I. The HTTPS protocol
HTTP transmits data in plaintext
HTTPS transmits data in ciphertext
II. How the security of the data is guaranteed
Data security (confidentiality)
Data integrity
Authenticity of identity
III. Data security
1. Encryption
(1) Symmetric encryption
Typical encryption algorithms
DES, 3DES, AES
Example:
Edit a document
[root@localhost ~]# vim /tmp/test.txt
View what was written in it
[root@localhost ~]# cat /tmp/test.txt
abc
Encrypt
[root@localhost ~]# openssl enc -e -des -in /tmp/test.txt -out /tmp/test_e
enter des-cbc encryption password:
Verifying - enter des-cbc encryption password:
Decrypt
[root@localhost ~]# openssl enc -d -des -in /tmp/test_e -out /root/test_d
enter des-cbc decryption password:
[root@localhost ~]# cat /root/test_d
abc
(2) Asymmetric encryption
Key pair: a public key and a private key
Public key: encrypts
Private key: decrypts
The two parties exchange public keys
Commonly used algorithms
RSA, DSA
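In practice the two mechanisms above are combined, as TLS does: a symmetric cipher protects the bulk data and the receiver's public key protects only the short symmetric secret. The script below is an added example, not from the original notes; it uses AES-256-CBC with PBKDF2 key derivation instead of the legacy DES shown above, RSA-OAEP to wrap the secret, and file names under a temporary directory that are constructed for the demonstration.

```shell
#!/bin/sh
# Hybrid encryption: the data is encrypted with a symmetric cipher (AES-256-CBC,
# key derived from a random secret with PBKDF2) and only the short secret is
# encrypted with the receiver's RSA public key. All file names are constructed.
set -eu
WORK=$(mktemp -d)

# The receiver owns the key pair; only receiver.pub is ever shared.
make_receiver_keys() {
    openssl genrsa -out "$WORK/receiver.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/receiver.key" -pubout -out "$WORK/receiver.pub" 2>/dev/null
}

# Sender side: $1 is the plaintext file. Produces $1.enc (AES ciphertext)
# and $1.keyenc (the symmetric secret, RSA-OAEP encrypted to the receiver).
hybrid_encrypt() {
    openssl rand -hex 32 > "$WORK/secret.txt"            # fresh 256-bit secret
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/receiver.pub" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/secret.txt" -out "$1.keyenc"
    openssl enc -e -aes-256-cbc -pbkdf2 -iter 100000 \
        -pass file:"$WORK/secret.txt" -in "$1" -out "$1.enc"
    rm -f "$WORK/secret.txt"                              # sender forgets it
}

# Receiver side: unwrap the secret with the private key, then decrypt the data.
hybrid_decrypt() {
    openssl pkeyutl -decrypt -inkey "$WORK/receiver.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$1.keyenc" -out "$WORK/secret.txt"
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
        -pass file:"$WORK/secret.txt" -in "$1.enc"
    rm -f "$WORK/secret.txt"
}

# Round trip over a constructed sample file; prints the recovered plaintext.
roundtrip() {
    printf 'abc\n' > "$WORK/test.txt"
    make_receiver_keys
    hybrid_encrypt "$WORK/test.txt"
    hybrid_decrypt "$WORK/test.txt"
}

# Shows the ciphertext is not the plaintext: openssl enc with a password
# writes a "Salted__" header followed by the random salt.
ciphertext_header() {
    head -c 8 "$WORK/test.txt.enc"
}
```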
IV. Data integrity
1. Checksum algorithms
MD5, SHA
Hash algorithms; used to ensure the integrity of the data
[root@localhost ~]# vim /tmp/file01
[root@localhost ~]# cat /tmp/file01
abc
[root@localhost ~]# md5sum /tmp/file01
0bee89b07a248e27c83fc3d5951213c1 /tmp/file01
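A bare digest like the md5sum above detects accidental corruption, but anyone able to alter the file can also recompute its digest, so a published manifest is normally signed as well. The script below is an added example, not from the original notes; it uses SHA-256 rather than MD5, and the signing key pair and paths under a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Integrity check as on the page (a digest manifest), plus the step the
# manifest alone lacks: a signature over it, so whoever tampers with the file
# cannot simply recompute the digest. Keys and paths under $WORK are constructed.
set -eu
WORK=$(mktemp -d)

setup() {
    printf 'abc\n' > "$WORK/file01"
    # Publisher's signing key pair; the public half is distributed out of band.
    openssl genrsa -out "$WORK/signer.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/signer.key" -pubout -out "$WORK/signer.pub" 2>/dev/null
    # SHA-256 manifest (MD5 is no longer collision resistant), then sign it.
    (cd "$WORK" && sha256sum file01 > SHA256SUMS)
    openssl dgst -sha256 -sign "$WORK/signer.key" \
        -out "$WORK/SHA256SUMS.sig" "$WORK/SHA256SUMS"
}

# Prints OK, HASH_FAIL or SIG_FAIL. The signature is checked first: a manifest
# that does not verify tells us nothing about the files it lists.
verify_all() {
    openssl dgst -sha256 -verify "$WORK/signer.pub" \
        -signature "$WORK/SHA256SUMS.sig" "$WORK/SHA256SUMS" >/dev/null 2>&1 \
        || { echo SIG_FAIL; return 0; }
    (cd "$WORK" && sha256sum -c SHA256SUMS >/dev/null 2>&1) \
        && echo OK || echo HASH_FAIL
}

# Three states: untouched, file edited, file edited and manifest re-hashed.
demo() {
    setup
    r1=$(verify_all)
    printf 'abd\n' > "$WORK/file01"                   # tampered content
    r2=$(verify_all)
    (cd "$WORK" && sha256sum file01 > SHA256SUMS)     # digest recomputed too
    r3=$(verify_all)
    echo "$r1 $r2 $r3"
}
```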
V. Authenticity of identity
Find a trusted third party (which issues the certificates)
PKI, the public key infrastructure
Workflow
(1) The e-commerce server generates a certificate request (a .csr file) and sends it, together with its own public key, to the CA
(2) The CA verifies the information, signs with its own private key to produce the certificate (.crt), and sends the certificate to the e-commerce server
(3) When a client accesses the e-commerce server, the server sends the certificate to the client
(4) The client takes the certificate to the CA for verification; the CA decrypts it with its own public key, and once it checks out it returns the result to the client
(5) The client can then access the server normally
VI. Configure a virtual host that uses the HTTPS protocol
1. Set up a private CA
Generate a key pair
Generate a self-signed certificate
(1) Prepare two hosts, with the hostnames CA and server
192.168.204.129 CA
192.168.204.130 server
(2) Create the database files the CA needs
[root@ca ~]# touch /etc/pki/CA/index.txt
[root@ca ~]# echo 01 > /etc/pki/CA/serial
(3) Create the CA server's key pair
[root@ca ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 1024
Generating RSA private key, 1024 bit long modulus
...............++++++
..................++++++
e is 65537 (0x10001)
(4) Issue the self-signed certificate (run on the CA virtual machine)
[root@ca ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:nmg
Locality Name (eg, city) [Default City]:hhht
Organization Name (eg, company) [Default Company Ltd]:jdxy
Organizational Unit Name (eg, section) []:xxx
Common Name (eg, your name or your server's hostname) []:ca.linux.com
Email Address []:jdxy@qq.com
2. Request a certificate on the web server
(1) Install the software
[root@server ~]# yum -y install httpd
(2) Create the key
[root@server ~]# mkdir /etc/httpd/ssl
[root@server ~]# openssl genrsa -out /etc/httpd/ssl/www.linux.com.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................+++
.................+++
e is 65537 (0x10001)
(3) Generate the certificate request on the server
[root@server ~]# openssl req -new -key /etc/httpd/ssl/www.linux.com.key -out /etc/httpd/ssl/www.linux.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:nmg
Locality Name (eg, city) [Default City]:hhht
Organization Name (eg, company) [Default Company Ltd]:jdxy
Organizational Unit Name (eg, section) []:xxx
Common Name (eg, your name or your server's hostname) []:www.linux.com
Email Address []:linux@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:www.linux.com
(4) Send the certificate request to the CA
[root@server ~]# scp /etc/httpd/ssl/www.linux.com.csr root@192.168.204.129:/tmp/
The authenticity of host '192.168.204.129 (192.168.204.129)' can't be established.
ECDSA key fingerprint is SHA256:xkCnZexe7EncS5zustvPA1/djiLIrxVZYkcJQVqovW0.
ECDSA key fingerprint is MD5:53:e0:51:50:e6:8d:b2:b8:6a:8f:9d:70:ff:e0:09:4b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.204.129' (ECDSA) to the list of known hosts.
root@192.168.204.129's password:
www.linux.com.csr
(5) The CA signs the certificate
[root@ca ~]# openssl ca -in /tmp/www.linux.com.csr -out /etc/pki/tls/certs/www.linux.com.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 18 02:18:19 2024 GMT
Not After : Sep 16 02:18:19 2034 GMT
Subject:
countryName = cn
stateOrProvinceName = nmg
organizationName = jdxy
organizationalUnitName = xxx
commonName = www.k\08linux.com
emailAddress = linux@qq.cim\08\08o\1B[C
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
EE:4A:EA:7A:39:C7:9D:CB:BE:E9:A1:F1:E6:8C:90:FD:0E:54:8A:CC
X509v3 Authority Key Identifier:
keyid:AA:87:93:F0:66:EA:1F:08:FB:61:3C:E7:58:A9:C9:6C:9D:97:65:F3
Certificate is to be certified until Sep 16 02:18:19 2034 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
(6) Deliver the certificate to the web server
[root@ca ~]# scp /etc/pki/tls/certs/www.linux.com.crt root@192.168.204.130:/etc/httpd/ssl
The authenticity of host '192.168.204.130 (192.168.204.130)' can't be established.
ECDSA key fingerprint is 39:07:01:af:1e:a1:0b:c7:f1:1e:0e:68:81:89:87:06.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.204.130' (ECDSA) to the list of known hosts.
root@192.168.204.130's password:
www.linux.com.crt
3. Install the mod_ssl module
[root@server ~]# yum -y install mod_ssl
4. Create the web directory and a test file
[root@server ~]# mkdir /linux
[root@server ~]# vim /linux/index.html
<h1>www.linux.cim</h1>
<h2>yun jisuan</h2>
5. Configure the SSL virtual host
[root@server ~]# vim /etc/httpd/conf.d/ssl.conf
DocumentRoot "/linux"
ServerName www.linux.com:443
SSLCertificateFile /etc/httpd/ssl/www.linux.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/www.linux.com.key
<Directory "/linux">
Require all granted
</Directory>
That completes the configuration file
Next, restart the service
Disable the firewall and SELinux
Add a local hosts mapping for the server name
6. Test access
Click Advanced, then Proceed below it; you will then see the following page
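The browser warning in this final step is the client-side check from step (4) of the PKI workflow in section V failing, because the browser does not trust the private CA built in this section. The script below is an added example, not part of the original notes: it rebuilds a throwaway CA and server certificate with the page's names ca.linux.com and www.linux.com under a temporary directory (using openssl req/x509 rather than the openssl ca database workflow above), then performs the client's check with the CA certificate, i.e. the CA's public key, including the hostname match and the untrusted-certificate case.

```shell
#!/bin/sh
# Throwaway PKI: a private CA, a server CSR, a CA-signed server certificate,
# and then the client-side check: verify the chain with the CA certificate and
# match the hostname. Names follow the page; paths under $WORK are constructed.
set -eu
WORK=$(mktemp -d)

# Step 1 on the page: CA key pair plus self-signed CA certificate.
build_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/cakey.pem" \
        -out "$WORK/cacert.pem" -days 3650 -subj "/CN=ca.linux.com" 2>/dev/null
}

# Step 2: server key and request. The SAN is what browsers match on today.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/www.linux.com.key" \
        -out "$WORK/www.linux.com.csr" -subj "/CN=www.linux.com" 2>/dev/null
    printf 'subjectAltName=DNS:www.linux.com\n' > "$WORK/san.cnf"
}

# The CA signs the request with its private key (step (2) of the workflow).
sign_csr() {
    openssl x509 -req -in "$WORK/www.linux.com.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
        -extfile "$WORK/san.cnf" -out "$WORK/www.linux.com.crt" 2>/dev/null
}

# Step (4) of the workflow: the client holds the CA certificate (its public
# key) and checks both the signature chain and the name of the host visited.
client_verify() {   # $1 = certificate file, $2 = hostname being visited
    openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$2" "$1" \
        >/dev/null 2>&1 && echo OK || echo FAIL
}

# Three checks: right host, wrong host, and a self-signed certificate that
# carries the right name but was never issued by the CA (the untrusted case
# the browser warns about in the final test on the page).
demo() {
    build_ca; make_csr; sign_csr
    r1=$(client_verify "$WORK/www.linux.com.crt" www.linux.com)
    r2=$(client_verify "$WORK/www.linux.com.crt" www.other.com)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/selfsigned.key" \
        -out "$WORK/selfsigned.crt" -days 1 -subj "/CN=www.linux.com" 2>/dev/null
    r3=$(client_verify "$WORK/selfsigned.crt" www.linux.com)
    echo "$r1 $r2 $r3"
}
```

To make a browser accept the server without the warning, the CA certificate (cacert.pem) has to be imported into its trust store; the server certificate alone is never enough.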