resin-security.xtp

来自「RESIN 3.2 最新源码」· XTP 代码 · 共 1,899 行 · 第 1/5 页

<var>private key</var>.
</glossary>

<p>
SSL also provides the ability for a client to verify the identity of a server.
This is used to protect against identity theft, where for example a malicious
person imitates your server or redirects client traffic to a different server
while pretending to be you.
</p>

<glossary title="signing authority" type="sidebar-left">
A company that is trusted to sign certificates.  Browsers include
certificates of signing authorities that they trust.
</glossary>

<p>
Server authentication uses the signature aspect of public key cryptography.
The private key is used to sign messages, and the public key is used to verify
the signature.  With SSL, the validity of signatures depends upon signing
authorities.  Signing authorites (also called certificate authorities) are
companies who have generated public keys that are included with browser
software.  The browser knows it can trust the signing authority, and the
signing authority signs your SSL certificate, putting its stamp of approval on
the information in your certificate.
</p>

<glossary title="certificate authority">
Another name for <var>signing authority</var>.  A company that is trusted to
sign certificates.  Browsers include certificates of signing authorities that
they trust.
</glossary>

<p>For example, after you generate your public and private key, you then
generate a signing request and send it to a signing authority.  This signing
request contains information about your identity, this identity information is
confirmed by the signing authority and ultimately displayed to the user of the
browser.  The signing authority validates the identity information you have
provided and uses their private key to sign, and then returns a
<var>certificate</var> to you.  This certificate contains the identity information
and your public key, verified by the signing authority, and is provided to the
browser. Since the browser has the public key of the signing authority, it can
recognize the signature and know that the identity information has been
provided by someone that can be trusted.</p>


</s2> <!-- aboutssl/Server Authentication -->

</s1> <!-- aboutssl -->

<s1 name="openssl" title="OpenSSL">

<p>OpenSSL is the same SSL implementation that Apache's mod_ssl
uses. Since OpenSSL uses the same certificate as Apache, you can get
signed certificates using the same method as for Apache's mod_ssl or
following the OpenSSL instructions.</p>

<s2 title="Linking to the OpenSSL Libraries on Unix">

<p>On Unix systems, Resin's libexec/libresinssl.so JNI library
supports SSL using the
<a href="http://www.openssl.org">OpenSSL</a> libraries.
Although the ./configure script will detect many configurations,
you can specify the openssl location directly:</p>

<example>
resin&gt; ./configure --with-openssl=/usr/local/ssl
</example>
</s2>

<s2 title="Obtaining the OpenSSL Libraries on Windows">

<p>On Windows systems, the resinssl.dll includes JNI code to use
OpenSSL libraries (it was in resin.dll in versions before 3.0).  All
you need to do is to obtain an OpenSSL binary distribution and install
it. </p>
  
<p>Resin on Windows is compiled against the GnuWin32 binary, you can obtain an
installation package 
<a href="http://gnuwin32.sourceforge.net/packages/openssl.htm">here</a>.
</p>

<p>Once you have run the installation package, you can copy the necessary
dll libraries into <code>$RESIN_HOME</code>:</p>

<example title="Copying the Windows SSL libraries into $RESIN_HOME">
C:\&gt; cd %RESIN_HOME%
C:\resin-3.0&gt; copy "C:\Program Files\GnuWin32\bin\libssl32.dll" .\libssl32.dll
C:\resin-3.0&gt; copy "C:\Program Files\GnuWin32\bin\libeay32.dll" .\libeay32.dll
</example>


</s2>

<s2 title="Preparing to use OpenSSL for making keys">
<p>You can make a <code>keys/</code> subdirectory of $RESIN_HOME to do
your work from and as a place to store your generated keys.</p>

<example title="$RESIN_HOME/keys">
unix&gt; cd $RESIN_HOME
unix&gt; mkdir keys
unix&gt; cd keys

win&gt; cd %RESIN_HOME%
win&gt; mkdir keys
win&gt; cd keys
</example>

<p>Using OpenSSL requires a configuration file.  Unix users might find
the default configuration file in <code>/usr/ssl/openssl.cnf</code>
or <code>/usr/share/ssl/openssl.cnf</code>.  Windows users may not
have received one with their package.</p>

<p>Either way, it can be valuable to make your own
<code>openssl.cnf</code> that is used just for generating the keys to
use with Resin.  You can use the following as a template for a file
<code>$RESIN_HOME/keys/openssl.cnf</code>.  You may want to fill in
the <code>_default</code> values so you don't have to type them in
every time.</p>

<example title="$RESIN_HOME/keys/openssl.cnf">
[ req ]
 default_bits            = 1024
 distinguished_name      = req_distinguished_name

