ssl + apache? 我的是RH7.2(3) ，APACHE，PHP和MYSQL(轉)

ssl + apache? 我的是RH7.2(3) ，APACHE，PHP和MYSQL(轉)[@more@]

注意了：

貼上我總結的安裝方法給大家分享

配置支援SSL的TOMCAT與APACHE

軟體：

Java j2sdk-1_4_0_rc-win

Jakarta-tomcat-4.0-b1

Openssl for Linux

操作步驟：

1、 建立CA根證照（使用openssl）

1． 在openssl的apps目錄下建立自己的CA目錄，2． 例如：mageCA

mkdir mage

3． 生成CA金鑰（用於簽發證照）

openssl genrsa -out mageCA/ca-key.pem 1024

4． 生成待簽名5． 的證照

openssl req -new -out mageCA/ca-req.csr -key mageCA/ca-key.pem

6． 用CA私鑰自簽名7．

openssl x509 -req -in mageCA/ca-req.csr -out mageCA/ca-cert.pem -signkey mageCA/ca-key.pem -days 365

2、 建立服3、 務器證照（使用java）注：%JDK_HOME%為j2sdk的安裝目錄

1. 在Java的工作目錄，2. 也就是%JDK_HOME%的bin目錄下建立自己的server目錄，3. 例如：server

mkdir server

4. 生成server金鑰對

%JDK_HOME%inkeytool -genkey -alias tomcat_server -validity 365 -keyalg RSA -keysize 1024 -keypass changeit -storepass changeit -dname "cn=localhost, ou=department, o=company, l=Beijing, st=Beijing, c=CN" -keystore serverserver_keystore

注：-alias後的tomcat_server是金鑰對的名字可替換為自己想要的名字

-keypass與-strorepass後的changeit為保護密碼必須6位，將其替換為你要的密碼即可。

-dname為包含的server資訊。其中cn是伺服器的名字一定要與WEB伺服器中設定的一樣。

5. 生成待簽名6. 證照

%JDK_HOME%inkeytool -certreq -alias tomcat_server -sigalg MD5withRSA -file serverserver.csr -keypass changeit -keystore serverserver_keystore -storepass changeit引數意義同上

7. 用CA私鑰簽名8. （在linux上使用openssl）

1) 先將剛剛生成的server.csr檔案ftp到linux上openssl的目錄下的server子目錄中。注意ftp的時候使用bin模式。

2) openssl x509 -req -in server/server.csr -out server/server-cert.pem -CA mageCA/ca-cert.pem -CAkey mageCA/ca-key.pem -days 365

4、 將CA根證照和服5、 務器證照匯入Tomcat（使用Java）

1． 先匯入CA根證照

1） 將CA根證照（ca-cert.pem）ftp到Java工作目錄下的ca子目錄中。注意ftp的時候使用bin模式。

2） %JDK_HOME%inkeytool -import -v -trustcacerts -storepass changeit -alias my_ca_root -file caca-cert.pem -keystore %JDK_HOME%jrelibsecuritycacerts注意此時的-storepass為預設的“changeit”。-alias為 CA根證照的別名3） 。

2． 再匯入服3． 務器證照

1） 將服2） 務器證照（server-cert.pem）ftp到Java工作目錄下的server子目錄中。注意ftp的時候使用bin模式。

3） %JDK_HOME%inkeytool -import -v -trustcacerts -storepass changeit -alias tomcat_server -file serverserver-cert.pem -keystore serverserver_keystore注意此時的-storepass為剛才生成證照時輸入的密碼。-alias為服4） 務器證照的別名5）。

4． 檢視證照

1） 檢視CA證照

keytool -list -keystore %JDK_HOME%jrelibsecuritycacerts

2） 檢視服3） 務器證照

keytool -list -keystore serverserver_keystore

5． 修改Tomcat的配置檔案

用寫字板修改conf目錄下server.xml檔案找到以下內容去掉其註釋並修改。

<!-- Define an SSL HTTP/1.1 Connector on port 8443 --&gt

port="8443" minProcessors="5" maxProcessors="75"

enableLookups="false"

acceptCount="10" debug="0" scheme="https" secure="true">

clientAuth="true" protocol="TLS"

keystoreFile="c:/jakarta-tomcat-4.0-b1/conf/server_keystore" keystorePass="780608"

