Principles of the HTTPS security mechanism and building an HTTPS site
Goal: build an HTTPS site with Apache httpd and mod_ssl.
How HTTPS provides security: the client sends an HTTPS request to the server. The server answers with its server certificate; at its core this is the server's public key, bound to the server's name and signed with the CA's private key. The client checks that signature with the CA's public key, which it already holds in its trust store, and so obtains a server public key it can trust. The client then generates a session key, encrypts it with the server's public key and sends it to the server. The session key is a symmetric key because symmetric ciphers are far cheaper; encrypting the bulk traffic with an asymmetric cipher is impractical (not impossible, just far too slow). From then on both sides encrypt the traffic with the session key.
Two caveats. This description is the classic RSA key exchange; the benchmark at the end of this page negotiated ECDHE-RSA-AES256-GCM-SHA384, where the certificate's RSA key only signs the handshake and the session key comes from an ephemeral Diffie-Hellman exchange (forward secrecy), and TLS 1.3 removed RSA key exchange altogether. And the self-signed certificate that the mod_ssl package generates at install time (shown below) gives encryption but no authentication: no CA a browser trusts vouches for it, so clients will warn, and an attacker in the path could present a self-signed certificate of their own just as convincingly.
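The signature-and-verification step above, as an added example that is not part of the original post: a throwaway CA, a server certificate for www.a.com signed by it, a self-signed certificate like the one the mod_ssl scriptlet makes, and the checks a client performs. The CA name and all file names are made up; only openssl is needed and nothing touches the network.

```shell
#!/bin/sh
# Added example (not from the original post): build a tiny CA, sign a server
# certificate for www.a.com with it, and show what client-side verification
# actually checks. All names and paths are hypothetical.
set -eu

# Create a CA, a CA-signed server certificate and a self-signed one in $1.
make_pki() {
    dir=$1
    # CA: self-signed; its public key is what clients trust.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Server key pair and CSR. The CSR carries the server's public key and
    # name; the private key never leaves the server.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.a.com" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:www.a.com\nbasicConstraints=CA:FALSE\n' > "$dir/san.ext"
    # The CA signs the CSR with its private key: this is the certificate the
    # server sends during the handshake.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$dir/san.ext" \
        -out "$dir/server.crt" 2>/dev/null
    # A self-signed certificate, like the localhost.crt mod_ssl generates:
    # it encrypts fine, but no CA vouches for it.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=www.a.com" \
        -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.crt" 2>/dev/null
}

# What the client does: verify the signature chain up to a trusted CA and
# check that the name matches. Returns 0 on success, non-zero otherwise.
verify_cert() {
    ca=$1; cert=$2; host=$3
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert" >/dev/null 2>&1
}

# The public key inside the certificate must be the one matching server.key.
pubkey_matches() {
    cert=$1; key=$2
    a=$(openssl x509 -in "$cert" -pubkey -noout)
    b=$(openssl pkey -in "$key" -pubout)
    [ "$a" = "$b" ]
}

# Demo run
tmp=$(mktemp -d)
make_pki "$tmp"
if verify_cert "$tmp/ca.crt" "$tmp/server.crt" www.a.com; then
    echo "CA-signed certificate for www.a.com: trusted"
fi
if ! verify_cert "$tmp/ca.crt" "$tmp/selfsigned.crt" www.a.com; then
    echo "self-signed certificate: rejected, no trusted CA signed it"
fi
if ! verify_cert "$tmp/ca.crt" "$tmp/server.crt" www.b.com; then
    echo "CA-signed certificate presented for www.b.com: rejected, name mismatch"
fi
if pubkey_matches "$tmp/server.crt" "$tmp/server.key"; then
    echo "certificate carries the public half of server.key"
fi
rm -rf "$tmp"
```

The three rejections are the whole point of the CA: a certificate is only useful to a client if the signature chains to a CA it trusts and the name in it matches the host it meant to reach. The self-signed case is exactly the state a fresh mod_ssl install is in.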
Building the HTTPS site (httpd with mod_ssl):
[root@localhost conf.d]# yum install mod_ssl -y
[root@localhost conf.d]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.modules.d/00-ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so ## the module itself
/usr/libexec/httpd-ssl-pass-dialog
/var/cache/httpd/ssl
[root@localhost conf.d]# cat /etc/httpd/conf.modules.d/00-ssl.conf
LoadModule ssl_module modules/mod_ssl.so
[root@localhost conf.d]# rpm -q --scripts mod_ssl ## the post-install scriptlet is what generates the default self-signed key and certificate
postinstall scriptlet (using /bin/sh):
umask 077
if [ -f /etc/pki/tls/private/localhost.key -o -f /etc/pki/tls/certs/localhost.crt ]; then
exit 0
fi
/usr/bin/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 2048 > /etc/pki/tls/private/localhost.key 2> /dev/null
FQDN=`hostname`
if [ "x${FQDN}" = "x" -o ${#FQDN} -gt 59 ]; then
FQDN=localhost.localdomain
fi
cat << EOF | /usr/bin/openssl req -new -key /etc/pki/tls/private/localhost.key \
-x509 -sha256 -days 365 -set_serial $RANDOM -extensions v3_req \
-out /etc/pki/tls/certs/localhost.crt 2>/dev/null
--
SomeState
SomeCity
SomeOrganization
SomeOrganizationalUnit
${FQDN}
root@${FQDN}
EOF
[root@localhost conf.d]# egrep -v "#|^$" /etc/httpd/conf.d/ssl.conf
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443> ## default vhost for port 443; note it sets no ServerName or DocumentRoot of its own
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
## Certificate: the one below is the self-signed localhost.crt created by the scriptlet.
## Browsers will warn because no trusted CA signed it; for a real site install a CA-issued
## certificate for the site's hostname (plus its intermediate chain) here.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
## Private key matching the certificate; keep it readable by root only (the scriptlet uses umask 077)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
[root@localhost conf.d]# systemctl restart httpd ## restart so mod_ssl and the 443 vhost come up; run httpd -t first to catch config errors
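A tightened vhost for www.a.com to put beside the stock ssl.conf above, added here as an example and not taken from the original page or from the mod_ssl package. The hostname, DocumentRoot and certificate file names are assumptions; each change is annotated with the stock setting it replaces.

```apache
# Added example, not part of the original page: an HTTPS vhost for www.a.com
# tightened relative to the stock ssl.conf shown above. Paths and names are
# assumed. "Listen 443 https" is already present in ssl.conf and must not be
# repeated here.

<VirtualHost *:443>
    ServerName www.a.com
    # Same DocumentRoot as the port-80 vhost, so http:// and https:// serve
    # the same files (the stock _default_:443 vhost sets none of its own).
    DocumentRoot /var/www/html

    SSLEngine on
    # Stock: SSLProtocol all -SSLv2 -SSLv3   (still permits TLS 1.0 and 1.1)
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    # Stock: HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA   (3DES is a 64-bit block cipher; drop it,
    # and keep only forward-secret AEAD suites)
    SSLCipherSuite ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!3DES
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off

    # Replace the self-signed pair generated by the mod_ssl scriptlet with a
    # CA-issued certificate for the hostname plus its chain (paths assumed).
    SSLCertificateFile      /etc/pki/tls/certs/www.a.com.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/www.a.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/www.a.com-chain.crt

    # Once the CA-issued certificate is in place, tell browsers to stay on
    # HTTPS for a year (needs mod_headers).
    Header always set Strict-Transport-Security "max-age=31536000"

    ErrorLog  logs/ssl_error_log
    CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

# Send plain-HTTP visitors to HTTPS instead of serving the site twice.
<VirtualHost *:80>
    ServerName www.a.com
    Redirect permanent / https://www.a.com/
</VirtualHost>
```

`+TLSv1.3` is only accepted by httpd 2.4.37 or later built against OpenSSL 1.1.1 or later; on an older httpd drop that token or `httpd -t` will reject the protocol name. On httpd 2.4.8 and later the chain may instead be appended to the file named by `SSLCertificateFile`. After restarting, confirm what actually got negotiated from a client with `openssl s_client -connect www.a.com:443 -servername www.a.com`, and only add the HSTS header once the CA-issued certificate is in place, since it makes browsers refuse to click through a certificate warning afterwards.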
HTTP vs HTTPS performance comparison: HTTP load test
[root@vm1 ~]# ab -c10 -n 100 http://www.a.com/messages.txt
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking www.a.com (be patient).....done
Server Software: Apache
Server Hostname: www.a.com
Server Port: 80
Document Path: /messages.txt
Document Length: 49652 bytes
Concurrency Level: 10
Time taken for tests: 0.049 seconds
Complete requests: 100
Failed requests: 0
Write errors: 0
Total transferred: 4992600 bytes
HTML transferred: 4965200 bytes
Requests per second: 2035.62 [#/sec] (mean) ## roughly 2000 requests/s over plain HTTP
Time per request: 4.912 [ms] (mean)
Time per request: 0.491 [ms] (mean, across all concurrent requests)
Transfer rate: 99248.57 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 1 0.8 1 4
Processing: 1 3 1.7 3 8
Waiting: 0 2 1.5 2 7
Total: 2 5 2.2 4 10
Percentage of the requests served within a certain time (ms)
50% 4
66% 4
75% 5
80% 6
90% 9
95% 9
98% 10
99% 10
100% 10 (longest request)
HTTPS load test
[root@vm1 ~]# ab -c10 -n 100 https://www.a.com/messages.txt
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking www.a.com (be patient).....done
Server Software: Apache
Server Hostname: www.a.com
Server Port: 443
SSL/TLS Protocol: TLSv1.2,ECDHE-RSA-AES256-GCM-SHA384,2048,256
Document Path: /messages.txt
Document Length: 214 bytes
Concurrency Level: 10
Time taken for tests: 0.095 seconds
Complete requests: 100
Failed requests: 0
Write errors: 0
Non-2xx responses: 100 ## every request got an error status: the 214-byte body is an error page, not the 49652-byte messages.txt served over HTTP (most likely because the _default_:443 vhost does not share the HTTP vhost's DocumentRoot), so this run is not comparable with the HTTP one until the HTTPS vhost serves the same file
Total transferred: 37800 bytes
HTML transferred: 21400 bytes
Requests per second: 1055.74 [#/sec] (mean) ## roughly 1000 requests/s, about half of HTTP; with -c10 -n 100 and no -k every request paid a full TLS handshake, which shows up as Connect time below, not as Processing time
Time per request: 9.472 [ms] (mean)
Time per request: 0.947 [ms] (mean, across all concurrent requests)
Transfer rate: 389.72 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 4 7 1.4 7 12
Processing: 0 1 0.7 1 3
Waiting: 0 1 0.5 1 2
Total: 4 8 1.6 8 15
Percentage of the requests served within a certain time (ms)
50% 8
66% 8
75% 9
80% 9
90% 10
95% 10
98% 13
99% 15
100% 15 (longest request)
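Before reading a ratio off two ab runs it pays to check that both runs served the same document with a 2xx status; the HTTPS run above did not. An added shell check, not from the original page, that parses ab output and refuses the comparison when it is invalid; the two sample reports are constructed from excerpts of the figures shown on this page.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check two ApacheBench
# reports before comparing them. The sample reports written by write_samples
# are constructed from excerpts of the two runs shown above.
set -eu

# Print the first token after "Field:" in an ab report, or nothing if absent
# (ab only prints "Non-2xx responses" when the count is non-zero).
ab_value() {
    awk -F': *' -v k="$2" '$1 == k { sub(/ .*/, "", $2); print $2; exit }' "$1"
}

# Mean connect time in ms; for HTTPS this includes the TLS handshake.
ab_connect_mean() {
    awk '$1 == "Connect:" { print $3; exit }' "$1"
}

# 0 if the two runs are comparable: no non-2xx responses and the same document size.
ab_comparable() {
    for f in "$1" "$2"; do
        n=$(ab_value "$f" "Non-2xx responses")
        if [ -n "$n" ] && [ "$n" -gt 0 ]; then
            echo "$f: $n non-2xx responses, the document was not served" >&2
            return 1
        fi
    done
    l1=$(ab_value "$1" "Document Length")
    l2=$(ab_value "$2" "Document Length")
    if [ "$l1" != "$l2" ]; then
        echo "document lengths differ ($l1 vs $l2 bytes): not the same resource" >&2
        return 1
    fi
}

# Write the two constructed sample reports into directory $1.
write_samples() {
    cat > "$1/http.txt" <<'EOF'
Server Port:            80
Document Length:        49652 bytes
Requests per second:    2035.62 [#/sec] (mean)
Connect:        0    1   0.8      1       4
EOF
    cat > "$1/https.txt" <<'EOF'
Server Port:            443
SSL/TLS Protocol:       TLSv1.2,ECDHE-RSA-AES256-GCM-SHA384,2048,256
Document Length:        214 bytes
Non-2xx responses:      100
Requests per second:    1055.74 [#/sec] (mean)
Connect:        4    7   1.4      7      12
EOF
}

# Demo run
tmp=$(mktemp -d)
write_samples "$tmp"
echo "mean connect time (ms): http=$(ab_connect_mean "$tmp/http.txt") https=$(ab_connect_mean "$tmp/https.txt")"
if ab_comparable "$tmp/http.txt" "$tmp/https.txt"; then
    ratio=$(awk -v a="$(ab_value "$tmp/https.txt" 'Requests per second')" \
                -v b="$(ab_value "$tmp/http.txt" 'Requests per second')" \
                'BEGIN { printf "%.2f", a / b }')
    echo "throughput ratio https/http: $ratio"
else
    echo "runs are not comparable; fix the HTTPS vhost and rerun, using ab -k to amortise the handshake"
fi
rm -rf "$tmp"
```

Run against the real reports (`ab ... > http.txt`, `ab ... > https.txt`) the same functions apply unchanged. The connect-time line is the one worth watching: the handshake cost of HTTPS lands there, and with `ab -k` (keep-alive) it is paid once per connection rather than once per request.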