| 版本 | 作者 | 日期 | 备注 |
|---|---|---|---|
| 0.1 | loon | 2019.4.1 | 初稿 |
首先,理解一下证书的类型:
以上所有证书都可以自己生成。
linux系统是不以后缀名来判断文件类型的,但是为了我们能够更好地判断文件用途,所以添加各种后缀。以下是约定成俗的后缀。
openssl genrsa -des3 -out server.key 1024
输入加密密码,用 128 位 rsa 算法生成密钥,得到 server.key 文件。
openssl req -new -key server.key -out server.csr
CSR( Certificate Signing Request)是一个证书签名请求,在申请证书之前,首先要在服务器上生成 CSR ,并将其提交给 CA 认证中心, CA 才能签发 SSL 服务器证书。也可以认为, CSR 就是一个在服务器上生成的证书。
在生成这个文件的过程中,有一点需要特别注意,Common Name 填入主机名(或者服务器IP)。
如果不使用 CA 证书签名的话,用如下方式生成:
openssl req -x509 -days 1024 -key server.key -in server.csr > server.crt
用服务器密钥和证书请求生成证书 server.crt , -days 参数指明证书有效期,单位为天。商业上来说,服务器证书是由通过第三方机构颁发的,该证书由第三方认证机构颁发的。
如果使用 CA 证书签名,用 openssl 提供的工具 CA.sh 生成服务器证书:
mv server.csr newreq.pem
./CA.sh -sign
mv newcert.pem server.crt
签名证书后,可通过如下命令可查看服务器证书的内容:
openssl x509 -noout -text -in server.crt
可通过如下命令验证服务器证书:
openssl verify -CAfile ca.crt server.crt
客户证书是可选的。如果有客户证书,就是双向认证 HTTPS ,否则就是单向认证 HTTPS 。
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.crt
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
如果使用双向认证,就会有三个私钥和三个证书。分别是 ca.key, ca.crt, server.key, server.crt, client.key, client.crt ,以及给浏览器的 client.pfx 。
如果使用有 CA 证书的单向认证,证书和私钥就是 ca.key, ca.crt, server.key, server.crt 。
如果使用无 CA 证书的单向认证,证书和私钥就是 server.key, server.crt。
这里采用mongoose库自带的RESTAPI的https server例子,我们只需要开启ssl即可(需要修改宏):
#include "mongoose.h"
static const char *s_http_port = "9001";
static struct mg_serve_http_opts s_http_server_opts;
static void handle_sum_call(struct mg_connection *nc, struct http_message *hm)
{
char n1[100], n2[100];
double result;
/* Get form variables */
mg_get_http_var(&hm->body, "n1", n1, sizeof(n1));
mg_get_http_var(&hm->body, "n2", n2, sizeof(n2));
/* Send headers */
mg_printf(nc, "%s", "HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n");
/* Compute the result and send it back as a JSON object */
result = strtod(n1, NULL) + strtod(n2, NULL);
mg_printf_http_chunk(nc, "{ \"result\": %lf }", result);
mg_send_http_chunk(nc, "", 0); /* Send empty chunk, the end of response */
}
static void ev_handler(struct mg_connection *nc, int ev, void *ev_data)
{
struct http_message *hm = (struct http_message *) ev_data;
switch (ev)
{
case MG_EV_HTTP_REQUEST:
if (mg_vcmp(&hm->uri, "/api/v1/sum") == 0)
{
handle_sum_call(nc, hm); /* Handle RESTful call */
}
else if (mg_vcmp(&hm->uri, "/printcontent") == 0)
{
char buf[100] = {0};
memcpy(buf, hm->body.p,
sizeof(buf) - 1 < hm->body.len ? sizeof(buf) - 1 : hm->body.len);
printf("%s\n", buf);
}
else
{
mg_serve_http(nc, hm, s_http_server_opts); /* Serve static content */
}
break;
default:
break;
}
}
int main(int argc, char *argv[])
{
struct mg_mgr mgr;
struct mg_connection *nc;
struct mg_bind_opts bind_opts;
int i;
char *cp;
const char *err_str;
#if MG_ENABLE_SSL
const char *ssl_cert = NULL;
const char *ssl_key = NULL;
#endif
