browser and web server, each side sends the other the list of algorithms it<br>
understands, ranked by order of preference, and the preferred algorithm common<br>
to both is chosen (in SSL/TLS the server makes the choice from the client's<br>
list). OpenSSL can be compiled with or without certain algorithms, so that it<br>
can be used in countries where export or usage restrictions apply. Keep in<br>
mind that a negotiation is only as strong as the weakest algorithm both sides<br>
still accept, so obsolete algorithms must be removed from the list, not merely<br>
ranked last.<br>
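Added example, not from the HOWTO: the algorithm list an OpenSSL build offers, in the preference order it<br>
would send, inspected with `openssl ciphers`, plus a check that a configuration string does not still admit<br>
unauthenticated (anonymous Diffie-Hellman) suites. The cipher strings are constructed for the demonstration.<br>

```shell
#!/bin/sh
# Added example, not from the HOWTO: inspect the cipher suite list of this
# OpenSSL build and check a configuration string for weak suites.
set -e

# Cipher suites selected by cipher string $1, one per line, preferred first.
# Algorithms left out at build time simply never appear here.
suites() { openssl ciphers "$1" | tr ':' '\n'; }

# Does cipher string $1 still admit a suite whose name matches regex $2?
admits() { suites "$1" | grep -q -E -- "$2"; }

# Number of suites a cipher string selects.
count() { suites "$1" | wc -l | tr -d ' '; }

echo "suites in this build's DEFAULT list: $(count DEFAULT)"
echo "suites in ALL (everything compiled in except eNULL): $(count ALL)"

# 'ALL' looks exhaustive but re-admits the anonymous DH suites that DEFAULT
# leaves out; the second string names what it wants and excludes the rest.
loose='ALL'
strict='HIGH:!aNULL:!eNULL:!MD5'
admits "$loose" 'ADH|AECDH' && echo "'$loose' still admits anonymous DH"
admits "$strict" 'ADH|AECDH' || echo "'$strict' excludes anonymous DH"
admits "$strict" 'MD5' || echo "'$strict' excludes MD5-based suites"

# The strict list, as it would be sent, most preferred first.
suites "$strict" | head -n 5
```

Pass the same string to `openssl ciphers -v` to see key exchange, authentication and bulk cipher per suite; pass `-s` to see only the suites usable at the build's security level.<br>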
-----------------------------------------------------------------------------<br>
<br>
1.2.5. The Hash:<br>
<br>
A hash (also called a message digest) is a fixed-size number computed from a<br>
message by a hash function. The function is one way: given only the hash, it<br>
is computationally infeasible to recover the original message. The hash also<br>
changes drastically for even the slightest modification of the message, so it<br>
is extremely difficult to modify a message while keeping its original hash.<br>
Hash functions are used in password mechanisms, in certifying that<br>
applications are original (the MD5 sum published with a download), and in<br>
general in ensuring that a message has not been tampered with. The Internet<br>
Engineering Task Force (IETF) prefers SHA1 over MD5 for a number of technical<br>
reasons (cf RFC2459 7.1.2 and 7.1.3). Since this was written, practical<br>
collision attacks have been published against both MD5 and SHA1, so use<br>
SHA-256 or stronger for new certificates and signatures.<br>
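Added example, not from the HOWTO: the two properties described above, a fixed-size digest and a drastic change<br>
for a one-character edit, seen through `openssl dgst`, followed by the "MD5 sum" use case of checking a file<br>
against a digest published out of band. The messages, the stand-in download and its digest are constructed.<br>

```shell
#!/bin/sh
# Added example, not from the HOWTO: hash properties with `openssl dgst`.
set -e

# Hex digest of the bytes in $2 with algorithm $1.  `openssl dgst` prints
# "ALG(stdin)= hex", so keep only the last field.
digest() { printf '%s' "$2" | openssl dgst "-$1" | awk '{print $NF}'; }

# How many hex digits differ between two digests of equal length: a crude
# view of the avalanche effect.
diff_positions() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = 0
        for (i = 1; i <= length(a); i++) if (substr(a, i, 1) != substr(b, i, 1)) n++
        print n
    }'
}

# The "MD5 sum" use case: compare file $2's digest (algorithm $1) with the
# value $3 published out of band; exit 0 only when they match.
check_file() { [ "$(openssl dgst "-$1" "$2" | awk '{print $NF}')" = "$3" ]; }

for alg in md5 sha1 sha256; do
    h1=$(digest "$alg" "Pay 100 FJD to SOPAC")
    h2=$(digest "$alg" "Pay 900 FJD to SOPAC")      # one character changed
    echo "$alg: $h1"
    echo "$alg: $h2  ($(diff_positions "$h1" "$h2") of ${#h1} hex digits differ)"
done

# Integrity check on a constructed stand-in for a downloaded archive.
d=$(mktemp -d)
printf 'release 1.0\n' > "$d/app.tar"
published=$(openssl dgst -sha256 "$d/app.tar" | awk '{print $NF}')
check_file sha256 "$d/app.tar" "$published" && echo "app.tar: digest matches"
printf 'x' >> "$d/app.tar"                           # tamper with one byte
check_file sha256 "$d/app.tar" "$published" || echo "app.tar: digest mismatch, reject"
```

A digest only proves integrity against the value you obtained separately; if the digest travels next to the file over the same channel, an attacker who can replace the file can replace the digest too. That gap is what signing (next section) closes.<br>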
-----------------------------------------------------------------------------<br>
<br>
1.2.6. Signing:<br>
<br>
Signing a message means attesting that you yourself vouch for the<br>
authenticity of the message (most of the time this means you are the author,<br>
but not necessarily). The message can be a text message, or someone else's<br>
certificate. To sign a message, you compute its hash and sign that hash with<br>
your private key (with RSA this is often described as "encrypting the hash<br>
with the private key"); you then attach the signature and your signed<br>
certificate to the message. The recipient recomputes the hash of the message,<br>
verifies the signature against it using your well-known public key taken from<br>
your certificate, and finally checks the certificate itself (issuer, validity<br>
period, revocation). A signature that verifies against a certificate nobody<br>
trusts proves nothing, so that last step is not optional.<br>
<br>
The other advantage of signing your messages is that you transmit your public<br>
key and certificate automatically to all your recipients.<br>
-----------------------------------------------------------------------------<br>
<br>
1.2.7. PassPhrase:<br>
<br>
A passphrase is like a password, except that it is longer. In the early days<br>
passwords on Unix systems were limited to 8 characters (the DES-based crypt()<br>
silently ignored anything beyond the eighth), hence the term passphrase for<br>
longer secrets. The longer the passphrase, the harder it is to guess. Unix<br>
systems later moved to MD5-based hashes ($1$ entries in /etc/shadow), which<br>
place no limit on the length of the password; current systems use SHA-512<br>
crypt ($6$) or bcrypt for the same reason, and to make each guess cost more.<br>
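Added example, not from the HOWTO: checking the claim that the MD5-based crypt uses the whole passphrase, with<br>
`openssl passwd`. The two passphrases and the fixed salt are constructed for the demonstration; the salt is<br>
fixed only so the output is reproducible, never do that on a real system.<br>

```shell
#!/bin/sh
# Added example, not from the HOWTO: password hashes with `openssl passwd`.
set -e

# MD5-based crypt ($1$), the scheme the HOWTO refers to.  Fixed salt so that
# two outputs differ only when the passphrases do (demonstration only).
crypt_md5() { openssl passwd -1 -salt saltsalt "$1"; }

# SHA-512-based crypt ($6$), the usual default on current Linux systems.
crypt_sha512() { openssl passwd -6 -salt saltsalt "$1"; }

# The scheme is named by the prefix of a /etc/shadow entry: "$1$" or "$6$".
scheme_of() { printf '%s' "$1" | cut -d '$' -f 2; }

# Two passphrases identical in their first 8 characters.  The old DES-based
# crypt() would have hashed both to the same value; MD5 and SHA-512 crypt
# take every character into account.
a='correct horse battery'
b='correct horse staples'
h1=$(crypt_md5 "$a"); h2=$(crypt_md5 "$b")
echo "$h1"
echo "$h2"
[ "$h1" != "$h2" ] && echo "characters after the 8th change the hash"

s=$(crypt_sha512 "$a")
echo "$s"
echo "scheme: \$$(scheme_of "$s")\$"
```
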
-----------------------------------------------------------------------------<br>
<br>
1.3. What about S/Mime or other protocols?<br>
<br>
Although SSL was developed for web servers, it can be used to encrypt any<br>
protocol: any protocol can be encapsulated inside SSL. This is how IMAPS,<br>
POPS, SMTPS, ... work. These secure protocols use a different port than their<br>
insecure version (for example 993 instead of 143 for IMAP). SSL itself needs<br>
a live connection between the two parties, but the same keys and<br>
certificates can also secure a transaction where there is no direct (live)<br>
contact with the recipient. S/Mime is such a protocol: it encapsulates an<br>
encrypted message inside a standard e-mail. The message is encrypted using<br>
the public key of the recipient, so if you are not online with the recipient<br>
you must already know its public key. Either you get it from its web site or<br>
from a repository, or you ask the recipient to e-mail you its certificate,<br>
which carries the public key and, once you have checked who issued it and to<br>
whom, ensures you are speaking to the right recipient.<br>
<br>
In the reverse direction, the browser can send its own signed certificate to<br>
the web server as a means of authentication. But everybody can get that<br>
certificate, for instance from the CA's web site, so the certificate alone<br>
proves nothing. What the server actually relies on is that, during the SSL<br>
handshake, the browser also sends a signature made with its private key over<br>
data from that handshake; the server verifies it with the public key in the<br>
certificate, and only the holder of the private key can produce it.<br>
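Added example, not the HOWTO's own commands, serving both section 1.2.6 (signing) and the S/MIME part of<br>
section 1.3: Alice hashes and signs a message with her private key, Bob verifies it with the public key taken<br>
from her certificate and sees a one-character change rejected; then Alice encrypts the message for Bob offline<br>
with nothing but his certificate, Bob decrypts it with his private key, and Alice's own key cannot. Alice, Bob<br>
and the message text are made up; the certificates are self-signed, so the "check the certificate" step of<br>
1.2.6 is not shown here.<br>

```shell
#!/bin/sh
# Added example, not from the HOWTO: signing (1.2.6) and S/MIME (1.3).
set -e

# Key plus self-signed certificate for $2 in work dir $1 -> $2.key, $2.crt.
# A minimal req config is written so `openssl req` does not depend on the
# system openssl.cnf; the subject comes from -subj, so the DN section is empty.
make_identity() {
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$1/req.cnf"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/$2.key" 2>/dev/null
    openssl req -config "$1/req.cnf" -new -x509 -key "$1/$2.key" \
        -subj "/CN=$2" -days 1 -out "$1/$2.crt" 2>/dev/null
}

# 1.2.6, sender: hash the message (SHA-256) and sign the hash with the
# private key $1; the signature $3 travels with the message and certificate.
sign_message() { openssl dgst -sha256 -sign "$1" -out "$3" "$2"; }

# 1.2.6, recipient: take the public key out of the sender's certificate $1,
# recompute the hash of $2 and check it against signature $3 (exit 0 = genuine).
verify_message() {
    openssl x509 -in "$1" -pubkey -noout > "$1.pub"
    openssl dgst -sha256 -verify "$1.pub" -signature "$3" "$2" >/dev/null 2>&1
}

# 1.3: S/MIME encryption needs only the recipient's certificate $1.
# -binary keeps the bytes as they are instead of converting line ends to CRLF.
smime_encrypt() { openssl smime -encrypt -binary -aes256 -in "$2" -out "$3" "$1"; }

# Only the holder of the matching private key $2 can open it (exit 0 = decrypted).
smime_decrypt() {
    openssl smime -decrypt -in "$3" -recip "$1" -inkey "$2" -out "$4" 2>/dev/null
}

d=$(mktemp -d)
make_identity "$d" alice
make_identity "$d" bob
printf 'Transfer 100 FJD to account 1234\n' > "$d/msg.txt"   # constructed message

# Alice signs; Bob verifies against Alice's certificate.
sign_message "$d/alice.key" "$d/msg.txt" "$d/msg.sig"
verify_message "$d/alice.crt" "$d/msg.txt" "$d/msg.sig" && echo "signature: Verified OK"

# One changed character: the recomputed hash differs and the signature fails.
sed 's/100/900/' "$d/msg.txt" > "$d/tampered.txt"
verify_message "$d/alice.crt" "$d/tampered.txt" "$d/msg.sig" \
    || echo "tampered copy: Verification Failure"

# Alice encrypts for Bob while offline, using only Bob's certificate.
smime_encrypt "$d/bob.crt" "$d/msg.txt" "$d/msg.p7m"
grep -q 'pkcs7-mime' "$d/msg.p7m" && echo "ciphertext is an ordinary MIME message"

# Bob decrypts with his private key and gets the original bytes back.
smime_decrypt "$d/bob.crt" "$d/bob.key" "$d/msg.p7m" "$d/out.txt"
cmp -s "$d/msg.txt" "$d/out.txt" && echo "decrypted: identical to the original"

# Alice's key is not Bob's: decryption fails and the message stays private.
smime_decrypt "$d/alice.crt" "$d/alice.key" "$d/msg.p7m" "$d/stolen.txt" \
    || echo "alice's key: cannot decrypt"
```

The two halves are independent: signing gives integrity and origin but no confidentiality (anyone can read msg.txt), encryption gives confidentiality but no proof of who sent it. For mail that needs both, sign first and then encrypt the signed message, which `openssl smime -sign` followed by `-encrypt` does.<br>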
-----------------------------------------------------------------------------<br>
<br>
Chapter 2. Certificate Management<br>
<br>
2.1. Installation<br>
<br>
Nowadays you do not have to worry too much about installing OpenSSL: most<br>
distributions ship it through their package manager. Refer to your<br>
distribution's documentation, or read the README and INSTALL files inside the<br>
OpenSSL tarball. I also want to avoid turning this HOWTO into an installation<br>
HOWTO rather than a HOWTO on using certificates.<br>
<br>
I describe here some standard installation options which you need to know<br>
for the samples that follow. Your installation may differ.<br>
<br>
In this HOWTO the directory for all OpenSSL certificates is /var/ssl/. All<br>
commands and paths in this document are issued from this directory; this is<br>
not mandatory, but it keeps the examples short.<br>
<br>
OpenSSL by default looks for its configuration file in /usr/lib/ssl/<br>
openssl.cnf (the exact location is compiled into the binary; openssl version<br>
-d prints it), so always add -config /etc/openssl.cnf to the openssl ca and<br>
openssl req commands. I use /etc/openssl.cnf so that all my configuration<br>
files are in /etc.<br>
<br>
Utilities and other libraries are located in /usr/lib/ssl.<br>
-----------------------------------------------------------------------------<br>
<br>
2.1.1. The CA.pl utility<br>
<br>
Ensure that the utility CA.pl is in an accessible directory such as /usr/<br>
sbin. CA.pl can be found inside the /usr/lib/ssl directories. CA.pl is a<br>
utility that hides the complexity of the openssl command. In all the<br>
examples, when I use CA.pl, I will also put the openssl equivalent in<br>
brackets.<br>
<br>
/usr/sbin/CA.pl needs to be modified to include -config /etc/openssl.cnf in<br>
its ca and req calls (as shipped, the script takes this option from the<br>
SSLEAY_CONFIG environment variable, which is empty unless you set it):<br>
#$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"} <br>
$SSLEAY_CONFIG="-config /etc/openssl.cnf"; <br>
<br>
-----------------------------------------------------------------------------<br>
<br>
2.1.2. The openssl.cnf file<br>
<br>
/etc/openssl.cnf must be configured accordingly, so as to minimize typing<br>
when certificates are requested and issued. The file below is my<br>
configuration. Note that default_bits = 1024 and default_md = sha1 were the<br>
norm when it was written and are no longer acceptable: use at least<br>
2048-bit keys and sha256 in both the [ CA_default ] and [ req ] sections.<br>
#---Begin--- <br>
# <br>
# OpenSSL example configuration file. <br>
# This is mostly being used for generation of certificate requests. <br>
# <br>
<br>
RANDFILE = $ENV::HOME/.rnd <br>
oid_file = $ENV::HOME/.oid <br>
oid_section = new_oids <br>
<br>
# To use this configuration file with the "-extfile" option of the <br>
# "openssl x509" utility, name here the section containing the <br>
# X.509v3 extensions to use: <br>
# extensions = <br>
# (Alternatively, use a configuration file that has only <br>
# X.509v3 extensions in its main [= default] section.) <br>
<br>
[ new_oids ] <br>
<br>
# We can add new OIDs in here for use by 'ca' and 'req'. <br>
# Add a simple OID like this: <br>
# testoid1=1.2.3.4 <br>
# Or use config file substitution like this: <br>
# testoid2=${testoid1}.5.6 <br>
<br>
#################################################################### <br>
[ ca ] <br>
default_ca = CA_default # The default ca section <br>
<br>
#################################################################### <br>
<br>
[ CA_default ] <br>
dir = /var/ssl # Where everything is kept <br>
certs = $dir/certs # Where the issued certs are kept <br>
crl_dir = $dir/crl # Where the issued crl are kept <br>
database = $dir/index.txt # database index file. <br>
new_certs_dir = $dir/newcerts # default place for new certs. <br>
<br>
certificate = $dir/cacert.pem # The CA certificate <br>
serial = $dir/serial # The current serial number <br>
crl = $dir/crl.pem # The current CRL <br>
private_key = $dir/private/cakey.pem # The private key <br>
RANDFILE = $dir/private/.rand # private random number file <br>
x509_extensions = usr_cert # The extensions to add to the cert <br>
<br>
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs <br>
# so this is commented out by default to leave a V1 CRL. <br>
# crl_extensions = crl_ext <br>
<br>
default_days = 365 # how long to certify for <br>
default_crl_days= 30 # how long before next CRL <br>
default_md = sha1 # which md to use. <br>
preserve = no # keep passed DN ordering <br>
<br>
# A few different ways of specifying how similar the request should look <br>
# For type CA, the listed attributes must be the same, and the optional <br>
# and supplied fields are just that :-) <br>
policy = policy_match <br>
<br>
# For the CA policy <br>
[ policy_match ] <br>
countryName = match <br>
stateOrProvinceName = optional <br>
localityName = match <br>
organizationName = match <br>
organizationalUnitName = optional <br>
commonName = supplied <br>
emailAddress = optional <br>
<br>
# For the 'anything' policy <br>
# At this point in time, you must list all acceptable 'object' <br>
# types. <br>
[ policy_anything ] <br>
countryName = optional <br>
stateOrProvinceName = optional <br>
localityName = optional <br>
organizationName = optional <br>
organizationalUnitName = optional <br>
commonName = supplied <br>
emailAddress = optional <br>
<br>
#################################################################### <br>
[ req ] <br>
default_bits = 1024 <br>
default_keyfile = privkey.pem <br>
distinguished_name = req_distinguished_name <br>
attributes = req_attributes <br>
default_md = sha1 <br>
x509_extensions = v3_ca # The extensions to add to the self signed cert <br>
<br>
[ req_distinguished_name ] <br>
countryName = Country Name (2 letter code) <br>
countryName_default = FJ <br>
countryName_min = 2 <br>
countryName_max = 2 <br>
<br>
stateOrProvinceName = State or Province Name (full name) <br>
stateOrProvinceName_default = Fiji <br>
<br>
localityName = Locality Name (eg, city) <br>
localityName_default = Suva <br>
<br>
0.organizationName = Organization Name (eg, company) <br>
0.organizationName_default = SOPAC <br>
<br>
# we can do this but it is not needed normally :-) <br>
#1.organizationName = Second Organization Name (eg, company) <br>
#1.organizationName_default = World Wide Web Pty Ltd <br>
<br>
organizationalUnitName = Organizational Unit Name (eg, section) <br>
organizationalUnitName_default = ITU <br>
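Added example, not the HOWTO's own commands: the [ CA_default ] directory layout above built in a throw-away<br>
directory instead of /var/ssl (so it runs unprivileged), a self-signed CA created through -config, one<br>
certificate issued with openssl ca and checked against the CA, and a second request rejected by policy_match<br>
because its organizationName differs from the CA's. The config written here is a trimmed copy of the one above<br>
with 2048-bit keys and sha256 in place of 1024/sha1; the subject names reuse the defaults above (FJ, Suva,<br>
SOPAC) and the hostnames are made up. The CA key is left without a passphrase only so the example runs<br>
unattended; a real CA key gets one.<br>

```shell
#!/bin/sh
# Added example, not from the HOWTO: the CA_default layout and `openssl ca`.
set -e

# Where this build looks for openssl.cnf when -config is not given.  The
# HOWTO assumes /usr/lib/ssl; yours may differ, hence -config everywhere below.
openssl version -d

# Build the CA tree and a trimmed openssl.cnf in directory $1.
ca_setup() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"            # the CA key must not be world-readable
    : > "$dir/index.txt"                # empty database of issued certificates
    echo 01 > "$dir/serial"             # first serial number
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
default_days = 365
default_md = sha256
x509_extensions = usr_cert
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = optional
localityName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Self-signed CA certificate (what CA.pl -newca does), key without passphrase.
    openssl req -config "$dir/openssl.cnf" -new -x509 -newkey rsa:2048 -nodes \
        -subj "/C=FJ/L=Suva/O=SOPAC/CN=SOPAC Test CA" -days 365 \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
}

# Make a request for subject $2 and have the CA in $1 sign it as $3.crt.
# Exit status is that of `openssl ca`, which prints its reason on failure.
ca_issue() {
    dir=$1; subj=$2; name=$3
    openssl req -config "$dir/openssl.cnf" -new -newkey rsa:2048 -nodes \
        -subj "$subj" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl ca -config "$dir/openssl.cnf" -batch -notext \
        -in "$dir/$name.csr" -out "$dir/$name.crt" >/dev/null
}

# Does $2.crt chain to the CA certificate in $1?
ca_verify() { openssl verify -CAfile "$1/cacert.pem" "$1/$2.crt" >/dev/null 2>&1; }

workdir=$(mktemp -d)
ca_setup "$workdir"

# Same C, L and O as the CA: policy_match is satisfied and the cert is issued.
ca_issue "$workdir" "/C=FJ/L=Suva/O=SOPAC/CN=www.example.org" www
ca_verify "$workdir" www && echo "www.example.org: issued, verifies against the CA"
echo "database now holds: $(wc -l < "$workdir/index.txt") entry"

# Different organizationName: policy_match rejects it before anything is signed.
if ca_issue "$workdir" "/C=FJ/L=Suva/O=Someone Else/CN=evil.example.org" evil; then
    echo "unexpected: policy_match did not reject"
else
    echo "evil.example.org: rejected by policy_match"
fi
```

Everything `openssl ca` signs is recorded in index.txt and copied to newcerts/ under its serial number, which is what later revocation (openssl ca -revoke) and CRL generation work from, so back up that directory together with the CA key.<br>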