶段主要完成对客户的认证。经认证的服务器发送一个提问给客户,客户则返回(数字)签名后的提问和其公开密钥,从而向服务器提供认证。 从SSL 协议所提供的服务及其工作流程可以看出,SSL协议运行的基础是商家对消费者信息保密的承诺,这就有利于商家而不利于消费者。在电子商务初级阶段,由于运作电子商务的企业大多是信誉较高的大公司,因此这问题还没有充分暴露出来。但随着电子商务的发展,各中小型公司也参与进来,这样在电子支付过程中的单一认证问题就越来越突出。虽然在SSL3.0中通过数字签名数字证书可实现浏览器和Web服务器双方的身份验证,但是SSL协议仍存在一些问题,比如,只能提供交易中客户与服务器间的双方认证,在涉及多方的电子交易中,SSL协议并不能协调各方间的安全传输和信任关系。在这种情况下,Visa和MasterCard两大信用卡公组织制定了SET协议,为网上信用卡支付提供了全球性的标准。

配置

web服务器(ip 192.168.10.1):

[root@localhost ~]# mount /dev/cdrom /mnt/cdrom

[root@localhost ~]# yum install httpd

[root@localhost ~]# service httpd start

[root@localhost ~]# cd /var/www/html      //网站主目录

[root@localhost html]# echo "welcome to here!!"  >index.html    //修改主页面

[root@localhost ~]# service httpd restart

测试:

image

建CA:

[root@localhost ~]# vim /etc/pki/tls/openssl.cnf

45 dir             = /etc/pki/CA           # Where everything is kept                  //和证书有关的都放在此目录
46 certs           = $dir/certs            # Where the issued certs are kept       //证书存放目录
47 crl_dir         = $dir/crl              # Where the issued crl are kept              //证书吊销列表存放目录
48 database        = $dir/index.txt        # database index file.                      //数据库存放文件
49 #unique_subject = no                    # Set to 'no' to allow creation of
50                                         # several ctificates with same subject.
51 new_certs_dir   = $dir/newcerts         # default place for new certs.         //新证书存放目录
52
53 certificate     = $dir/cacert.pem       # The CA certificate                         //发证机关的证书
54 serial          = $dir/serial           # The current serial number                   //证书序列号
55 crlnumber       = $dir/crlnumber        # the current crl number
56                                         # must be commented out to leave a V1 CRL
57 crl             = $dir/crl.pem          # The current CRL
58 private_key     = $dir/private/cakey.pem# The private key                       //证书私钥文件
59 RANDFILE        = $dir/private/.rand    # private random number file
60
61 x509_extensions = usr_cert              # The extentions to add to the cert

所以需要创建 certs,crl,newcerts目录和index.txt,serial 文件

[root@localhost ~]# cd /etc/pki
[root@localhost pki]# ll
总计 32
drwx------ 3 root root 4096 2012-08-11 CA
drwxr-xr-x 2 root root 4096 2012-08-11 nssdb
drwxr-xr-x 2 root root 4096 2012-08-11 rpm-gpg
drwxr-xr-x 5 root root 4096 2012-08-11 tls
[root@localhost pki]# cd CA/
[root@localhost CA]# mkdir certs crl newcerts
[root@localhost CA]# touch index.txt   serial
[root@localhost CA]# ll
总计 20
drwxr-xr-x 2 root root 4096 08-11 16:00 certs
drwxr-xr-x 2 root root 4096 08-11 16:00 crl
-rw-r--r-- 1 root root    0 08-11 16:01 index.txt
drwxr-xr-x 2 root root 4096 08-11 16:00 newcerts
drwx------ 2 root root 4096 2009-06-30 private
-rw-r--r-- 1 root root    0 08-11 16:01 serial
[root@localhost CA]# echo "01" >;serial             //给一个初始序列号

[root@localhost CA]# openssl genrsa 1024  >;private/cakey.pem     //生成私钥文件,rsa算法,1024位加密。
Generating RSA private key, 1024 bit long modulus
.......++++++
.++++++
e is 65537 (0x10001)

[root@localhost CA]# ll private/cakey.pem
-rw-r--r-- 1 root root 887 08-11 16:21 private/cakey.pem

为了安全考虑,需要修改私钥文件的权限。
[root@localhost CA]# chmod 600 private/cakey.pem

[root@localhost CA]# ll private/cakey.pem
-rw------- 1 root root 887 08-11 16:21 private/cakey.pem

[root@localhost CA]# openssl req -new -key private/cakey.pem  -x509 -out  cacert.pem -days 3650  //利用私钥生成证书,类型x509,有效期10年。
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
You have mail in /var/spool/mail/root

为了方便。可以修改默认值。

[root@localhost CA]# vim /etc/pki/tls/openssl.cnf

87 [ policy_match ]
88 countryName             = optional             //允许和颁发机构不同的国家进行证书申请。
89 stateOrProvinceName     = optional         //允许和颁发机构不同的省市进行证书申请。
90 organizationName        = optional          //允许和颁发机构不同的单位进行证书申请。
91 organizationalUnitName  = optional
92 commonName              = supplied
93 emailAddress            = optional
94

133
134 [ req_distinguished_name ]
135 countryName                     = Country Name (2 letter code)
136 countryName_default             = CN       //国家   设为中国
137 countryName_min                 = 2
138 countryName_max                 = 2
139
140 stateOrProvinceName             = State or Province Name (full name)
141 stateOrProvinceName_default     = HENAN        //省  设为北京
142
143 localityName                    = Locality Name (eg, city)
144 localityName_default            = ZHENGZHOU            //市  设为北京
145
146 0.organizationName              = Organization Name (eg, company)
147 0.organizationName_default      = My Company Ltd
148