mg_mgr_init(&mgr, NULL);
/* Use current binary directory as document root */
if (argc > 0 && ((cp = strrchr(argv[0], DIRSEP)) != NULL))
{
*cp = '\0';
s_http_server_opts.document_root = argv[0];
}
/* Process command line options to customize HTTP server */
for (i = 1; i < argc; i++)
{
if (strcmp(argv[i], "-D") == 0 && i + 1 < argc)
{
mgr.hexdump_file = argv[++i];
}
else if (strcmp(argv[i], "-d") == 0 && i + 1 < argc)
{
s_http_server_opts.document_root = argv[++i];
}
else if (strcmp(argv[i], "-p") == 0 && i + 1 < argc)
{
s_http_port = argv[++i];
}
else if (strcmp(argv[i], "-a") == 0 && i + 1 < argc)
{
s_http_server_opts.auth_domain = argv[++i];
}
else if (strcmp(argv[i], "-P") == 0 && i + 1 < argc)
{
s_http_server_opts.global_auth_file = argv[++i];
}
else if (strcmp(argv[i], "-A") == 0 && i + 1 < argc)
{
s_http_server_opts.per_directory_auth_file = argv[++i];
}
else if (strcmp(argv[i], "-r") == 0 && i + 1 < argc)
{
s_http_server_opts.url_rewrites = argv[++i];
#if MG_ENABLE_HTTP_CGI
}
else if (strcmp(argv[i], "-i") == 0 && i + 1 < argc)
{
s_http_server_opts.cgi_interpreter = argv[++i];
#endif
#if MG_ENABLE_SSL
}
else if (strcmp(argv[i], "-s") == 0 && i + 1 < argc)
{
ssl_cert = argv[++i];
ssl_key = argv[++i];
#endif
}
else
{
fprintf(stderr, "Unknown option: [%s]\n", argv[i]);
exit(1);
}
}
/* Set HTTP server options */
memset(&bind_opts, 0, sizeof(bind_opts));
bind_opts.error_string = &err_str;
#if MG_ENABLE_SSL
if (ssl_cert != NULL)
{
bind_opts.ssl_cert = ssl_cert;
bind_opts.ssl_key = ssl_key;
}
#endif
nc = mg_bind_opt(&mgr, s_http_port, ev_handler, bind_opts);
if (nc == NULL)
{
fprintf(stderr, "Error starting server on port %s: %s\n", s_http_port,
*bind_opts.error_string);
exit(1);
}
mg_set_protocol_http_websocket(nc);
s_http_server_opts.enable_directory_listing = "yes";
printf("Starting RESTful server on port %s, serving %s\n", s_http_port,
s_http_server_opts.document_root);
for (;;) {
mg_mgr_poll(&mgr, 1000);
}
mg_mgr_free(&mgr);
return 0;
}
├── build
├── CMakeLists.txt
├── https_server.c
├── mongoose.c
├── mongoose.h
├── server.crt
├── server.key
└── server.pem
1 directory, 7 files
cmake_minimum_required(VERSION 2.8)
project(https_server)
include_directories(
${PROJECT_SOURCE_DIR}
)
aux_source_directory(. DIR_SRCS)
add_executable(https_server ${DIR_SRCS})
target_link_libraries(https_server ssl crypto)
生成私钥:
zy@zy-virtual-machine:~/workdir$ openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..........................++++++
........++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
生成证书请求:
zy@zy-virtual-machine:~/workdir$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:shanghai
Locality Name (eg, city) []:shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:123
Organizational Unit Name (eg, section) []:123
Common Name (e.g. server FQDN or YOUR name) []:172.17.190.85
