OpenSSL实战指南：常用功能与命令解析

linux

openssl

需积分: 10 106 浏览量更新于2024-07-17 收藏 1.57MB PDF 举报

身份认证购VIP最低享 7 折!

30元优惠券

"OpenSSL Cookbook 是一本指南，涵盖了OpenSSL最常用的功能和命令，由Ivan Ristić撰写，旨在帮助读者理解并运用OpenSSL在Linux环境中进行安全通信。本书适用于基础设施部署和Web应用程序开发中的SSL/TLS和PKI（公钥基础设施）的使用。" OpenSSL是一个强大的安全套接字层密码库，包含了各种主要的密码算法、常用的密钥和证书封装管理功能以及SSL协议，并提供丰富的应用程序供测试或其他目的使用。在Linux系统中，OpenSSL被广泛应用于构建安全网络服务，如HTTPS服务器、电子邮件服务器等。该Cookbook详细讲解了如何利用OpenSSL来执行以下关键任务： 1. **生成和管理密钥**：包括创建RSA、DSA等不同类型的密钥对，以及处理私钥的安全存储和备份。 2. **创建和验证数字证书**：涵盖自签名证书的制作、CA（证书颁发机构）的建立，以及如何对证书进行签名和撤销。 3. **SSL/TLS协议配置**：指导如何在Web服务器（如Apache或Nginx）中设置和优化SSL/TLS连接，包括选择正确的加密套件和启用HSTS（HTTP严格传输安全）等。 4. **SSL/TLS会话管理**：讨论会话缓存、会话ID和会话Ticket的使用，以提高性能和安全性。 5. **加密和解密数据**：介绍使用OpenSSL工具进行文件和数据的加密和解密操作。 6. **网络通信的调试和分析**：教授如何使用`openssl s_client`和`s_server`工具进行网络通信的抓包和分析，以检测潜在的安全问题。 7. **PKI概念和实践**：深入解释X.509证书、CRL（证书撤销列表）和OCSP（在线证书状态协议）的工作原理及其在实际环境中的应用。 8. **安全最佳实践**：根据当前的安全标准和建议，提供关于密码策略、密钥长度和加密算法选择的最佳实践。 Ivan Ristić的《OpenSSL Cookbook》是学习和掌握OpenSSL实用技能的宝贵资源，无论你是系统管理员、开发者还是网络安全专业人员，都能从中受益。书中不仅有详细的步骤说明，还有丰富的示例代码，帮助读者快速上手并解决实际工作中遇到的问题。通过这本书，你可以提升自己的技能，确保你的网络服务在安全性和性能方面达到最佳状态。

资源详情

资源推荐

1 OpenSSL Cookbook

OpenSSL is an open source project that consists of a cryptographic library and an SSL toolkit.

From the project’s web site:

The OpenSSL Project is a collaborative effort to develop a robust, commer-

cial-grade, full-featured, and Open Source toolkit implementing the Secure

Sockets Layer (SSL) and Transport Layer Security (TLS) protocols as well as a

full-strength general purpose cryptography library. The project is managed by a

worldwide community of volunteers that use the Internet to communicate, plan,

and develop the OpenSSL toolkit and its related documentation.

OpenSSL is a de facto standard in this space and comes with a long history. The code initially

began its life in 1995 under the name SSLeay,

when it was developed by Eric A. Young and

Tim J. Hudson. The OpenSSL project was born in the last days of 1998, when Eric and Tim

stopped their work on SSLeay to work on a commercial SSL toolkit called BSAFE SSL-C at

RSA Australia.

Today, OpenSSL is ubiquitous on the server side and in many client tools. Interestingly,

browsers tend to use other libraries. The command-line tools provided by OpenSSL are most

commonly used to manage keys and certiﬁcates.

OpenSSL is dual-licensed under OpenSSL and SSLeay licenses. Both are BSD-like, with an

advertising clause. The license has been a source of contention for a very long time, because

neither of the licenses is considered compatible with the GPL family of licenses. For that rea-

son, you will often ﬁnd that GPL-licensed programs favor GnuTLS.

The letters “eay” in the name SSLeay are Eric A. Young’s initials.

Personal copy of gg ggg <cindy@devnullmail.com>

2 Chapter 1: OpenSSL Cookbook

Getting Started

If you’re using one of the Unix platforms, getting started with OpenSSL is easy; you’re virtually

guaranteed to already have it on your system. The only problem that you might face is that you

might not have the latest version. In this section, I assume that you’re using a Unix platform,

because that’s the natural environment for OpenSSL.

Windows users tend to download binaries, which might complicate the situation slightly. In

the simplest case, if you need OpenSSL only for its command-line utilities, the main OpenSSL

web site links to Shining Light Productions for the Windows binaries. In all other situations,

you need to ensure that you’re not mixing binaries compiled under different versions of

OpenSSL. Otherwise, you might experience crashes that are difﬁcult to troubleshoot. The best

approach is to use a single bundle of programs that includes everything that you need. For

example, if you want to run Apache on Windows, you can get your binaries from the Apache

Lounge.

