Skip to main content

SSL

Tips#

# 显示证书openssl s_client -showcerts -connect wener.me:443# SNIopenssl s_client -showcerts -servername wener.me -connect 104.28.26.88:443
# 截取证书部分echo "" | openssl s_client -connect dm-101.data.aliyun.com:443 -prexit 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p'
cert_fetch(){  mkdir -p ~/.cert/$1;cd ~/.cert/$1;  echo "" | openssl s_client -connect $1:443 -prexit 2>/dev/null | \    sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > $1.pem}
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinningopenssl s_client -servername www.example.com -connect www.example.com:443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
# 下载 crtopenssl x509 -in <(openssl s_client -connect example.com:443 -prexit 2>/dev/null) -out example.crt# 导入 crtsudo keytool -importcert -file example.crt -alias example -keystore $(/usr/libexec/java_home)/jre/lib/security/cacerts -storepass changeit# 导入 cerkeytool -importcert -file certificate.cer -keystore keystore.jks -alias "Alias"
# 生成 CSR# https://support.rackspace.com/how-to/generate-a-csr-with-openssl/# 生成 Keyopenssl genrsa -out wener.me.key 4096# 生成新的 CSRpenssl req -new -sha256 -key wener.me.key -out wener.me.csr# 然后提交 wener.me.csr 即可# 拿到分发的 x509 可生成 pem 以供 nginx 使用openssl x509 -in wener.me.x509 -out wener.me.pem -outform PEM# 查看证书信息openssl x509 -in wener.me.pem -text -noout
# Let's Encrypt certbotbrew install certbotcertbot certonly --standalone --preferred-challenges tls-sni -d example.com --staple-ocsp -m [email protected] --agree-tos --work-dir . --config-dir ./config --logs-dir ./logs

Convert#

https://stackoverflow.com/q/13732826/1870054

CA#

CFSSL#

# 安装go get -u github.com/cloudflare/cfssl/cmd/...

FAQ#

SSL/TLS mutual authentication#

  • 客户端和服务端同时验证证书, 因此要求客户端配置 cert 和 key
  • Golang ClientAuthType
    • NoClientCert
    • RequestClientCert
    • RequireAnyClientCert
    • VerifyClientCertIfGiven
    • RequireAndVerifyClientCert

Revoke#

[ server_cert ]# 在服务配置中指定 crlcrlDistributionPoints = URI:http://example.com/intermediate.crl.pem
# 生成 CLRopenssl ca -config intermediate/openssl.cnf \      -gencrl -out intermediate/crl/intermediate.crl.pem# 检查 crl 中的内容openssl crl -in intermediate/crl/intermediate.crl.pem -noout -text

crl.pem

R 160420124740Z 150411125310Z 1001 unknown ... /[email protected]

Java 启动时 ssl 相关参数#

http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#Debug

java -Djavax.net.debug=all -Djavax.net.ssl.trustStore=trustStore ...
  • debug 参数
    • all turn on all debugging
    • ssl turn on ssl debugging
  • ssl 相关参数
record       enable per-record tracinghandshake    print each handshake messagekeygen       print key generation datasession      print session activitydefaultctx   print default SSL initializationsslctx       print SSLContext tracingsessioncache print session cache tracingkeymanager   print key manager tracingtrustmanager print trust manager tracingpluggability print pluggability tracing
handshake debugging can be widened with:data         hex dump of each handshake messageverbose      verbose handshake message printing
record debugging can be widened with:plaintext    hex dump of record plaintextpacket       print raw SSL/TLS packets

Server Cert vs Client Cert#

  • https://stackoverflow.com/q/24752105/1870054
  • Server
    • Signing
      • 证书中的秘钥能用于标识 CN 中说明的服务, 实体认证
    • Key Encipherment
      • 证书中的秘钥可以用于加密从会话中衍生的会话秘钥(对等秘钥)
  • Client
    • Signing