https

https

作用：防止中间人攻击，防篡改和隐私泄露

一般加密算法

• 非对称加密算法：RSA，DSA/DSS
• 对称加密算法：AES，RC4，3DES
• HASH算法：MD5，SHA1，SHA256

加密协议

• TLS 1.0，SSL 3.1
• TLS 1.1，SSL 3.2
• TLS 1.2，SSL 3.3

SSL握手

ssl_handshake_rsa.jpg

CA

CA用来签发证书。浏览器客户端内置了一些信任的证书，防止中间人攻击。

自建CA

//建立根证书
cd /etc/pki/CA/
touch index.txt serial
echo 01 > serial
openssl genrsa -out private/cakey.pem 2048
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -sha256 -day 1000
//从根证书申请证书
mkdir /root/ssl
cd /root/ssl
openssl genrsa -out test.key 2048
openssl req -new -sha256 -key test.key -out test.csr
cp test.key /etc/pki/CA/csr
openssl ca -in /etc/pki/CA/csr/test.csr -out test.crt -days 1000 -md sha256

//双向认证使用命令，pfx用来导入浏览器
openssl pkcs12 -export -inkey test.key -in test.crt -out test.pfx

nginx配置

ssl on;
ssl_certificate /root/ssl/test.crt;
ssl_certificate_key /root/ssl/test.key;

#下面为客户端认证配置
ssl_client_certificate /usr/local/nginx/ca/private/ca.crt; 
ssl_verify_client on;  #开户客户端证书验证 

keyless

需要使用类似cdn服务，需要提供私钥，不安全，使用keyless解决问题

hsts

使得http重定向跳转到https

java调用https

    org.apache.httpcomponents
    httpclient
    4.4.1
 

String keyStoreFile = "/root/aa.keystore";
String password = "111111";
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
FileInputStream in = new FileInputStream(keyStoreFile);
ks.load(in, password.toCharArray());

String trustStoreFile = "/root/aa.keystore";
String trustPassword = "111111";
KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
FileInputStream tsIn = new FileInputStream(trustStoreFile);
ks.load(tsIn, trustPassword.toCharArray());

SSLContext sslContext = new SSLContextBuilder().loadKeyMaterial(ts, trustPassword.toCharArray()).loadTrustMaterial(ks).build();
CloseableHttpClient httpclient = HttpClients.custom().setSslcontext(sslContext).setSSLHostnameVerifier(new NoopHostnameVerifier()).build();