Determine OpenSSL Version and Conﬁguration

Before you do any work, you should know which OpenSSL version you’ll be using. For exam-

ple, here’s what I get for version information with openssl version on Ubuntu 12.04 LTS,

which is the system that I’ll be using for the examples in this chapter:

$ openssl version

OpenSSL 1.0.1 14 Mar 2012

At the time of this writing, a transition from OpenSSL 0.9.x to OpenSSL 1.0.x is in progress.

The version 1.0.1 is especially signiﬁcant because it is the ﬁrst version to support TLS 1.1 and

TLS 1.2. The support for newer protocols is part of a global trend, so it’s likely that we’re going

to experience a period during which interoperability issues are not uncommon.

Note

Various operating systems often modify the OpenSSL code, usually to ﬁx known is-

sues. However, the name of the project and the version number generally stay the

same, and there is no indication that the code is actually a fork of the original project

that will behave differently. For example, the version of OpenSSL used in Ubuntu

12.04 LTS

is based on OpenSSL 1.0.1c. At the time of this writing, the full name of

the package is openssl 1.0.1-4ubuntu5.5, and it adds 44 patches to OpenSSL 1.0.1c.

Ubuntu: “openssl” source package in Precise

Personal copy of gg ggg <cindy@devnullmail.com>

Building OpenSSL 3

To get complete version information, use the -a switch:

$ openssl version -a

OpenSSL 1.0.1 14 Mar 2012

built on: Wed May 23 00:01:41 UTC 2012

platform: debian-amd64

options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)

compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN …

-DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector …

--param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D…

_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall …

-DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int …

-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM…

_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES…

_ASM -DWHIRLPOOL_ASM -DGHASH_ASM

OPENSSLDIR: "/usr/lib/ssl"

The last line in the output (/usr/lib/ssl) is especially interesting because it will tell you where

OpenSSL will look for its conﬁguration and certiﬁcates. On my system, that location is essen-

tially an alias for /etc/ssl, where Ubuntu keeps SSL-related ﬁles:

lrwxrwxrwx 1 root root 14 Apr 19 09:28 certs -> /etc/ssl/certs

drwxr-xr-x 2 root root 4096 May 28 06:04 misc

lrwxrwxrwx 1 root root 20 May 22 17:07 openssl.cnf -> /etc/ssl/openssl.cnf

lrwxrwxrwx 1 root root 16 Apr 19 09:28 private -> /etc/ssl/private

The misc/ folder contains a few supplementary scripts, the most interesting of which are the

scripts that allow you to implement a custom Certiﬁcate Authority (CA).

Building OpenSSL

In most cases, you will be using the operating system–supplied version of OpenSSL, but some-

times there are good reasons to upgrade. For example, your current server platform may still

be using OpenSSL 0.9.x, and you might want to support newer protocol versions (available

only in OpenSSL 1.0.1). Further, the newer versions may not have all the features you need.

For example, on Ubuntu 12.04 LTS, there’s no support for SSL 2.0 in the s_client command.

Although not supporting this version of SSL by default is the right decision, you’ll need this

feature if you’re routinely testing other servers for SSL 2.0 support.

You can start by downloading the most recent version of OpenSSL (in my case, 1.0.1c):

$ wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz

The next step is to conﬁgure OpenSSL before compilation. In most cases, you’ll be leaving the

system-provided version alone and installing OpenSSL in an another location. For example:

Personal copy of gg ggg <cindy@devnullmail.com>

剩余56页未读，继续阅读

rhef

粉丝: 1
资源: 63

OpenSSL实战指南：常用功能与命令解析

OpenSSL使用指南

OpenSSL学习资料(比较齐全的OpenssL相关资料汇总)

openssl cookbook

OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to github.com:443

_lib.OpenSSL_add_all_algorithms() AttributeError: module 'lib' has no attribute 'OpenSSL_add_all_algorithms'

openssl s_client -connect用法

openssl s_client

openssl s_server

CMake Error at F:/cmake-3.26.4-windows-x86_64/share/cmake-3.26/Modules/FindPackageHandleStandardArgs.cmake:230 (message): Could NOT find OpenSSL, try to set the path to OpenSSL root folder in the system variable OPENSSL_ROOT_DIR (missing: OPENSSL_INCLUDE_DIR) (Required is at least version "1.1.1")

使用工具openssl s_client和strace来分析SSL实操

openssl 验证 私钥 证书 openssl s_server -msg -verify

openssl_public_encrypt

openssl s_client工具安装

OpenSSL SSL_read: Connection was aborted, errno 10053

最新资源

openssl 验证私钥证书 openssl s_server -msg -verify