SSL交互简述及nginx双向认证配置

一、证书生成。

1、SSL Server生成私钥/公钥对。server.key(加密)/server.pub(解密);
2、server.pub生成请求文件server.csr,包含server的一些信息,如域名/申请者/公钥等;
3、server将server.csr递交给CA,CA验证通过,用ca.key和csr加密生成server.cert;
4、server将证书server.cert传给client,client通过ca.crt解密server.cert。

附证书制作流程:https://m.aliyun.com/yunqi/articles/40398

二、认证交互

三、SSL认证数据包分析

1、客户端请求包

版本信息:

随机数:

加密套件列表:

压缩算法和扩展参数:

2、服务端响应包:

版本号:

随机数:

选择的加密套件,压缩算法,及扩展参数:

证书:

3、客户端随机数包

 

4、通知秘钥和加密算法

 

5、握手验证消息

 

6、通知客户端加密算法与握手限制消息

 

 

7、加密通信(3

8Encrypted AlertSSL告警,这里出现通常是提示SSL传输完成

 

 

 四、nginx代理证书配置(附测试脚本)

server {
    listen 8000 ssl;
    listen[::]:8000 ssl;
    server_name *.*.*.*:8000;
    ssl on;
    ssl_certificate /home/nginx/conf/cert/ server.cert;
    ssl_certificate_key /home/nginx/conf/cert/server.key;
    ssl_client_certificate /home/nginx/conf/cert/ca.cert;
    ssl_verify_client on;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    ssl_protocols TLSv1.2;
    ssl_ciphers  ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_prefer_server_ciphers on;


    error_log /var/log/nginx/error.log error;


    location / {
        proxy_ssl_certificate /home/nginx/conf/cert/client.cert;
        proxy_ssl_certificate_key /home/nginx/conf/cert/client.key;
        proxy_ssl_trusted_certificate /home/nginx/conf/cert/ca.cert;
        proxy_ssl_verify on;
        proxy_ssl_session_reuse on;
        proxy_pass https://*.*.*.*:8080;
    }
}

关于其他参数请参见:http://nginx.org/en/docs/http/ngx_http_proxy_module.html

import httplib2

ca_cert = '/home/nginx/conf/cert/client/ca.cert'
client_key = '/home/nginx/conf/cert/client/client.key'
client_cert = '/home/nginx/conf/cert/client/client.cert'
full_url = 'https://*.*.*.*:8000/test_url'
headers = {
    'content-type': 'application/json',
    'accept': 'application/json'
}

http = httplib2.Http(timeout=120, ca_certs=ca_cert, disable_ssl_certificate_validation=False)
http.follow_all_redirects = True
http.add_certificate(client_key, client_cert, '')
resp, resp_content = http.request(full_url, method='GET', headers=headers)
print resp, resp_content

 

posted @ 2019-05-06 10:48  Small_office  阅读(2736)  评论(0编辑  收藏  举报