SSL
Why HTTPS was developed
An HTTP connection can be eavesdropped on or subjected to a man-in-the-middle attack, so the HTTPS protocol, which encrypts the connection with SSL, was introduced.
In the original design, when the client asks the server for a connection, the server hands its public key to the client so that both sides can use this key pair to encrypt the transmitted data. That alone cannot prevent a man-in-the-middle attack, which is why the CA certificate mechanism appeared: an impartial, trusted third-party certification authority helps confirm that the public key has not been secretly swapped along the way, removing the possibility of a man-in-the-middle attack and making the transmission more secure.
FreeBSD self-signed SSL certificate
1. Create two directories (used to store the certificate and key); one file will go into each
mkdir /usr/local/etc/apache24/ssl.key
mkdir /usr/local/etc/apache24/ssl.crt
chmod 0700 /usr/local/etc/apache24/ssl.key
chmod 0700 /usr/local/etc/apache24/ssl.crt
2. Switch to root's home directory and generate the private key
cd /root
openssl genrsa -des3 -out server.key 2048
3. Generate the certificate signing request
openssl req -new -key server.key -out server.csr
4. Fill in the form
Enter pass phrase for rootca.key: //enter the passphrase (the password of the Rootca private key)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:TW //country code; Taiwan is TW
State or Province Name (full name) [Some-State]:Taiwan R.O.C //country name; for Taiwan enter Taiwan
Locality Name (eg, city) []:Taipei //locality
Organization Name (eg, company) [Internet Widgits Pty Ltd]:FreeBSD Personal Research //organization name
Organizational Unit Name (eg, section) []:FreeBSD Personal Research //department name
Common Name (eg, YOUR name) []:Weithenn-Wang //name of the certificate
Email Address []:[email protected] //contact mailbox of the applying organization
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:press Enter to skip //password for the request
An optional company name []:press Enter to skip //name of the company handling the certificate on your behalf
5. Sign the certificate
openssl x509 -req -days 365 -in /root/server.csr -signkey /root/server.key -out /root/server.crt
6. Copy the certificate and key into the apache24 directories
cp /root/server.key /usr/local/etc/apache24/ssl.key/
cp /root/server.crt /usr/local/etc/apache24/ssl.crt/
7. Restrict the access permissions of the certificate and key
chmod 0400 /usr/local/etc/apache24/ssl.key/server.key
chmod 0400 /usr/local/etc/apache24/ssl.crt/server.crt
8. Install the certificate on the server
cd /usr/local/etc/apache24/extra
vi httpd-ssl.conf
DocumentRoot "/usr/local/www/data" //document root path from httpd.conf
ServerName www.example.com:443 //domain name
ServerAdmin [email protected] //contact mailbox
ErrorLog /var/log/httpd-error.log //default
TransferLog /var/log/httpd-access.log //default
SSLCertificateFile "/usr/local/etc/apache24/ssl.crt/server.crt" //location of the certificate directory
SSLCertificateKeyFile "/usr/local/etc/apache24/ssl.key/server.key" //location of the key directory
#SSLSessionCache "shmcb:/var/run/ssl_scache(512000)" //comment this line out
9. Make the Apache server serve https connections
vi /usr/local/etc/apache24/httpd.conf
LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
Include etc/apache24/extra/httpd-ssl.conf
10. Restart the Apache server
/usr/local/etc/rc.d/apache24 stop
/usr/local/etc/rc.d/apache24 start
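The key, CSR and self-signed certificate of the steps above, produced non-interactively and checked before they are copied into the Apache directories. This is an added example, not code from the original page; it assumes openssl is on PATH, and the DN values and paths are constructed placeholders. It deviates from the page in one labelled point: the key is left unencrypted (the page's genrsa -des3 key makes Apache prompt for the passphrase at every start) and relies on the 0400 file mode instead.

```shell
#!/bin/sh
# Added example (not from the original page): create the self-signed
# certificate of the steps above non-interactively and verify it before it
# is copied into the Apache directories. Assumes openssl is on PATH; the DN
# values and paths are constructed placeholders.
set -eu

# Subject with the same fields the interactive prompt asks for.
SUBJ="/C=TW/ST=Taiwan/L=Taipei/O=Example Org/OU=IT/CN=www.example.com"

# Generate key, CSR and certificate in DIR. Unlike 'genrsa -des3' on the
# page, -nodes leaves the key unencrypted so Apache can start without a
# passphrase prompt; the 0400 mode from the permissions step protects it.
make_selfsigned() {
    dir="$1"; subj="$2"; days="${3:-365}"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -out "$dir/server.csr" -subj "$subj" 2>/dev/null
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    chmod 0400 "$dir/server.key" "$dir/server.crt"
}

# True when the private key's public half equals the certificate's public
# key; a mismatch makes Apache refuse to start with a terse SSL error.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the CN so it can be compared with ServerName in httpd-ssl.conf.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}

# A self-signed certificate is its own issuer: verify it against itself to
# confirm it is well-formed and within its validity period.
cert_selfsigned_ok() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage: sh thisscript.sh /path/to/output/dir
if [ $# -ge 1 ]; then
    make_selfsigned "$1" "$SUBJ" 365
    key_matches_cert "$1/server.key" "$1/server.crt" \
        && echo "key and cert match, CN=$(cert_cn "$1/server.crt")"
fi
```

Browsers still warn on a self-signed certificate; the checks only confirm that the files are consistent with each other and with ServerName.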