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234
An optional company name []:1234
自生成服务器证书:
zy@zy-virtual-machine:~/workdir$ openssl req -x509 -days 1024 -key server.key -in server.csr > server.crt
Enter pass phrase for server.key:
然后会生成server.crt server.csr server.key这三个文件。
之后查看和验证:
zy@zy-virtual-machine:~/workdir$ openssl x509 -noout -text -in server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 12517631415260529715 (0xadb78f736fdfc433)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=shanghai, L=shanghai, O=123, OU=123, CN=172.17.190.85
Validity
Not Before: Apr 1 08:04:45 2019 GMT
Not After : Jan 19 08:04:45 2022 GMT
Subject: C=CN, ST=shanghai, L=shanghai, O=123, OU=123, CN=172.17.190.85
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:b3:f0:3c:c6:f3:a3:b5:83:1d:4f:3d:6f:39:9d:
c2:39:0e:e9:c1:76:cf:63:f2:80:6c:7f:44:63:6a:
0f:80:61:c1:a0:77:99:93:f7:83:a0:32:ce:c0:54:
a2:d8:1c:a8:3e:2b:71:61:d7:e5:60:67:9a:af:3e:
23:0c:8b:da:6e:54:96:a6:d0:f2:9a:dd:80:4d:73:
00:8c:b8:2e:a3:ec:91:55:d4:4b:e9:dd:3b:3f:f2:
8b:a6:96:d6:70:ba:2a:50:dd:83:39:25:15:78:67:
d3:e2:dd:41:f0:4e:d6:6f:d1:d4:43:ed:46:9c:9b:
24:61:83:03:9f:82:00:7a:77
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
0D:BB:52:85:5A:F9:BA:D8:CC:42:7F:20:1C:C1:72:64:EF:96:87:9C
X509v3 Authority Key Identifier:
keyid:0D:BB:52:85:5A:F9:BA:D8:CC:42:7F:20:1C:C1:72:64:EF:96:87:9C
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
a9:d5:84:3d:aa:3d:11:6b:8c:00:d7:e3:9d:94:61:3b:4a:2e:
ee:c7:8a:a0:b3:0d:24:d2:cf:f4:6f:12:14:16:f2:b4:7b:60:
91:32:8a:f8:6d:8e:19:cc:d9:de:8f:7e:0d:e6:dd:26:c7:ec:
09:55:f2:44:5a:87:dc:fc:64:b1:89:b4:8c:97:d9:e2:9c:d3:
e1:0d:35:6f:ba:22:7e:a9:ff:2f:d7:bf:45:bf:a8:ef:19:c3:
9c:16:13:6e:92:5d:b4:54:ca:b9:b4:8a:06:4f:73:6e:7a:0b:
37:0b:67:b9:cb:fe:55:f9:c8:07:56:35:67:f9:99:3f:7d:1b:
29:60
zy@zy-virtual-machine:~/workdir$ openssl verify server.crt
server.crt: C = CN, ST = shanghai, L = shanghai, O = 123, OU = 123, CN = 172.17.190.85
error 18 at 0 depth lookup:self signed certificate
OK
运行并使用curl进行连接:
./https_server "-s" "../server.crt" "../server.key"
Enter PEM pass phrase:
Starting RESTful server on port 9001, serving .
...
直接运行:
zy@zy-virtual-machine:~/workdir$ curl -v "https://172.17.190.85:9001"
* Rebuilt URL to: https://172.17.190.85:9001/
* Trying 172.17.190.85...
* Connected to 172.17.190.85 (172.17.190.85) port 9001 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 597 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection 0
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
可以看到由于我们没有使用CA证书,这里会报错,一个简单的解决方法就是加上-k关闭curl对证书的验证。(我们只是为了防止黑客进行数据获取所以加上证书的,我们只要确认这点就行了,只要开启了ssl/tsl,则抓包工具也无法轻易抓取数据了,http则通过抓包工具轻松可以抓到交互过程中的数据)
zy@zy-virtual-machine:~/workdir$ curl -v -k "https://172.17.190.85:9001"
* Rebuilt URL to: https://172.17.190.85:9001/
* Trying 172.17.190.85...
