Skip to main content

SSL

Tips

# 显示证书
openssl s_client -showcerts -connect wener.me:443
# SNI
openssl s_client -showcerts -servername wener.me -connect 104.28.26.88:443

# 截取证书部分
echo "" | openssl s_client -connect dm-101.data.aliyun.com:443 -prexit 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p'

cert_fetch(){
mkdir -p ~/.cert/$1;cd ~/.cert/$1;
echo "" | openssl s_client -connect $1:443 -prexit 2>/dev/null | \
sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > $1.pem
}

# https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
openssl s_client -servername www.example.com -connect www.example.com:443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

# 下载 crt
openssl x509 -in <(openssl s_client -connect example.com:443 -prexit 2>/dev/null) -out example.crt
# 导入 crt
sudo keytool -importcert -file example.crt -alias example -keystore $(/usr/libexec/java_home)/jre/lib/security/cacerts -storepass changeit
# 导入 cer
keytool -importcert -file certificate.cer -keystore keystore.jks -alias "Alias"

# 生成 CSR
# https://support.rackspace.com/how-to/generate-a-csr-with-openssl/
# 生成 Key
openssl genrsa -out wener.me.key 4096
# 生成新的 CSR
penssl req -new -sha256 -key wener.me.key -out wener.me.csr
# 然后提交 wener.me.csr 即可
# 拿到分发的 x509 可生成 pem 以供 nginx 使用
openssl x509 -in wener.me.x509 -out wener.me.pem -outform PEM
# 查看证书信息
openssl x509 -in wener.me.pem -text -noout

# Let's Encrypt certbot
brew install certbot
certbot certonly --standalone --preferred-challenges tls-sni -d example.com --staple-ocsp -m [email protected] --agree-tos --work-dir . --config-dir ./config --logs-dir ./logs

Convert

https://stackoverflow.com/q/13732826/1870054

CA

CFSSL

# 安装
go get -u github.com/cloudflare/cfssl/cmd/...

FAQ

SSL/TLS mutual authentication

  • 客户端和服务端同时验证证书, 因此要求客户端配置 cert 和 key
  • Golang ClientAuthType
    • NoClientCert
    • RequestClientCert
    • RequireAnyClientCert
    • VerifyClientCertIfGiven
    • RequireAndVerifyClientCert

Revoke

[ server_cert ]
# 在服务配置中指定 crl
crlDistributionPoints = URI:http://example.com/intermediate.crl.pem
# 生成 CLR
openssl ca -config intermediate/openssl.cnf \
-gencrl -out intermediate/crl/intermediate.crl.pem
# 检查 crl 中的内容
openssl crl -in intermediate/crl/intermediate.crl.pem -noout -text

crl.pem

R 160420124740Z 150411125310Z 1001 unknown ... /[email protected]

Java 启动时 ssl 相关参数

http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#Debug

java -Djavax.net.debug=all -Djavax.net.ssl.trustStore=trustStore ...
  • debug 参数
    • all turn on all debugging
    • ssl turn on ssl debugging
  • ssl 相关参数
record       enable per-record tracing
handshake print each handshake message
keygen print key generation data
session print session activity
defaultctx print default SSL initialization
sslctx print SSLContext tracing
sessioncache print session cache tracing
keymanager print key manager tracing
trustmanager print trust manager tracing
pluggability print pluggability tracing

handshake debugging can be widened with:
data hex dump of each handshake message
verbose verbose handshake message printing

record debugging can be widened with:
plaintext hex dump of record plaintext
packet print raw SSL/TLS packets

Server Cert vs Client Cert

  • https://stackoverflow.com/q/24752105/1870054
  • Server
    • Signing
      • 证书中的秘钥能用于标识 CN 中说明的服务, 实体认证
    • Key Encipherment
      • 证书中的秘钥可以用于加密从会话中衍生的会话秘钥(对等秘钥)
  • Client
    • Signing