先说双向认证吧,需要使用openssl生成相应的证书(根证书、服务端证书、多套客户端证书)。(建议在linux环境下进行操作),我是centos7。
部署模式大体如下:
客户浏览器(或其他工具)《==ssl 双向认证的安全通道==》Nginx代理服务<-- 内网非安全通道 -->web服务(tomcat 或其他)集群
一、Nginx双向认证
1.生成根秘钥及证书
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/C=CN/ST=HA/L=ZZ/O=topxx/OU=internet/CN=www.xx.top/[email protected]"
2.生成服务端证书
openssl genrsa -des3 -out www.xxx.com.pem 1024
openssl rsa -in queue.qmx.top.pem -out www.xxx.com.key
openssl req -new -key www.xxx.com.pem -out www.xxx.com.csr -subj "/C=CN/ST=HA/L=ZZ/O=xxx/OU=internet/CN=www.xxx.com/[email protected]"
3.根证书签名服务端证书
openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in www.xxx.com.csr -out www.xxx.com.crt
cat ca.crt >> www.xxx.com.crt
4.生成客户端证书 (需要在客户机器上安装)
openssl genrsa -des3 -out client.pem 2048
openssl req -new -key client.pem -out client-req.csr -subj "/C=CN/ST=XZ/L=LS/O=gsj/OU=gss/CN=www.clientdomain.com/[email protected]"
openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in client-req.csr -out client.crt
openssl pkcs12 -export -clcerts -in client.crt -inkey client.pem -out client.p12
客户机器上双击p12文件,进行安装。如需要其他格式文件,使用openssl导出。
5.Nginx安装(支持ssl模块,已安装过的,可以搜索教程,单单更新安装ssl模块)
cd /usr/local/src #进入用户目录
wget http://nginx.org/download/nginx-1.15.0.tar.gz #下载最新版本nginx
tar -zxvf nginx-1.15.0.tar.gz #解压
cd nginx-1.15.0 #进入目录
./configure --prefix=/opt/nginx --with-http_stub_status_module --with-http_ssl_module --with-pcre --with-http_realip_module --with-http_image_filter_module #检测
说明--prefix 指定安装目录
make #编译
make install #安装
6.Nginx ssl双向认证配置
server {
listen 443;
server_name test.com www.test.com;
root html;
index index.html index.htm;
ssl on; #开启ssl
ssl_certificate /usr/ssl/light.cn.crt; #服务器证书位置
ssl_certificate_key /usr/ssl/light.cn.key; #服务器私钥
ssl_client_certificate /usr/ssl/ca.crt; #CA证书用于验证客户端证书的合法性
ssl_verify_client on; #开启对客户端的验证
ssl_session_timeout 5m; #session有效期,5分钟
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL'; #加密算法
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://127.0.0.1:8080;
}
}
7.吊销证书
openssl ca -revoke client.crt -cert ca.crt -keyfile ca.key
openssl x509 -in rkz_client.crt -noout -serial -subject #查看证书序列号
echo 02 >> crlnumber #02是要吊销的证书序号
openssl ca -gencrl -out private/ca.crl #生成crl文件
openssl verify -crl_check -CRLfile ca.crl -CAfile ca.crt rkz_client.crt #检查吊销状态
nginx 要想吊销证书生效,需要加入: ssl_crl /opt/mykeys/ca.crl;
吊销证书后nginx reload即可。
二、Golang https client 自签名证书使用
package main
import (
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"net/http"
)
func main() {
pool := x509.NewCertPool()
addTrust(pool, "./ca.crt") //添加信任的证书,最好是服务端对应的根证书
cliCrt, err := tls.LoadX509KeyPair("./client.crt", "./client.key")
if err != nil {
fmt.Println("Loadx509keypair err:", err)
return
}
tr := &http.Transport{
TLSClientConfig: &tls.Config{
RootCAs: pool,
Certificates: []tls.Certificate{cliCrt},
//InsecureSkipVerify: true, //跳过验证服务端证书
},
}
client := &http.Client{Transport: tr}
resp, err := client.Get("https://www.xxx.com/myaction.do") //此处必须使用域名或者host内的别名
if err != nil {
fmt.Println("Get error:", err)
return
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
fmt.Println(string(body))
}
func addTrust(pool *x509.CertPool, path string) {
aCrt, err := ioutil.ReadFile(path)
if err != nil {
fmt.Println("ReadFile err:", err)
return
}
pool.AppendCertsFromPEM(aCrt)
}
三、双向认证的websocket服务访问
package main
import (
"crypto/tls"
"crypto/x509"
"io/ioutil"
"log"
"golang.org/x/net/websocket"
)
var origin = "https://queue.qmx.top/"
var url = "wss://queue.qmx.top/ws"
//
func addTrust(pool *x509.CertPool, path string) {
aCrt, err := ioutil.ReadFile(path)
if err != nil {
log.Println("ReadFile err:", err)
return
}
pool.AppendCertsFromPEM(aCrt)
}
//
func main() {
//放置证书的目录,仅需要跟证书,客户证书及客户key即可
capath := "/Users/myname/Downloads/ssl/demoCA/"
pool := x509.NewCertPool()
addTrust(pool, capath+"ca.crt")
cliCrt, err := tls.LoadX509KeyPair(capath+"client.crt", capath+"client.key")
if err != nil {
log.Println("Loadx509keypair err:", err)
return
}
//
ws_cfg, err := websocket.NewConfig(url, origin)
ws_cfg.TlsConfig = &tls.Config{RootCAs: pool,
Certificates: []tls.Certificate{cliCrt},
}
if err != nil {
log.Println("tls error:", err)
return
}
//构建websocket连接
ws, err := websocket.DialConfig(ws_cfg)
if err != nil {
log.Println("dial error:", err)
return
}
log.Println(ws)
//TODO websocket后续代码可参考网上教程
}