第1页 / 共101页
第2页 / 共101页
第3页 / 共101页
第4页 / 共101页
第5页 / 共101页
第6页 / 共101页
第7页 / 共101页
第8页 / 共101页
openssl官方文档.pdf
OpenSSL Cookbook
Table of Contents
Preface
Feedback
About Bulletproof SSL and TLS
About the Author
Chapter 1: OpenSSL
Getting Started
Determine OpenSSL Version and Configuration
Building OpenSSL
Examine Available Commands
Building a Trust Store
Conversion Using Perl
Conversion Using Go
Key and Certificate Management
Key Generation
Creating Certificate Signing Requests
Creating CSRs from Existing Certificates
Unattended CSR Generation
Signing Your Own Certificates
Creating Certificates Valid for Multiple Hostnames
Examining Certificates
Key and Certificate Conversion
PEM and DER Conversion
PKCS#12 (PFX) Conversion
PKCS#7 Conversion
Configuration
Cipher Suite Selection
Obtaining the List of Supported Suites
Keywords
Combining Keywords
Building Cipher Suite Lists
Keyword Modifiers
Sorting
Handling Errors
Putting It All Together
Recommended Configuration
Performance
Creating a Private Certification Authority
Features and Limitations
Creating a Root CA
Root CA Configuration
Root CA Directory Structure
Root CA Generation
Structure of the Database File
Root CA Operations
Create a Certificate for OCSP Signing
Creating a Subordinate CA
Subordinate CA Configuration
Subordinate CA Generation
Subordinate CA Operations
Chapter 2: Testing with OpenSSL
Connecting to SSL Services
Testing Protocols that Upgrade to SSL
Using Different Handshake Formats
Extracting Remote Certificates
Testing Protocol Support
Testing Cipher Suite Support
Testing Servers that Require SNI
Testing Session Reuse
Checking OCSP Revocation
Testing OCSP Stapling
Checking CRL Revocation
Testing Renegotiation
Testing for the BEAST Vulnerability
Testing for Heartbleed
Determining the Strength of Diffie-Hellman Parameters
Appendix A: SSL/TLS Deployment Best Practices
1 Private Key and Certificate
1.1 Use 2048-Bit Private Keys
1.2 Protect Private Keys
1.3 Ensure Sufficient Hostname Coverage
1.4 Obtain Certificates from a Reliable CA
1.5 Use Strong Certificate Signature Algorithms
2 Configuration
2.1 Use Complete Certificate Chains
2.2 Use Secure Protocols
2.3 Use Secure Cipher Suites
2.4 Select Best Cipher Suites
2.5 Use Forward Secrecy
2.6 Use Strong Key Exchange
2.7 Mitigate Known Problems
3 Performance
3.1 Avoid Too Much Security
3.2 Use Session Resumption
3.3 Use WAN Optimization and HTTP/2
3.4 Cache Public Content
3.5 Use OCSP Stapling
3.6 Use Fast Cryptographic Primitives
4 HTTP and Application Security
4.1 Encrypt Everything
4.2 Eliminate Mixed Content
4.3 Understand and Acknowledge Third-Party Trust
4.4 Secure Cookies
4.5 Secure HTTP Compression
4.6 Deploy HTTP Strict Transport Security
4.7 Deploy Content Security Policy
4.8 Do Not Cache Sensitive Content
4.9 Consider Other Threats
5 Validation
6 Advanced Topics
7 Changes
Version 1.3 (17 September 2013)
Version 1.4 (8 December 2014)
Version 1.5 (8 June 2016)
Acknowledgments
About SSL Labs
About Qualys
Appendix B: Changes
v1.0 (May 2013)
v1.1 (October 2013)
v2.0 (March 2015)
v2.1 (March 2016)
SECOND
EDITION
OPENSSL
COOKBOOK
A Guide to the Most Frequently Used
OpenSSL Features and Commands
From the book
Bulletproof SSL and TLS
Ivan Ristić
Last update: Thu Jun 14 04:32:04 BST 2018 (build 606)
The Best TLS Training in the World
Spend two days to understand both the theory
and practice of SSL/TLS and Internet PKI
Two days in London www.feistyduck.com/training
The Best
TLS Training
in the World
£100 off
the course price
with code
COOKBOOK
Designed by Ivan Ristić, this practical training
course will teach you how to deploy secure
servers and encrypted web applications and
will explain both the theory and practice of
Internet PKI. You'll learn how to get an A+ on
SSL Labs and how to build and deploy a
realistic private certification authority.
