HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is HTTP carried over a channel built for security; put simply, it is the secure version of HTTP. An SSL layer is inserted beneath HTTP, so the security of HTTPS rests on SSL and the details of the encryption are SSL's business. HTTPS uses a different default port from HTTP (443 instead of 80) and adds an encryption/authentication layer between HTTP and TCP. The result provides server authentication and encrypted communication, and it is now used everywhere on the web for security-sensitive traffic such as payments. Note that "SSL" here is the historical name: what is actually negotiated today is TLS, and the SSLv2 and SSLv3 protocol versions themselves are obsolete and must be disabled (the Apache directives below still carry the SSL prefix for compatibility).


How an SSL session is established:

1. The client and server exchange hello messages and negotiate the protocol version and the cipher suite that will be used for key exchange and encryption.

2. The server sends its certificate to the client. The client checks that the certificate chains to a CA it trusts, is within its validity period and was issued for the hostname it asked for (this is why the CA certificate is imported into the browser at the end of this article).

3. The client generates the pre-master secret and sends it to the server encrypted with the public key from the server's certificate (RSA key exchange; with DHE/ECDHE suites the two sides instead agree on it by Diffie-Hellman). Both sides then derive the same symmetric session keys from it.

4. From this point on the client can fetch pages from the server; the user's requests and the server's responses travel encrypted under the session keys.


The following is a detailed walkthrough of configuring Apache with SSL.

The httpd installed from rpm does not support SSL by itself; installing the mod_ssl module adds the support:

yum install mod_ssl

vim /etc/httpd/conf.d/ssl.conf

LoadModule ssl_module modules/mod_ssl.so

Listen 443

AddType application/x-x509-ca-cert .crt   MIME type for CA certificates (so a browser offers to import a served .crt)

AddType application/x-pkcs7-crl .crl   MIME type for certificate revocation lists

SSLPassPhraseDialog builtin   how to obtain the private key pass phrase at startup (builtin = prompt on the terminal; an unencrypted key, as generated below, is never asked for)

SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)   session cache shared across worker processes, so returning clients can resume a session without a full handshake

SSLSessionCacheTimeout 300   seconds a cached session stays valid

SSLRandomSeed startup file:/dev/urandom 256   seed for the PRNG at startup

SSLRandomSeed connect builtin   seed at connection time

SSLCryptoDevice builtin   crypto engine (builtin = OpenSSL in software; change this only if you have a hardware accelerator)

Only one name-based virtual host can be served over SSL per IP:port. The reason is that the server has to present a certificate before it has seen the HTTP Host header, so without SNI it cannot tell which name the client wants. Current browsers and httpd 2.2.12 and later support SNI, which lifts this restriction, but on the old stack shown here use one IP address (or port) per SSL site.

<VirtualHost _default_:443>

DocumentRoot "/vhosts/magedu.com"

ServerName www.magedu.com

ErrorLog logs/ssl_error_log

TransferLog logs/ssl_access_log   access log for the SSL vhost

LogLevel warn

SSLEngine on   enable SSL for this vhost

SSLProtocol all -SSLv2   protocol versions: "all" minus SSLv2. This is the stock default; SSLv3 is still enabled here and must be removed as well

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW   cipher list. Also the stock default; it still permits RC4 and LOW-strength ciphers, so tighten it before exposing the server

SSLCertificateFile /etc/pki/tls/certs/localhost.crt   certificate file (the placeholder self-signed certificate the mod_ssl package creates)

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key   private key file
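The stock vhost above is what ships with mod_ssl on CentOS 6, and its protocol and cipher settings are not acceptable today. The following is an added example (not from the original post) of the same vhost with the settings a current deployment would use; the paths are the ones this article ends up with once the CA has signed the server certificate.

```apache
# Added example: hardened version of the stock ssl.conf vhost.
Listen 443
<VirtualHost _default_:443>
    DocumentRoot "/vhosts/magedu.com"
    ServerName   www.magedu.com
    ErrorLog     logs/ssl_error_log
    TransferLog  logs/ssl_access_log
    LogLevel     warn

    SSLEngine on

    # Stock (weak): leaves SSLv3, RC4 and LOW-strength suites enabled.
    #   SSLProtocol all -SSLv2
    #   SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

    # Hardened: TLS 1.2 and 1.3 only, AEAD suites with forward secrecy,
    # server-side ordering, no TLS compression (CRIME).
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on
    SSLCompression off

    # Files produced later in this article by the private CA.
    SSLCertificateFile    /etc/httpd/conf/ssl/httpd.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl/httpd.key
</VirtualHost>
```

Two caveats: +TLSv1.3 is only understood by httpd 2.4.36 or later built against OpenSSL 1.1.1, so on the httpd 2.2/OpenSSL 1.0 stack this article uses write SSLProtocol -all +TLSv1.2 instead, and SSLCompression needs httpd 2.2.24/2.4.3 or later. Run httpd -t after editing to catch a directive the installed version does not know.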

 

Now set up the CA first.

cd /etc/pki/CA

vim ../tls/openssl.cnf

Change the following. dir sits in the [ CA_default ] section and tells openssl ca where its database, serial file and keys live; the *_default entries only pre-fill the prompts, which is worth doing because the stock policy_match policy requires country, state and organization to be identical between the CA certificate and every certificate it signs.

dir             = /etc/pki/CA

[ req_distinguished_name ]

countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Henan

localityName                    = Locality Name (eg, city)
localityName_default            = ZhengZhou

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = magedu.com

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Tech

commonName                      = Common Name (eg, your name or your server's hostname)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64
emailAddress_default            = admin@magedu.com

Generate the CA's private key. The umask in the subshell makes the file readable only by root, which the ll output confirms. The transcript uses 1024-bit RSA; that is too short today, so use 2048 bits or more for anything real.

[root@yangyue2 CA]# (umask 077; openssl genrsa 1024 > private/cakey.pem)

Generating RSA private key, 1024 bit long modulus

................................................++++++

.++++++

e is 65537 (0x10001)

[root@yangyue2 CA]# ll private/

total 4

-rw-------. 1 root root 887 Apr 19 08:01 cakey.pem

 

Generate the self-signed CA certificate. Without a -days option, openssl req -x509 issues it for only 30 days, after which every certificate it signed stops validating, so for a real CA add something like -days 3650.

[root@yangyue2 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

Country Name (2 letter code) [CN]:

State or Province Name (full name) [Henan]:

Locality Name (eg, city) [ZhengZhou]:

Organization Name (eg, company) [magedu.com]:

Organizational Unit Name (eg, section) [Tech]:

Common Name (eg, your name or your server's hostname) []:ca.magedu.com

Email Address [admin@magedu.com]:

 

Create the directories and files that openssl ca expects: newcerts keeps a copy of every issued certificate, index.txt is the CA database (it must exist, even empty), serial is the next serial number and crlnumber the next CRL number.

[root@yangyue2 CA]# mkdir newcerts certs crl

[root@yangyue2 CA]# touch index.txt

[root@yangyue2 CA]# echo 01 > serial

[root@yangyue2 CA]# echo 01 > crlnumber

 

Issue a certificate for the HTTP service. The key is again created with umask 077 so that only root (the user httpd starts as) can read it:

[root@yangyue2 CA]# cd /etc/httpd/conf

[root@yangyue2 conf]# mkdir ssl

[root@yangyue2 conf]# cd ssl

[root@yangyue2 ssl]# (umask 077; openssl genrsa 1024 > httpd.key)

Generating RSA private key, 1024 bit long modulus

...........................++++++

.......++++++

e is 65537 (0x10001)

 

Certificate signing request. The Common Name must be exactly the hostname clients will type, www.magedu.com here; note that current browsers match the hostname against the subjectAltName extension rather than the CN, which this old procedure does not set. Leave the challenge password empty: it is not used by openssl ca and only complicates the CSR.

[root@yangyue2 ssl]# openssl req -new -key httpd.key -out httpd.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [Henan]:

Locality Name (eg, city) [ZhengZhou]:

Organization Name (eg, company) [magedu.com]:

Organizational Unit Name (eg, section) [Tech]:

Common Name (eg, your name or your server's hostname) []:www.magedu.com

Email Address [admin@magedu.com]:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

 

Sign the certificate. openssl ca reads /etc/pki/tls/openssl.cnf, so it finds the CA key and the database under dir = /etc/pki/CA that was set above. The Locality entered in the CSR is missing from the Subject it prints: the stock policy_match policy lists only country, state, organization, OU, CN and email, and openssl ca silently drops any DN field the policy does not mention.

[root@yangyue2 ssl]# openssl ca -in httpd.csr -out httpd.crt

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Apr 19 00:11:46 2014 GMT

            Not After : Apr 19 00:11:46 2015 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = Henan

            organizationName          = magedu.com

            organizationalUnitName    = Tech

            commonName                = www.magedu.com

            emailAddress              = admin@magedu.com

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

                CA:8B:7D:A1:67:2D:E7:A8:8B:A4:D7:AD:FE:11:9D:F2:AF:48:C1:05

            X509v3 Authority Key Identifier:

                keyid:CF:6B:CE:CB:9F:F4:67:84:24:79:DF:2D:04:5A:7F:59:20:AE:CF:6C

Certificate is to be certified until Apr 19 00:11:46 2015 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

 

Edit the configuration file so the vhost uses the new certificate and key instead of the placeholder localhost.crt:

vim /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/httpd/conf/ssl/httpd.crt

SSLCertificateKeyFile /etc/httpd/conf/ssl/httpd.key

Start the service (check the syntax first with httpd -t; a certificate that does not match its key is reported here, in ssl_error_log, rather than at request time):

service httpd restart
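The CA and server-certificate steps above are interactive and easy to get subtly wrong (a 30-day CA certificate, a certificate that does not match its key, no subjectAltName). Below is an added example, not part of the original post, that performs the same procedure non-interactively and then runs the checks a practitioner would want before pointing httpd at the files. It assumes only that the openssl CLI is on PATH; every path lives under a throw-away directory passed as the first argument (a hypothetical stand-in for /etc/pki/CA and /etc/httpd/conf/ssl), and the openssl.cnf it writes is a constructed minimal replacement for /etc/pki/tls/openssl.cnf.

```shell
#!/bin/sh
# Added example (not the article's own commands): private CA + server cert,
# scripted. Requires the openssl CLI. Nothing under /etc is touched.
set -e

# issue_server_cert WORKDIR HOSTNAME
# Builds a CA under WORKDIR/CA, issues a certificate for HOSTNAME under
# WORKDIR/ssl, verifies the chain and the key/cert match, prints "OK".
issue_server_cert() {
  work="$1"; host="$2"
  ca="$work/CA"; ssl="$work/ssl"
  mkdir -p "$ca/private" "$ca/newcerts" "$ca/certs" "$ca/crl" "$ssl"
  : > "$ca/index.txt"          # CA database, must exist even if empty
  echo 01 > "$ca/serial"
  echo 01 > "$ca/crlnumber"

  # Constructed minimal openssl.cnf standing in for /etc/pki/tls/openssl.cnf.
  cnf="$work/openssl.cnf"
  cat > "$cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $ca
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
serial          = \$dir/serial
crlnumber       = \$dir/crlnumber
default_md      = sha256
default_days    = 365
policy          = policy_any
[ policy_any ]
commonName      = supplied
countryName     = optional
organizationName = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName      = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage        = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage        = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName  = DNS:$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

  # 1. CA key (mode 0600 via umask) and a 10-year self-signed CA cert.
  (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$cnf" -extensions v3_ca -days 3650 \
    -key "$ca/private/cakey.pem" -subj "/C=CN/O=magedu.com/CN=ca.magedu.com" \
    -out "$ca/cacert.pem"

  # 2. Server key and CSR; the SAN is added at signing time from [server_cert].
  (umask 077; openssl genrsa -out "$ssl/httpd.key" 2048 2>/dev/null)
  openssl req -new -config "$cnf" -key "$ssl/httpd.key" \
    -subj "/C=CN/O=magedu.com/CN=$host" -out "$ssl/httpd.csr"

  # 3. Sign with the CA; -batch answers the y/n prompts the article shows.
  openssl ca -config "$cnf" -batch -notext -extensions server_cert \
    -in "$ssl/httpd.csr" -out "$ssl/httpd.crt"

  # 4. Checks: chain verifies against the CA, and the key matches the cert.
  openssl verify -CAfile "$ca/cacert.pem" "$ssl/httpd.crt" >/dev/null
  certmod=$(openssl x509 -noout -modulus -in "$ssl/httpd.crt")
  keymod=$(openssl rsa -noout -modulus -in "$ssl/httpd.key" 2>/dev/null)
  [ "$certmod" = "$keymod" ] || { echo "key/cert mismatch" >&2; return 1; }
  echo "OK"
}

# Stand-alone run into a throw-away directory.
tmp=$(mktemp -d)
issue_server_cert "$tmp" www.magedu.com
echo "CA cert: $tmp/CA/cacert.pem   server cert: $tmp/ssl/httpd.crt" >&2
```

To reproduce the article's layout, run it with WORKDIR set to a staging directory and copy CA/ to /etc/pki/CA and ssl/ to /etc/httpd/conf/ssl; the two openssl checks at the end are worth keeping as a habit, since a mismatched key or an untrusted chain only shows up in ssl_error_log after the restart.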

 

Copy the CA certificate to the client machine:

/etc/pki/CA/cacert.pem

Rename it to cacert.crt (so the browser recognises it as a certificate) and import it into the browser's trusted root CA store. Browsing to https://www.magedu.com then works without a warning, provided the name resolves to the server (hosts file or DNS) and matches the certificate's Common Name. Import the CA certificate, not the server certificate, and only on machines you control: every certificate that cakey.pem ever signs will be trusted by that browser, so keep the CA key protected.