* Connected to 172.17.190.85 (172.17.190.85) port 9001 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 597 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: 172.17.190.85 (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=CN,ST=shanghai,L=shanghai,O=chuangmi,OU=123,CN=172.17.190.85
* start date: Mon, 01 Apr 2019 06:12:00 GMT
* expire date: Wed, 19 Jan 2022 06:12:00 GMT
* issuer: C=CN,ST=shanghai,L=shanghai,O=chuangmi,OU=123,CN=172.17.190.85
* compression: NULL
* ALPN, server did not agree to a protocol
> GET / HTTP/1.1
> Host: 172.17.190.85:9001
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: Mongoose/6.14
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=utf-8
<
<html><head><title>Index of /</title><script>function srt(tb, sc, so, d) {var tr = Array.prototype.slice.call(tb.rows, 0),tr = tr.sort(function (a, b) { var c1 = a.cells[sc], c2 = b.cells[sc],n1 = c1.getAttribute('name'), n2 = c2.getAttribute('name'), t1 = a.cells[2].getAttribute('name'), t2 = b.cells[2].getAttribute('name'); return so * (t1 < 0 && t2 >= 0 ? -1 : t2 < 0 && t1 >= 0 ? 1 : n1 ? parseInt(n2) - parseInt(n1) : c1.textContent.trim().localeCompare(c2.textContent.trim())); });for (var i = 0; i < tr.length; i++) tb.appendChild(tr[i]); if (!d) window.location.hash = ('sc=' + sc + '&so=' + so); };window.onload = function() {var tb = document.getElementById('tb');var m = /sc=([012]).so=(1|-1)/.exec(window.location.hash) || [0, 2, 1];var sc = m[1], so = m[2]; document.onclick = function(ev) { var c = ev.target.rel; if (c) {if (c == sc) so *= -1; srt(tb, c, so); sc = c; ev.preventDefault();}};srt(tb, sc, so, true);}</script><style>th,td {text-align: left; padding-right: 1em; font-family: monospace; }</style></head>
<body><h1>Index of /</h1>
<table cellpadding=0><thead><tr><th><a href=# rel=0>Name</a></th><th><a href=# rel=1>Modified</a</th><th><a href=# rel=2>Size</a></th></tr><tr><td colspan=3><hr></td></tr>
</thead>
<tbody id=tb><tr><td><a href="https_server">https_server</a></td><td>01-Apr-2019 16:15</td><td name=196264>191.7k</td></tr>
<tr><td><a href="CMakeFiles/">CMakeFiles/</a></td><td>01-Apr-2019 16:15</td><td name=-1>[DIRECTORY]</td></tr>
<tr><td><a href="Makefile">Makefile</a></td><td>01-Apr-2019 16:14</td><td name=5746>5.6k</td></tr>
<tr><td><a href="CMakeCache.txt">CMakeCache.txt</a></td><td>01-Apr-2019 16:14</td><td name=11609>11.3k</td></tr>
<tr><td><a href="cmake_install.cmake">cmake_install.cmake</a></td><td>01-Apr-2019 16:14</td><td name=1393>1.4k</td></tr>
</tbody><tr><td colspan=3><hr></td></tr>
</table>
<address>Mongoose/6.14</address>
* Connection #0 to host 172.17.190.85 left intact
</body></html>
直接连接后谷歌浏览器如下所示:
需要将我们的证书添加到受信任的根证书颁发机构中,否则会被浏览器阻止显示信息。
在这里如果不添加证书的话点击高级后如下:
我们可以直接访问,我们知道这个证书是我们自生成的,没有危险:
