[svc]cfssl模擬https站點-探究瀏覽器如何校驗證書


准備cfssl環境

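# Install the cfssl R1.2 toolchain into /usr/local/bin.
# Each binary is only marked executable if its download succeeded; the
# original "wget ...; chmod +x" sequence would leave an empty but executable
# file behind after a failed download. Nothing here pins the binaries --
# compare each file against the checksum published for the release before
# using it, e.g.
#   echo "<EXPECTED_SHA256 from the release page>  /usr/local/bin/cfssl" | sha256sum -c
for tool in cfssl cfssljson cfssl-certinfo; do
  wget "https://pkg.cfssl.org/R1.2/${tool}_linux-amd64" -O "/usr/local/bin/${tool}" \
    && chmod +x "/usr/local/bin/${tool}"
done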

生成ca證書

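# All key material lives in ~/keys. Chain the directory steps so that a
# failed cd cannot leave the files below being written into the wrong place.
cd ~ && mkdir -p keys && cd ~/keys || exit 1

# Signing policy used later with -profile=app. "expiry" here applies to the
# leaf certificates signed under this policy (8760h = 1 year); the CA's own
# lifetime is not taken from this file. The "app" profile also carries
# "client auth", which a server-only certificate does not need -- drop it if
# the certificate is never presented as a client.
# The delimiter is quoted so the shell does not expand anything in the JSON.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "app": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "8760h"
      }
    }
  }
}
EOF

# CSR for the self-signed root. -initca below does not read ca-config.json,
# so the CA certificate's validity falls back to cfssl's built-in default
# unless a "ca": {"expiry": "..."} field is added to this file.
cat > ca-csr.json <<'EOF'
{
  "CN": "k8s",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

# Produces ca.pem, ca-key.pem and ca.csr. ca-key.pem is the root of trust for
# every certificate in this experiment: keep it readable by root only.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
chmod 600 ca-key.pem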

生成server證書

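cd /root/keys || exit 1

# Server CSR. Every entry in "hosts" becomes a Subject Alternative Name
# (IP entries become IP SANs, the rest DNS SANs); this list, not the CN, is
# what the browser matches the address bar against.
cat > app-csr.json <<'EOF'
{
  "CN": "app",
  "hosts": [
    "127.0.0.1",
    "192.168.1.11",
    "app",
    "app.ma.com"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

# Sign with the CA under the "app" profile; writes app.pem, app-key.pem, app.csr.
cfssl gencert -ca=/root/keys/ca.pem \
  -ca-key=/root/keys/ca-key.pem \
  -config=/root/keys/ca-config.json \
  -profile=app app-csr.json | cfssljson -bare app
chmod 600 app-key.pem

# Inspect the result; the "X509v3 Subject Alternative Name" line should list
# exactly the "hosts" entries above.
openssl x509 -noout -text -in app.pem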

構建https webserver模擬測試

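cd /root/ || exit 1

# Minimal TLS test server. The delimiter is quoted so the shell writes the
# script verbatim.
cat > http-server.js <<'EOF'
const https = require('https');
const fs = require('fs');
const path = require('path');

// Resolve the key pair relative to this file rather than the current working
// directory, so the server can be started from anywhere, not only /root.
const keyDir = path.join(__dirname, 'keys');
const options = {
    key: fs.readFileSync(path.join(keyDir, 'app-key.pem')),
    cert: fs.readFileSync(path.join(keyDir, 'app.pem'))
};

// Any request gets a plain 200; the only thing under test is the certificate.
https.createServer(options, function (req, res) {
    res.writeHead(200);
    res.end('hello world');
}).listen(8000, function () {
    console.log('https server listening on port 8000');
});
EOF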

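yum install nodejs -y
# 'https' is a Node.js core module: require('https') never consults npm, so
# the former "npm install https -g" step was unnecessary and only fetched an
# unrelated package of the same name from the registry.
node http-server.js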

訪問服務端https://192.168.1.x:8000端口(域已添加本地hosts)

發現

opera瀏覽器

處理瀏覽器安全問題

1.導出ca.pem到win7,改名為ca.crt.

2.運行 certmgr.msc 打開證書管理器,將ca.crt匯入「受信任的根證書頒發機構」(瀏覽器只接受由其信任的CA所簽發的證書)

3.瀏覽器訪問8000端口(ctrl+shift+del清緩存)

opera瀏覽器

4.使用apps.ma.com訪問,也報錯

無SAN(Subject Alternative Name)-CN: app.ma.com-即使地址欄的域名和CN一樣也報錯

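cd /root/keys || exit 1
# Remove only the previous server key pair and CSR, not every file that
# happens to start with "app".
rm -f app.pem app-key.pem app.csr app-csr.json

# Experiment: no "hosts" field, so the certificate carries no Subject
# Alternative Name and only the CN names the host. (The note about dropping
# "hosts" lives here because a "#" comment inside the JSON would make cfssl
# reject the file.)
cat > app-csr.json <<'EOF'
{
  "CN": "app.ma.com",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=/root/keys/ca.pem \
  -ca-key=/root/keys/ca-key.pem \
  -config=/root/keys/ca-config.json \
  -profile=app app-csr.json | cfssljson -bare app
chmod 600 app-key.pem

# Expect no "X509v3 Subject Alternative Name" section in this output.
openssl x509 -noout -text -in app.pem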

無SAN(Subject Alternative Name)-CN: *.ma.com-即使地址欄的域名和CN一樣也報錯

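cd /root/keys || exit 1
# Remove only the previous server key pair and CSR.
rm -f app.pem app-key.pem app.csr app-csr.json

# Experiment: wildcard CN, still no "hosts" and therefore no SAN.
cat > app-csr.json <<'EOF'
{
  "CN": "*.ma.com",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=/root/keys/ca.pem \
  -ca-key=/root/keys/ca-key.pem \
  -config=/root/keys/ca-config.json \
  -profile=app app-csr.json | cfssljson -bare app
chmod 600 app-key.pem

# Expect no "X509v3 Subject Alternative Name" section in this output.
openssl x509 -noout -text -in app.pem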

SAN含app.ma.com(Subject Alternative Name)-CN: *.ma.com-僅app.ma.com域名可訪問

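cd /root/keys || exit 1
# Remove only the previous server key pair and CSR.
rm -f app.pem app-key.pem app.csr app-csr.json

# Experiment: wildcard CN plus a single DNS SAN. Only the SAN entry
# (app.ma.com) is expected to be accepted by the browser.
cat > app-csr.json <<'EOF'
{
  "CN": "*.ma.com",
  "hosts": [
    "app.ma.com"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=/root/keys/ca.pem \
  -ca-key=/root/keys/ca-key.pem \
  -config=/root/keys/ca-config.json \
  -profile=app app-csr.json | cfssljson -bare app
chmod 600 app-key.pem

# The SAN section should now list DNS:app.ma.com.
openssl x509 -noout -text -in app.pem
# Only start the server if we really are back in /root.
cd .. && node http-server.js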


SAN含*.ma.com(Subject Alternative Name)-CN: *.ma.com-可用任意*.ma.com子域來訪問

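cd /root/keys || exit 1
# Remove only the previous server key pair and CSR.
rm -f app.pem app-key.pem app.csr app-csr.json

# Experiment: wildcard in the SAN. Any single-label host under ma.com is
# expected to be accepted.
cat > app-csr.json <<'EOF'
{
  "CN": "*.ma.com",
  "hosts": [
    "*.ma.com"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=/root/keys/ca.pem \
  -ca-key=/root/keys/ca-key.pem \
  -config=/root/keys/ca-config.json \
  -profile=app app-csr.json | cfssljson -bare app
chmod 600 app-key.pem

# The SAN section should now list DNS:*.ma.com.
openssl x509 -noout -text -in app.pem
# Only start the server if we really are back in /root.
cd .. && node http-server.js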

查看互聯網上一些證書

  • 汽車之家的通用型(*)證書(而且一個證書對應了多個域名)

  • 谷歌的 www證書

wildcard和san兩種證書的區別

wildcard: 可變部分sub-domain:
*.maotai.com
www.maotai.com
bbs.maotai.com


san: 可變部分: subdomain和domain
subdomain
*.ma.com
*.ma.net
*.xx.net

注:一般通用型證書比www證書價格貴一半左右.

瀏覽器如何驗證證書

參考: http://www.cnblogs.com/iiiiher/p/8085698.html
當瀏覽器使用HTTPS連接到您的服務器時,他們會檢查以確保您的SSL證書與地址欄中的主機名稱匹配。

瀏覽器有三種找到匹配的方法:

  • 1.主機名(在地址欄中)與證書主題(Subject)中的通用名稱(Common Name)完全匹配。

  • 2.主機名稱與通配符通用名稱相匹配。例如,www.example.com匹配通用名稱*.example.com。

  • 3.主機名在證書的主題備用名稱(SAN: Subject Alternative Name)字段中被列出

  • 1.The host name (in the address bar) exactly matches the Common Name in the certificate's Subject.

  • 2.The host name matches a Wildcard Common Name. For example, www.example.com matches the common name *.example.com.

  • 3.The host name is listed in the Subject Alternative Name field.

參考

客戶端使用服務端返回的信息驗證服務器的合法性,包括:

    證書是否過期
    發行服務器證書的CA是否可靠
    返回的公鑰是否能正確解開返回證書中的數字簽名(嚴格來說,證書上的簽名是用簽發該證書的CA的公鑰來驗證,而不是服務器證書自身的公鑰)
    服務器證書上的域名是否和服務器的實際域名相匹配  -- 要核對CN或SAN,見上
    驗證通過后,將繼續進行通信,否則,終止通信

在哪里可以查看到san

參考: https://www.digicert.com/subject-alternative-name.htm

小結: 正因為訪問的域名在SAN列表中,所以訪問才能通過校驗;現代瀏覽器已不再用CN做主機名比對,只檢查SAN,這也是上面只設CN而無SAN時,即使地址欄域名和CN相同仍然報錯的原因.

