SSL - 走看看

zoukankan html css js c++ java

SSL

SSL
ssl secure socket layer 安全套接层
tls transfer layer secure 传输层安全
http+ssl/tls=https
做ssl加密的优点:
安全传输
　缺点:
影响性能，需要花费一定费用维护证书
https = http + ssl　　　（端口为443)
1，安装ssl包
# yum install httpd httpd-devel openssl* mod_ssl -y
# ls /etc/httpd/conf.d/ssl.conf --安装成功后，会产生一个http支持ssl的子配置文件
/etc/httpd/conf.d/ssl.conf
# ls /etc/httpd/modules/mod_ssl.so --也会有一个支持ssl的模块
/etc/httpd/modules/mod_ssl.so
2，使用rpm版的ssl创建证书和密钥
# cd /etc/pki/tls/certs/
# make httpd.crt --证书名字可以随意写，扩展名用crt（不一定）
umask 77 ;
/usr/bin/openssl genrsa -des3 1024 > httpd.key
Generating RSA private key, 1024 bit long modulus
....................++++++
.........................++++++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase: --两次密码，自己设定，以后有用
umask 77 ;
/usr/bin/openssl req -utf8 -new -key httpd.key -x509 -days 365 -out httpd.crt -set_serial 0
Enter pass phrase for httpd.key: --输密码
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:guangdong
Locality Name (eg, city) [Newbury]:shenzhen
Organization Name (eg, company) [My Company Ltd]:haha
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:li.cluster.com
Email Address []:li@126.com
3,编译httpd配置文件，让它支持ssl
# vim /etc/httpd/conf.d/ssl.conf
105 SSLCertificateFile /etc/pki/tls/certs/httpd.crt --证书，就是公钥，散发到网上的
112 SSLCertificateKeyFile /etc/pki/tls/certs/httpd.key --私钥，自己保存的
4,重启apache
# /etc/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server localhost.localdomain:443 (RSA)
Enter pass phrase: --输入创建证书时的密码
OK: Pass Phrase Dialog successful.
[ OK ]
# netstat -ntlup |grep httpd
tcp 0 0 :::80 :::* LISTEN 5821/httpd
tcp 0 0 :::443 :::* LISTEN 5821/httpd
5,测试
使用另一台机器打开firefox
使用下面的url来访问，下载并确认证书
https://serverIP/
===============================================================
nginx+ssl
如果是源码编译的版本，则nginx在源码编译时要加--with-http_ssl_module编译参数来支持SSL
下面在centos7.3上使用rpm版来做
# cd /etc/pki/tls/certs/
# make nginx.crt --创建证书，得到nginx.crt和nginx.key
# yum install nginx*
# vim /etc/nginx/nginx.conf --在server { } 配置段里加上下面四句
listen 443　ssl;
ssl_certificate /etc/pki/tls/certs/nginx.crt;
ssl_certificate_key /etc/pki/tls/certs/nginx.key;
然后重启nginx就可以了
# systemctl stop httpd
# systemctl start nginx --启动报错
解决方法:
# cd /etc/pki/tls/certs/
# cp nginx.key nginx.key.bak
# openssl rsa -in nginx.key.bak -out nginx.key
# systemctl start nginx --再次启动ok
问题:比如我输入www.baidu.com会自动转成https://www.baidu.com
用rewrite规则可以实现
------------------------------------------------------------------------------------------------------------------
https
华为本部　华为外包公司
ftp+ssl(自签)
smtp+ssl=smtps 465
pop3+ssl=pop3s 995
ftp+ssl=ftps
samba+ssl=smbs
tomcat+ssl=https
dns+ssl --没有
nfs+ssl --没有
rsync+ssl --没有
总结:一般ssl的应用主要是https,smtps和ftps也有应用。

查看全文

相关阅读:
%u编码
 总结
 windows7 安装PHP7 本地网站搭建
 统计某个端口的链接数
 mysql连结查询
 mysql in
读书笔记<白帽子讲web安全>
Web攻防系列教程之文件上传攻防解析（转载）
攻防：文件上传漏洞的攻击与防御
 weblogic检查项

原文地址：https://www.cnblogs.com/skyzy/p/9201395.html