SSL交互简述及nginx双向认证配置
程序员文章站
2022-07-08 19:50:58
...
原文链接:https://www.cnblogs.com/small-office/p/9770896.html
一、证书生成。
1、SSL Server生成私钥/公钥对。server.key(加密)/server.pub(解密);
2、server.pub生成请求文件server.csr,包含server的一些信息,如域名/申请者/公钥等;
3、server将server.csr递交给CA,CA验证通过,用ca.key和csr加密生成server.cert;
4、server将证书server.cert传给client,client通过ca.crt解密server.cert。
附证书制作流程:https://m.aliyun.com/yunqi/articles/40398
二、认证交互
三、SSL认证数据包分析
1、客户端请求包
版本信息:
随机数:
加密套件列表:
压缩算法和扩展参数:
2、服务端响应包:
版本号:
随机数:
选择的加密套件,压缩算法,及扩展参数:
证书:
3、客户端随机数包
4、通知秘钥和加密算法
5、握手验证消息
6、通知客户端加密算法与握手限制消息
7、加密通信(3)
8、Encrypted Alert,SSL告警,这里出现通常是提示SSL传输完成
四、nginx代理证书配置(附测试脚本)
server {
listen 8000 ssl;
listen[::]:8000 ssl;
server_name *.*.*.*:8000;
ssl on;
ssl_certificate /home/nginx/conf/cert/ server.cert;
ssl_certificate_key /home/nginx/conf/cert/server.key;
ssl_client_certificate /home/nginx/conf/cert/ca.cert;
ssl_verify_client on;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
error_log /var/log/nginx/error.log error;
location / {
proxy_ssl_certificate /home/nginx/conf/cert/client.cert;
proxy_ssl_certificate_key /home/nginx/conf/cert/client.key;
proxy_ssl_trusted_certificate /home/nginx/conf/cert/ca.cert;
proxy_ssl_verify on;
proxy_ssl_session_reuse on;
proxy_pass https://*.*.*.*:8080;
}
}关于其他参数请参见:http://nginx.org/en/docs/http/ngx_http_proxy_module.html
import httplib2
ca_cert = '/home/nginx/conf/cert/client/ca.cert'
client_key = '/home/nginx/conf/cert/client/client.key'
client_cert = '/home/nginx/conf/cert/client/client.cert'
full_url = 'https://*.*.*.*:8000/test_url'
headers = {
'content-type': 'application/json',
'accept': 'application/json'
}
http = httplib2.Http(timeout=120, ca_certs=ca_cert, disable_ssl_certificate_validation=False)
http.follow_all_redirects = True
http.add_certificate(client_key, client_cert, '')
resp, resp_content = http.request(full_url, method='GET', headers=headers)
print resp, resp_content
推荐阅读
-
nginx环境下配置ssl加密(单双向认证、部分https)
-
SSL交互简述及nginx双向认证配置
-
nginx环境下配置ssl加密(单双向认证、部分https)
-
NGINX 配置 SSL 双向认证
-
Nginx https(SSL)双向认证配置
-
Nginx配置ssl加密(单双向认证、部分https) nginx tomcat https nginx https 代理 nginx配置https代
-
详解Nginx SSL快速双向认证配置(脚本)
-
Nginx配置ssl加密(单双向认证、部分https) nginx tomcat https nginx https 代理 nginx配置https代
-
NGINX 配置 SSL 双向认证
-
Nginx SSL快速双向认证配置(脚本)