zoukankan      html  css  js  c++  java

  • SSL交互简述及nginx双向认证配置

    一、证书生成。

    1、SSL Server生成私钥/公钥对。server.key(加密)/server.pub(解密);
    2、server.pub生成请求文件server.csr,包含server的一些信息,如域名/申请者/公钥等;
    3、server将server.csr递交给CA,CA验证通过,用ca.key和csr加密生成server.cert;
    4、server将证书server.cert传给client,client通过ca.crt解密server.cert。

    附证书制作流程:https://m.aliyun.com/yunqi/articles/40398

    二、认证交互

    三、SSL认证数据包分析

    1、客户端请求包

    版本信息:

    随机数:

    加密套件列表:

    压缩算法和扩展参数:

    2、服务端响应包:

    版本号:

    随机数:

    选择的加密套件,压缩算法,及扩展参数:

    证书:

    3、客户端随机数包

    4、通知秘钥和加密算法

    5、握手验证消息

    6、通知客户端加密算法与握手限制消息

     

    7、加密通信(3

    8Encrypted AlertSSL告警,这里出现通常是提示SSL传输完成

     

     四、nginx代理证书配置(附测试脚本)

    server {
    listen 8000 ssl;
    listen[::]:8000 ssl;
    server_name *.*.*.*:8000;
    ssl on;
    ssl_certificate /home/nginx/conf/cert/ server.cert;
    ssl_certificate_key /home/nginx/conf/cert/server.key;
    ssl_client_certificate /home/nginx/conf/cert/ca.cert;
    ssl_verify_client on;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    ssl_protocols TLSv1.2;
    ssl_ciphers  ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_prefer_server_ciphers on;


    error_log /var/log/nginx/error.log error;


    location / {
        proxy_ssl_certificate /home/nginx/conf/cert/client.cert;
        proxy_ssl_certificate_key /home/nginx/conf/cert/client.key;
        proxy_ssl_trusted_certificate /home/nginx/conf/cert/ca.cert;
        proxy_ssl_verify on;
            proxy_ssl_session_reuse on;
        proxy_pass https:    //*.*.*.*:8080;
    }
}

    关于其他参数请参见:http://nginx.org/en/docs/http/ngx_http_proxy_module.html

    import httplib2

ca_cert = '/home/nginx/conf/cert/client/ca.cert'
client_key = '/home/nginx/conf/cert/client/client.key'
client_cert = '/home/nginx/conf/cert/client/client.cert'
full_url = 'https://*.*.*.*:8000/test_url'
headers = {
    'content-type': 'application/json',
    'accept': 'application/json'
}

http = httplib2.Http(timeout=120, ca_certs=ca_cert, disable_ssl_certificate_validation=False)
http.follow_all_redirects = True
http.add_certificate(client_key, client_cert, '')
resp, resp_content = http.request(full_url, method='GET', headers=headers)
print resp, resp_content
  • 相关阅读:
    基础很重要~~04.表表达式-上篇
    【T-SQL基础】03.子查询
    【T-SQL基础】02.联接查询
    【T-SQL基础】01.单表查询-几道sql查询题
    【.Net底层剖析】3.用IL来理解属性
    SQL-基础知识
    IL指令速查
    黑客成长之路-01.新手篇-设置路由器
    《拆掉思维里的墙》~~想跳槽的同学可以先看看这本书!
    【解决方案】安装vssdk_full.exe遇到的问题
  • 原文地址:https://www.cnblogs.com/small-office/p/9770896.html
Copyright © 2011-2022 走看看