  • Apache server SSL configuration

    Read 1000+ times, 2015-06-08 10:16:35

    Apache server SSL configuration

    Not long ago I took part in a study of proxy server configuration for a certain system and read a great deal of material on Apache SSL configuration. This article is a summary of what I learned from that material. Using the Win32 versions of Apache and OpenSSL as the example, it walks through the whole process from creating digital certificates to configuring Apache; I hope readers find it useful.

    Apache is one of the most popular web servers today. With the OpenSSL library we can set up an SSL channel on Apache and offer SSL connections. Besides the Apache SSL module, OpenSSL also provides a set of digital certificate tools for creating and converting certificates.

    1       Environment preparation

    Software download

    apache_2.2.4-win32-x86-openssl-0.9.8d.msi is a bundled package containing the required Apache and OpenSSL components; the Apache version is 2.2.4 and the OpenSSL version is 0.9.8d. If you do not need the latest OpenSSL, this package alone is enough.

    Software installation

    1   Run Win32OpenSSL-0_9_8e.exe to install OpenSSL

    2   Run apache_2.2.4-win32-x86-openssl-0.9.8d.msi to install Apache

    If you want to use the latest OpenSSL, delete the two files libeay32.dll and ssleay32.dll from the Apache installation directory, which forces Apache to use the two newer files that the OpenSSL installer placed in c:\windows\system32.

    Software configuration

    1.3.1            Apache configuration

    Edit httpd.conf in Apache's conf directory and remove the # in front of #LoadModule ssl_module modules/mod_ssl.so so that Apache loads mod_ssl.so at startup. Restart Apache; if the following screen appears (screenshot not reproduced here), mod_ssl.so has loaded successfully.

     

    1.3.2            OpenSSL configuration

    1) Create the certificate management directories and files;

    Create C:\CA as the main certificate management directory;

    • Under C:\CA create two directories, certs and keys, to hold certificates and private keys;
    • Under C:\CA create a crl directory to hold certificate revocation list files;
    • Under C:\CA create an empty file index.txt, the certificate database;
    • Under C:\CA create a file index.txt.attr with the content unique_subject = no;
    • Under C:\CA create the certificate serial number file serial with the content 01;
    • Under C:\CA create the CRL number file crlnumber with the content 01.

    2) Edit OpenSSL's bin/openssl.cnf file and change the following entries:

    #
    # OpenSSL example configuration file.
    # This is mostly being used for generation of certificate requests.
    #
    # This definition stops the following lines choking if HOME isn't
    # defined.
    HOME          = .
    RANDFILE      = $ENV::HOME/.rnd
    # Extra OBJECT IDENTIFIER info:
    #oid_file     = $ENV::HOME/.oid
    oid_section        = new_oids
    # To use this configuration file with the "-extfile" option of the
    # "openssl x509" utility, name here the section containing the
    # X.509v3 extensions to use:
    # extensions       =
    # (Alternatively, use a configuration file that has only
    # X.509v3 extensions in its main [= default] section.)
    [ new_oids ]
    # We can add new OIDs in here for use by 'ca' and 'req'.
    # Add a simple OID like this:
    # testoid1=1.2.3.4
    # Or use config file substitution like this:
    # testoid2=${testoid1}.5.6
    ####################################################################
    [ ca ]
    default_ca    = CA_default       # The default ca section
    ####################################################################
    [ CA_default ]
    dir      = C:/CA       # Where everything is kept
    certs         = $dir/certs       # Where the issued certs are kept
    crl_dir       = $dir/crl         # Where the issued crl are kept
    database= $dir/index.txt   # database index file.
    #unique_subject    = no          # Set to 'no' to allow creation of
                           # several ctificates with same subject.
    new_certs_dir= $dir/certs       # default place for new certs.
    certificate   = $dir/certs/CA.YOUR.COM.crt     # The CA certificate
    serial        = $dir/serial          # The current serial number
    crlnumber= $dir/crlnumber   # the current crl number
                           # must be commented out to leave a V1 CRL
    crl      = $dir/crl.pem         # The current CRL
    private_key   = $dir/keys/CA.YOUR.COM.key    # The private key
    RANDFILE= $dir/keys/.rand       # private random number file
    x509_extensions    = usr_cert         # The extentions to add to the cert
    # Comment out the following two lines for the "traditional"
    # (and highly broken) format.
    name_opt = ca_default       # Subject Name options
    cert_opt = ca_default       # Certificate field options
    # Extension copying option: use with caution.
    # copy_extensions = copy
    # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
    # so this is commented out by default to leave a V1 CRL.
    # crlnumber must also be commented out to leave a V1 CRL.
    # crl_extensions   = crl_ext
    default_days = 365              # how long to certify for
    default_crl_days= 30             # how long before next CRL
    default_md    = sha1             # which md to use.
    preserve= no          # keep passed DN ordering
    # A few difference way of specifying how similar the request should look
    # For type CA, the listed attributes must be the same, and the optional
    # and supplied fields are just that :-)
    policy        = policy_match
    # For the CA policy
    [ policy_match ]
    countryName        = match
    stateOrProvinceName    = match
    organizationName   = match
    organizationalUnitName= optional
    commonName         = supplied
    emailAddress       = optional
    # For the 'anything' policy
    # At this point in time, you must list all acceptable 'object'
    # types.
    [ policy_anything ]
    countryName        = optional
    stateOrProvinceName    = optional
    localityName       = optional
    organizationName   = optional
    organizationalUnitName= optional
    commonName         = supplied
    emailAddress       = optional
    ####################################################################
    [ req ]
    default_bits       = 1024
    default_keyfile    = privkey.pem
    distinguished_name= req_distinguished_name
    attributes         = req_attributes
    x509_extensions    = v3_ca # The extentions to add to the self signed cert
    # Passwords for private keys if not present they will be prompted for
    # input_password = secret
    # output_password = secret
    # This sets a mask for permitted string types. There are several options.
    # default: PrintableString, T61String, BMPString.
    # pkix   : PrintableString, BMPString.
    # utf8only: only UTF8Strings.
    # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
    # MASK:XXXX a literal mask value.
    # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
    # so use this option with caution!
    string_mask = nombstr
    # req_extensions = v3_req # The extensions to add to a certificate request
    [ req_distinguished_name ]
    countryName            = Country Name (2 letter code)
    countryName_default         = CN
    countryName_min             = 2
    countryName_max             = 2
    stateOrProvinceName         = State or Province Name (full name)
    stateOrProvinceName_default= BeiJing
    localityName           = Locality Name (eg, city)
    0.organizationName     = Organization Name (eg, company)
    0.organizationName_default = COM
    # we can do this but it is not needed normally :-)
    #1.organizationName         = Second Organization Name (eg, company)
    #1.organizationName_default= World Wide Web Pty Ltd
    organizationalUnitName      = Organizational Unit Name (eg, section)
    organizationalUnitName_default   = YOUR
    commonName             = Common Name (eg, YOUR name)
    commonName_max              = 64
    emailAddress           = Email Address
    emailAddress_max       = 64
    # SET-ex3          = SET extension number 3
    [ req_attributes ]
    challengePassword      = A challenge password
    challengePassword_min       = 4
    challengePassword_max       = 20
    unstructuredName       = An optional company name
    [ usr_cert ]
    # These extensions are added when 'ca' signs a request.
    # This goes against PKIX guidelines but some CAs do it and some software
    # requires this to avoid interpreting an end user certificate as a CA.
    basicConstraints=CA:FALSE
    # Here are some examples of the usage of nsCertType. If it is omitted
    # the certificate can be used for anything *except* object signing.
    # This is OK for an SSL server.
    # nsCertType           = server
    # For an object signing certificate this would be used.
    # nsCertType = objsign
    # For normal client use this is typical
    # nsCertType = client, email
    # and for everything including object signing:
    # nsCertType = client, email, objsign
    # This is typical in keyUsage for a client certificate.
    # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    # This will be displayed in Netscape's comment listbox.
    nsComment          = "OpenSSL Generated Certificate"
    # PKIX recommendations harmless if included in all certificates.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer
    # This stuff is for subjectAltName and issuerAltname.
    # Import the email address.
    # subjectAltName=email:copy
    # An alternative to produce certificates that aren't
    # deprecated according to PKIX.
    # subjectAltName=email:move
    # Copy subject details
    # issuerAltName=issuer:copy
    #nsCaRevocationUrl     = http://www.domain.dom/ca-crl.pem
    #nsBaseUrl
    #nsRevocationUrl
    #nsRenewalUrl
    #nsCaPolicyUrl
    #nsSslServerName
    [ v3_req ]
    # Extensions to add to a certificate request
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    [ v3_ca ]
    # Extensions for a typical CA
    # PKIX recommendation.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer:always
    # This is what PKIX recommends but some broken software chokes on critical
    # extensions.
    #basicConstraints = critical,CA:true
    # So we do this instead.
    basicConstraints = CA:true
    # Key usage: this is typical for a CA certificate. However since it will
    # prevent it being used as an test self-signed certificate it is best
    # left out by default.
    # keyUsage = cRLSign, keyCertSign
    # Some might want this also
    # nsCertType = sslCA, emailCA
    # Include email address in subject alt name: another PKIX recommendation
    # subjectAltName=email:copy
    # Copy issuer details
    # issuerAltName=issuer:copy
    # DER hex encoding of an extension: beware experts only!
    # obj=DER:02:03
    # Where 'obj' is a standard or added object
    # You can even override a supported extension:
    # basicConstraints= critical, DER:30:03:01:01:FF
    [ crl_ext ]
    # CRL extensions.
    # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
    # issuerAltName=issuer:copy
    authorityKeyIdentifier=keyid:always,issuer:always
    [ proxy_cert_ext ]
    # These extensions should be added when creating a proxy certificate
    # This goes against PKIX guidelines but some CAs do it and some software
    # requires this to avoid interpreting an end user certificate as a CA.
    basicConstraints=CA:FALSE
    # Here are some examples of the usage of nsCertType. If it is omitted
    # the certificate can be used for anything *except* object signing.
    # This is OK for an SSL server.
    # nsCertType           = server
    # For an object signing certificate this would be used.
    # nsCertType = objsign
    # For normal client use this is typical
    # nsCertType = client, email
    # and for everything including object signing:
    # nsCertType = client, email, objsign
    # This is typical in keyUsage for a client certificate.
    # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    # This will be displayed in Netscape's comment listbox.
    nsComment          = "OpenSSL Generated Certificate"
    # PKIX recommendations harmless if included in all certificates.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer:always
    # This stuff is for subjectAltName and issuerAltname.
    # Import the email address.
    # subjectAltName=email:copy
    # An alternative to produce certificates that aren't
    # deprecated according to PKIX.
    # subjectAltName=email:move
    # Copy subject details
    # issuerAltName=issuer:copy
    #nsCaRevocationUrl     = http://www.domain.dom/ca-crl.pem
    #nsBaseUrl
    #nsRevocationUrl
    #nsRenewalUrl
    #nsCaPolicyUrl
    #nsSslServerName
    # This really needs to be in place for it to be a proxy certificate.
    proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo


    3) Create the random seed file rand:

    cd c:\openssl\bin
    openssl rand -out c:/ca/keys/.rand 1024

    2       Create the digital certificates

    Create the root certificate (CA.COM)

    1) Create the root certificate's private key and certificate request;

    openssl genrsa -des3 -out c:/ca/keys/CA.COM.key 2048
    ** You will be asked for a passphrase protecting the root private key; remember it.
    openssl req -new -out CA.COM.csr -key c:/ca/keys/CA.COM.key -config openssl.cnf
    ** Enter the following values when prompted; accept the defaults for everything else.
    Country Name: CN
    State or Province Name: BeiJing
    Organization Name: COM
    Organizational Unit Name: COM
    Common Name: CA.COM


    or:

    openssl req -newkey rsa:2048 -keyout c:/ca/Keys/CA.COM.key -out CA.COM.csr -config openssl.cnf
    ** Enter the following values when prompted; accept the defaults for everything else.
    Country Name: CN
    State or Province Name: BeiJing
    Organization Name: COM
    Organizational Unit Name: COM
    Common Name: CA.COM


    2) Self-sign the root certificate with the root private key;

    openssl ca -in CA.COM.csr -out c:/ca/certs/CA.COM.crt -selfsign -keyfile c:/ca/keys/CA.COM.key -days 7305 -extensions v3_ca -config openssl.cnf
    ** Confirm that the certificate subject is:
                countryName               = CN
                stateOrProvinceName       = BeiJing
                organizationName          = COM
                organizationalUnitName    = COM
                commonName                = CA.COM


    or (openssl x509 reads extension sections from the file given with -extfile, it has no -config option):

    openssl x509 -in CA.COM.csr -out c:/ca/certs/CA.COM.crt -req -signkey c:/ca/keys/CA.COM.key -days 7305 -extensions v3_ca -extfile openssl.cnf
    ** Confirm that the certificate subject is:
                countryName               = CN
                stateOrProvinceName       = BeiJing
                organizationName          = COM
                organizationalUnitName    = COM
                commonName                = CA.COM

    3) Delete the root certificate request file CA.COM.csr.

    Create the second-level (intermediate) root certificate (CA.YOUR.COM)

    With the root certificate created, we can use it to create a second-level root certificate.

    1) Create the certificate request for the second-level root certificate;

    openssl req -newkey rsa:2048 -keyout c:/ca/keys/CA.YOUR.COM.key -out CA.YOUR.COM.csr -config openssl.cnf
    ** You will be asked for a passphrase protecting the second-level certificate's private key; remember it;
    ** Enter the following values when prompted; accept the defaults for everything else.
    Country Name: CN
    State or Province Name: BeiJing
    Organization Name: COM
    Organizational Unit Name: YOUR
    Common Name: CA.YOUR.COM

    2) Sign the second-level root certificate with the root certificate;

    openssl ca -in CA.YOUR.COM.csr -out c:/ca/certs/CA.YOUR.COM.crt -keyfile c:/ca/keys/CA.COM.key -cert c:/ca/certs/CA.COM.crt -days 7305 -extensions v3_ca -config openssl.cnf
    ** Enter the passphrase of the root private key;
    ** Confirm that the certificate subject is:
                countryName               = CN
                stateOrProvinceName       = BeiJing
                organizationName          = COM
                organizationalUnitName    = YOUR
                commonName                = CA.YOUR.COM

    3) Delete the second-level root certificate request file CA.YOUR.COM.csr.

    We now have the second-level root certificate. The server and personal certificates that follow are all signed with it. We could sign them with the root certificate as well, but to model a more realistic setup we use the second-level root certificate as the main signing certificate.

    Create the server certificate

    1) Create the server certificate request;

    openssl req -newkey rsa:1024 -keyout c:/ca/keys/www.your.com.key -out www.your.com.csr -config openssl.cnf
    ** You will be asked for a passphrase protecting the server certificate's private key; remember it;
    ** Enter the following values when prompted; accept the defaults for everything else.
    Country Name: CN
    State or Province Name: BeiJing
    Organization Name: COM
    Organizational Unit Name: YOUR
    Common Name: www.your.com

    2) Sign the server certificate with the second-level root certificate;

    openssl ca -in www.your.com.csr -out c:/ca/certs/www.your.com.crt -config openssl.cnf
    ** Enter the passphrase of the second-level certificate's private key;
    ** Confirm that the certificate subject is:
     countryName               = CN
     stateOrProvinceName       = BeiJing
     organizationName          = COM
     organizationalUnitName    = YOUR
     commonName                = www.your.com
    Note: this step uses the signing certificate ca.your.com.crt, its private key ca.your.com.key and the 365-day validity period that openssl.cnf specifies, so the command is much shorter than the one in section 2.2.

    3) Delete the server certificate request file www.your.com.csr.

    Create a personal certificate

    1) Create the personal certificate request;

    openssl req -newkey rsa:1024 -keyout my.key -out my.csr -config openssl.cnf
    ** You will be asked for a passphrase protecting the personal certificate's private key; remember it;
    ** Enter the following values when prompted; accept the defaults for everything else.
    Country Name: CN
    State or Province Name: BeiJing
    Organization Name: COM
    Organizational Unit Name: YOUR
    Common Name: my@your.com

    2) Sign the personal certificate with the second-level root certificate;

    openssl ca -in my.csr -out my.crt -config openssl.cnf
    ** Enter the passphrase of the second-level certificate's private key;
    ** Confirm that the certificate subject is:
     countryName               = CN
     stateOrProvinceName       = BeiJing
     organizationName          = COM
     organizationalUnitName    = YOUR
     commonName                = my@your.com

    3) Add the certificate chain to the personal certificate. Edit my.crt and append, in order, the content of CA.YOUR.COM.crt and then CA.COM.crt starting from the BEGIN CERTIFICATE line;

    4) Combine the edited my.crt and my.key into the personal certificate file my.pfx;

    openssl pkcs12 -export -in my.crt -inkey my.key -out c:/ca/certs/my.pfx
    ** Enter the passphrase of my's private key;
    ** Choose a new passphrase protecting the personal certificate; remember it.

    5) Delete the personal certificate request my.csr, the private key file my.key and the certificate file my.crt.

    Note: steps 3 and 4 can be done in one command:

    openssl pkcs12 -export -in my.crt -inkey my.key -out c:/ca/certs/my.pfx -certfile c:/ca/certs/ca.your.com.crt -certfile c:/ca/certs/ca.com.crt

    Repeat the steps above to create another personal certificate, my1.pfx, with Common Name my1. We will revoke this certificate later to demonstrate the certificate revocation list.

    Create the certificate chain file

    Before a web server and a client establish an SSL channel they exchange certificates, and each side uses its own certificate chain file (P7B, PKCS7) and certificate revocation list file (CRL) to verify the validity of the peer's certificate.

    A certificate chain file is really just the certificates (public keys) of several CAs. It comes in two formats: a text format (Privacy Enhanced Mail, PEM), i.e. Base64-encoded, and a binary format (Distinguished Encoding Rules, DER), i.e. a P7B file. For PEM it is enough to concatenate the CA certificates in order from the branch to the root; a P7B chain file needs special handling.

    The OpenSSL command to create a P7B chain file is:

    openssl crl2pkcs7 -out c:/ca/your.p7b -nocrl -certfile c:/ca/certs/CA.YOUR.COM.crt -certfile c:/ca/certs/CA.COM.crt

    Create the certificate revocation list file

    1) Revoke the certificate my1.pfx;

    Open c:/ca/index.txt and look up the entry /C=CN /ST=BeiJing /O=COM /OU=YOUR /CN=lny; its certificate serial number is 05. When a certificate is created, openssl automatically stores a copy in the certs directory under the file name <serial>.pem, so 05.pem is the certificate behind my1.pfx. The following command prints the certificate's subject so you can confirm this:

    openssl x509 -in c:/ca/certs/05.pem -text
    ** Confirm that the subject is: Subject: C=CN, ST=BeiJing, O=COM, OU=YOUR, CN=my1

    Then revoke the certificate with:

    openssl ca -revoke c:/ca/certs/05.pem
    ** Enter the passphrase of the second-level root certificate's private key.

    Open c:/ca/index.txt again: the status of certificate 05 has changed to R, i.e. revoked.

    2) Generate the certificate revocation list file;

    openssl ca -gencrl -crldays 7 -crlexts crl_ext -out c:/ca/crl/your.crl -config openssl.cnf
    ** Enter the passphrase of the second-level certificate's private key;

    3) Convert the PEM-format CRL to DER format;

    This step is optional. If a client or server needs the CRL in DER format, convert it with:

    openssl crl -inform PEM -outform DER -in c:/ca/crl/your.crl -out c:/ca/crl/your_bin.crl

    Note: in the steps above, several certificates can be revoked before the CRL is generated. When generating the CRL we set the next publication date to 7 days later (-crldays 7).
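Step 1 above reads index.txt by eye to find which serial, and therefore which certs/<serial>.pem, belongs to a subject. As an added example that is not part of the article, the following Python parses the index.txt format that openssl ca writes, looks up a subject, lists the serials the next CRL will contain, and flags entries that have expired but still show V because openssl ca -updatedb has not been run; SAMPLE_INDEX is a constructed sample mirroring the article's certificates.

```python
"""Parse OpenSSL's `ca` database (index.txt) and answer the questions the
article answers by hand: which serial (and so which certs/<serial>.pem)
belongs to a subject, and which certificates are already revoked.
Added example, not code from the original article."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample index.txt in the layout `openssl ca` writes: six
# TAB-separated fields (status, expiry, revocation date[,reason], serial,
# file name, subject).  Serials follow the article: 01 root, 02 intermediate,
# 03 server, 04 my, 05 my1 (revoked, status R).
SAMPLE_INDEX = (
    "V\t350602011200Z\t\t01\tunknown\t/C=CN/ST=BeiJing/O=COM/OU=COM/CN=CA.COM\n"
    "V\t350602011300Z\t\t02\tunknown\t/C=CN/ST=BeiJing/O=COM/OU=YOUR/CN=CA.YOUR.COM\n"
    "V\t160607011400Z\t\t03\tunknown\t/C=CN/ST=BeiJing/O=COM/OU=YOUR/CN=www.your.com\n"
    "V\t160607011500Z\t\t04\tunknown\t/C=CN/ST=BeiJing/O=COM/OU=YOUR/CN=my@your.com\n"
    "R\t160607011600Z\t150608020000Z\t05\tunknown\t/C=CN/ST=BeiJing/O=COM/OU=YOUR/CN=my1\n"
)


@dataclass
class IndexEntry:
    status: str                  # 'V' valid, 'R' revoked, 'E' expired
    expires: datetime
    revoked: Optional[datetime]  # None unless status is 'R'
    reason: Optional[str]        # only present when revoked with -crl_reason
    serial: str                  # hex serial exactly as written, e.g. '05'
    subject: Dict[str, str]      # RDN type -> value, e.g. {'CN': 'my1', ...}

    def cert_file(self) -> str:
        # `openssl ca` keeps a copy of every issued cert as <serial>.pem in
        # new_certs_dir (the certs/ directory in the article's openssl.cnf).
        return f"{self.serial}.pem"


def parse_openssl_time(value: str) -> datetime:
    # index.txt stores ASN.1 UTCTime: YYMMDDHHMMSSZ with a two-digit year
    # (strptime maps 00-68 to 20xx, which is right for certs expiring before 2050).
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_subject(dn: str) -> Dict[str, str]:
    # '/C=CN/ST=BeiJing/O=COM/OU=YOUR/CN=my1' -> dict.  Subject values that
    # themselves contain '/' are not handled by this simple split.
    subject: Dict[str, str] = {}
    for rdn in dn.strip().strip("/").split("/"):
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            subject[key.strip()] = value
    return subject


def parse_index(text: str) -> List[IndexEntry]:
    entries: List[IndexEntry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
        status, expiry, revocation, serial, _filename, subject = fields
        if status not in ("V", "R", "E"):
            raise ValueError(f"index.txt line {lineno}: unknown status {status!r}")
        revoked = reason = None
        if revocation:
            # 'YYMMDDHHMMSSZ' or 'YYMMDDHHMMSSZ,reason' when -crl_reason was given
            when, _, reason_text = revocation.partition(",")
            revoked = parse_openssl_time(when)
            reason = reason_text or None
        entries.append(IndexEntry(status, parse_openssl_time(expiry), revoked,
                                  reason, serial, parse_subject(subject)))
    return entries


def find_by_cn(entries: List[IndexEntry], cn: str) -> List[IndexEntry]:
    # Several entries can share a CN because index.txt.attr has unique_subject = no.
    return [e for e in entries if e.subject.get("CN") == cn]


def revoked_serials(entries: List[IndexEntry]) -> List[str]:
    # These are the serials the next `openssl ca -gencrl` run will publish.
    return [e.serial for e in entries if e.status == "R"]


def stale_entries(entries: List[IndexEntry], now: Optional[datetime] = None) -> List[str]:
    # `openssl ca` only flips V -> E when `openssl ca -updatedb` is run, so an
    # expired certificate can still show as V; compare the dates instead.
    now = now or datetime.now(timezone.utc)
    return [e.serial for e in entries if e.status == "V" and e.expires < now]


if __name__ == "__main__":
    index = parse_index(SAMPLE_INDEX)
    for entry in find_by_cn(index, "my1"):
        print(entry.serial, entry.cert_file(), entry.status, entry.revoked)
    print("revoked:", revoked_serials(index))
    print("expired but still V:", stale_entries(index))
```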

    3       Configure Apache

    With all the certificates and supporting files prepared, we can configure Apache and enable SSL.

    1) Edit apache/conf/httpd.conf and remove the # in front of #Include conf/extra/httpd-ssl.conf to activate httpd-ssl.conf;

    2) Edit apache/conf/extra/httpd-ssl.conf and enclose every entry containing C:/Program Files/Apache Software Foundation/Apache2.2 in double quotes (these entries were shown in blue in the original). The result is:

    #
    # This is the Apache server configuration file providing SSL support.
    # It contains the configuration directives to instruct the server how to
    # serve pages over an https connection. For detailing information about these
    # directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
    #
    # Do NOT simply read the instructions in here without understanding
    # what they do. They're here only as hints or reminders. If you are unsure
    # consult the online docs. You have been warned. 
    #
    #
    # Pseudo Random Number Generator (PRNG):
    # Configure one or more sources to seed the PRNG of the SSL library.
    # The seed data should be of good random quality.
    # WARNING! On some platforms /dev/random blocks if not enough entropy
    # is available. This means you then cannot use the /dev/random device
    # because it would lead to very long connection times (as long as
    # it requires to make more entropy available). But usually those
    # platforms additionally provide a /dev/urandom device which doesn't
    # block. So, if available, use this one instead. Read the mod_ssl User
    # Manual for more details.
    #
    #SSLRandomSeed startup file:/dev/random 512
    #SSLRandomSeed startup file:/dev/urandom 512
    #SSLRandomSeed connect file:/dev/random 512
    #SSLRandomSeed connect file:/dev/urandom 512
    #
    # When we also provide SSL we have to listen to the
    # standard HTTP port (see above) and to the HTTPS port
    #
    # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
    #       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
    #
    Listen 443
    ##
    ## SSL Global Context
    ##
    ## All SSL configuration in this context applies both to
    ## the main server and all SSL-enabled virtual hosts.
    ##
    #
    #   Some MIME-types for downloading Certificates and CRLs
    #
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl
    #   Pass Phrase Dialog:
    #   Configure the pass phrase gathering process.
    #   The filtering dialog program (`builtin' is a internal
    #   terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog builtin
    #   Inter-Process Session Cache:
    #   Configure the SSL Session Cache: First the mechanism
    #   to use and second the expiring timeout (in seconds).
    #SSLSessionCache         dbm:C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_scache
    SSLSessionCache        "shmcb:C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"
    SSLSessionCacheTimeout 300
    #   Semaphore:
    #   Configure the path to the mutual exclusion semaphore the
    #   SSL engine uses internally for inter-process synchronization.
    SSLMutex default
    ##
    ## SSL Virtual Host Context
    ##
    <VirtualHost _default_:443>
     
    
    #   General setup for the virtual host
    DocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs"
    ServerName lny.your.com:443
    ServerAdmin nyli@your.cn
    ErrorLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/error_log"
    TransferLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/access_log"
    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on
    #   SSL Cipher Suite:
    #   List the ciphers that the client is permitted to negotiate.
    #   See the mod_ssl documentation for a complete list.
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    #   Server Certificate:
    #   Point SSLCertificateFile at a PEM encoded certificate. If
    #   the certificate is encrypted, then you will be prompted for a
    #   pass phrase. Note that a kill -HUP will prompt again. Keep
    #   in mind that if you have both an RSA and a DSA certificate you
    #   can configure both in parallel (to also allow the use of DSA
    #   ciphers, etc.)
    SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/server.crt"
    #SSLCertificateFile C:/Program Files/Apache Software Foundation/Apache2.2/conf/server-dsa.crt
    #   Server Private Key:
    #   If the key is not combined with the certificate, use this
    #   directive to point at the key file. Keep in mind that if
    #   you've both a RSA and a DSA private key you can configure
    #   both in parallel (to also allow the use of DSA ciphers, etc.)
    SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/server.key"
    #SSLCertificateKeyFile C:/Program Files/Apache Software Foundation/Apache2.2/conf/server-dsa.key
    #   Server Certificate Chain:
    #   Point SSLCertificateChainFile at a file containing the
    #   concatenation of PEM encoded CA certificates which form the
    #   certificate chain for the server certificate. Alternatively
    #   the referenced file can be the same as SSLCertificateFile
    #   when the CA certificates are directly appended to the server
    #   certificate for convinience.
    SSLCertificateChainFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ca.crt"
    #   Certificate Authority (CA):
    #   Set the CA certificate verification path where to find CA
    #   certificates for client authentication or alternatively one
    #   huge file containing all of them (file must be PEM encoded)
    #   Note: Inside SSLCACertificatePath you need hash symlinks
    #         to point to the certificate files. Use the provided
    #         Makefile to update the hash symlinks after changes.
    SSLCACertificatePath "C:/Program Files/Apache Software Foundation/Apache2.2/conf"
    SSLCACertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ca.crt"
    #   Certificate Revocation Lists (CRL):
    #   Set the CA revocation path where to find CA CRLs for client
    #   authentication or alternatively one huge file containing all
    #   of them (file must be PEM encoded)
    #   Note: Inside SSLCARevocationPath you need hash symlinks
    #         to point to the certificate files. Use the provided
    #         Makefile to update the hash symlinks after changes.
    SSLCARevocationPath "C:/Program Files/Apache Software Foundation/Apache2.2/conf"
    SSLCARevocationFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ca.crl"
    #   Client Authentication (Type):
    #   Client certificate verification type and depth. Types are
    #   none, optional, require and optional_no_ca. Depth is a
    #   number which specifies how deeply to verify the certificate
    #   issuer chain before deciding the certificate is not valid.
    SSLVerifyClient require
    SSLVerifyDepth 10
    #   Access Control:
    #   With SSLRequire you can do per-directory access control based
    #   on arbitrary complex boolean expressions containing server
    #   variable checks and other lookup directives. The syntax is a
    #   mixture between C and Perl. See the mod_ssl documentation
    #   for more details.
    #<Location />
    #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
    #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
    #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    #</Location>
    #   SSL Engine Options:
    #   Set various options for the SSL engine.
    #   o FakeBasicAuth:
    #     Translate the client X.509 into a Basic Authorisation. This means that
    #     the standard Auth/DBMAuth methods can be used for access control. The
    #     user name is the `one line' version of the client's X.509 certificate.
    #     Note that no password is obtained from the user. Every entry in the user
    #     file needs this password: `xxj31ZMTZzkVA'.
    #   o ExportCertData:
    #     This exports two additional environment variables: SSL_CLIENT_CERT and
    #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
    #     server (always existing) and the client (only existing when client
    #     authentication is used). This can be used to import the certificates
    #     into CGI scripts.
    #   o StdEnvVars:
    #     This exports the standard SSL/TLS related `SSL_*' environment variables.
    #     Per default this exportation is switched off for performance reasons,
    #     because the extraction step is an expensive operation and is usually
    #     useless for serving static content. So one usually enables the
    #     exportation for CGI and SSI requests only.
    #   o StrictRequire:
    #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
    #     under a "Satisfy any" situation, i.e. when it applies access is denied
    #     and no other module can change it.
    #   o OptRenegotiate:
    #     This enables optimized SSL connection renegotiation handling when SSL
    #     directives are used in per-directory context.
    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    #   SSL Protocol Adjustments:
    #   The safe and default but still SSL/TLS standard compliant shutdown
    #   approach is that mod_ssl sends the close notify alert but doesn't wait for
    #   the close notify alert from client. When you need a different shutdown
    #   approach you can use one of the following variables:
    #   o ssl-unclean-shutdown:
    #     This forces an unclean shutdown when the connection is closed, i.e. no
    #     SSL close notify alert is send or allowed to received. This violates
    #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
    #     this when you receive I/O errors because of the standard approach where
    #     mod_ssl sends the close notify alert.
    #   o ssl-accurate-shutdown:
    #     This forces an accurate shutdown when the connection is closed, i.e. a
    #     SSL close notify alert is send and mod_ssl waits for the close notify
    #     alert of the client. This is 100% SSL/TLS standard compliant, but in
    #     practice often causes hanging connections with brain-dead browsers. Use
    #     this only for browsers where you know that their SSL implementation
    #     works correctly.
    #   Notice: Most problems of broken clients are also related to the HTTP
    #   keep-alive facility, so you usually additionally want to disable
    #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
    #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
    #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
    #   "force-response-1.0" for this.
    BrowserMatch ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    #   Per-Server Logging:
    #   The home of a custom SSL log file. Use this when you want a
    #   compact non-error SSL logfile on a virtual host basis.
    CustomLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_request_log" \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

    3) Remove the passphrase from the private key www.your.com.key;

    This step is only needed for Win32 Apache.

    Apache on Linux prompts for the server certificate's private key passphrase at startup; Win32 Apache has no such facility, so the passphrase must be removed from the private key.

    openssl rsa -in c:/ca/keys/www.your.com.key -out c:/ca/keys/www.your.com1.key
    ** Enter the passphrase of lny.your.com's private key.

    4) Copy the certificate files;

    Move c:/ca/keys/www.your.com1.key to conf/server.key.

    Copy c:/ca/certs/www.your.com.crt to conf/server.crt.

    Merge the content of c:/ca/certs/CA.YOUR.COM.crt and c:/ca/certs/CA.COM.crt from the BEGIN CERTIFICATE line onward into a PEM-format chain file and copy it to conf/ca.crt. If you have a P7B chain file, the following command converts it into a PEM chain file:

    openssl pkcs7 -in c:/ca/your.p7b -out ca.crt -print_certs

    Copy c:/ca/crl/your.crl to conf/ca.crl.
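The manual copy-and-append in step 3 of the personal certificate and in step 4 above is easy to get wrong: the text dump that openssl ca writes above the PEM block gets copied too, or the files end up in the wrong order. As an added example that is not part of the article, the following Python keeps only the PEM blocks and checks leaf-to-root order using the Subject/Issuer lines of that text dump; ROOT_CRT, INTERMEDIATE_CRT and SERVER_CRT are constructed stand-ins with placeholder bodies, not real certificates.

```python
"""Build a PEM chain file the way the article does by hand (everything from the
BEGIN CERTIFICATE line onward, leaf first, root last) and check the order with
the Subject:/Issuer: lines `openssl ca` prints above the PEM block.
Added example, not code from the original article."""
import re
from typing import List, Optional, Tuple

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\r?\n.*?-----END CERTIFICATE-----", re.S)
NAME_LINE = re.compile(r"^\s*(Subject|Issuer):\s*(.+?)\s*$", re.M)

# Constructed stand-ins for the article's .crt files: the text dump `openssl ca`
# writes before the PEM block, then a placeholder body (not a real certificate).
ROOT_CRT = """Certificate:
    Data:
        Issuer: C=CN, ST=BeiJing, O=COM, OU=COM, CN=CA.COM
        Subject: C=CN, ST=BeiJing, O=COM, OU=COM, CN=CA.COM
-----BEGIN CERTIFICATE-----
ROOTPLACEHOLDER=
-----END CERTIFICATE-----
"""
INTERMEDIATE_CRT = """Certificate:
    Data:
        Issuer: C=CN, ST=BeiJing, O=COM, OU=COM, CN=CA.COM
        Subject: C=CN, ST=BeiJing, O=COM, OU=YOUR, CN=CA.YOUR.COM
-----BEGIN CERTIFICATE-----
INTERMEDIATEPLACEHOLDER=
-----END CERTIFICATE-----
"""
SERVER_CRT = """Certificate:
    Data:
        Issuer: C=CN, ST=BeiJing, O=COM, OU=YOUR, CN=CA.YOUR.COM
        Subject: C=CN, ST=BeiJing, O=COM, OU=YOUR, CN=www.your.com
-----BEGIN CERTIFICATE-----
SERVERPLACEHOLDER=
-----END CERTIFICATE-----
"""


def pem_blocks(text: str) -> List[str]:
    """Return only the PEM certificate block(s) in `text`, dropping the
    human-readable dump and normalising CRLF so the chain file is clean."""
    return [m.group(0).replace("\r\n", "\n") for m in PEM_CERT.finditer(text)]


def names(text: str) -> Tuple[Optional[str], Optional[str]]:
    """(subject, issuer) taken from the text dump, or (None, None) when the
    file has no dump (for example output of `openssl x509 -req`)."""
    found = {m.group(1): m.group(2) for m in NAME_LINE.finditer(text)}
    return found.get("Subject"), found.get("Issuer")


def build_chain(*docs: str) -> str:
    """Concatenate the PEM blocks of `docs`, which must be ordered leaf ->
    intermediate -> root (for Apache's ca.crt: intermediate -> root).  When
    adjacent files both carry a text dump, each certificate's Issuer must equal
    the next certificate's Subject, otherwise the order is wrong."""
    if not docs:
        raise ValueError("no certificate files given")
    blocks: List[str] = []
    for i, doc in enumerate(docs):
        found = pem_blocks(doc)
        if not found:
            raise ValueError(f"document {i} contains no PEM certificate")
        if i + 1 < len(docs):
            _, issuer = names(doc)
            next_subject, _ = names(docs[i + 1])
            if issuer and next_subject and issuer != next_subject:
                raise ValueError(f"document {i} was issued by '{issuer}' but document "
                                 f"{i + 1} is '{next_subject}': chain order is wrong")
        blocks.extend(found)
    return "\n".join(blocks) + "\n"


def chain_length(chain: str) -> int:
    return len(pem_blocks(chain))


if __name__ == "__main__":
    # my.crt with its chain (article step 3) and Apache's ca.crt (step 4 above)
    print(build_chain(SERVER_CRT, INTERMEDIATE_CRT, ROOT_CRT))
    print(chain_length(build_chain(INTERMEDIATE_CRT, ROOT_CRT)))
```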

    4       Test

    1) Edit the client's hosts file and add the server's domain name;

    192.168.100.1   www.your.com

    2) Copy and install the personal certificates lny.pfx and lny1.pfx;

    3) Open https://www.your.com in Internet Explorer and choose the my@your.cn certificate in the certificate selection dialog; the connection should succeed and the page below should be displayed (screenshot not reproduced here).

     

    4) Open https://www.your.com in Internet Explorer and choose the my1 certificate in the certificate selection dialog; the following error dialog should appear (screenshot not reproduced here).

     

    5       Other certificate management

    Extract the private key from a personal certificate

    openssl pkcs12 -in c:/ca/certs/my.pfx -out my.key -nocerts
    ** Enter the personal certificate's passphrase;
    ** Choose a passphrase for the extracted private key.

    Extract the certificate from a personal certificate

    openssl pkcs12 -in c:/ca/certs/my.pfx -out my.crt -nokeys
    ** Enter the personal certificate's passphrase.
  • Installing an SSL certificate (https) on an Apache server

    Read 1000+ times, 2020-02-09 10:19:22

    Installing an SSL certificate (https) on an Apache server, 2020-2-9

    1. Prepare the certificate

    (Tencent Cloud is used as the example; the domain is www.cloud.com)
    1> Apply in the SSL certificate management console and fill in the basic information (leave the key blank)
    2> Download the certificate: a zip archive named after the domain. Unzip it and in the Apache folder find:
    1_root_bundle.crt    certificate file
    2_www.cloud.com.crt  certificate file
    3_www.cloud.com.key  private key file

    2. Transfer the certificate (WinSCP recommended)

    1> If the /etc/httpd/ssl directory does not exist, create it with

    mkdir /etc/httpd/ssl

    and then go to step 2.
    2> Once the /etc/httpd/ssl directory exists, copy the 1_root_bundle.crt certificate file, the 2_www.cloud.com.crt certificate file and the 3_www.domain.com.key private key file from the local directory into it.

    3. Modify the Apache configuration

    1> /etc/httpd/conf/httpd.conf
    Find the Include conf.modules.d/*.conf statement (it loads the directory holding the SSL configuration) and make sure it is not commented out. If it is, remove the leading comment character (#) and save the file; if the statement is missing, add it.
    2> /etc/httpd/conf.modules.d
    If there is no 00-ssl.conf, run

    yum install mod_ssl

    and then continue with the next step.
    If 00-ssl.conf exists, find the LoadModule ssl_module modules/mod_ssl.so statement (it loads the SSL module) and make sure it is not commented out; if it is, remove the leading comment character (#) and save the file.
    3> /etc/httpd/conf.d
    Edit the ssl.conf configuration file in this directory:

    <VirtualHost 0.0.0.0:443>
         #网页根目录
         DocumentRoot "/var/www/html" 
         #填写证书名称
         ServerName www.cloud.com 
         #启用 SSL 功能
         SSLEngine on 
         #证书文件的路径
         SSLCertificateFile /etc/httpd/ssl/2_www.cloud.com.crt 
         #私钥文件的路径
         SSLCertificateKeyFile /etc/httpd/ssl/3_www.cloud.com.key 
         #证书链文件的路径
         SSLCertificateChainFile /etc/httpd/ssl/1_root_bundle.crt 
    </VirtualHost>
    

    4、重启Apache

    systemctl restart httpd.service

    5、http强转到https(自选)

    1>/etc/httpd/conf/httpd.conf
    请确认该配置文件是否存在LoadModule rewrite_module modules/mod_rewrite.so。
    存在,请去掉LoadModule rewrite_module modules/mod_rewrite.so前面的注释符号(#)号。
    不存在,加上。
    在最后加上:

    <Directory "/var/www/cloud/public">  
    //  /var/www/cloud/public->是网站根目录
    Options FollowSymLinks MultiViews Includes
    AllowOverride All
    Require all granted 
    </Directory>
    

    2>/etc/httpd/conf.modules.d
    新建00-rewrite.conf添加

    LoadModule rewrite_module modules/mod_rewrite.so

    3>/var/www/cloud/public/.htaccess

    RewriteEngine On
    RewriteBase /             
    RewriteCond %{SERVER_PORT} !^443$    
    RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]   
    

    4>重启Apache服务器

    systemctl restart httpd.service
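Before either restart, a practitioner wants to know that the three SSL directives in ssl.conf point at files httpd can read and that the copied private key is not world-readable (WinSCP copies it with default permissions). The following POSIX shell script is an added example, not the article's own code: it reads the directives out of a vhost file like the one above and reports what would make the restart fail or leak the key. The configuration and "certificate" files it uses are constructed placeholders in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the original article: before restarting httpd, read the
# SSL directives out of a vhost file such as /etc/httpd/conf.d/ssl.conf and check that
# every referenced file exists and that the private key is readable by root only.
# The config and "certificate" files below are constructed placeholders in a temp dir.
# Print the argument of the first matching directive, with surrounding quotes stripped.
ssl_directive() {
    awk -v d="$2" '$1 == d { gsub(/"/, "", $2); print $2; exit }' "$1"
}
# Report each problem on stderr; print the problem count on stdout (0 = safe to restart).
check_ssl_vhost() {
    conf=$1; problems=0
    for d in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
        path=$(ssl_directive "$conf" "$d")
        if [ -z "$path" ]; then
            echo "$d is not set in $conf" >&2; problems=$((problems + 1))
        elif [ ! -r "$path" ]; then
            echo "$d: $path is missing or unreadable" >&2; problems=$((problems + 1))
        fi
    done
    key=$(ssl_directive "$conf" SSLCertificateKeyFile)
    if [ -f "$key" ]; then
        # httpd opens the key as root at startup, so group/other need no access (600 or 400).
        mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
        case "$mode" in
            *00) ;;
            *) echo "$key has mode $mode, expected 600 or 400" >&2; problems=$((problems + 1)) ;;
        esac
    fi
    echo "$problems"
}
# Demo: the page's ssl.conf rewritten against placeholder files.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
for f in 1_root_bundle.crt 2_www.cloud.com.crt 3_www.cloud.com.key; do
    echo "placeholder, not a real PEM file" > "$tmp/$f"
done
chmod 644 "$tmp/3_www.cloud.com.key"   # the common mistake: key copied over with default mode
cat > "$tmp/ssl.conf" <<EOF
<VirtualHost 0.0.0.0:443>
     ServerName www.cloud.com
     SSLEngine on
     SSLCertificateFile $tmp/2_www.cloud.com.crt
     SSLCertificateKeyFile $tmp/3_www.cloud.com.key
     SSLCertificateChainFile $tmp/1_root_bundle.crt
</VirtualHost>
EOF
echo "problems before chmod 600: $(check_ssl_vhost "$tmp/ssl.conf")"   # 1
chmod 600 "$tmp/3_www.cloud.com.key"
echo "problems after chmod 600:  $(check_ssl_vhost "$tmp/ssl.conf")"   # 0
```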

    In the previous article on building a Postfix mail server on CentOS 7 we did not configure SSL; this article covers the SSL configuration of a CentOS 7 mail server.

    1. Create the SSL certificate

    [root@www ~]# cd /etc/pki/tls/certs
    [root@www certs]# make server.key
    umask 77 ; \
    /usr/bin/openssl genrsa -aes128 2048 > server.key
    Generating RSA private key, 2048 bit long modulus
    ......................................................++++++
    .............++++++
    e is 65537 (0x10001)
    Enter pass phrase:# set passphrase
    Verifying - Enter pass phrase:# confirm

    # remove passphrase from private key
    [root@www certs]# openssl rsa -in server.key -out server.key
    Enter pass phrase for server.key:# input passphrase
    writing RSA key
    [root@www certs]#
    [root@www certs]# make server.csr
    umask 77 ; \
    /usr/bin/openssl req -utf8 -new -key server.key -out server.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:JP
    # country
    State or Province Name (full name) [e]:Hiroshima
    # state
    Locality Name (eg, city) [Default City]:Hiroshima
    # city
    Organization Name (eg, company) [Default Company Ltd]:GTS
    # company
    Organizational Unit Name (eg, section) []:Server World
    # department
    Common Name (eg, your server's hostname) []:www.srv.world
    # server's FQDN
    Email Address []:xxx@srv.world
    # email address

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:# Enter
    An optional company name []:# Enter
    [root@www certs]#
    [root@www certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
    Signature ok
    subject=/C=JP/ST=Hiroshima/L=Hiroshima/O=GTS/OU=Server World/CN=www.srv.world/emailAddress=xxx@srv.world
    Getting Private key
    [root@www certs]# chmod 400 server.*

    2. Configure Postfix and Dovecot

    [root@mail ~]# vim /etc/postfix/main.cf
    # append at the end
    smtpd_use_tls = yes
    smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
    smtpd_tls_key_file = /etc/pki/tls/certs/server.key
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_tls_loglevel = 0
    smtpd_tls_auth_only = yes

    [root@mail ~]# vim /etc/postfix/master.cf
    # lines 17-18: uncomment
    smtps       inet   n       -       n       -       -       smtpd
      -o smtpd_tls_wrappermode=yes

    [root@mail ~]# vim /etc/dovecot/conf.d/10-ssl.conf
    # line 6: uncomment
    ssl = yes
    # lines 12-13: point at the certificate
    ssl_cert = </etc/pki/tls/certs/server.crt
    ssl_key = </etc/pki/tls/certs/server.key

    # open the SSL ports (SMTP uses 465, POP3 uses 995, IMAP uses 993)
    firewall-cmd --add-port={465/tcp,995/tcp,993/tcp} --permanent
    firewall-cmd --reload
    # restart postfix
    [root@mail ~]# systemctl restart postfix
    Shutting down postfix: [ OK ]
    Starting postfix: [ OK ]
    # restart dovecot
    [root@mail ~]# systemctl restart dovecot
    Stopping Dovecot Imap: [ OK ]
    Starting Dovecot Imap: [ OK ]

    3. Log in using SSL

    Once this is configured, we can tick SSL in a mail client such as Foxmail.

    With that, SSL is configured.

    Reposted from: https://www.cnblogs.com/operationhome/p/9084446.html
  • Server SSL/TLS quick-check tool TLSSLed

    SSL and TLS are now widely used to encrypt server traffic, for example a website's HTTPS service, so being able to check a server's SSL and TLS configuration quickly for security weaknesses during a penetration test matters.
    Kali Linux provides the dedicated check tool TLSSLed. It is a script built on sslscan and is very simple to use: it runs every check in one pass and produces a detailed log file. It can detect the supported protocol versions, null and weak ciphers, and strong ciphers.
  • Installing and configuring an SSL certificate on a Windows server

    10,000+ reads  2016-03-23 14:55:34
    Steps for publishing an HTTPS site with IIS and configuring the SSL security service: generate a certificate signing request; obtain and install the intermediate CA certificate; install the server certificate and configure the binding. 1. Generate the certificate request: open the IIS console; on the Start menu, click All ...
  • Baidu Cloud server SSL (free application). Official address: SSL certificate application. That is everything on "Baidu Cloud server SSL (free application) - tutorial".
  • 2. Server SSL/TLS quick-check tool TLSSLed. SSL and TLS are now widely used to encrypt server traffic, for example a website's HTTPS service, so being able to check a server's SSL and TLS configuration quickly for security weaknesses during a penetration test matters. Kali Linux provides the dedicated ...
  • Installing an SSL certificate on a server

    1,000+ reads  2018-09-12 14:11:12
    I wanted to install an SSL certificate on my server; it took half a day of tinkering and a few pitfalls before it worked, so I am sharing the result. I downloaded the free certificate from GDCA at https://certmall.trustauth.cn/Free; it had problems too: browsers accept it, but phones still show a warning ...
  • Upload the SSL certificate into the cert folder, then change nginx.conf to that file's name. /usr/local/nginx/sbin/nginx -t checks that the nginx configuration is valid; /usr/local/nginx/sbin/nginx -s reload reloads the configuration. Done ~ ...
  • Linux server SSL certificate authentication

    1,000+ reads  2018-07-13 14:52:26
    Recently the company launched many projects and I set up several SSL certificates, so I am well practised. It is very simple, but the first time I had no idea where to start, so I am writing a tutorial. Step 1: open the Alibaba Cloud server management console, as shown. Step 2: as shown. Step 3: as shown [the first time ...
  • Handling "SSL received a weak ephemeral Diffie-Hellman key" from a server. When Firefox opens some HTTPS sites the connection may fail with an error such as: Secure connection failed. An error occurred during a connection to [URL]. In the server key exchange handshake message, SSL ...
  • Tomcat server SSL certificate deployment steps

    1,000+ reads  2017-07-06 12:52:58
    First obtain the SSL certificate and keystore file. On Tencent Cloud a free certificate can be requested, valid for a whole year. (The application process is not described again here; this article focuses on installing the certificate.) If a private key password was set when applying, the download can ...
  • 1. Download the SSL certificate files from Tencent Cloud. Open the Apache folder, which holds three files. 2. Install the SSL module: yum install mod_ssl openssl automatically generates the /etc/httpd/conf.d/ssl.conf file. 3. Edit the /etc/httpd/conf.d/ssl.conf file ...
  • Fixing an insecure SSL configuration on a server

    1,000+ reads  2018-05-20 12:51:09
    About the SSL POODLE vulnerability: POODLE = Padding Oracle On Downgraded Legacy Encryption, the codename of the security vulnerability CVE-2014-3566, commonly called the "poodle" vulnerability. It is a padding oracle attack against the CBC-mode ciphers of SSL 3.0 that lets ...
  • Mutual SSL authentication between client and server (Java-Java), with source code. (1) Technology: JSSE (Java Secure Socket Extension) is Sun's solution for secure data transfer over the Internet; it implements the SSL and TLS (Transport Layer Security) protocols. ...
  • I installed and configured the SSL certificate following Alibaba Cloud's tutorial, but HTTPS access never works while HTTP works fine. Below is the configuration of each port: connectionTimeout="20000" redirectPort="443" /> protocol="org.apache.coyote....
  • Error description: a wx.request data request works in the desktop developer tool but ... Edit ssl.conf: SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile are all required; an SSL certificate can be obtained free from StartSSL; after editing, restart Apache; Doc...
  • Mutual SSL authentication between client and server (client: Java, server: VC), with source code. (1) Server side: client.p12, server.p12 and ca.p12 have already been generated; this mainly implements the client side. (2) Directory structure. (3) Client code, main points: 1. I was previously stuck on PKCS...
  • JBoss server SSL certificate installation guide

    1,000+ reads  2015-12-28 17:04:32
    1. Obtain the server certificate: paste the server certificate content from the certificate issuance email, from BEGIN to END (including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"), into a text editor such as Notepad, change the file extension and save it as server....
  • Windows IIS server SSL digital certificate installation guide

    1,000+ reads  2018-04-23 17:18:51
    Once your SSL certificate has been issued, the issuer Comodo sends the digital certificate to your mailbox as an attachment. The attachment contains 4 certificate files; copy their contents into one text file in the order 1-2-3-4 and save it as a CRT file. Then convert the CRT file and the key file into ...
  • Mutual SSL authentication between client and server (client: Android, server: VC), with source code. (1) Server side: client.p12, server.p12 and ca.p12 have already been generated; this mainly implements the client side. (2) Directory structure. (3) Client notes: 1. When generating the BKS ...