SSL雙向認證

雙向認證：

 

1. 客戶端向服務器發送消息，首先把消息用客戶端證書加密然后連同時把客戶端證書一起發送到服務器端，
2. 服務器接到消息后用首先用客戶端證書把消息解密，然后用服務器私鑰把消息加密，把服務器證書和消息一起發送到客戶端，
3. 客戶端用發來的服務器證書對消息進行解密，然后用服務器的證書對消息加密，然后在用客戶端的證書對消息在進行一次加密，連同加密消息和客戶端證書一起發送到服務器端，
4. 到服務器端首先用客戶端傳來的證書對消息進行解密，確保消息是這個客戶發來的，然后用服務器端的私鑰對消息在進行解密這個便得到了明文數據。

 

單向認證：

 

1. 客戶端向服務器發送消息，
2. 服務器接到消息后，用服務器端的密鑰庫中的私鑰對數據進行加密，然后把加密后的數據和服務器端的公鑰一起發送到客戶端，
3. 客戶端用服務器發送來的公鑰對數據解密，然后在用傳到客戶端的服務器公鑰對數據加密傳給服務器端，
4. 服務器用私鑰對數據進行解密，

這就完成了客戶端和服務器之間通信的安全問題，但是單向認證沒有驗證客戶端的合法性。

 

 

==========================

openssl在windows上的安裝

 

 

從此處下載openssl for windows

http://gnuwin32.sourceforge.net/packages/openssl.htm

解壓，並設置PATH環境變量指向其bin文件夾

下載openssl的配置文件http://www.securityfocus.com/data/tools/openssl.conf

並將其拷到一個文件夾下，以便用命令行指定，這里是c:/ssl/下

否則運行時會報Unable to load config info from /usr/local/ssl/openssl.cnf錯誤

=============================

 

 

以下安裝配置環境為linux，tomcat-5.5.30

 

 

一、建立目錄

 

 

cd /home
mkdir ssl
cd ssl
mkdir ca
mkdir client
mkdir server

 

 

創建一個證書的步驟： 

 

（1）生成系統私鑰

（2）生成待簽名證書

（3）生成x509證書, 用CA私鑰進行簽名

（4）導成瀏覽器支持的p12格式證書

 

二：生成CA證書

目前不使用第三方權威機構的CA來認證，自己充當CA的角色。 

1. 創建私鑰 ：

openssl genrsa -out ca/ca-key.pem 1024 

2.創建證書請求 ：

openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem

 

-----

Country Name (2 letter code) [AU]:cn

State or Province Name (full name) [Some-State]:bj

Locality Name (eg, city) []:bj

Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb

Organizational Unit Name (eg, section) []:tb

Common Name (eg, YOUR name) []:ca

Email Address []:ca@ca.com

 

 

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

 

3.自簽署證書 ：

openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650 

4.將證書導出成瀏覽器支持的.p12格式 ：

 

openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12 

密碼：123456

 

 

三.生成server證書

1.創建私鑰 ：

openssl genrsa -out server/server-key.pem 1024 

2.創建證書請求 ：

openssl req -new -out server/server-req.csr -key server/server-key.pem

-----

Country Name (2 letter code) [AU]:cn

State or Province Name (full name) [Some-State]:bj

Locality Name (eg, city) []:bj

Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb

Organizational Unit Name (eg, section) []:tb

Common Name (eg, YOUR name) []:localhost   #此處一定要寫服務器所在ip

Email Address []:server@server.com

 

 

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

3.自簽署證書 ：

openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -signkey server/server-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650 

4.將證書導出成瀏覽器支持的.p12格式 ：

openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12 

密碼：123456

 

 

四.生成client證書 

1.創建私鑰 ：

openssl genrsa -out client/client-key.pem 1024 

2.創建證書請求 ：

openssl req -new -out client/client-req.csr -key client/client-key.pem

-----

Country Name (2 letter code) [AU]:cn

State or Province Name (full name) [Some-State]:bj

Locality Name (eg, city) []:bj

Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb

Organizational Unit Name (eg, section) []:tb

Common Name (eg, YOUR name) []:dong

Email Address []:dong@dong.com

 

 

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

 

3.自簽署證書 ：

openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650 

4.將證書導出成瀏覽器支持的.p12格式 ：

openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12 

密碼：123456

 

 

五.根據ca證書生成jks文件 (java keystore)

keytool -keystore truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file ca/ca-cert.pem

 

 

六.配置tomcat ssl

修改conf/server.xml。tomcat6中多了SSLEnabled="true"屬性。keystorefile, truststorefile設置為你正確的相關路徑 

 

 tomcat 5.5的配置：

 

<Connector port="8443" maxHttpHeaderSize="8192"
             maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
             enableLookups="false" disableUploadTimeout="true"
             acceptCount="100" scheme="https" secure="true"
             clientAuth="true" sslProtocol="TLS"
             keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12"
             truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS" />

 

 

tomcat6.0的配置：

 

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12"
               truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS"/>

 

tomcat7.0的配置：

jsse模式

 