[root@localhost CA]# openssl req -new -key private/cakey.pem  -x509 -out  cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HENAN]:
Locality Name (eg, city) [ZHENGZHOU]:
Organization Name (eg, company) [My Company Ltd]:ZZDX      //公司
Organizational Unit Name (eg, section) []:XINXI                          //部门
Common Name (eg, your name or your server's hostname) []:zzdx.abc.com   //颁发机构主机名
Email Address []:
[root@localhost CA]#

WEB服务器

[root@localhost CA]# mkdir -pv /etc/httpd/certs    //为服务器创建存放证书的目录

[root@localhost CA]# cd  /etc/httpd/certs/
[root@localhost certs]# ll
总计 0
[root@localhost certs]# openssl genrsa 1024 >;httpd.key          //生成私钥文件,rsa算法,1024位加密。

Generating RSA private key, 1024 bit long modulus
......++++++
.........................++++++
e is 65537 (0x10001)
[root@localhost certs]# openssl req -new -key httpd.key -out httpd.csr   //利用私钥文件申请证书
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:henan
Locality Name (eg, city) [BEIJING]:zhengzhou
Organization Name (eg, company) [My Company Ltd]:zzdx
Organizational Unit Name (eg, section) []:xinxi
Common Name (eg, your name or your server's hostname) []:zzdx.abc.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   //挑战报文密码
An optional company name []:   
[root@localhost certs]# ll
总计 8
-rw-r--r-- 1 root root 643 08-11 16:53 httpd.csr
-rw-r--r-- 1 root root 887 08-11 16:51 httpd.key
[root@localhost certs]# openssl ca -in httpd.csr -out httpd.cert     //生成证书
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug 11 08:54:04 2012 GMT
            Not After : Aug 11 08:54:04 2013 GMT
Subject:
            countryName               = CN
            stateOrProvinceName       = henan
            organizationName          = zzdx
            organizationalUnitName    = xinxi 
            commonName                = zzdx.abc.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                AA:38:0C:7F:6A:6D:88:6E:EE:5A:F5:BF:D7:C7:C5:8D:4E:92:AE:85
            X509v3 Authority Key Identifier:
                keyid:3D:60:9D:7A:34:73:89:5C:50:7A:DC:FF:82:98:D3:F8:1F:A1:A8:D8

Certificate is to be certified until Aug 11 08:54:04 2013 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@localhost certs]# chmod 600 *     //安全考虑
[root@localhost certs]# ll
总计 12
-rw------- 1 root root 3053 08-11 16:54 httpd.cert
-rw------- 1 root root  643 08-11 16:53 httpd.csr
-rw------- 1 root root  887 08-11 16:51 httpd.key

SSL:

[root@localhost certs]# cd /mnt/cdrom/Server/
[root@localhost Server]# yum install mod_ssl
Loaded plugins: rhnplugin, security
This system is not registered with RHN.
RHN support will be disabled.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.i386 1:2.2.3-31.el5 set to be updated
--> Processing Dependency: libdistcache.so.1 for package: mod_ssl
--> Processing Dependency: libnal.so.1 for package: mod_ssl
--> Running transaction check
---> Package distcache.i386 0:1.4.5-14.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=========================================================================================
Package             Arch           Version                  Repository             Size
=========================================================================================
Installing:
mod_ssl             i386           1:2.2.3-31.el5           rhel-server            88 k
Installing for dependencies:
distcache           i386           1.4.5-14.1               rhel-server           120 k

Transaction Summary
=========================================================================================
Install      2 Package(s)        
Update       0 Package(s)        
Remove       0 Package(s)      

Total download size: 208 k
Is this ok [y/N]: y
Downloading Packages:
-----------------------------------------------------------------------------------------
Total                                                     24 MB/s | 208 kB     00:00    
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : distcache                                                         1/2
  Installing     : mod_ssl                                                           2/2

Installed:
  mod_ssl.i386 1:2.2.3-31.el5                                                         

Dependency Installed:
  distcache.i386 0:1.4.5-14.1                                                         

Complete!

[root@localhost Server]# cd /etc/httpd/conf.d/
[root@localhost conf.d]# ll
总计 24
-rw-r--r-- 1 root root  566 2009-07-15 proxy_ajp.conf
-rw-r--r-- 1 root root  392 2009-07-15 README
-rw-r--r-- 1 root root 9677 2009-07-15 ssl.conf
-rw-r--r-- 1 root root  299 2009-07-15 welcome.conf
[root@localhost conf.d]# vim ssl.conf

我们需要指明证书,私钥的文件所在

107 #   Server Certificate:
108 # Point SSLCertificateFile at a PEM encoded certificate.  If
109 # the certificate is encrypted, then you will be prompted for a
110 # pass phrase.  Note that a kill -HUP will prompt again.  A new
111 # certificate can be generated using the genkey(1) command.
112 SSLCertificateFile /etc/httpd/certs/httpd.cert         //证书存放目录
113
114 #   Server Private Key:
115 #   If the key is not combined with the certificate, use this
116 #   directive to point at the key file.  Keep in mind that if
117 #   you've both a RSA and a DSA private key you can configure
118 #   both in parallel (to also allow the use of DSA ciphers, etc.)
119 SSLCertificateKeyFile /etc/httpd/certs/httpd.key     //私钥存放目录

SSLCertificateChainFile /etc/pki/CA/cacert.pem        //指明证书链目录

[root@localhost conf.d]# service httpd configtest        //检测语法
Syntax OK
[root@localhost conf.d]# service httpd restart
停止 httpd:                                               [确定]
启动 httpd:                                               [确定]

测试:

image

 

安装证书:

image

测试:

image