Linux OpenSSL Server

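Posted 2001-05-13 11:15 by netbull. LinuxByte note: OpenSSL can be downloaded from this site.

Contents

    Overview
    Advantages of encryption
        Data confidentiality
        Data integrity
        Authentication
    Patents
    Notes
    Things to watch when installing packages
    Package source
    Compiling
    Compiling and optimizing
    Configuration
        Configuring the "/etc/ssl/openssl.cnf" file
        Creating the "/usr/bin/sign.sh" script
    Securing OpenSSL
    Commands
        Create a passphrase-protected RSA private key for the Apache server
        Create a Certificate Signing Request (CSR) with the server's RSA private key
        Create an RSA private key for your own CA
        Create a self-signed certificate (x509 structure) with the CA's RSA key
        Sign a certificate request (with your own CA)
    Files installed on the system

Overview

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, open source toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with strong cryptographic algorithms. The project is managed by volunteers around the world who use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.

Advantages of encryption

Data confidentiality

Encrypting information means using an encryption algorithm to convert a plaintext input file into an encrypted file, which keeps the data confidential. The process uses a key to encrypt the data and later to decrypt it. Without the key, the encrypted data cannot be recovered. Once the data is encrypted, only the key has to be transmitted by a secure method; the encrypted data itself can be sent openly.

Data integrity

Cryptography can also guarantee data integrity. For example, a cryptographic checksum, also called a Message Authentication Code (MAC), can verify the encrypted information a user supplies. The encrypted data is sent to the recipient together with the MAC, and the recipient uses the MAC to check the encrypted data and confirm that it has not been tampered with.

Authentication

Another use of cryptography is personal identification: a user's key can serve as the token that authenticates that user.

Patents

Various companies around the world hold patents on various algorithms. Before using an encryption algorithm, check whether it is restricted by patents in your country. Some patented algorithms are listed below (the list may not be accurate):

- RSA Data Security holds patents on the RSA and RC5 algorithms in the United States and Japan. Contact RSA Data Security for the licensing terms. Its home page is: [URL missing].
- RC4 is a trademark of RSA Data Security; using the mark requires permission from RSA Data Security.
- The IDEA algorithm is patented in Australia, France, Germany, Italy, Japan, the Netherlands, Spain, Sweden, Switzerland, the United Kingdom and the United States. A license is required to use it. Its home page is: [URL missing].

Notes

- All commands below are Unix-compatible commands.
- The source path is "/var/tmp" (another path can of course be used in practice).
- The installation was tested on Red Hat Linux 6.1.
- Install as the "root" user.
- The OpenSSL version is 0.9.4.

Things to watch when installing packages

It is a good idea to list every file on the system before and after the build and then compare the two lists with "diff", so that you know exactly what was installed and where. Run "find /* > ssl1" before compiling, run "find /* > ssl2" after compiling and installing the software, and finally run "diff ssl1 ssl2 > ssl" to find the changes.

Package source

The OpenSSL home page is: [URL missing].
Download: openssl-0.9.4.tar.gz

Compiling

Decompress the package (tar.Z):

    [root@deep]# cp openssl_version.tar.gz /var/tmp
    [root@deep]# cd /var/tmp
    [root@deep]# tar xzpf openssl_version.tar.gz

Compiling and optimizing

Change to the OpenSSL directory.

Step 1

Edit the "c_rehash" file (vi +11 tools/c_rehash) and change:

    DIR=/usr/local/ssl

to:

    DIR=/usr

This change makes the OpenSSL build and installation use "/usr" as the default directory.

Step 2

By default OpenSSL sets the location of the Perl program to "/usr/local/bin/perl". The "#!/usr/local/bin/perl" line must be changed in every script, because on Red Hat Linux Perl lives in "/usr/bin". Use the following command, giving the directory where your perl program resides:

    [root@deep]# perl util/perlpath.pl /usr/bin
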
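Step 3

To compile OpenSSL successfully, the path of the libraries must be known. Set the library path environment variable with the following command:

    [root@deep]# export LD_LIBRARY_PATH=`pwd`

Set the compiler options:

    CC="egcs" ./Configure linux-elf -DSSL_FORBID_ENULL --prefix=/usr --openssldir=/etc/ssl

Note: for security reasons the "no encryption" (null cipher) option must be disabled, so the "-DSSL_FORBID_ENULL" parameter is required.

Edit the "Makefile.ssl" file (vi +52 Makefile.ssl) and add:

    CFLAG= -DTHREADS -D_REENTRANT -DSSL_FORBID_ENULL -DL_ENDIAN -DTERMIO -O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM

These are the optimization flags for compiling OpenSSL.

Edit the "Makefile.ssl" file (vi +77 Makefile.ssl) and add:

    PROCESSOR= 686

Note: use 586 for a Pentium CPU, 686 for a PentiumPro/II/III, and 486 for a 486.

    [root@deep]# make -f Makefile
    [root@deep]# make test
    [root@deep]# make install
    [root@deep]# mv /etc/ssl/misc/* /usr/bin/
    [root@deep]# rm -rf /etc/ssl/misc/
    [root@deep]# rm -rf /etc/ssl/lib/
    [root@deep]# rm -f /usr/bin/CA.pl
    [root@deep]# rm -f /usr/bin/CA.sh
    [root@deep]# install -m 644 libRSAglue.a /usr/lib/
    [root@deep]# install -m 644 rsaref/rsaref.h /usr/include/openssl/
    [root@deep]# strip /usr/bin/openssl
    [root@deep]# mkdir -p /etc/ssl/crl

The "make -f" command builds the OpenSSL libraries (libcrypto.a and libssl.a) and the OpenSSL binary "openssl". After the build, the libraries are in the top-level directory and the binary is in the "apps" subdirectory. Once the build has succeeded, "make test" checks that the libraries work properly. Finally, "make install" installs OpenSSL.

The "mv" command moves all files under "/etc/ssl/misc" to "/usr/bin". On our system all binaries live in "/usr/bin", so the binaries are moved there.

The "rm" commands delete the "/etc/ssl/misc" and "/etc/ssl/lib" directories, because the files they contained are now elsewhere. "CA.pl" and "CA.sh" are small scripts for creating CA certificates. They are tied to the "openssl ca" command, which has some odd requirements. With the default OpenSSL configuration, "openssl ca" is not easy to use, so we replace these scripts with the "sign.sh" script later.

Removing unneeded files

    [root@deep]# cd /var/tmp
    [root@deep]# rm -rf openssl-version/ openssl_version.tar.gz

The "rm" command deletes all the source files that were needed to build and install OpenSSL, and deletes the compressed OpenSSL archive.

Configuration

The "floppy.tgz" file can be downloaded here: [URL missing]. After unpacking "floppy.tgz", the configuration files for all the software covered in this book are found in the corresponding directories. There is then no need to recreate these files by hand or to copy and paste them into the configuration files. Whether you create the configuration files yourself or copy the ready-made ones, you need to learn to modify them yourself and to copy them to the correct directories. The details follow.

To run an OpenSSL server, the following files must be created or copied to the corresponding directories:

- Copy the "openssl.cnf" file to the "/etc/ssl" directory
- Copy the "sign.sh" file to the "/usr/bin" directory
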
After unpacking "floppy.tgz" you can find the files listed above and copy them to the corresponding directories, or you can copy and paste them directly from this book.

Configuring the "/etc/ssl/openssl.cnf" file

This is the main configuration file of the openssl program. It sets the key expiry time, the company name, the address, and so on. The settings that need changing are in the [CA_default] and [req_distinguished_name] sections.

Edit the "openssl.cnf" file (vi /etc/ssl/openssl.cnf), and add or change:

    # OpenSSL example configuration file.
    # This is mostly being used for generation of certificate requests.
    #

    RANDFILE        = $ENV::HOME/.rnd
    oid_file        = $ENV::HOME/.oid
    oid_section     = new_oids

    # To use this configuration file with the "-extfile" option of the
    # "openssl x509" utility, name here the section containing the
    # X.509v3 extensions to use:
    # extensions =
    # (Alternatively, use a configuration file that has only
    # X.509v3 extensions in its main [= default] section.)

    [ new_oids ]

    # We can add new OIDs in here for use by 'ca' and 'req'.
    # Add a simple OID like this:
    # testoid1=1.2.3.4
    # Or use config file substitution like this:
    # testoid2=${testoid1}.5.6

    ####################################################################
    [ ca ]
    default_ca       = CA_default           # The default ca section

    ####################################################################
    [ CA_default ]

    dir              = /etc/ssl             # Where everything is kept
    certs            = $dir/certs           # Where the issued certs are kept
    crl_dir          = $dir/crl             # Where the issued crl are kept
    database         = $dir/ca.db.index     # database index file.
    new_certs_dir    = $dir/ca.db.certs     # default place for new certs.

    certificate      = $dir/certs/ca.crt    # The CA certificate
    serial           = $dir/ca.db.serial    # The current serial number
    crl              = $dir/crl.pem         # The current CRL
    private_key      = $dir/private/ca.key  # The private key
    RANDFILE         = $dir/ca.db.rand      # private random number file

    x509_extensions  = usr_cert             # The extensions to add to the cert

    # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
    # so this is commented out by default to leave a V1 CRL.
    # crl_extensions = crl_ext

    default_days     = 365                  # how long to certify for
    default_crl_days = 30                   # how long before next CRL
    default_md       = md5                  # which md to use.
    preserve         = no                   # keep passed DN ordering

    # A few different ways of specifying how similar the request should look
    # For type CA, the listed attributes must be the same, and the optional
    # and supplied fields are just that :-)
    policy           = policy_match

    # For the CA policy
    [ policy_match ]
    countryName             = match
    stateOrProvinceName     = match
    organizationName        = match
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional

    # For the anything policy
    # At this point in time, you must list all acceptable object
    # types.
    [ policy_anything ]
    countryName             = optional
    stateOrProvinceName     = optional
    localityName            = optional
    organizationName        = optional
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional

    ####################################################################
    [ req ]
    default_bits            = 1024
    default_keyfile         = privkey.pem
    distinguished_name      = req_distinguished_name
    attributes              = req_attributes
    x509_extensions         = v3_ca   # The extensions to add to the self signed cert

    [ req_distinguished_name ]
    countryName                     = Country Name (2 letter code)
    countryName_default             = CA
    countryName_min                 = 2
    countryName_max                 = 2

    stateOrProvinceName             = State or Province Name (full name)
    stateOrProvinceName_default     = Quebec

    localityName                    = Locality Name (eg, city)
    localityName_default            = Montreal

    0.organizationName              = Organization Name (eg, company)
    0.organizationName_default      = Open Network Architecture

    # we can do this but it is not needed normally :-)
    #1.organizationName             = Second Organization Name (eg, company)
    #1.organizationName_default     = World Wide Web Pty Ltd

    organizationalUnitName          = Organizational Unit Name (eg, section)
    organizationalUnitName_default  = Internet Department

    commonName                      = Common Name (eg, YOUR name)
    commonName_default              =
    commonName_max                  = 64

    emailAddress                    = Email Address
    emailAddress_default            = admin@openarch.com
    emailAddress_max                = 40

    # SET-ex3                       = SET extension number 3

    [ req_attributes ]
    challengePassword               = A challenge password
    challengePassword_min           = 4
    challengePassword_max           = 20

    unstructuredName                = An optional company name

    [ usr_cert ]

    # These extensions are added when 'ca' signs a request.

    # This goes against PKIX guidelines but some CAs do it and some software
    # requires this to avoid interpreting an end user certificate as a CA.

    basicConstraints=CA:FALSE

    # Here are some examples of the usage of nsCertType. If it is omitted
    # the certificate can be used for anything *except* object signing.

    # This is OK for an SSL server.
    # nsCertType = server

    # For an object signing certificate this would be used.
    # nsCertType = objsign

    # For normal client use this is typical
    # nsCertType = client, email

    # and for everything including object signing:
    # nsCertType = client, email, objsign

    # This is typical in keyUsage for a client certificate.
    # keyUsage = nonRepudiation, digitalSignature, keyEncipherment

    # This will be displayed in Netscape's comment listbox.
    nsComment = "OpenSSL Generated Certificate"

    # PKIX recommendations harmless if included in all certificates.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer:always

    # This stuff is for subjectAltName and issuerAltname.
    # Import the email address.
    # subjectAltName=email:copy

    # Copy subject details
    # issuerAltName=issuer:copy

    #nsCaRevocationUrl =
    #nsBaseUrl
    #nsRevocationUrl
    #nsRenewalUrl
    #nsCaPolicyUrl
    #nsSslServerName

    [ v3_ca ]

    # Extensions for a typical CA

    # PKIX recommendation.

    subjectKeyIdentifier=hash

    authorityKeyIdentifier=keyid:always,issuer:always

    # This is what PKIX recommends but some broken software chokes on critical
    # extensions.
    #basicConstraints = critical,CA:true
    # So we do this instead.
    basicConstraints = CA:true

    # Key usage: this is typical for a CA certificate. However since it will
    # prevent it being used as a test self-signed certificate it is best
    # left out by default.
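    # keyUsage = cRLSign, keyCertSign

    # Some might want this also
    # nsCertType = sslCA, emailCA

    # Include email address in subject alt name: another PKIX recommendation
    # subjectAltName=email:copy
    # Copy issuer details
    # issuerAltName=issuer:copy

    # RAW DER hex encoding of an extension: beware experts only!
    # 1.2.3.5=RAW:02:03
    # You can even override a supported extension:
    # basicConstraints= critical, RAW:30:03:01:01:FF

    [ crl_ext ]

    # CRL extensions.
    # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

    # issuerAltName=issuer:copy
    authorityKeyIdentifier=keyid:always,issuer:always

Note: after OpenSSL has been compiled and installed, the "openssl.cnf" file already exists on the server, in the "/etc/ssl" directory. There is no need to change every default in this file; the sections that usually need changing are just [CA_default] and [req_distinguished_name].

Creating the "/usr/bin/sign.sh" script

The "openssl ca" command has some odd requirements, and the default OpenSSL configuration does not make it easy to use "openssl ca" directly, so we use the "sign.sh" script in its place.

Create the "sign.sh" script (touch /usr/bin/sign.sh) and add:

    #!/bin/sh
    ##
    ##  sign.sh -- Sign a SSL Certificate Request (CSR)
    ##  Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved.
    ##

    #   argument line handling
    CSR=$1
    if [ $# -ne 1 ]; then
        echo "Usage: sign.sh <file>.csr"; exit 1
    fi
    if [ ! -f "$CSR" ]; then
        echo "CSR not found: $CSR"; exit 1
    fi
    case $CSR in
        *.csr ) CERT="`echo $CSR | sed -e 's/\.csr$/.crt/'`" ;;
        *     ) CERT="$CSR.crt" ;;
    esac

    #   make sure environment exists
    if [ ! -d ca.db.certs ]; then
        mkdir ca.db.certs
    fi
    if [ ! -f ca.db.serial ]; then
        # the serial file must hold an even number of hex digits
        echo '01' >ca.db.serial
    fi
    if [ ! -f ca.db.index ]; then
        cp /dev/null ca.db.index
    fi

    #   create an own SSLeay config
    #   The body of this here-document is missing from this copy of the page.
    #   The sections below are a reconstruction that assumes the paths and
    #   values used elsewhere in this article; adjust [ CA_own ] to your setup.
    cat >ca.config <<EOT
    [ ca ]
    default_ca              = CA_own
    [ CA_own ]
    dir                     = /etc/ssl
    certs                   = /etc/ssl/certs
    new_certs_dir           = /etc/ssl/ca.db.certs
    database                = /etc/ssl/ca.db.index
    serial                  = /etc/ssl/ca.db.serial
    RANDFILE                = /etc/ssl/ca.db.rand
    certificate             = /etc/ssl/certs/ca.crt
    private_key             = /etc/ssl/private/ca.key
    default_days            = 365
    default_crl_days        = 30
    default_md              = md5
    preserve                = no
    policy                  = policy_anything
    [ policy_anything ]
    countryName             = optional
    stateOrProvinceName     = optional
    localityName            = optional
    organizationName        = optional
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional
    EOT

    #   sign the certificate
    echo "CA signing: $CSR -> $CERT:"
    openssl ca -config ca.config -out $CERT -infiles $CSR
    echo "CA verifying: $CERT <-> CA cert"
    openssl verify -CAfile /etc/ssl/certs/ca.crt $CERT

    #   cleanup after SSLeay
    rm -f ca.config
    rm -f ca.db.serial.old
    rm -f ca.db.index.old

    #   die gracefully
    exit 0

Now make the script executable and change its default permissions:

    [root@deep]# chmod 755 /usr/bin/sign.sh

Note: after unpacking "floppy.tgz", the "sign.sh" file can be found in the "mod_ssl-version/pkg.contrib" directory. Change the [CA_own] section to suit your setup, and do not forget to change the "openssl verify -CAfile /etc/ssl/certs/ca.crt $CERT" line.

Securing OpenSSL

Make the keys readable and writable only by the superuser "root". No one else must be able to access these files.

Use the following commands so that only "root" can read and write the keys:

    [root@deep]# chmod 600 /etc/ssl/certs/ca.crt
    [root@deep]# chmod 600 /etc/ssl/certs/server.crt
    [root@deep]# chmod 600 /chroot/httpd/etc/ssl/private/ca.key
    [root@deep]# chmod 600 /chroot/httpd/etc/ssl/private/server.key

Commands

Listed below are some of the commands we use most often. There are many others; see the man pages or other documentation for details.

The following example shows how to create certificates for the Apache web server.

Note: all commands below are run in the "/etc/ssl" directory.

Create a passphrase-protected RSA private key for the Apache server

    [root@deep]# openssl genrsa -des3 -out server.key 1024
    Generating RSA private key, 1024 bit long modulus
    ......................+++++
    .....+++++
    e is 65537 (0x10001)
    Enter PEM pass phrase:
    Verifying password - Enter PEM pass phrase:

Back up the "server.key" file, and remember that the pass phrase should only be entered in a secure place.

Create a Certificate Signing Request (CSR) with the server's RSA private key

    [root@deep]# openssl req -new -key server.key -out server.csr
    Enter PEM pass phrase:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.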
    -----
    Country Name (2 letter code) [CA]:
    State or Province Name (full name) [Quebec]:
    Locality Name (eg, city) [Montreal]:
    Organization Name (eg, company) [Open Network Architecture]:
    Organizational Unit Name (eg, section) [Internet Department]:
    Common Name (eg, YOUR name) []:
    Email Address [admin@openarch.com]:

    Please enter the following extra attributes
    to be sent with your certificate request
    A challenge password []:.
    An optional company name []:.

The CSR (Certificate Signing Request) can now be sent to a Certifying Authority (CA) to be signed. Once the CSR has been signed it becomes a real certificate that Apache can use. There are two options. First, a commercial CA such as Verisign or Thawte can sign the CSR. You usually submit the CSR on the web, pay the signing fee, wait for the signed certificate, and finally save the certificate you receive as the server.crt file. Second, you can sign the certificate with your own CA. How to sign the CSR with your own CA is described below.

First make sure that when OpenSSL prompts for the "CommonName" you enter the server's FQDN (Fully Qualified Domain Name). For example, if you are creating a CSR for a site that will later be accessed at [URL missing], you need to enter [value missing] here.

Create an RSA private key for your own CA

    [root@deep]# openssl genrsa -des3 -out ca.key 1024
    Generating RSA private key, 1024 bit long modulus
    ...........................+++++
    ........................................+++++
    e is 65537 (0x10001)
    Enter PEM pass phrase:

Back up the ca.key file. Note that the pass phrase should only be entered in a secure place.

Create a self-signed certificate (x509 structure) with the CA's RSA key

    [root@deep]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
    Enter PEM pass phrase:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CA]:
    State or Province Name (full name) [Quebec]:
    Locality Name (eg, city) [Montreal]:
    Organization Name (eg, company) [Open Network Architecture]:
    Organizational Unit Name (eg, section) [Internet Department]:CA Marketing
    Common Name (eg, YOUR name) []:
    Email Address [admin@openarch.com]:

    [root@deep]# mv server.key private/
    [root@deep]# mv ca.key private/
    [root@deep]# mv ca.crt certs/

Note: when the "-x509" option is used, the "req" command creates a self-signed certificate.

Sign a certificate request (with your own CA)

A script for signing certificates is required, because the "openssl ca" command has some odd requirements and the default OpenSSL configuration does not make it easy to use "openssl ca" directly. This is the job of the "sign.sh" script, which can be found in the corresponding directory after unpacking "floppy.tgz". Use this script to do the signing.

Now sign the server's CSR with this CA to create a real SSL certificate for the Apache server (assuming you already have the "server.csr" file).

    [root@deep]# /usr/bin/sign.sh server.csr
    Using configuration from ca.config
    Enter PEM pass phrase:
    Check that the request matches the signature
    Signature ok
    The Subjects Distinguished Name is as follows
    countryName            :PRINTABLE:CA
    stateOrProvinceName    :PRINTABLE:Quebec
    localityName           :PRINTABLE:Montreal
    organizationName       :PRINTABLE:Open Network Architecture
    organizationalUnitName :PRINTABLE:Internet Department
    commonName             :PRINTABLE:
    emailAddress           :IA5STRING:admin@openarch.com
    Certificate is to be certified until Dec 1 14:59:29 2000 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    CA verifying: server.crt <-> CA cert
    server.crt: OK

The command above signed the CSR and saved the result as the "server.crt" file.

    [root@deep]# mv server.crt certs/

There are now two files: "server.key" and "server.crt". Add the following to the Apache configuration file "httpd.conf":

    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

The "server.csr" file is no longer needed.

    [root@deep]# rm -f server.csr

Files installed on the system

    > /etc/ssl
    > /etc/ssl/crl
    > /etc/ssl/certs
    > /etc/ssl/private
    > /etc/ssl/openssl.cnf
    > /usr/bin/openssl
    > /usr/bin/c_rehash
    > /usr/bin/sign.sh
    > /usr/bin/c_hash
    > /usr/bin/c_info
    > /usr/bin/c_issuer
    > /usr/bin/c_name
    > /usr/bin/der_chop
    > /usr/include/openssl
    > /usr/include/openssl/e_os.h
    > /usr/include/openssl/e_os2.h
    > /usr/include/openssl/crypto.h
    > /usr/include/openssl/tmdiff.h
    > /usr/include/openssl/opensslv.h
    > /usr/include/openssl/opensslconf.h
    > /usr/include/openssl/ebcdic.h
    > /usr/include/openssl/md2.h
    > /usr/include/openssl/md5.h
    > /usr/include/openssl/sha.h
    > /usr/include/openssl/mdc2.h
    > /usr/include/openssl/hmac.h
    > /usr/include/openssl/ripemd.h
    > /usr/include/openssl/des.h
    > /usr/include/openssl/rc2.h
    > /usr/include/openssl/rc4.h
    > /usr/include/openssl/rc5.h
    > /usr/include/openssl/idea.h
    > /usr/include/openssl/blowfish.h
    > /usr/include/openssl/cast.h
    > /usr/include/openssl/bn.h
    > /usr/include/openssl/rsa.h
    > /usr/include/openssl/dsa.h
    > /usr/include/openssl/dh.h
    > /usr/include/openssl/buffer.h
    > /usr/include/openssl/bio.h
    > /usr/include/openssl/stack.h
    > /usr/include/openssl/safestack.h
    > /usr/include/openssl/lhash.h
    > /usr/include/openssl/rand.h
    > /usr/include/openssl/err.h
    > /usr/include/openssl/objects.h
    > /usr/include/openssl/evp.h
    > /usr/include/openssl/asn1.h
    > /usr/include/openssl/asn1_mac.h
    > /usr/include/openssl/pem.h
    > /usr/include/openssl/pem2.h
    > /usr/include/openssl/x509.h
    > /usr/include/openssl/x509_vfy.h
    > /usr/include/openssl/x509v3.h
    > /usr/include/openssl/conf.h
    > /usr/include/openssl/txt_db.h
    > /usr/include/openssl/pkcs7.h
    > /usr/include/openssl/pkcs12.h
    > /usr/include/openssl/comp.h
    > /usr/include/openssl/ssl.h
    > /usr/include/openssl/ssl2.h
    > /usr/include/openssl/ssl3.h
    > /usr/include/openssl/ssl23.h
    > /usr/include/openssl/tls1.h
    > /usr/include/openssl/rsaref.h
    > /usr/lib/libcrypto.a
    > /usr/lib/libssl.a
    > /usr/lib/libRSAglue.a
    > /var/lock/subsys/named
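
The key, CSR, CA certificate and signing steps from the Commands section, collected into one non-interactive run in a scratch directory; this is an added example, not part of the original article. It assumes a current OpenSSL, and the subject names, unencrypted 2048-bit keys and sha256 digest are choices of this example (the article uses -des3, 1024 bits and md5), while ca.config follows the layout that sign.sh generates.

```shell
#!/bin/sh
# Added example: the article's key -> CSR -> CA -> sign -> verify sequence.
# Subject names, 2048-bit keys and sha256 are assumptions of this example.
ca_demo() {
    work=$(mktemp -d) || return 1
    (
        set -e
        cd "$work"
        umask 077    # new key files are created mode 600
        mkdir ca.db.certs; : >ca.db.index; echo 01 >ca.db.serial
        cat >ca.config <<'EOT'
[ ca ]
default_ca         = CA_own
[ CA_own ]
dir                = .
new_certs_dir      = $dir/ca.db.certs
database           = $dir/ca.db.index
serial             = $dir/ca.db.serial
certificate        = $dir/ca.crt
private_key        = $dir/ca.key
default_days       = 365
default_md         = sha256
policy             = policy_anything
x509_extensions    = usr_cert
[ policy_anything ]
countryName        = optional
organizationName   = optional
commonName         = supplied
[ usr_cert ]
basicConstraints   = CA:FALSE
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints   = CA:true
EOT
        # Server key and CSR; the CN must be the server's FQDN.
        openssl genrsa -out server.key 2048 2>/dev/null
        openssl req -new -config ca.config -key server.key \
            -subj "/C=CA/O=Example Org/CN=www.example.com" -out server.csr
        # CA key and self-signed CA certificate (-x509).
        openssl genrsa -out ca.key 2048 2>/dev/null
        openssl req -new -x509 -days 365 -config ca.config -key ca.key \
            -subj "/C=CA/O=Example Org/CN=Example Test CA" -out ca.crt
        # Sign the CSR the way sign.sh does, then verify against the CA.
        openssl ca -batch -notext -config ca.config \
            -out server.crt -infiles server.csr >/dev/null 2>&1
        openssl verify -CAfile ca.crt server.crt
    ) && rc=0 || rc=$?
    rm -rf "$work"
    return $rc
}
```

Calling ca_demo prints the result of "openssl verify" for the freshly signed server certificate and removes the scratch directory afterwards.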
