[svc]cfssl模拟https站点-探究浏览器如何校验证书

准备cfssl环境

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O     /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O      /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl*

生成ca证书

cd;mkdir keys;cd keys
cat > ca-config.json <<EOF
{"signing": {"default": {"expiry": "8760h"},"profiles": {"app": {"usages": ["signing","key encipherment","server auth","client auth"],"expiry": "8760h"}}}
}
EOFcat > ca-csr.json <<EOF
{"CN": "k8s","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","ST": "BeiJing","L": "BeiJing","O": "k8s","OU": "System"}]
}
EOFcfssl gencert -initca ca-csr.json | cfssljson -bare ca

生成server证书

cd /root/keys
cat > app-csr.json <<EOF
{"CN": "app","hosts": ["127.0.0.1","192.168.1.11","app","app.ma.com"],"key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","ST": "BeiJing","L": "BeiJing","O": "k8s","OU": "System"}]
}
EOFcfssl gencert -ca=/root/keys/ca.pem \-ca-key=/root/keys/ca-key.pem \-config=/root/keys/ca-config.json \-profile=app app-csr.json | cfssljson -bare appopenssl x509  -noout -text -in  app.pem

构建https webserver模拟测试

cd /root/
cat > http-server.js <<EOF
var https = require('https');
var fs = require('fs');var options = {key: fs.readFileSync('./keys/app-key.pem'),cert: fs.readFileSync('./keys/app.pem')
};https.createServer(options, function (req, res) {res.writeHead(200);res.end('hello world');
}).listen(8000);
EOFyum install nodejs -y
npm install https -g
node http-server.js

访问服务端https://192.168.1.x:8000端口(域已添加本地hosts)

发现

opera浏览器

处理浏览器安全问题

1.导出ca.pem到win7,改名为ca.crt.

2.运行 certmgr.msc 打开证书管理器

3.浏览器访问8000端口(ctrl+shift+del清缓存)

opera浏览器

4.使用apps.ma.com访问,也报错

无SAN(Subject Alternative Name)-CN: app.ma.com-即使地址栏的域名和CN一样也报错

cd /root/keys
rm -rf app*
cat > app-csr.json <<EOF
{"CN": "app.ma.com",  #将hosts字段去掉(SAN干掉)"key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","ST": "BeiJing","L": "BeiJing","O": "k8s","OU": "System"}]
}
EOFcfssl gencert -ca=/root/keys/ca.pem \-ca-key=/root/keys/ca-key.pem \-config=/root/keys/ca-config.json \-profile=app app-csr.json | cfssljson -bare appopenssl x509  -noout -text -in  app.pem

无SAN(Subject Alternative Name)-CN: *.ma.com-即使地址栏的域名和CN一样也报错

cd /root/keys
rm -rf app*
cat > app-csr.json <<EOF
{"CN": "*.ma.com","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","ST": "BeiJing","L": "BeiJing","O": "k8s","OU": "System"}]
}
EOFcfssl gencert -ca=/root/keys/ca.pem \-ca-key=/root/keys/ca-key.pem \-config=/root/keys/ca-config.json \-profile=app app-csr.json | cfssljson -bare appopenssl x509  -noout -text -in  app.pem

SAN含app.ma.com(Subject Alternative Name)-CN: *.ma.com-仅app.ma.com域名可访问

cd /root/keys
rm -rf app*
cat > app-csr.json <<EOF
{"CN": "*.ma.com","hosts": ["app.ma.com"],"key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","ST": "BeiJing","L": "BeiJing","O": "k8s","OU": "System"}]
}
EOFcfssl gencert -ca=/root/keys/ca.pem \-ca-key=/root/keys/ca-key.pem \-config=/root/keys/ca-config.json \-profile=app app-csr.json | cfssljson -bare appopenssl x509  -noout -text -in  app.pem
cd ..;node http-server.js

SAN含.ma.com(Subject Alternative Name)-CN: .ma.com-可用任意*.ma.com来访问

cd /root/keys
rm -rf app*
cat > app-csr.json <<EOF
{"CN": "*.ma.com","hosts": ["*.ma.com"],"key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","ST": "BeiJing","L": "BeiJing","O": "k8s","OU": "System"}]
}
EOFcfssl gencert -ca=/root/keys/ca.pem \-ca-key=/root/keys/ca-key.pem \-config=/root/keys/ca-config.json \-profile=app app-csr.json | cfssljson -bare appopenssl x509  -noout -text -in  app.pem
cd ..;node http-server.js

查看互联网上一些证书

汽车之家的通用型(*)证书(而且一个证书对应了多个域名)
谷歌的 www证书

wildcard和san两种证书的区别

wildcard: 可变部分sub-domain:
*.maotai.com
www.maotai.com
bbs.maotai.comsan: 可变部分: subdomain和domain
subdomain
*.ma.com
*.ma.net
*.xx.net

注:一般通用型证书比www证书价格贵一半左右.