[ req_distinguished_name ]
 C                      = 2 letter Country Code, for example US
 C_default              =
 ST                     = State or Province
 ST_default             =
 L                      = City
 L_default              =
 O                      = Organization Name
 O_default              =
 OU                     = Organizational Unit Name, for example 'Marketing'
 OU_default             =
 CN                     = your domain name, for example www.hogwarts.com
 CN_default             =
 emailAddress           = an email address
 emailAddress_default   =

</example>
</s2>

<s2 title="Creating a private key">

<p>Create a private key for the server.  You will be asked for a
password - don't forget it!  You will need this password anytime you
want to do anything with this private key.  But don't pick something
you need to keep secret, you will need to put this password in the
Resin configuration file.</p>

<example title="creating the private key gryffindor.key">
unix&gt; openssl genrsa -des3 -out gryffindor.key 1024
win&gt;  "C:\Program Files\GnuWin32\bin\openssl.exe" \
         genrsa -des3 -out gryffindor.key 1024
</example>

</s2>

<s2 title="Creating a certificate">
<p>OpenSSL works by having a signed public key that corresponds to your
private key.  This signed public key is called a <var>certificate</var>.  A
certificate is what is sent to the browser.</p>

<p>You can create a self-signed certificate, or get a certificate that
is signed by a certificate signer (CA).</p>

<s3 title="Creating a self-signed certificate">

<p>You can create a certificate that is self-signed, which is good for
testing or for saving you money.  Since it is self-signed, browsers will not
recognize the signature and will pop up a warning to browser users.  Other than
this warning, self-signed certificates work well. The browser cannot confirm
that the server is who it says it is, but the data between the browser and the
client is still encrypted.</p>

<example title="creating a self-signed certificate gryffindor.crt">
unix&gt; openssl req -config ./openssl.cnf -new -key gryffindor.key \
        -x509 -out gryffindor.crt
win&gt; "C:\Program Files\GnuWin32\bin\openssl.exe" req -config ./openssl.cnf \
         -new -key gryffindor.key -x509 -out gryffindor.crt
</example>

<p>You will be asked to provide some information about the identity of
your server, such as the name of your Organization etc.  Common Name
(CN) is your domain name, like: "www.gryffindor.com".</p>

</s3>

<s3 title="Creating a certificate request">

<p>To get a certificate that is signed by a CA, first you generate a
<var>certificate signing request</var> (CSR).</p>

<example title="creating a certificate request gryffindor.csr">
unix&gt; openssl req -new -config ./openssl.cnf -key gryffindor.key \
      -out gryffindor.csr
win&gt; "C:\Program Files\GnuWin32\bin\openssl.exe" req -new \
      -config ./openssl.cnf  -key gryffindor.key -out gryffindor.csr
</example>

<p>You will be asked to provide some information about the identity of
your server, such as the name of your Organization etc.  Common Name
(CN) is your domain name, like: "www.gryffindor.com".</p>

<p>Send the CSR to a certificate signer (CA).  You'll use the CA's
instructions for Apache because the certificates are identical.  Some
commercial signers include:</p>

<ul>
<li><a href="http://digitalid.verisign.com/server/apacheNotice.htm">Verisign</a>
</li><li><a href="http://www.thawte.com/certs/server/request.html">Thawte Consulting</a>
</li></ul>
<p>You'll receive a <em>gryffindor.crt</em> file.</p>

<p>Most browsers are configured to recognize the signature of signing
authorities.  Since they recognize the signature, they will not pop up a
warning message the way they will with self-signed certificates.  The browser
can confirm that the server is who it says it is, and the data between the
browser and the client is encrypted.</p>

</s3>
</s2>

<s2 title="resin.xml - Configuring Resin to use your private key and certificate">

<p>The OpenSSL configuration has two tags <a config-tag="certificate-file"/> and
<a config-tag="certificate-key-file"/>.  These correspond exactly to mod_ssl's
SSLCertificateFile and SSLCertificateKeyFile.  So you can use the same
certificates (and documentation) from mod_ssl for Resin.</p>

<p>The full set of parameters is in the port configuration.</p> 

<example>
...
&lt;http port="443"&gt;
  &lt;openssl&gt;
    &lt;certificate-file&gt;keys/gryffindor.crt&lt;/certificate-file&gt;
    &lt;certificate-key-file&gt;keys/gryffindor.key&lt;/certificate-key-file&gt;
    &lt;password&gt;my-password&lt;/password&gt;
  &lt;/openssl&gt;
&lt;/http&gt;
</example>