<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="false"  sslProtocol="TLS"
    keystoreFile="G:\360data\重要數據\.keystore" keystorePass="changeit"
    truststoreFile="E:\Program Files\Java\jdk1.6.0_14\jre\lib\security\cacerts" truststorePass="222222" truststoreType="JKS"
    SSLEnabled="true"   protocol="org.apache.coyote.http11.Http11NioProtocol"
/>

 APR模式

 

<Connector port="8443"
        protocol="org.apache.coyote.http11.Http11AprProtocol"
            maxThreads="150"
            enableLookups="false" disableUploadTimeout="true"
            acceptCount="100" scheme="https" secure="true"
            clientAuth="true"
            SSLEnabled="true"
            SSLProtocol="all"
            SSLCipherSuite="ALL"
            SSLCertificateFile="../conf/ssl/server-cert.pem"
            SSLCertificateKeyFile="../conf/ssl/server-key.pem"
            SSLCACertificateFile="../conf/ssl/ca-cert.pem"
            SSLCACertificatePath="../conf/ssl"
            SSLVerifyDepth="15"
            SSLVerifyClient="require"
    />

 

 

 

 

七、測試（linux下）

openssl s_client -connect localhost:8443 -cert /home/ssl/client/client-cert.pem -key /home/ssl/client/client-key.pem -tls1 -CAfile /home/ssl/ca/ca-cert.pem -state -showcerts

 

GET /index.jsp HTTP/1.0

 

 

八、導入證書

服務端導入server.P12 和ca.p12證書

客戶端導入將ca.p12，client.p12證書

IE中（打開IE->;Internet選項->內容->證書）

 

ca.p12導入至受信任的根證書頒發機構，client.p12導入至個人

Firefox中（工具-選項-高級-加密-查看證書-您的證書）

將ca.p12和client.p12均導入這里

 

注意:ca,server,client的證書的common name(ca=ca,server=localhost,client=dong)一定不能重復，否則ssl不成功

 

 

 

九、tomcat應用程序使用瀏覽器證書認證

 

在server/webapps/manager/WEB-INF/web.xml中，將BASIC認證改為證書認證

 

<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>
  </login-config>

 

 

在conf/tomcat-users.xml中填入下列內容

 

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <role rolename="user"/>
  <user username="EMAILADDRESS=dong@dong.com, CN=dong, OU=tb, O=tb, L=bj, ST=bj, C=cn" password="null" roles="admin,user,manager"/>
</tomcat-users>

 

訪問http://localhost:8443即可驗證ssl是否成功

訪問http://localhost:8443/manager/html可驗證應用程序利用client證書驗證是否成功

 

 

 

 

 

Used keytool to self-author a server certificate for DEMO

 

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\ukari>cd \program*
The filename, directory name, or volume label syntax is incorrect.

C:\Program Files>cd java

C:\Program Files\Java>cd jdk*

C:\Program Files\Java\jdk1.5.0_11>cd bin

C:\Program Files\Java\jdk1.5.0_11\bin>keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
Enter keystore password:  changeit
What is your first and last name?
  [Unknown]:  compA
What is the name of your organizational unit?
  [Unknown]:  Information Systems
What is the name of your organization?
  [Unknown]:  Pacific Disaster Center
What is the name of your City or Locality?
  [Unknown]:  Kihei
What is the name of your State or Province?
  [Unknown]:  HI
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=localhost, OU=Information Systems, O=Pacific Disaster Center, L=Kihei, ST=HI, C=US correct?
  [no]:  yes

C:\Program Files\Java\jdk1.5.0_11\bin>keytool -export -alias tomcat -keypass changeit -file server.crt
Enter keystore password: changeit
Certificate stored in file <server.crt>

C:\Program Files\Java\jdk1.5.0_11\bin>keytool -import -file server.crt -keypass changeit -keystore ..\jre\lib\security\cacerts
Enter keystore password: changeit
Owner: CN=localhost, OU=Information Systems, O=Pacific Disaster Center, L=Kihei, ST=HI, C=US
Issuer: CN=localhost, OU=Information Systems, O=Pacific Disaster Center, L=Kihei, ST=HI, C=US
Serial number: 462030d8
Valid from: Fri Apr 13 15:39:36 HST 2007 until: Thu Jul 12 15:39:36 HST 2007
Certificate fingerprints:
MD5: CC:3B:FB:FB:AE:12:AD:FB:3E:D 5:98:CB:2E:3B:0A:AD
SHA1: A1:16:80:68:39:C7:58:EA:2F:48:59:AA:1D:73:5F:56:78:CE:A4:CE
Trust this certificate? [no]: yes
Certificate was added to keystore

C:\Program Files\Java\jdk1.5.0_11\bin>

 

 

 

如果 下面這行出現錯誤：

keytool -import -file server.crt -keypass changeit -keystore ..\jre\lib\security\cacerts 

那么查看是否已存在 “..\jre\lib\security\cacerts” 這個文件，存在的話，備份刪除，重試就OK了

https://11lingxian.iteye.com/blog/1491607