
HTTPS Setup using mod_ssl on CentOS 5.8

Jeong Chul
tland12.wordpress.com

Computer Science ITC and RUPP in Cambodia

Part 1 Basic concepts on SSL

Step 1 Secure Socket Layer
Step 2 SSL Record Protocol Operation
Step 3 SSL Handshake Protocol
Step 4 Digital Certificates
Step 5 X.509 Certificates
Step 6 HTTPS

Part 2 HTTPS Configuration

Step 7 Installation and startup
Step 8 HTTPS configuration
Step 9 Packet Capture using Wireshark

HTTPS Server Testing Environment

1. server.chul.com: 192.168.80.25, HTTPS server, https://www.chul.com
2. client.chul.com: 192.168.80.10, Linux web client, testing on Firefox

Step 1 Secure Socket Layer (SSL)

SSL Record Protocol Services
1. Confidentiality: symmetric encryption with a shared secret key defined by the Handshake Protocol
   Ciphers: AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
   The message is compressed before encryption
2. Message integrity: a MAC (Message Authentication Code) with a shared secret key, similar to HMAC but with different padding
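The record protocol operation of Steps 1 and 2 (fragment, compress, MAC, encrypt, prepend the record header), as an added Python demonstration that is not part of the original slides. The HMAC-derived keystream is a toy stand-in for the negotiated cipher; the MAC input mirrors the SSL/TLS construction (sequence number, content type, version, length, payload) so that a modified or reordered record fails verification.

```python
import hashlib, hmac, struct, zlib

# Constructed demo of the SSL record layer: fragment -> compress -> MAC -> encrypt -> header.
MAX_FRAGMENT = 2 ** 14        # record payload limit for SSLv3/TLS
CT_APPLICATION_DATA = 23
VERSION = b"\x03\x00"         # SSLv3 version bytes
MAC_LEN = 20                  # SHA-1 MAC, as used by SSLv3 cipher suites

def _keystream(enc_key, seq, length):
    # Toy stream cipher (HMAC in counter mode), standing in for the negotiated cipher such as RC4-128.
    out = b""
    for counter in range((length // 32) + 1):
        out += hmac.new(enc_key, struct.pack(">QI", seq, counter), hashlib.sha256).digest()
    return out[:length]

def _mac(mac_key, seq, ctype, payload):
    # The MAC covers sequence number, content type, version and length as well as the payload,
    # so a replayed, reordered or truncated record fails verification.
    hdr = struct.pack(">QB", seq, ctype) + VERSION + struct.pack(">H", len(payload))
    return hmac.new(mac_key, hdr + payload, hashlib.sha1).digest()

def seal_records(mac_key, enc_key, data, seq=0):
    """Split data into records: compress, append MAC, encrypt, prepend the 5-byte header."""
    records = []
    for off in range(0, len(data), MAX_FRAGMENT):
        compressed = zlib.compress(data[off:off + MAX_FRAGMENT])
        body = compressed + _mac(mac_key, seq, CT_APPLICATION_DATA, compressed)
        cipher = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, seq, len(body))))
        header = struct.pack(">B", CT_APPLICATION_DATA) + VERSION + struct.pack(">H", len(cipher))
        records.append(header + cipher)
        seq += 1
    return records

def open_records(mac_key, enc_key, records, seq=0):
    """Reverse seal_records; raise ValueError if any record fails the header or MAC check."""
    out = b""
    for rec in records:
        ctype, ver, length = rec[0], rec[1:3], struct.unpack(">H", rec[3:5])[0]
        cipher = rec[5:]
        if ver != VERSION or len(cipher) != length:
            raise ValueError("bad record header at sequence %d" % seq)
        body = bytes(a ^ b for a, b in zip(cipher, _keystream(enc_key, seq, len(cipher))))
        compressed, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        if not hmac.compare_digest(tag, _mac(mac_key, seq, ctype, compressed)):
            raise ValueError("MAC check failed at sequence %d" % seq)
        out += zlib.decompress(compressed)   # decompress only after integrity is confirmed
        seq += 1
    return out
```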

Step 2 SSL Record Protocol Operation

Step 3 SSL Handshake Protocol (1)


1. Allows server and client to:
   authenticate each other
   negotiate encryption and MAC algorithms
   negotiate the cryptographic keys to be used

2. Comprises a series of messages in phases:
   Establish Security Capabilities
   Server Authentication and Key Exchange
   Client Authentication and Key Exchange
   Finish

Step 3 SSL Handshake Protocol (2)

Step 4 Digital Certificates


1. Digital Signatures
   1.1 Private key to encrypt, public key to decrypt: any holder of the public key can decrypt the message, but only a holder of the private key could have encrypted it
   1.2 For speed and improved security, hash the plaintext and sign that, then encrypt
   1.3 Algorithms: RSA, ElGamal, DSA (DSA is intended for digital signatures only)

2. Digital Certificates
   2.1 A trusted third party digitally signs the public key: the Certificate Authority (CA) has a public key that is known by everyone involved
   2.2 The resulting digital certificate contains:
       the server's public key and expiration date
       information about the owner of the key
       information about the CA and the CA's signature
       information on how the certificate may be used

Step 5 X.509 Certificates

Step 6 HTTPS
1. HTTPS (HTTP over SSL): the combination of HTTP and SSL/TLS to secure communications between browser and server
   documented in RFC 2818
   no fundamental change whether SSL or TLS is used
2. Use an https:// URL rather than http://, and port 443 rather than 80
3. Encrypts the URL, document contents, form data, cookies and HTTP headers

Step 7 Installation and startup

1. Package installation
   # rpm -qa | grep httpd
   # rpm -qa | grep mod_ssl
   # rpm -qa | grep openssl
   # yum install httpd httpd-manual httpd-devel
   # yum install mod_ssl openssl

2. Service startup and main directories
   # service httpd start
   # ls -l /etc/httpd/conf /var/www/html /etc/pki/CA

3. Service startup checking
   # ps -ef | grep httpd
   # netstat -nat | grep 80

4. Runlevel registration
   # chkconfig httpd on
   # chkconfig --list httpd

5. Testing on the browser
   http://localhost

Step 8 HTTPS Configuration (1)

1. SSL configuration for making a private Certificate Authority
   # vim /etc/pki/tls/openssl.cnf
   dir = /etc/pki/CA
   certificate = $dir/linux-ca.crt
   crl = $dir/linux-ca.crl
   private_key = $dir/private/linux-ca.key

2. Default setting for the CA
   # mkdir /etc/pki/CA/{certs,crl,newcerts}
   # touch /etc/pki/CA/index.txt     // database to contain all issued certificates
   # echo 01 > /etc/pki/CA/serial    // serial number of the next certificate issued

3. Generating the RSA private key (run from /etc/pki/CA)
   # openssl genrsa -out private/linux-ca.key -des3 2048
   # openssl rsa -noout -text -in private/linux-ca.key

4. Generating the CA certificate
   # openssl req -new -x509 -key private/linux-ca.key -days 365 > linux-ca.crt

Step 8 HTTPS Configuration (2)

5. Generating a Certificate Signing Request (CSR)
   # openssl req -new -key private/linux-ca.key -out linux-ca.csr

6. Creating a CA-signed certificate
   # openssl ca -in linux-ca.csr -out linux-ca.crt
   # cp private/linux-ca.key /etc/httpd/conf/
   # cp linux-ca.crt /etc/httpd/conf/
   # cp linux-ca.crt /var/www/html/certs/    // certificate download for users

7. SSL configuration
   # vim /etc/httpd/conf.d/ssl.conf
   SSLEngine on
   SSLCertificateFile /etc/httpd/conf/linux-ca.crt
   SSLCertificateKeyFile /etc/httpd/conf/linux-ca.key

8. SSL log files
   # tail -f /var/log/httpd/ssl_access_log /var/log/httpd/ssl_error_log

9. Testing on the browser
   # service httpd restart
   https://www.chul.com/
   Examine the certificate in the browser
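A check for the ssl.conf edit in item 7 above, as an added Python example that is not part of the original slides: it reads the directives inside the <VirtualHost> block and reports a missing directive, an SSLEngine value other than on, and a misspelt directive name (the extracted slide text spells the key-file directive "CertificatKeyFile", which Apache would reject at startup). The configuration fragment is constructed for the demonstration and the list of known directive names is an assumption kept short on purpose.

```python
import difflib
import re

# Directives the Step 8 procedure sets inside <VirtualHost _default_:443>; SSLEngine must be "on".
REQUIRED = ("SSLEngine", "SSLCertificateFile", "SSLCertificateKeyFile")
KNOWN = REQUIRED + ("SSLProtocol", "SSLCipherSuite", "SSLCertificateChainFile",
                    "SSLCACertificateFile", "ErrorLog", "TransferLog", "LogLevel",
                    "DocumentRoot", "ServerName")   # assumed subset of mod_ssl/httpd directives

def parse_ssl_conf(text):
    """Return {directive: value} for lines inside a <VirtualHost> block, ignoring comments."""
    directives, in_vhost = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<VirtualHost\b", line, re.I):
            in_vhost = True
        elif re.match(r"</VirtualHost>", line, re.I):
            in_vhost = False
        elif in_vhost:
            parts = line.split(None, 1)
            directives[parts[0]] = parts[1] if len(parts) > 1 else ""
    return directives

def check_ssl_conf(text):
    """List problems: missing required directives, SSLEngine not on, misspelt directive names."""
    d = parse_ssl_conf(text)
    problems = ["missing %s" % req for req in REQUIRED if req not in d]
    if "SSLEngine" in d and d["SSLEngine"].lower() != "on":
        problems.append("SSLEngine is %r, expected on" % d["SSLEngine"])
    for name in d:
        if name not in KNOWN:
            close = difflib.get_close_matches(name, KNOWN, n=1, cutoff=0.8)
            if close:
                problems.append("unknown directive %s (did you mean %s?)" % (name, close[0]))
    return problems

# Constructed ssl.conf fragment reproducing the key-file directive as spelt in the slide text.
SLIDE_CONF = """\
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost _default_:443>
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/linux-ca.crt
    SSLCertificatKeyFile /etc/httpd/conf/linux-ca.key
</VirtualHost>
"""
FIXED_CONF = SLIDE_CONF.replace("SSLCertificatKeyFile", "SSLCertificateKeyFile")
```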

Step 9 Packet Capture using Wireshark

1. Start Wireshark on the server system
   # rpm -qa | grep wireshark
   # yum install wireshark wireshark-gnome
   # wireshark

2. Packet capture of HTTP traffic in Wireshark
   # service httpd restart
   # elinks http://www.chul.com

3. Packet capture of HTTPS traffic in Wireshark
   # service httpd restart
   # elinks https://www.chul.com

4. Packet analysis using Wireshark


Thank you!
See you again on Kerberos in the next video. tland12.wordpress.com