/>

然後把檔案serverserver_keystore複製到目錄%TCAT_HOME%conf下

6、 建立Client證照

1． 在openssl的apps目錄下建立自己的Client目錄，2． 例如：client

3． 生成Client金鑰對

openssl genrsa -out clientclient-key.pem 1024

4． 生成待簽名5． 的證照

openssl req -new -out clientclient-req.csr -key clientclient-key.pem

6． 用CA私鑰簽名7．

openssl x509 -req -in clientclient-req.csr -out clientclient-cert.pem -signkey clientclient-key.pem -CA mageCAca-cert.pem -CAkey mageCAca-key.pem -CAcreateserial -days 365

8． 生成Client端可以匯入的個人證照

openssl pkcs12 -export -clcerts -in clientclient-cert.pem -inkey clientclient-key.pem -out clientclient.p12

7、 將CA證照與個人證照匯入IE

1． 先匯入CA根證照

1) 將已經ftp到Java工作目錄下ca子目錄中的ca-cert.pem改名2) 為ca-cert.cer

3) 在client端的IE中使用,< Internet選項>,,,,把我們生成的CA根證照匯入，4) 使其成為使用者信任的CA。

2． 再匯入個人證照

1) 將個人證照（client.p12）ftp到Client端。注意ftp的時候使用bin模式。

2) 把client.p12匯入到client端的IE中作為個人證照，3) 匯入過程同4) 上

8、 啟動並訪問

1． 執行%TCAT_HOME%instartup.bat啟動Tomcat 4.x

2． 在IE瀏覽器的位址列中輸入，3． 如果前面的操作都正確的話，4．應該可以看到Tomcat的歡迎頁面。同5． 時狀態列上的小鎖處於閉合狀態，6． 表示您已經成功地與服7．務器建立了要求客戶端驗證的SSL安全連線。

9、 其他

IE在進行伺服器證照的認證的時候可能出現一個對話方塊說明有三項驗證資訊中的幾項不副。1該安全證照不是由可信的驗證機構發行2該安全證照的日期無效3安全證照上的名稱和站點名稱不匹配。

下面是APACHE的SSL設定。

金鑰與證照的生成方式都一樣然後是對http.conf的設定。

條件編譯

判斷引數

##

## SSL Virtual Host Context

##

開始設定

# General setup for the virtual host

#DocumentRoot "/etc/httpd/htdocs"

#ServerName new.host.name

#ServerAdmin you@your.address

DocumentRoot "/var/www/ssl/"預設根路徑

ServerName

ServerAdmin you@your.address

ErrorLog logs/error_log

TransferLog logs/access_log

# SSL Engine Switch:

# Enable/Disable SSL for this virtual host.

SSLEngine on啟動SSL引擎

# SSL Cipher Suite:

# List the ciphers that the client is permitted to negotiate.

# See the mod_ssl documentation for a complete list.

SSLCipherSuite支援的加密模式

ALL:!ADH:!EXPORT57:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# Server Certificate:

# Point SSLCertificateFile at a PEM encoded certificate. If

# the certificate is encrypted, then you will be prompted for a

# pass phrase. Note that a kill -HUP will prompt again. A test

# certificate can be generated with `make certificate' under

# built time. Keep in mind that if you've both a RSA and a DSA

# certificate you can configure both in parallel (to also allow

# the use of DSA ciphers, etc.)

#SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt

SSLCertificateFile /home/wig/openssl/apps/apache/apache-cert.pem伺服器證照檔案

#SSLCertificateFile /etc/httpd/conf/ssl.crt/server-dsa.crt

# Server Private Key:

# If the key is not combined with the certificate, use this

# directive to point at the key file. Keep in mind that if

# you've both a RSA and a DSA private key you can configure

# both in parallel (to also allow the use of DSA ciphers, etc.)

#SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

SSLCertificateKeyFile /home/wig/openssl/apps/apache/apache-key.pem伺服器金鑰對檔案

#SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server-dsa.key

# Server Certificate Chain:

# Point SSLCertificateChainFile at a file containing the

# concatenation of PEM encoded CA certificates which form the

# certificate chain for the server certificate. Alternatively

# the referenced file can be the same as SSLCertificateFile

# when the CA certificates are directly appended to the server

# certificate for convinience.

#SSLCertificateChainFile /etc/httpd/conf/ssl.crt/server.crt

SSLCertificateChainFile /home/wig/openssl/apps/mageCA/ca-cert.pem CA鏈證照檔案（用來認證遞迴）

