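How HTTPS works
1. HTTP, the Hypertext Transfer Protocol, uses TCP port 80, and by default its data is sent in plaintext, so it can be captured with a packet sniffer. For that reason, on the Internet the HTTP servers of more important sites need to use PKI (public key infrastructure) technology to encrypt the data. That is HTTPS.
HTTPS, the secure Hypertext Transfer Protocol, uses TCP port 443. Its data is encrypted with the public key from the PKI, so even if a packet sniffer captures the packets it cannot read their contents, which greatly improves security; decrypting the data requires the private key from the PKI. Sites with higher security requirements, such as online banking and e-commerce sites, therefore need to be accessed over HTTPS.
The security foundation of HTTPS is SSL, so the details of the encryption are handled by SSL. HTTPS is a URI scheme whose syntax is the same as that of the http: scheme, and it is used for secure HTTP data transfer. An https: URL indicates that HTTP is used, but HTTPS has a different default port from HTTP and an encryption/authentication layer (between HTTP and TCP). The system was originally developed by Netscape to provide authentication and encrypted communication, and it is now widely used for security-sensitive communication on the World Wide Web, such as payment transactions.
SSL authentication process:
2. Server authentication phase:
1) The client sends the server an initial "Hello" message to start a new session connection;
2) Based on the client's message, the server determines whether a new master key needs to be generated; if so, the server's response to the client's "Hello" includes the information needed to generate the master key;
3) Based on the server's response, the client generates a master key, encrypts it with the server's public key, and sends it to the server;
4) The server recovers the master key and returns to the client a message authenticated with the master key, which lets the client authenticate the server.
3. Introduction to SSL
① The client's browser sends the server the client's SSL protocol version, the types of encryption algorithms, a generated random number, and the other information the server and client need in order to communicate.
② The server sends the client its SSL protocol version, the types of encryption algorithms, a random number and other related information, and it also sends the client its own certificate.
③ The client uses the information sent by the server to verify the server's legitimacy, which covers: whether the certificate has expired, whether the CA that issued the server certificate is trusted, whether the issuer certificate's public key correctly verifies the "issuer's digital signature" on the server certificate, and whether the domain name on the server certificate matches the server's actual domain name. If verification fails, the communication is dropped; if it succeeds, the handshake continues with step ④.
④ The client randomly generates a "symmetric secret" for the later communication, encrypts it with the server's public key (obtained from the server certificate in step ②), and sends the encrypted "pre-master secret" to the server.
⑤ If the server requires client authentication (optional during the handshake), the client can create a random number and sign it, then send this signed random number together with the client's own certificate and the encrypted "pre-master secret" to the server.
⑥ If the server requires client authentication, the server must check the validity of the client certificate and the signed random number. The validation covers: whether the client certificate's validity dates are current, whether the CA that issued the client certificate is trusted, whether the issuing CA's public key correctly verifies the issuing CA's digital signature on the client certificate, and whether the client certificate is on the certificate revocation list (CRL). If the check fails, the communication is terminated immediately; if it passes, the server uses its own private key to decrypt the encrypted "pre-master secret" and then performs a series of steps to derive the master secret (the client derives the same master secret in the same way).
⑦ The server and the client use the same master secret, the "session secret", as a symmetric key for encrypting and decrypting the secure data communication of the SSL protocol. During SSL communication the integrity of the data is also ensured, to prevent any change to the data in transit.
⑧ The client sends the server a message stating that the following data communication will use the master secret from step ⑦ as the symmetric key, and notifies the server that the client's side of the handshake is finished.
⑨ The server sends the client a message stating that the following data communication will use the master secret from step ⑦ as the symmetric key, and notifies the client that the server's side of the handshake is finished.
⑩ The SSL handshake ends and data communication over the SSL secure channel begins. The client and server use the same symmetric key for data communication and also check the integrity of the communication.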
Web server (IP 192.168.10.1):
[root@localhost ~]# mount /dev/cdrom /mnt/cdrom
[root@localhost ~]# yum install httpd
[root@localhost ~]# service httpd start
[root@localhost ~]# cd /var/www/html   # web site document root
[root@localhost html]# echo "welcome to here!!" > index.html   # write the home page
[root@localhost ~]# service httpd restart
Test:
Create the CA:
[root@localhost ~]# vim /etc/pki/tls/openssl.cnf
dir = /etc/pki/CA # Where everything is kept (all certificate-related files live under this directory)
certs = $dir/certs # Where the issued certs are kept (certificate directory)
crl_dir = $dir/crl # Where the issued crl are kept (certificate revocation list directory)
database = $dir/index.txt # database index file. (database file)
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs. (directory for new certificates)

certificate = $dir/cacert.pem # The CA certificate (the issuing authority's certificate)
serial = $dir/serial # The current serial number (certificate serial number)
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key (the CA private key file)
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extentions to add to the cert
So the certs, crl and newcerts directories and the index.txt and serial files need to be created.
[root@localhost ~]# cd /etc/pki
[root@localhost pki]# ll
總計 32
drwx------ 3 root root 4096 2012-08-11 CA
drwxr-xr-x 2 root root 4096 2012-08-11 nssdb
drwxr-xr-x 2 root root 4096 2012-08-11 rpm-gpg
drwxr-xr-x 5 root root 4096 2012-08-11 tls
[root@localhost pki]# cd CA/
[root@localhost CA]# mkdir certs crl newcerts
[root@localhost CA]# touch index.txt serial
[root@localhost CA]# ll
總計 20
drwxr-xr-x 2 root root 4096 08-11 16:00 certs
drwxr-xr-x 2 root root 4096 08-11 16:00 crl
-rw-r--r-- 1 root root 0 08-11 16:01 index.txt
drwxr-xr-x 2 root root 4096 08-11 16:00 newcerts
drwx------ 2 root root 4096 2009-06-30 private
-rw-r--r-- 1 root root 0 08-11 16:01 serial
[root@localhost CA]# echo "01" > serial   # set an initial serial number
[root@localhost CA]# openssl genrsa 1024 > private/cakey.pem   # generate the private key file: RSA, 1024 bits
Generating RSA private key, 1024 bit long modulus
.......++++++
.++++++
e is 65537 (0x10001)
[root@localhost CA]# ll private/cakey.pem
-rw-r--r-- 1 root root 887 08-11 16:21 private/cakey.pem
For security, the permissions on the private key file need to be changed.
[root@localhost CA]# chmod 600 private/cakey.pem
[root@localhost CA]# ll private/cakey.pem
-rw------- 1 root root 887 08-11 16:21 private/cakey.pem
[root@localhost CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem -days 3650   # create the certificate from the private key: type x509, valid for 10 years
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
You have mail in /var/spool/mail/root
For convenience, the default values can be changed.
[root@localhost CA]# vim /etc/pki/tls/openssl.cnf
[ policy_match ]
countryName = optional # allow certificate requests from a different country than the issuing authority
stateOrProvinceName = optional # allow certificate requests from a different province or city than the issuing authority
organizationName = optional # allow certificate requests from a different organization than the issuing authority
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN # default country: China
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = HENAN # default province

localityName = Locality Name (eg, city)
localityName_default = ZHENGZHOU # default city

0.organizationName = Organization Name (eg, company)
0.organizationName_default = My Company Ltd

[root@localhost CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HENAN]:
Locality Name (eg, city) [ZHENGZHOU]:
Organization Name (eg, company) [My Company Ltd]:ZZDX   # company
Organizational Unit Name (eg, section) []:XINXI   # department
Common Name (eg, your name or your server's hostname) []:zzdx.abc.com   # host name of the issuing authority
Email Address []:
[root@localhost CA]#
Web server
[root@localhost CA]# mkdir -pv /etc/httpd/certs   # create a directory to hold the server's certificate
[root@localhost CA]# cd /etc/httpd/certs/
[root@localhost certs]# ll
總計 0
[root@localhost certs]# openssl genrsa 1024 > httpd.key   # generate the private key file: RSA, 1024 bits
Generating RSA private key, 1024 bit long modulus
......++++++
.........................++++++
e is 65537 (0x10001)
[root@localhost certs]# openssl req -new -key httpd.key -out httpd.csr   # create a certificate request from the private key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:henan
Locality Name (eg, city) [BEIJING]:zhengzhou
Organization Name (eg, company) [My Company Ltd]:zzdx
Organizational Unit Name (eg, section) []:xinxi
Common Name (eg, your name or your server's hostname) []:zzdx.abc.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   # challenge password
An optional company name []:
[root@localhost certs]# ll
總計 8
-rw-r--r-- 1 root root 643 08-11 16:53 httpd.csr
-rw-r--r-- 1 root root 887 08-11 16:51 httpd.key
[root@localhost certs]# openssl ca -in httpd.csr -out httpd.cert   # issue the certificate
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 11 08:54:04 2012 GMT
Not After : Aug 11 08:54:04 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = henan
organizationName = zzdx
organizationalUnitName = xinxi
commonName = zzdx.abc.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AA:38:0C:7F:6A:6D:88:6E:EE:5A:F5:BF:D7:C7:C5:8D:4E:92:AE:85
X509v3 Authority Key Identifier:
keyid:3D:60:9D:7A:34:73:89:5C:50:7A:DC:FF:82:98:D3:F8:1F:A1:A8:D8
Certificate is to be certified until Aug 11 08:54:04 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost certs]# chmod 600 *   # for security
[root@localhost certs]# ll
總計 12
-rw------- 1 root root 3053 08-11 16:54 httpd.cert
-rw------- 1 root root 643 08-11 16:53 httpd.csr
-rw------- 1 root root 887 08-11 16:51 httpd.key
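The checks from step ③ and the CA and server certificate procedure above, as an added example that is not part of the original page: it builds a throwaway CA and server certificate in a temporary directory and runs the chain, host name and expiry checks with openssl. It signs with "openssl x509 -req" instead of the page's "openssl ca", and the 2048-bit keys, SHA-256, subjectAltName entry, function names and other.example.com are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original page); all files and names are constructed.
set -eu
WORK=$(mktemp -d)
HOST=zzdx.abc.com     # host name used on the page
umask 077             # key files are created owner-only, no chmod needed afterwards
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
EOF
echo "subjectAltName = DNS:$HOST" > "$WORK/san.cnf"

make_ca() {   # $1 = file prefix, $2 = CA common name
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -x509 -config "$WORK/ca.cnf" -key "$WORK/$1.key" \
        -subj "/CN=$2" -sha256 -days 3650 -out "$WORK/$1.pem"
}

issue_server_cert() {   # assumption: signs with "x509 -req", not the page's "openssl ca"
    openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null
    openssl req -new -config "$WORK/ca.cnf" -key "$WORK/httpd.key" \
        -subj "/CN=$HOST" -out "$WORK/httpd.csr"
    openssl x509 -req -in "$WORK/httpd.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$WORK/san.cnf" \
        -out "$WORK/httpd.cert" 2>/dev/null
}

# Chain, signature and host name check. $1 = trusted CA prefix, $2 = requested host.
check_server() {
    if openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$2" \
        "$WORK/httpd.cert" 2>/dev/null | grep -q ': OK$'
    then echo OK; else echo FAIL; fi
}

# Expiry check: FAIL when the certificate expires within $1 days.
check_expiry() {
    if openssl x509 -in "$WORK/httpd.cert" -noout -checkend $(( $1 * 86400 )) >/dev/null
    then echo OK; else echo FAIL; fi
}

make_ca ca "Demo CA"; make_ca other "Unrelated CA"; issue_server_cert
echo "trusted CA, matching host: $(check_server ca "$HOST")"
echo "trusted CA, other host:    $(check_server ca other.example.com)"
echo "CA the client lacks:       $(check_server other "$HOST")"
echo "valid 30 more days: $(check_expiry 30); valid 400 more days: $(check_expiry 400)"
```

The 400-day expiry check fails by design, because the certificate is issued for 365 days; the same call with a shorter window is a usable renewal alarm.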
SSL:
[root@localhost certs]# cd /mnt/cdrom/Server/
[root@localhost Server]# yum install mod_ssl
Loaded plugins: rhnplugin, security
This system is not registered with RHN.
RHN support will be disabled.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.i386 1:2.2.3-31.el5 set to be updated
--> Processing Dependency: libdistcache.so.1 for package: mod_ssl
--> Processing Dependency: libnal.so.1 for package: mod_ssl
--> Running transaction check
---> Package distcache.i386 0:1.4.5-14.1 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
=========================================================================================
Package Arch Version Repository Size
=========================================================================================
Installing:
mod_ssl i386 1:2.2.3-31.el5 rhel-server 88 k
Installing for dependencies:
distcache i386 1.4.5-14.1 rhel-server 120 k
Transaction Summary
=========================================================================================
Install 2 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 208 k
Is this ok [y/N]: y
Downloading Packages:
-----------------------------------------------------------------------------------------
Total 24 MB/s | 208 kB 00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : distcache 1/2
Installing : mod_ssl 2/2
Installed:
mod_ssl.i386 1:2.2.3-31.el5
Dependency Installed:
distcache.i386 0:1.4.5-14.1
Complete!
[root@localhost Server]# cd /etc/httpd/conf.d/
[root@localhost conf.d]# ll
總計 24
-rw-r--r-- 1 root root 566 2009-07-15 proxy_ajp.conf
-rw-r--r-- 1 root root 392 2009-07-15 README
-rw-r--r-- 1 root root 9677 2009-07-15 ssl.conf
-rw-r--r-- 1 root root 299 2009-07-15 welcome.conf
[root@localhost conf.d]# vim ssl.conf
We need to specify where the certificate and private key files are located.
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
# Path to the server certificate
SSLCertificateFile /etc/httpd/certs/httpd.cert

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# Path to the server private key
SSLCertificateKeyFile /etc/httpd/certs/httpd.key
# Path to the certificate chain
SSLCertificateChainFile /etc/pki/CA/cacert.pem
[root@localhost conf.d]# service httpd configtest   # check the configuration syntax
Syntax OK
[root@localhost conf.d]# service httpd restart
中止 httpd: [肯定]
啓動 httpd: [肯定]
Test:
Resolve the DNS issue: either add a host record on the DNS server or edit the hosts file.
Install the certificate:
Test: