Knowledge of https
Introduction of https
HTTPS (full name: Hypertext Transfer Protocol Secure), is a secure HTTP channel that secures the transmission process through transport encryption and authentication on top of HTTP. HTTPS adds SSL to HTTP, the secure foundation of HTTPS is SSL, so encrypted HTTPS has a different default port than HTTP and an encryption/authentication layer (between HTTP and TCP). This system provides authentication and encrypted communication methods. It is widely used for secure and sensitive communications on the World Wide Web, such as transaction payments.
The difference between HTTP and HTTPS
-
HTTP is a plaintext transfer protocol, HTTPS protocol is a network protocol built from SSL+HTTP protocol that allows encrypted transmission and authentication, which is more secure than HTTP protocol.
-
HTTPS is more secure than HTTP, more friendly to search engines, good for SEO, Google, Baidu priority indexing HTTPS web pages;
-
HTTPS requires an SSL certificate, while HTTP does not [(HTTPS is a server with SSL installed, HTTP is a server without SSL installed)];
-
HTTPS standard port 443, HTTP standard port 80;
-
HTTPS is based on the transport layer, HTTP is based on the application layer;
-
HTTPS displays a green security lock in the browser, HTTP does not;
SSL related understanding
SSL (Secure Socket Layer) is a network security protocol pioneered by Netscape. It is a security protocol implemented over the Transport Communications Protocol (TCP/IP) and uses public key technology. SSL supports a wide range of network types and provides three basic security services, all of which use public key technology.
The relationship between SSL/TLS protocols and certificates
To ensure network security, we need to issue a certificate to the server, which can be generated by ourselves, but issuing the certificate by ourselves is not secure and can be forged by others, so we usually buy the certificate from a third-party organization. In fact, the certificate does not depend on the protocol, and there is not much connection with the protocol, the protocol is determined by the service configuration, and the certificate is used with the protocol
Workflow of https
(1) The client initiates an https request, which is sent to port 443 of the server through domain name resolution to establish a TCP connection
(2) The server will send the pre-prepared certificate file to the client
(3) The client will first verify the validity of the server's certificate, and if it is invalid, a warning message will be displayed, indicating that the site is not secure.
(4) If it is valid, the client will use the key in the certificate file sent by the server to encrypt the session private key generated by the pseudo-random number it uses and send it to the server.
(5) The server will use the private key file to unkey the encrypted session key sent by the client and get the session key
(6) After that, the data exchange between the client and the server will be done by encrypting and decrypting the key to complete the whole communication process
The process, the server side in the acquisition of the session key, the certificate generated in the public key private key for the session key to obtain the way for the asymmetric key method. After that, the client-side server side establishes the session private key for communication in a symmetric key way.
How the client verifies that the certificate is valid
Browsers are usually pre-installed with the public keys of some of the more authoritative third-party certification authorities, such as VeriSign, Symantec, and GlobalSign, among others.
When verifying the digital signature, the corresponding third-party public key will be obtained directly from the local area, and the private key will be decrypted to get the real signature after encryption.
Then the client uses the signature generation rules to generate the signature to see if the two signatures match, and if they match, the authentication passes, and if they do not match, the certificate fails.
Reasons why web sites don't all use https
1.First, many people still feel that there is a threshold for HTTPS implementation, and that threshold lies in the need for an SSL certificate issued by an authoritative CA. From certificate selection, purchase to deployment, the traditional model can be time-consuming and labor-intensive.
2.Secondly, HTTPS is generally considered to be more performance intensive than HTTP because encrypted communication consumes more CPU and memory resources compared to plain text communication. If every communication is encrypted, it will consume a considerable amount of resources, and the number of requests that can be processed will be reduced when spread out over a computer.
3. In addition, the desire to save on the cost of purchasing certificates is one of the reasons. To communicate over HTTPS, certificates are essential. The certificates used must be purchased from a certification authority (CA).
4. Lastly, security awareness is different. Compared with domestic, foreign Internet industry security awareness and technology application is relatively mature, HTTPS deployment trend is driven by the community, enterprises and government to go together.
The method of obtaining SSL certificate
Ali cloud certificate acquisition
You can choose to buy the certificate directly, here is the website of AliCloud.
https://www.aliyun.com/product/cas?userCode=r3yteowb
Certificate creation for openssl
Create ca private key
// First create a directory to store
mkdir /tls
cd /tls/
//generate ca certificate
openssl genrsa -aes256 -out ca-key.pem 4096 #type 123123
----------------------------------------------------------------------------------------------------------
genrsa: use RSA algorithm to generate private key
-aes256: encrypt the private key using AES algorithm with 256-bit key, so that every time you use the private key file, you will enter the password, which can be omitted
-out: the path of the output file, if no output file is specified, it will be the standard output
4096: Specify the length of the private key, the default is 1024. this must be the last parameter of the command line
----------------------------------------------------------------------------------------------------------
Create a ca certificate
openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem
----------------------------------------------------------------------------------------------------------
req: execute certificate issuance command
-new: new certificate issuance request
-x509: Generate a certificate in x509 format, exclusively for use when creating a private CA
-days: the valid time of the certificate, the unit is days
-key: specify the path of the private key
-sha256: certificate digest using sha256 algorithm
-subj: certificate related user information (abbreviation of subject)
-out: the path of the output file
----------------------------------------------------------------------------------------------------------
Create server private key
////Issue server-side certificate with ca certificate
openssl genrsa -out server-key.pem 4096
Generate certificate signing request file (csr file)
openssl req -new -key server-key.pem -sha256 -subj "/CN=*" -out server.csr
Use ca certificate and private key certificate to issue server-side signing certificate
openssl x509 -req -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -days 1000 -out server-cert.pem
----------------------------------------------------------------------------------------------------------
x509: generate x509 format certificate
-req: input csr file
-in: the csr file to be entered
-CA: specify the path of the ca certificate
-CAkey: specify the path to the private key of the ca certificate
-CAcreateserial: indicates the creation of a certificate serial number file, the default name of the created serial number file is ca.srl
----------------------------------------------------------------------------------------------------------
Generate client-side private key
//Issue client-side certificate with ca certificate
openssl genrsa -out client-key.pem 4096
Generate a certificate signing request file
openssl req -new -key client-key.pem -subj "/CN=client" -out client.csr
Create an extended profile to make the secret key suitable for client authentication
echo extendedKeyUsage=clientAuth > extfile.cnf
Issuing client-signed certificates using ca certificates
Enter 123123, (requires signature request file, ca certificate, ca key)
openssl x509 -req -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -extfile extfile.cnf -days 1000 -out client-cert.pem
//Delete two certificate signing request files and extension configuration files
rm -rf ca.srl client.csr extfile.cnf server.csr