# Certificate Authority (CA):

# Set the CA certificate verification path where to find CA

# certificates for client authentication or alternatively one

# huge file containing all of them (file must be PEM encoded)

# Note: Inside SSLCACertificatePath you need hash symlinks

# to point to the certificate files. Use the provided

# Makefile to update the hash symlinks after changes.

#SSLCACertificatePath /etc/httpd/conf/ssl.crt

#SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt

SSLCACertificateFile /home/wig/openssl/apps/mageCA/ca-cert.pemCA證照檔案

# Certificate Revocation Lists (CRL):

# Set the CA revocation path where to find CA CRLs for client

# authentication or alternatively one huge file containing all

# of them (file must be PEM encoded)

# Note: Inside SSLCARevocationPath you need hash symlinks

# to point to the certificate files. Use the provided

# Makefile to update the hash symlinks after changes.

#SSLCARevocationPath /etc/httpd/conf/ssl.crl

#SSLCARevocationPath /etc/httpd/conf/ssl.crl

#SSLCARevocationFile /etc/httpd/conf/ssl.crl/ca-bundle.crl

# Client Authentication (Type):

# Client certificate verification type and depth. Types are

# none, optional, require and optional_no_ca. Depth is a

# number which specifies how deeply to verify the certificate

# issuer chain before deciding the certificate is not valid.

#SSLVerifyClient require

#SSLVerifyDepth 10

SSLVerifyClient require使用者認證方式為必須認證（可選）

SSLVerifyDepth 10使用者認證遞迴深度

# Access Control:

# With SSLRequire you can do per-directory access control based

# on arbitrary complex boolean expressions containing server

# variable checks and other lookup directives. The syntax is a

# mixture between C and Perl. See the mod_ssl documentation

# for more details.

#

#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/

# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd."

# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}

# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5

# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 )

# or %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/

#

# SSL Engine Options:

# Set various options for the SSL engine.

# o FakeBasicAuth:

# Translate the client X.509 into a Basic Authorisation. This means that

# the standard Auth/DBMAuth methods can be used for access control. The

# user name is the `one line' version of the client's X.509 certificate.

# Note that no password is obtained from the user. Every entry in the user

# file needs this password: `xxj31ZMTZzkVA'.

# o ExportCertData:

# This exports two additional environment variables: SSL_CLIENT_CERT and

# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the

# server (always existing) and the client (only existing when client

# authentication is used). This can be used to import the certificates

# into CGI scripts.

# o StdEnvVars:

# This exports the standard SSL/TLS related `SSL_*' environment variables.

# Per default this exportation is switched off for performance reasons,

# because the extraction step is an expensive operation and is usually

# useless for serving static content. So one usually enables the

# exportation for CGI and SSI requests only.

# o CompatEnvVars:

# This exports obsolete environment variables for backward compatibility

# to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this

# to provide compatibility to existing CGI scripts.

# o StrictRequire:

# This denies access when "SSLRequireSSL" or "SSLRequire" applied even

# under a "Satisfy any" situation, i.e. when it applies access is denied

# and no other module can change it.

# o OptRenegotiate:

# This enables optimized SSL connection renegotiation handling when SSL

# directives are used in per-directory context.

SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire

SSLOptions +StdEnvVars

SSLOptions +StdEnvVars

# SSL Protocol Adjustments:

# The safe and default but still SSL/TLS standard compliant shutdown

# approach is that mod_ssl sends the close notify alert but doesn't wait for

# the close notify alert from client. When you need a different shutdown

# approach you can use one of the following variables:

# o ssl-unclean-shutdown:

# This forces an unclean shutdown when the connection is closed, i.e. no

# SSL close notify alert is send or allowed to received. This violates

# the SSL/TLS standard but is needed for some brain-dead browsers. Use

# this when you receive I/O errors because of the standard approach where

# mod_ssl sends the close notify alert.

# o ssl-accurate-shutdown:

# This forces an accurate shutdown when the connection is closed, i.e. a

# SSL close notify alert is send and mod_ssl waits for the close notify

# alert of the client. This is 100% SSL/TLS standard compliant, but in

# practice often causes hanging connections with brain-dead browsers. Use

# this only for browsers where you know that their SSL implementation

# works correctly.

# Notice: Most problems of broken clients are also related to the HTTP

# keep-alive facility, so you usually additionally want to disable

# keep-alive for those clients, too. Use variable "nokeepalive" for this.

# Similarly, one has to force some clients to use HTTP/1.0 to workaround

# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

# "force-response-1.0" for this.

SetEnvIf User-Agent ".*MSIE.*"

nokeepalive ssl-unclean-shutdown

downgrade-1.0 force-response-1.0

# Per-Server Logging:

# The home of a custom SSL log file. Use this when you want a

# compact non-error SSL logfile on a virtual host basis.

CustomLog logs/ssl_request_log

"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b"

然後在/etc/rc.d/init.d/httpd start -D HAVE_SSL啟動APACHE就行了。