How the HTTPS security mechanism works, and building an HTTPS-secured site


Build an HTTPS-secured site.
How HTTPS security works:
  • The client sends an HTTPS request to the server.
  • The server replies with its certificate (the certificate's main content is the server's public key, signed with the CA's private key).
  • The client verifies that signature with the CA's public key and thereby obtains a server public key it can trust.
  • The client encrypts a session key with the server's public key and sends it to the server (the session key is a symmetric key, chosen because symmetric encryption is fast; encrypting the payload itself with asymmetric keys is impractical because it is far too slow).
  • Both sides then encrypt their traffic with the session key.
    [root@localhost conf.d]# yum install mod_ssl -y
    [root@localhost conf.d]# rpm -ql mod_ssl		
    /etc/httpd/conf.d/ssl.conf
    /etc/httpd/conf.modules.d/00-ssl.conf
    /usr/lib64/httpd/modules/mod_ssl.so
    /usr/libexec/httpd-ssl-pass-dialog
    /var/cache/httpd/ssl
    [root@localhost conf.d]# cat /etc/httpd/conf.modules.d/00-ssl.conf
    LoadModule ssl_module modules/mod_ssl.so
    
    
    [root@localhost conf.d]# rpm -q --scripts mod_ssl
    postinstall scriptlet (using /bin/sh):
    umask 077
    
    if [ -f /etc/pki/tls/private/localhost.key -o -f /etc/pki/tls/certs/localhost.crt ]; then
       exit 0
    fi
    
    /usr/bin/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 2048 > /etc/pki/tls/private/localhost.key 2> /dev/null
    
    FQDN=`hostname`
    if [ "x${FQDN}" = "x" -o ${#FQDN} -gt 59 ]; then
       FQDN=localhost.localdomain
    fi
    
    cat << EOF | /usr/bin/openssl req -new -key /etc/pki/tls/private/localhost.key \
             -x509 -sha256 -days 365 -set_serial $RANDOM -extensions v3_req \
             -out /etc/pki/tls/certs/localhost.crt 2>/dev/null
    --
    SomeState
    SomeCity
    SomeOrganization
    SomeOrganizationalUnit
    ${FQDN}
    root@${FQDN}
    EOF
    
    [root@localhost conf.d]# egrep -v "#|^$" /etc/httpd/conf.d/ssl.conf
    Listen 443 https
    SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
    SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
    SSLSessionCacheTimeout  300
    SSLRandomSeed startup file:/dev/urandom  256
    SSLRandomSeed connect builtin
    SSLCryptoDevice builtin
    
    <VirtualHost _default_:443>
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
    
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key       
    
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-5]" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>
    
    [root@localhost conf.d]# systemctl restart httpd
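A defender's check on the ssl.conf above, written as an added example (it is not from the original page or from the mod_ssl package): it parses the vhost directives and flags what a hardening review would raise, namely that `SSLProtocol all -SSLv2 -SSLv3` still permits TLSv1 and TLSv1.1, that the cipher string explicitly enables 3DES, and that `SSLCertificateFile` still points at the self-signed `localhost.crt` the post-install scriptlet generates. The hardened values and the `www.a.com.crt` path are assumptions.

```python
# Constructed sample: the non-comment directives of the ssl.conf vhost shown above.
SSL_CONF = """\
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
</VirtualHost>
"""
# Hardened values for the same vhost (assumed target settings, not from the page).
HARDENED_CONF = ("SSLEngine on\n"
                 "SSLProtocol -all +TLSv1.2 +TLSv1.3\n"
                 "SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256\n"
                 "SSLCertificateFile /etc/pki/tls/certs/www.a.com.crt\n")
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
WEAK_CIPHER_TOKENS = {"3DES", "DES", "RC4", "MD5", "EXPORT", "NULL", "aNULL", "eNULL"}
PLACEHOLDER_CERT = "/etc/pki/tls/certs/localhost.crt"  # self-signed, written by the post-install scriptlet

def parse_directives(conf):
    """Return {directive: value} for 'Name value' lines; section tags and comments are skipped."""
    out = {}
    for line in conf.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0][0] in "#<":
            continue
        out[parts[0]] = parts[1] if len(parts) > 1 else ""
    return out

def enabled_protocols(spec):
    """Expand an SSLProtocol value into the versions it enables ('all' is taken as ALL_PROTOCOLS)."""
    enabled = set()
    for tok in spec.split():
        negate, name = tok.startswith("-"), tok.lstrip("+-")
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled - names if negate else enabled | names
    return enabled

def audit_ssl_conf(conf):
    """List the weak or placeholder settings found in a mod_ssl vhost configuration."""
    d = parse_directives(conf)
    findings = []
    for p in sorted(enabled_protocols(d.get("SSLProtocol", "all")) - {"TLSv1.2", "TLSv1.3"}):
        findings.append(f"{p} is still enabled")
    for tok in d.get("SSLCipherSuite", "").split(":"):
        if tok in WEAK_CIPHER_TOKENS:  # explicitly enabled, not negated with '!'
            findings.append(f"SSLCipherSuite enables weak group {tok}")
    if d.get("SSLCertificateFile") == PLACEHOLDER_CERT:
        findings.append("SSLCertificateFile is the self-signed placeholder; clients will not trust it")
    return findings
```

Which versions `all` really expands to depends on the OpenSSL build behind httpd, so the check treats it as every version in `ALL_PROTOCOLS` and reports the worst case.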
    
Performance comparison of HTTP and HTTPS

- HTTP load test

    [root@vm1 ~]# ab -c10 -n 100 http://www.a.com/messages.txt
    This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
    Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
    Licensed to The Apache Software Foundation, http://www.apache.org/
    
    Benchmarking www.a.com (be patient).....done
    
    
    Server Software:        Apache
    Server Hostname:        www.a.com
    Server Port:            80
    
    Document Path:          /messages.txt
    Document Length:        49652 bytes
    
    Concurrency Level:      10
    Time taken for tests:   0.049 seconds
    Complete requests:      100
    Failed requests:        0
    Write errors:           0
    Total transferred:      4992600 bytes
    HTML transferred:       4965200 bytes
    Requests per second:    2035.62 [#/sec] (mean)					## ~2000 req/s
    Time per request:       4.912 [ms] (mean)
    Time per request:       0.491 [ms] (mean, across all concurrent requests)
    Transfer rate:          99248.57 [Kbytes/sec] received
    
    Connection Times (ms)
                  min  mean[+/-sd] median   max
    Connect:        0    1   0.8      1       4
    Processing:     1    3   1.7      3       8
    Waiting:        0    2   1.5      2       7
    Total:          2    5   2.2      4      10
    
    Percentage of the requests served within a certain time (ms)
      50%      4
      66%      4
      75%      5
      80%      6
      90%      9
      95%      9
      98%     10
      99%     10
     100%     10 (longest request)
    
- HTTPS load test

    [root@vm1 ~]# ab -c10 -n 100 https://www.a.com/messages.txt
    This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
    Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
    Licensed to The Apache Software Foundation, http://www.apache.org/
    
    Benchmarking www.a.com (be patient).....done
    
    
    Server Software:        Apache
    Server Hostname:        www.a.com
    Server Port:            443
    SSL/TLS Protocol:       TLSv1.2,ECDHE-RSA-AES256-GCM-SHA384,2048,256
    
    Document Path:          /messages.txt
    Document Length:        214 bytes
    
    Concurrency Level:      10
    Time taken for tests:   0.095 seconds
    Complete requests:      100
    Failed requests:        0
    Write errors:           0
    Non-2xx responses:      100
    Total transferred:      37800 bytes
    HTML transferred:       21400 bytes
    Requests per second:    1055.74 [#/sec] (mean)               ## ~1000 req/s
    Time per request:       9.472 [ms] (mean)
    Time per request:       0.947 [ms] (mean, across all concurrent requests)
    Transfer rate:          389.72 [Kbytes/sec] received
    
    Connection Times (ms)
                  min  mean[+/-sd] median   max
    Connect:        4    7   1.4      7      12
    Processing:     0    1   0.7      1       3
    Waiting:        0    1   0.5      1       2
    Total:          4    8   1.6      8      15
    
    Percentage of the requests served within a certain time (ms)
      50%      8
      66%      8
      75%      9
      80%      9
      90%     10
      95%     10
      98%     13
      99%     15
     100%     15 (longest request)
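Before reading the two ab runs above as "HTTPS is half as fast", note that the HTTPS run reports `Non-2xx responses: 100` and a 214-byte document instead of the 49652-byte messages.txt, so the server answered with an error page rather than the file. The following added example (not from the original page) parses the ab summary lines and refuses to call two runs comparable when that happens; the sample text is an excerpt of the output above.

```python
import re

# Constructed excerpts of the two ApacheBench summaries above (summary lines only).
AB_HTTP = """\
Server Port:            80
Document Length:        49652 bytes
Complete requests:      100
Failed requests:        0
Requests per second:    2035.62 [#/sec] (mean)
Time per request:       4.912 [ms] (mean)
Time per request:       0.491 [ms] (mean, across all concurrent requests)
"""
AB_HTTPS = """\
Server Port:            443
SSL/TLS Protocol:       TLSv1.2,ECDHE-RSA-AES256-GCM-SHA384,2048,256
Document Length:        214 bytes
Complete requests:      100
Failed requests:        0
Non-2xx responses:      100
Requests per second:    1055.74 [#/sec] (mean)
Time per request:       9.472 [ms] (mean)
"""
FIELD = re.compile(r"^([A-Za-z0-9/ -]+?):\s+(.*)$")

def parse_ab(text):
    """Map each 'Label:   value' summary line to its leading number, or to the raw text."""
    out = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m or m.group(1) in out:  # keep only the first 'Time per request'
            continue
        num = re.match(r"[-+]?\d+(?:\.\d+)?", m.group(2))
        out[m.group(1)] = float(num.group()) if num else m.group(2)
    return out

def compare_runs(http_text, https_text):
    """Return the HTTP/HTTPS throughput ratio and the reasons the comparison may be invalid."""
    a, b = parse_ab(http_text), parse_ab(https_text)
    problems = []
    for name, run in (("HTTP", a), ("HTTPS", b)):
        if run.get("Non-2xx responses", 0) > 0:
            problems.append(f"{name}: {int(run['Non-2xx responses'])} non-2xx responses, the document was not served")
        if run.get("Failed requests", 0) > 0:
            problems.append(f"{name}: {int(run['Failed requests'])} failed requests")
    if a.get("Document Length") != b.get("Document Length"):
        problems.append("document length differs between runs, so different bodies were measured")
    return {"ratio": round(a["Requests per second"] / b["Requests per second"], 2),
            "tls": b.get("SSL/TLS Protocol"), "comparable": not problems, "problems": problems}
```

With the page's numbers the ratio comes out at 1.93, but `comparable` is False: the HTTPS figure measures error responses, so it says nothing about the cost of the TLS handshake or record encryption for the real file.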