SSL: Secure Sockets Layer.
TLS: the standardized version of SSL.
It provides privacy and data integrity between two communicating entities.
It consists of two layers: the TLS record protocol and the TLS handshake protocol.
The core purpose of SSL is to provide secure and reliable communication.
In practice, it is usually deployed in one of two ways: one-way authentication or two-way authentication.
One-way authentication:
1. Client: sends its SSL version information, etc.
2. Server: returns its SSL version information and the server public key.
3. Client: checks whether the certificate is legitimate: whether it has expired, whether the CA is trustworthy, etc.
4. Client: sends a symmetric encryption scheme to the server.
5. Server: selects the encryption method.
6. Server: sends the chosen encryption scheme to the client in plain text.
7. Client: generates a random value, derives a symmetric encryption key from it, encrypts the key with the server public key, and sends it to the server.
8. Server: decrypts with its private key to obtain the symmetric encryption key.
9. Handshake complete; communication continues under symmetric encryption.
Two-way authentication:
1. Client: sends its SSL version information, etc.
2. Server: returns its SSL version information and the server public key.
3. Client: checks whether the server certificate is legitimate.
4. Client: sends its own certificate and public key to the server.
5. Server: checks the client certificate and obtains the client public key.
6. Client: sends the symmetric encryption scheme it supports to the server.
7. Server: selects the encryption method.
8. Server: encrypts the chosen encryption scheme with the client's public key and sends it to the client.
9. Client: decrypts with its private key to obtain the encryption scheme, generates a random value, derives a symmetric encryption key from it, encrypts the key with the server public key, and sends it to the server.
10. Server: decrypts with its private key to obtain the symmetric encryption key.
11. Handshake complete; communication continues under symmetric encryption.
Core SSL concepts: CA, private key, public key and certificate.
The default private key format is PKCS#1. A simplified private key generation command:
openssl genrsa -out private.pem 3072
Java requires the private key in PKCS#8 format, so it has to be converted. The conversion command is:
openssl pkcs8 -topk8 -inform PEM -in private.pem -outform PEM -nocrypt -out private-pkcs8.pem
CA (certification authority): a third-party certification provider that vouches for the trustworthiness of certificates.
During development, a self-signed certificate is generally used for testing, and the official certificate is used afterwards.
When a CA is used, what matters is the CA certificate, which is signed with the CA key.
Elements: the CA private key, the CA CSR, and the certificate issued from it.
Enter the country name, state or province, etc. as prompted.
Composition: the CA root certificate, which issues client certificates.
When creating a client certificate with OpenSSL, note that:
when creating the private key, specify a length of 4096;
when creating the certificate, specify usr_cert for the -extensions parameter.
Generate the private key:
openssl genrsa -out product.key 3072
Generate a certificate signing request (CSR):
openssl req -new -key product.key -out product.csr
Sending the CSR to a CA to have a certificate issued is usually opaque to the requester; behind the scenes it may mean executing the following issuance command:
openssl ca -in product.csr -out product.crt -days 365
The command above still hides many details, so look at the following one instead.
The signing process requires the CA's certificate and private key, and finally produces a certificate signed by the CA:
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in product.csr -out product.crt
This product.crt is the official certificate that can be used.
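The whole flow above, from creating a test CA through signing a server and a client certificate, as an added shell example (not from the original post); the file names, subjects and the minimal openssl.cnf it writes are assumptions. It also runs the handshake's "is the certificate legitimate?" check against the CA for each certificate, including a self-signed one that the check rejects.

```shell
#!/bin/sh
# Added example (not from the original post): builds a throw-away test CA, then a
# server certificate and a client certificate issued by it, plus a self-signed
# "rogue" certificate to show what the "is the certificate legitimate?" check rejects.
# File names, subjects and the minimal openssl.cnf below are assumptions.
set -eu

make_pki() (
    cd "$1"
    # Minimal config: the root must carry CA:TRUE, leaf certificates must not.
    cat > openssl.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[usr_cert]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth,clientAuth
EOF
    # CA: private key and self-signed root certificate (the trust anchor)
    openssl genrsa -out ca.key 3072
    openssl req -config openssl.cnf -new -x509 -extensions v3_ca -days 365 \
        -key ca.key -out ca.crt -subj "/C=XX/ST=Test/O=Test CA/CN=Test Root CA"

    # Server and client: key, CSR, certificate signed by the CA. One-way
    # authentication needs only server.crt; two-way authentication adds client.crt.
    for name in server client; do
        openssl genrsa -out "$name.key" 3072
        openssl req -config openssl.cnf -new -key "$name.key" \
            -out "$name.csr" -subj "/CN=$name.test"
        openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 \
            -extfile openssl.cnf -extensions usr_cert \
            -in "$name.csr" -out "$name.crt"
    done

    # Rogue: same CN as the client, but self-signed rather than issued by the CA
    openssl req -config openssl.cnf -new -x509 -newkey rsa:2048 -nodes \
        -keyout rogue.key -out rogue.crt -days 365 -subj "/CN=client.test"
)

# Check that a certificate chains to the CA root (exit status 0 = trusted).
# This is the check a client runs on server.crt, and the check a server
# configured for two-way authentication runs on client.crt.
verify_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1
}
```

Run it as `d=$(mktemp -d); make_pki "$d"; verify_cert "$d" client.crt; echo $?` to see the CA-issued certificate accepted, and repeat with rogue.crt to see the self-signed one rejected.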
The difference between TLS one-way authentication and two-way authentication