HTTPS was first proposed by Netscape in 1994. HTTPS builds on HTTP and encrypts packets using SSL/TLS, providing reasonable protection against eavesdropping and man-in-the-middle attacks.

1. HTTPS

HTTPS (HyperText Transfer Protocol Secure) is also commonly called HTTP over TLS, HTTP over SSL, or HTTP Secure.

The default HTTPS port number is 443 (HTTP is 80).

If you type http://www.baidu.com in the browser, you are automatically redirected to https://www.baidu.com. The redirect is not decided by the browser itself; the server returns the redirect address in its response to the request for http://www.baidu.com.

If no protocol prefix (scheme) is typed, the browser uses HTTPS by default.

Cost of HTTPS: certificate fees and the computation needed for encryption and decryption, which reduce access speed. Some companies use HTTPS only for requests containing sensitive data and keep HTTP for everything else, such as ICBC (www.icbc.com.cn, https://mybank.icb…

The HTTPS communication process can be divided into three stages:

  1. TCP three-way handshake
  2. TLS connection
  3. HTTP requests and responses

2. SSL/TLS

TLS (Transport Layer Security) is the transport layer security protocol. Its predecessor is SSL (Secure Sockets Layer).

SSL/TLS can also be used for other protocols, such as FTP -> FTPS and SMTP -> SMTPS.

2.1. Historical version information

  • SSL 1.0: Never made public due to a serious security vulnerability
  • SSL 2.0: 1995, deprecated in 2011 (see RFC 6176)
  • SSL 3.0: 1996, deprecated in 2015 (see RFC 7568)
  • TLS 1.0: 1999, see RFC 2246
  • TLS 1.1: 2006, see RFC 4346
  • TLS 1.2: 2008, see RFC 5246
  • TLS 1.3: 2018, see RFC 8446

2.2. OSI

SSL/TLS sits between the application layer and the transport layer, because it encrypts HTTP packets and must do so before they reach the transport layer.

2.3. OpenSSL

OpenSSL is an open source implementation of the SSL/TLS protocol. It was started in 1998 and supports Windows, Mac, and Linux platforms. OpenSSL comes with Linux and Mac. You need to download and install OpenSSL for Windows (slproweb.com/products/Wi…

Common commands:

  • Generate a private key: openssl genrsa -out <name>.key
  • Generate the public key: openssl rsa -in <name>.key -pubout -out <name>.pem

You can use OpenSSL to build your own CA and issue your own certificate, which is called a “self-signed certificate”.

2.4. TLS 1.2 connection

There are about 10 steps; some ACK acknowledgements generated in between are omitted from the picture.

Step 1: Client Hello

  • TLS version number
  • List of supported cipher suites (Cipher Suite)
    • A cipher suite specifies the encryption algorithms and key lengths used
  • A random number (Client Random)

Step 2: Server Hello

  • TLS version number
  • The selected cipher suite
    • Selected from the list of cipher suites received from the client
  • A random number (Server Random)

Step 3: Certificate

  • The server’s public key certificate (signed by the CA)

Step 4: Server Key Exchange

  • One of the parameters used to implement the ECDHE algorithm (Server Params)
    • ECDHE is a key exchange algorithm
    • To prevent forgery, Server Params is signed with the server's private key

Step 5: Server Hello Done

  • Notifies the client that the negotiation is complete

By step 5, the client and server have exchanged the following in plaintext: Client Random, Server Random, Server Params. In addition, the client has obtained the server's public key certificate, and the client then verifies the validity of that certificate.

Step 6: Client Key Exchange

  • Another parameter used to implement the ECDHE algorithm (Client Params)

At this point, both the client and the server hold the two parameters required by the ECDHE algorithm: Server Params and Client Params. Each side can now use ECDHE to compute a new random key string (the pre-master secret) from Server Params and Client Params. A master key is then generated by combining Client Random, Server Random, and the pre-master secret. Finally, other keys are derived from the master key: the session key for data the client sends, the session key for data the server sends, etc.

Step 7: Change Cipher Spec

  • Inform the server that subsequent communications will be encrypted using the calculated client session key.

Step 8: Finished

  • Contains a verification value (digest) of all packets exchanged so far, encrypted with the session key and sent to the server.
  • Whether the handshake negotiation succeeds depends on whether the server can decrypt this message correctly.

Step 9: Change Cipher Spec

  • The server notifies the client that encrypted communication can begin (the server uses the server session key).

Step 10: Finished

  • Notifies the client of the encrypted packets received by the server.

At this point, the client and server have both verified that encryption and decryption work, and the handshake is officially over.

Encrypted transmission then begins.

3. Decrypting HTTPS with Wireshark

Set the environment variable SSLKEYLOGFILE to a file path; the browser exports key information to that file. After setting it, it is best to restart the operating system.

Select this file in Wireshark (Edit -> Preferences -> Protocols -> TLS).

4. Configure HTTPS for the server

4.1. Generate a certificate

Environment: Tomcat 9.0.34, JDK 1.8.0_251

First, generate the certificate using the keytool that comes with the JDK (a site that generates free certificates: freessl.org/).

Command: keytool -genkeypair -alias daben -keyalg RSA -keystore /User/Developer/Desktop/daben.jks

Here -alias is the alias, -keyalg is the name of the key algorithm, and -keystore is the output file.

4.2. Tomcat configuration

Put the certificate *.jks file in the TomcatHome/conf directory (it doesn’t matter where, as long as the path is correctly configured in the server.xml configuration).

Modify the Connector in TomcatHome/conf/server.xml:

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/daben.jks"
                     type="RSA"
                     certificateKeystorePassword="123456"/>
    </SSLHostConfig>
</Connector>

Restart Tomcat. Since it is a self-signed certificate, the browser will not trust it (the browser will show an "unsafe" warning), but this does not affect our study and use.

