https

Purpose: prevents man-in-the-middle attacks, tampering and leakage of private data.

Common cryptographic algorithms

  • Asymmetric algorithms: RSA, DSA/DSS
  • Symmetric algorithms: AES, RC4, 3DES
  • Hash algorithms: MD5, SHA1, SHA256

Encryption protocols

  • TLS 1.0 (SSL 3.1)
  • TLS 1.1 (SSL 3.2)
  • TLS 1.2 (SSL 3.3)

SSL handshake

[Figure 1: SSL handshake with RSA key exchange (ssl_handshake_rsa.jpg)]

CA

A CA issues certificates. Browser clients ship with a built-in set of trusted CA certificates, which is what prevents man-in-the-middle attacks.

Setting up your own CA

# Create the root certificate
cd /etc/pki/CA/
touch index.txt serial
echo 01 > serial
openssl genrsa -out private/cakey.pem 2048
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -sha256 -days 1000
# Request a certificate signed by the root
mkdir /root/ssl
cd /root/ssl
openssl genrsa -out test.key 2048
openssl req -new -sha256 -key test.key -out test.csr
# Only the CSR goes to the CA directory; the private key stays in /root/ssl
mkdir -p /etc/pki/CA/csr
cp test.csr /etc/pki/CA/csr
openssl ca -in /etc/pki/CA/csr/test.csr -out test.crt -days 1000 -md sha256

# For mutual authentication: bundle key and certificate into a pfx that can be imported into the browser
openssl pkcs12 -export -inkey test.key -in test.crt -out test.pfx
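The CA procedure above, redone as an added example (not from the original post) in a temporary directory, followed by the chain check a client's trust store performs: the certificate issued by the CA verifies against it, while a self-signed certificate for the same hostname does not. The CA subject and the hostname www.example.test are assumed.

```shell
set -eu
# Added example (not from the original post): build a private CA, issue a server
# certificate from it, and run the chain check a client's trust store performs.
# Everything is created in a temporary directory; names below are assumed.
WORK="$(mktemp -d)"
SERVER_NAME="www.example.test"   # assumed hostname of the server being certified

# Minimal req config so the run does not depend on the system openssl.cnf.
# ca_ext marks the self-signed root as a CA; openssl verify rejects a root without it.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Root CA: private key plus self-signed certificate (note -days, not -day).
make_ca() {
    openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 1000 -config "$WORK/req.cnf" -key "$WORK/cakey.pem" \
        -subj "/CN=Example Private CA" -out "$WORK/cacert.pem" 2>/dev/null
}
# Server key and CSR, signed by the CA. A subjectAltName is added because browsers
# and Java clients match the hostname against the SAN rather than the CN.
issue_server_cert() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$WORK/req.cnf" -key "$WORK/server.key" \
        -subj "/CN=$SERVER_NAME" -out "$WORK/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$SERVER_NAME" > "$WORK/san.cnf"
    openssl x509 -req -sha256 -days 1000 -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -extfile "$WORK/san.cnf" \
        -out "$WORK/server.crt" 2>/dev/null
}
# A self-signed certificate for the same name, as a client would get from an impostor.
make_rogue_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$WORK/req.cnf" \
        -subj "/CN=$SERVER_NAME" -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
}
# Chain check against our CA only; echoes "ok" or "fail" (clients act on the same result).
verify_against_ca() {
    if openssl verify -CAfile "$WORK/cacert.pem" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_ca; issue_server_cert; make_rogue_cert
GOOD="$(verify_against_ca "$WORK/server.crt")"   # ok: issued by our CA
BAD="$(verify_against_ca "$WORK/rogue.crt")"     # fail: same name, not issued by our CA
echo "server.crt: $GOOD, rogue.crt: $BAD"
```

The same check is what `ssl_verify_client on` performs on the client certificate in the nginx configuration below, with the CA file from ssl_client_certificate in the role of cacert.pem.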

nginx configuration

ssl on;   # obsolete in current nginx releases, which use "listen 443 ssl;" instead
ssl_certificate /root/ssl/test.crt;
ssl_certificate_key /root/ssl/test.key;

# Client certificate verification (mutual TLS)
ssl_client_certificate /usr/local/nginx/ca/private/ca.crt;
ssl_verify_client on;  # enable client certificate verification

Keyless SSL

Using a CDN-style service normally means handing over the site's private key, which is insecure; keyless SSL solves this problem.

HSTS

Forces HTTP requests to be redirected to HTTPS.

Calling HTTPS from Java

<dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpclient</artifactId>
    <version>4.4.1</version>
</dependency>

import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;

// Key store: the client certificate and private key presented to the server
String keyStoreFile = "/root/aa.keystore";
String password = "111111";
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
FileInputStream in = new FileInputStream(keyStoreFile);
ks.load(in, password.toCharArray());

// Trust store: the CA certificate used to verify the server (the same file here)
String trustStoreFile = "/root/aa.keystore";
String trustPassword = "111111";
KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
FileInputStream tsIn = new FileInputStream(trustStoreFile);
ts.load(tsIn, trustPassword.toCharArray());   // was ks.load(...), which left ts empty

// Key material comes from the key store, trust material from the trust store (the original had them swapped)
SSLContext sslContext = new SSLContextBuilder()
        .loadKeyMaterial(ks, password.toCharArray()).loadTrustMaterial(ts, null).build();
// NoopHostnameVerifier disables hostname matching: the server certificate is still checked against ts, but any name it carries is accepted
CloseableHttpClient httpclient = HttpClients.custom()
        .setSSLContext(sslContext).setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE).build();
