使用openssl api編程 - bw_0927 - 博客園 TLS1.2協議設計原理 - 傑哥很忙 - 博客園
OpenSSL是用於安全通信的最著名的開放庫。GNS TLS只支持TLS 1.0和SSL 3.0。Mozilla NSS比OpenSSL大,並且需要外部庫,而OpenSSL是自包含的。The core library, written in the C programming language, implements basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available, 比如python. OpenSSL還有命令行工具openssl,不用寫程序也可以干不少事情。比如 openssl list -cipher-algorithms 就像既可以在命令行使用ffmpeg,也可以調用ffmpeg的庫一樣。
OpenSSL的重點是各種各樣的加密算法,但也有收發網絡數據的功能如: SSL_read(ssl, buffer, MAXBUF); SSL_write(ssl, buf, strlen(buf)); 但你得自己去socket, bind, listen, accpet, connect等,並用SSL_set_fd(ssl, sockfd);告訴OpenSSL用於收發的socket. 它應該是可以和epoll(), libevent之類結合使用的: 發現socket可讀后再去調用SSL_read(). TLS runs "on top of some reliable transport protocol (e.g., TCP)."
Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols are widely used in applications such as email, instant messaging, and voice over IP, but its use as the Security layer in HTTPS remains the most publicly visible.
SSL 1.0 Unpublished
SSL 2.0 1995 Deprecated in 2011 (RFC 6176)
SSL 3.0 1996 Deprecated in 2015 (RFC 7568)
TLS 1.0 1999 Deprecated in 2020
TLS 1.1 2006 Deprecated in 2020
TLS 1.2 2008
TLS 1.3 2018
deprecated沒有聽起來那么嚇人。好像:
1. 版本越新,支持的加密算法越多,加密強度越高。黑客不惦記我那一點點銀行存款,他們有時考慮的是A國破解C國的啥。
2. 向下兼容,Client和Server會協商出個都能接受的版本
3. 證書通用
SSL and TLS certificates – What is the difference?
In recent years, SSL has become basically obsolete since TLS offers a higher level of security, but some people have gotten into the habit of referring to both protocols as SSL. You may have noticed that some resources refer to SSL certificates using the term TLS certificates. The common reason is that the general public is familiar with the "SSL" term and the leading Certificate Authorities, such as DigiCert, GeoTrust, RapidSSL, along with major software providers, like OpenSSL, kept the "SSL" name for their products. The public simply got used to it and changing the name may cause confusion. In conclusion, there are three key things to remember:
1) The SSL protocol is now the TLS protocol, but it keeps the old name.
2) The SSL protocol is no longer in use. Only old servers and systems may still support it.
3) You don't have to worry about making any updates because all the SSL certificates are compatible with the latest TLS versions.
In cryptography, X.509 is a standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols. They are also used in offline applications, like electronic signatures. An X.509 certificate contains a public key and an identity (a hostname, or an organization, or an individual), and is either signed by a certificate authority or self-signed. When a certificate is signed by a trusted certificate authority, or validated by other means, someone holding that certificate can rely on the public key it contains to establish secure communications with another party, or validate documents digitally signed by the corresponding private key. X.509 is defined by the International Telecommunications Union.
Netscape developed the original SSL protocols, and Taher Elgamal, chief scientist at Netscape Communications from 1995 to 1998, has been described as the "father of SSL".
Google Chrome set TLS 1.3 as the default version for a short time in 2017. It then removed it as the default, due to incompatible middleboxes such as Blue Coat web proxies.
HTTP Strict Transport Security is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers should automatically interact with it using only HTTPS connections, which provide Transport Layer Security, unlike the insecure HTTP used alone. HSTS is an IETF standards track protocol and is specified in RFC 6797.
What Is a Man-in-the-Middle Attack and How Can It Be Prevented | UpGuard