</s2>

<s2 title="Testing">

<s3 title="Testing with the browser">
<!--
<p><jsp:scriptlet>if (request.isSecure()) {</jsp:scriptlet>
</p><p><code>request.isSecure()</code> is reporting true, so it looks like
you have SSL working and are viewing this page over an SSL encrypted
connection.</p>
<jsp:scriptlet>} else {</jsp:scriptlet>
<p>Once you have SSL configured, you can come back to this page using
an <code>https://</code> style URL instead of an <code>http://</code>
url and you will get a message telling that SSL is working.
<jsp:scriptlet>}</jsp:scriptlet>

</p>
-->

<p>A quick test is the following JSP.</p>

<example>
Secure? &lt;%= request.isSecure() %&gt;
</example>
</s3>

<s3 title="Using openssl to test the server">
<p>
The openssl tool can be used as a client, showing some interesting information
about the conversation between the client and the server:
</p>

<example>
unix$ openssl s_client -connect www.some.host:443 -prexit
</example>
</s3>
</s2> <!-- testing -->

<s2 title="Certificate Chains">

<p>A <var>certificate chain</var> is used when the signing authority is not an
authority trusted by the browser.  In this case, the signing authority uses a
certificate which is in turn signed by a trusted authority, giving a chain of
<code>[your certificate] &lt;--- signed by ---- [untrusted signer] &lt;---- signed by ---- [trusted signer]</code>.

</p><p>
The Resin config parameter <a config-tag="certificate-chain-file"/> is used to
specify a certificate chain.  It is used to reference a file that is a
concatenation of:
</p>

<ol>
<li>your certificate file
</li><li>the intermediate (untrusted) certificate
</li><li>the root (trusted) certificate.
</li></ol>

<p>
The certificates must be in that order, and must be in PEM format.
</p>

<s3 title="Example certificate chain for Instant SSL">

<p>
<a href="http://instantssl.com">Comodo (http://instantssl.com)</a> is a signing
authority that is untrusted by most browsers.  Comodo has their certificate
signed by GTECyberTrust.
</p>

<p>
Comodo gives you three certificates:
</p>

<ol>
<li><code>your_domain.crt</code>   (signed by Comodo)
</li><li><code>ComodoSecurityServicesCA.crt</code>   (signed by GTE CyberTrust)
</li><li><code>GTECyberTrustRoot.crt</code>  (universally known root)
</li></ol>

<p>
In addition to this, you have your key, <code>your_domain.key</code>.
The contents of the file referred to by <a config-tag="certificate-chain-file"/> is a concatenation of the three
certificates, in the correct order.
</p>

<example title="Creating a certificate chain file">
$ cat your_domain.crt ComodoSecurityServicesCA.crt GTECyberTrustRoot.crt &gt; chain.txt
</example>

<example title="resin.xml using a certificate chain file">
&lt;http port="443"&gt;
  &lt;openssl&gt;
    &lt;certificate-key-file&gt;keys/your_domain.key&lt;/certificate-key-file&gt;
    &lt;certificate-file&gt;keys/your_domain.crt&lt;/certificate-file&gt;        
    &lt;certificate-chain-file&gt;keys/chain.txt&lt;/certificate-chain-file&gt;
    &lt;password&gt;test123&lt;/password&gt;
  &lt;/openssl&gt;
&lt;/http&gt;
</example>

</s3> <!-- example certificate chain -->

</s2> <!-- certificate chain -->

</s1> <!-- OpenSSL -->


<s1 name="jsse" title="JSSE">

<p>We recommend avoiding JSSE if possible. It is slower than using
Resin's OpenSSL support and does not appear to be as stable as Apache
or IIS (or Netscape/Zeus) for SSL support. In addition, JSSE is far
more complicated to configure. While we've never received any problems
with Resin using OpenSSL, or SSL from Apache or IIS, JSSE issues are
fairly frequent.</p>

<s2 title="Install JSSE from Sun">

<p>This section gives a quick guide to installing a test SSL
configuration using Sun's JSSE.  It avoids as many complications as
possible and uses Sun's keytool to create a server certificate.</p>

<p>Resin's SSL support is provided by Sun's
<a href="http://java.sun.com/products/jsse">JSSE</a>.  Because of
export restrictions, patents, etc, you'll need to download the JSSE
distribution from Sun or get a commercial JSSE implementation.</p>

<p>More complete JSSE installation instructions for JSSE are at
<a href="http://java.sun.com/products/jsse/install.html">http://java.sun.com/products/jsse/install.html</a>.
</p>
<ol>
<li>First download Sun's <a href="http://java.sun.com/products/jsse">JSSE</a>.
</li><li>Uncompress and extract the downloaded file.
</li><li>Install the JSSE jar files: jsse.jar, jnet.jar, and jcert.jar.  You can
either put them into the CLASSPATH or you can put them into $JAVA_HOME/jre/lib/ext.  Since you will use "keytool" with the new jars, you need to make t