浏览器如何验证证书

参考: http://www.cnblogs.com/iiiiher/p/8085698.html
当浏览器使用HTTPS连接到您的服务器时，他们会检查以确保您的SSL证书与地址栏中的主机名称匹配。

==浏览器有三种找到匹配的方法：==

1.主机名（在地址栏中）与证书主题(Subject)中的通用名称(Common Name)完全匹配。
2.主机名称与通配符通用名称相匹配。例如，www.example.com匹配通用名称* .example.com。
3.主机名在主题备用名称(SAN: Subject Alternative Name)字段中列出
1.The host name (in the address bar) exactly matches the Common Name in the certificate's Subject.
2.The host name matches a Wildcard Common Name. For example, www.example.com matches the common name *.example.com.
3.The host name is listed in the Subject Alternative Name field.

参考

客户端使用服务端返回的信息验证服务器的合法性，包括：证书是否过期发型服务器证书的CA是否可靠返回的公钥是否能正确解开返回证书中的数字签名服务器证书上的域名是否和服务器的实际域名相匹配  -- 要核对CN或SAN,见上验证通过后，将继续进行通信，否则，终止通信

在哪里可以查看到san

参考:　https://www.digicert.com/subject-alternative-name.htm

小结: 正因为访问的域名在san列表,所以访问才能被通过校验.

[svc]cfssl模拟https站点-探究浏览器如何校验证书相关推荐

HTTPS站点不安全？SSL证书不做背锅侠
SSL证书在保护网站数据传输上起到了至关重要的作用,它的存在让网站访问者在访问浏览器时留下的信息和数据不被窃取.篡改和监听,让访客们访问网站时非常放心.非常安心,使网站由明文传输式的http变成数据加 ...
curl+个人证书访问https站点
目前,大公司的OA管理系统(俗称内网),安全性要求较高,通常采用https的双向认证模式. 首先,什么是https,简单的说就是在SSL协议之上实现的http协议(get.post等操作) 什么是双 ...
python 模拟微信浏览器请求_使用Chrome修改user agent模拟微信内置浏览器
很多时候,我们需要模拟微信内置浏览器,今天教大家用chrome简单模拟.如图设置: F12或者右键审查元素进入开发者模式,点击Emulation,然后点击Network,把Spoof user age ...
curl+个人证书（又叫客户端证书）访问https站点
目前,大公司的OA管理系统(俗称内网),安全性要求较高,通常采用https的双向认证模式. 首先,什么是https,简单的说就是在SSL协议之上实现的http协议(get.post等操作).更多的介 ...
HttpClient 忽略证书直接访问https站点
使用HttpClient访问https 站点时,如果Java没有导入该站点的证书的话,则会报如下错误: javax.net.ssl.SSLHandshakeException: sun.securit ...
HttpClient 使用证书访问https站点
使用HttpClient访问https 站点时,如果JRE或者JDK没有导入某个站点的证书,则会报如下错误: javax.net.ssl.SSLHandshakeException: sun.secu ...
iOS 模拟微信内置浏览器CYWebViewController
iOS 模拟微信内置浏览器和Safari浏览器CYWebViewController 分为两种模式,一种是类似微信内置浏览器模式,一种是Safari浏览器模式.类似微信内置浏览器,顶部导航栏提供web ...
HTTPS站点优化建议及技巧
本文转自IT摆渡网欢迎转载,请标明出处. 更多文章请阅读 SEO优化推广百度开放https收录,并明确表示同一域名优先收录https版,建议站长关闭http版.而早在去年谷歌已经公开表示将把http ...
Nginx 配置 SSL 证书 + HTTPS 站点小记
今天给几个站点配置了认证的 ssl 证书,但是苦于自己技术不过关,或是知识不足,导致还有那么一小点 Bug 的出现,这里就我配置 HTTPS 站点的经验来总结一下吧. 一.什么是 SSL 证书,什么是 ...