zoukankan      html  css  js  c++  java

  • [svc]cfssl模拟https站点-探究浏览器如何校验证书

    准备cfssl环境

    wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O     /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O      /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl*

    生成ca证书

    cd;mkdir keys;cd keys
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "app": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "8760h"
      }
    }
  }
}
EOF


cat > ca-csr.json <<EOF
{
  "CN": "k8s",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF


cfssl gencert -initca ca-csr.json | cfssljson -bare ca

    生成server证书

    cd /root/keys
cat > app-csr.json <<EOF
{
  "CN": "app",
  "hosts": [
    "127.0.0.1",
    "192.168.1.11",
    "app",
    "app.ma.com"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=/root/keys/ca.pem 
  -ca-key=/root/keys/ca-key.pem 
  -config=/root/keys/ca-config.json 
  -profile=app app-csr.json | cfssljson -bare app

openssl x509  -noout -text -in  app.pem

    构建https webserver模拟测试

    cd /root/
cat > http-server.js <<EOF
var https = require('https');
var fs = require('fs');

var options = {
    key: fs.readFileSync('./keys/app-key.pem'),
    cert: fs.readFileSync('./keys/app.pem')
};

https.createServer(options, function (req, res) {
    res.writeHead(200);
    res.end('hello world');
}).listen(8000);
EOF

yum install nodejs -y
npm install https -g
node http-server.js

    访问服务端https://192.168.1.x:8000端口(域已添加本地hosts)

    发现

    opera浏览器

    处理浏览器安全问题

    1.导出ca.pem到win7,改名为ca.crt.

    2.运行 certmgr.msc 打开证书管理器

    3.浏览器访问8000端口(ctrl+shift+del清缓存)

    opera浏览器

    4.使用apps.ma.com访问,也报错

    无SAN(Subject Alternative Name)-CN: app.ma.com-即使地址栏的域名和CN一样也报错

    cd /root/keys
rm -rf app*
cat > app-csr.json <<EOF
{
  "CN": "app.ma.com",  #将hosts字段去掉(SAN干掉)
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=/root/keys/ca.pem 
  -ca-key=/root/keys/ca-key.pem 
  -config=/root/keys/ca-config.json 
  -profile=app app-csr.json | cfssljson -bare app

openssl x509  -noout -text -in  app.pem

    无SAN(Subject Alternative Name)-CN: *.ma.com-即使地址栏的域名和CN一样也报错

    cd /root/keys
rm -rf app*
cat > app-csr.json <<EOF
{
  "CN": "*.ma.com",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=/root/keys/ca.pem 
  -ca-key=/root/keys/ca-key.pem 
  -config=/root/keys/ca-config.json 
  -profile=app app-csr.json | cfssljson -bare app

openssl x509  -noout -text -in  app.pem

    SAN含app.ma.com(Subject Alternative Name)-CN: *.ma.com-仅app.ma.com域名可访问

    cd /root/keys
rm -rf app*
cat > app-csr.json <<EOF
{
  "CN": "*.ma.com",
  "hosts": [
    "app.ma.com"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=/root/keys/ca.pem 
  -ca-key=/root/keys/ca-key.pem 
  -config=/root/keys/ca-config.json 
  -profile=app app-csr.json | cfssljson -bare app

openssl x509  -noout -text -in  app.pem
cd ..;node http-server.js


    SAN含*.ma.com(Subject Alternative Name)-CN: .ma.com-可用任意.ma.com来访问

    cd /root/keys
rm -rf app*
cat > app-csr.json <<EOF
{
  "CN": "*.ma.com",
  "hosts": [
    "*.ma.com"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=/root/keys/ca.pem 
  -ca-key=/root/keys/ca-key.pem 
  -config=/root/keys/ca-config.json 
  -profile=app app-csr.json | cfssljson -bare app

openssl x509  -noout -text -in  app.pem
cd ..;node http-server.js

    查看互联网上一些证书

    • 汽车之家的通用型(*)证书(而且一个证书对应了多个域名)

    • 谷歌的 www证书

    wildcard和san两种证书的区别

    wildcard: 可变部分sub-domain:
*.maotai.com
www.maotai.com
bbs.maotai.com


san: 可变部分: subdomain和domain
subdomain
*.ma.com
*.ma.net
*.xx.net

    注:一般通用型证书比www证书价格贵一半左右.

    浏览器如何验证证书

    参考: http://www.cnblogs.com/iiiiher/p/8085698.html
    当浏览器使用HTTPS连接到您的服务器时,他们会检查以确保您的SSL证书与地址栏中的主机名称匹配。

    浏览器有三种找到匹配的方法:

    • 1.主机名(在地址栏中)与证书主题(Subject)中的通用名称(Common Name)完全匹配。

    • 2.主机名称与通配符通用名称相匹配。例如,www.example.com匹配通用名称* .example.com。

    • 3.主机名主题备用名称(SAN: Subject Alternative Name)字段中列出

    • 1.The host name (in the address bar) exactly matches the Common Name in the certificate's Subject.

    • 2.The host name matches a Wildcard Common Name. For example, www.example.com matches the common name *.example.com.

    • 3.The host name is listed in the Subject Alternative Name field.

    参考

    客户端使用服务端返回的信息验证服务器的合法性,包括:

    证书是否过期
    发型服务器证书的CA是否可靠
    返回的公钥是否能正确解开返回证书中的数字签名
    服务器证书上的域名是否和服务器的实际域名相匹配  -- 要核对CN或SAN,见上
    验证通过后,将继续进行通信,否则,终止通信

    在哪里可以查看到san

    参考: https://www.digicert.com/subject-alternative-name.htm

    小结: 正因为访问的域名在san列表,所以访问才能被通过校验.
  • 相关阅读:
    Redis面试题
    spring boot错误: 找不到或无法加载主类
    JAVA的高并发编程
    Redis多机多节点集群实验
    Redis单机多节点集群实验
    Redis集群概述
    Redis的持久化之AOF方式
    Redis的持久化之RDB方式
    Redis持久化介绍
    Redis Keys的通用操作
  • 原文地址:https://www.cnblogs.com/iiiiher/p/8094267.html
Copyright © 2011-2022 走看看