Programming with the OpenSSL API - bw_0927 - 博客园
Design principles of the TLS 1.2 protocol - 杰哥很忙 - 博客园
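OpenSSL is the best-known open library for secure communication. GnuTLS supports only TLS 1.0 and SSL 3.0. Mozilla NSS is larger than OpenSSL and needs external libraries, whereas OpenSSL is self-contained. The core library, written in the C programming language, implements basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available, for example Python. OpenSSL also has a command-line tool, openssl, which can do quite a lot without writing any program, for example: openssl list -cipher-algorithms. This is like ffmpeg, which can be used from the command line or called as a library.
OpenSSL's focus is its wide range of cryptographic algorithms, but it can also send and receive network data, for example: SSL_read(ssl, buffer, MAXBUF); SSL_write(ssl, buf, strlen(buf)); However, you have to call socket, bind, listen, accept, connect and so on yourself, and use SSL_set_fd(ssl, sockfd); to tell OpenSSL which socket to use for sending and receiving. It should be usable together with epoll(), libevent and the like: call SSL_read() once the socket is found to be readable. TLS runs "on top of some reliable transport protocol (e.g., TCP)."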
Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols are widely used in applications such as email, instant messaging, and voice over IP, but its use as the Security layer in HTTPS remains the most publicly visible.
Protocol  Published    Status
SSL 1.0   Unpublished
SSL 2.0   1995         Deprecated in 2011 (RFC 6176)
SSL 3.0   1996         Deprecated in 2015 (RFC 7568)
TLS 1.0   1999         Deprecated in 2020
TLS 1.1   2006         Deprecated in 2020
TLS 1.2   2008
TLS 1.3   2018
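"Deprecated" is not as scary as it sounds. It seems that:
1. The newer the version, the more encryption algorithms it supports and the stronger the encryption. Hackers are not after my little bank balance; what they sometimes think about is country A cracking something of country C.
2. Versions are backward compatible: the client and server negotiate a version that both can accept.
3. Certificates are common to all versions.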
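The two points above, that the application owns the socket and hands it to OpenSSL (SSL_set_fd, then SSL_read once the socket is readable) and that client and server negotiate a version both accept, shown as an added example that is not from the original post. It uses Python's ssl module, a wrapper over OpenSSL, instead of the C API; the helper names, the throwaway localhost certificate and the socket pair are constructed for the illustration, and the openssl command-line tool is assumed to be installed.

```python
import os, select, socket, ssl, subprocess, tempfile, threading

def make_contexts(client_max):
    """Server and client contexts sharing a throwaway self-signed certificate."""
    with tempfile.TemporaryDirectory() as d:
        key, crt = os.path.join(d, "key.pem"), os.path.join(d, "cert.pem")
        # Constructed test certificate, generated with the openssl command-line tool.
        subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                        "-keyout", key, "-out", crt, "-days", "1",
                        "-subj", "/CN=localhost",
                        "-addext", "subjectAltName=DNS:localhost"],
                       check=True, capture_output=True)
        server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse deprecated versions
        server.load_cert_chain(crt, key)
        client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies chain and hostname
        client.load_verify_locations(crt)                 # trust only the test cert
        client.maximum_version = client_max
    return server, client

def negotiate(client_max):
    """Handshake over a socket pair; return (negotiated version, echoed bytes)."""
    server_ctx, client_ctx = make_contexts(client_max)
    # The application creates the transport itself; wrap_socket() then hands the
    # descriptor to OpenSSL, which is the role SSL_set_fd() plays in the C API.
    a, b = socket.socketpair()

    def serve():
        with server_ctx.wrap_socket(b, server_side=True) as s:
            s.sendall(s.recv(1024))  # echo one message back

    t = threading.Thread(target=serve)
    t.start()
    with client_ctx.wrap_socket(a, server_hostname="localhost") as c:
        c.sendall(b"ping")
        select.select([c], [], [], 5)  # wait for readability, then read (SSL_read)
        data = c.recv(1024)
        version = c.version()
    t.join()
    return version, data

if __name__ == "__main__":
    for cap in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        print(cap.name, "->", negotiate(cap))
```

With a non-blocking socket under epoll, a readable descriptor does not guarantee a complete TLS record, so SSL_read() can still return SSL_ERROR_WANT_READ, and bytes already buffered inside OpenSSL (SSL_pending()) will not wake the poller.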
SSL and TLS certificates – What is the difference?
In recent years, SSL has become basically obsolete since TLS offers a higher level of security, but some people have gotten into the habit of referring to both protocols as SSL. You may have noticed that some resources refer to SSL certificates using the term TLS certificates. The common reason is that the general public is familiar with the "SSL" term and the leading Certificate Authorities, such as DigiCert, GeoTrust, RapidSSL, along with major software providers, like OpenSSL, kept the "SSL" name for their products. The public simply got used to it and changing the name may cause confusion. In conclusion, there are three key things to remember:
1) The SSL protocol is now the TLS protocol, but it keeps the old name.
2) The SSL protocol is no longer in use. Only old servers and systems may still support it.
3) You don't have to worry about making any updates because all the SSL certificates are compatible with the latest TLS versions.
In cryptography, X.509 is a standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols. They are also used in offline applications, like electronic signatures. An X.509 certificate contains a public key and an identity (a hostname, or an organization, or an individual), and is either signed by a certificate authority or self-signed. When a certificate is signed by a trusted certificate authority, or validated by other means, someone holding that certificate can rely on the public key it contains to establish secure communications with another party, or validate documents digitally signed by the corresponding private key. X.509 is defined by the International Telecommunication Union.
Netscape developed the original SSL protocols, and Taher Elgamal, chief scientist at Netscape Communications from 1995 to 1998, has been described as the "father of SSL".
Google Chrome set TLS 1.3 as the default version for a short time in 2017. It then removed it as the default, due to incompatible middleboxes such as Blue Coat web proxies.
HTTP Strict Transport Security is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers should automatically interact with it using only HTTPS connections, which provide Transport Layer Security, unlike the insecure HTTP used alone. HSTS is an IETF standards track protocol and is specified in RFC 6797.
What Is a Man-in-the-Middle Attack and How Can It Be Prevented | UpGuard