You will receive a free copy of Bulletproof SSL
and TLS, training materials and exercises, and
your own virtual server, which you will work on
during the training and for a few weeks after.
“Vibrant, enthusiastic and knowledgeable.
Covered all I needed and more.”
Andrew Mallett, The Urban Penguin
“Excellent course, well laid out and excellent
exercises to help understand materials.”
Irum Malik, WAJT Consulting
“Great Course. Lots of useful information
and practical labs. Flawless lab setup.”
Tom Griffiths, Infrasys Technology
BULLETPROOF SSL AND TLS
Understanding and deploying SSL/TLS and PKI
to secure your servers and web applications
BULLETPROOF
SSL AND TLS
Understanding and Deploying SSL/TLS and
PKI to Secure Servers and Web Applications
Free edition: Getting Started
Ivan Ristić
Available Now
www.feistyduck.com
For system administrators, developers, and
IT security professionals, this book will
teach you everything you need to know to
protect your systems from eavesdropping
and impersonation attacks.
“The most comprehensive book about
deploying TLS in the real world!”
Nasko Oskov, Chrome Security
developer and former SChannel
developer
“Meticulously researched.”
Eric Lawrence, Fiddler author and
former Internet Explorer Program
Manager
“The most to the point and up to date
book about SSL/TLS I’ve read.”
Jakob Schlyter, IT security advisor
and DANE co-author
OpenSSL Cookbook
Ivan Ristić
OpenSSL Cookbook
by Ivan Ristić
Version 2.1-draft (build 606), published in June 2018.
Copyright © 2016 Feisty Duck Limited. All rights reserved.
First published in May 2013. Second edition published in March 2015.
Feisty Duck Limited
www.feistyduck.com
contact@feistyduck.com
Address:
6 Acantha Court
Montpelier Road
London W5 2QP
United Kingdom
Production editor: Jelena Girić-Ristić
Copyeditors: Melinda Rankin, Nancy Wolfe Kotary
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or
by any means, without the prior permission in writing of the publisher.
The author and publisher have taken care in preparation of this book, but make no expressed or implied warranty of any kind and
assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection
with or arising out of the use of the information or programs contained herein.
Licensed for the exclusive use of:
rookie kk <2459444323@qq.com>
Feisty Duck DigitalBook Distributionwww.feistyduck.com
Table of Contents
Getting Started
Key and Certificate Management
Feedback
About Bulletproof SSL and TLS
About the Author
Determine OpenSSL Version and Configuration
Building OpenSSL
Examine Available Commands
Building a Trust Store
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
viii
viii
viii
1. OpenSSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
2
2
3
5
6
8
8
12
14
14
15
15
16
19
22
22
35
39
39
40
47
2. Testing with OpenSSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
51
56
Key Generation
Creating Certificate Signing Requests
Creating CSRs from Existing Certificates
Unattended CSR Generation
Signing Your Own Certificates
Creating Certificates Valid for Multiple Hostnames
Examining Certificates
Key and Certificate Conversion
Connecting to SSL Services
Testing Protocols that Upgrade to SSL
Configuration
Cipher Suite Selection
Performance
Creating a Private Certification Authority
Features and Limitations
Creating a Root CA
Creating a Subordinate CA
iii
1 Private Key and Certificate
1.1 Use 2048-Bit Private Keys
1.2 Protect Private Keys
1.3 Ensure Sufficient Hostname Coverage
1.4 Obtain Certificates from a Reliable CA
1.5 Use Strong Certificate Signature Algorithms
2 Configuration
Using Different Handshake Formats
Extracting Remote Certificates
Testing Protocol Support
Testing Cipher Suite Support
Testing Servers that Require SNI
Testing Session Reuse
Checking OCSP Revocation
Testing OCSP Stapling
Checking CRL Revocation
Testing Renegotiation
Testing for the BEAST Vulnerability
Testing for Heartbleed
Determining the Strength of Diffie-Hellman Parameters
56
57
57
58
59
60
61
63
64
66
68
69
72
A. SSL/TLS Deployment Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
75
75
76
76
77
78
78
78
78
79
80
80
81
81
81
82
82
82
82
82
83
83
83
83
84
2.1 Use Complete Certificate Chains
2.2 Use Secure Protocols
2.3 Use Secure Cipher Suites
2.4 Select Best Cipher Suites
2.5 Use Forward Secrecy
2.6 Use Strong Key Exchange
2.7 Mitigate Known Problems
3.1 Avoid Too Much Security
3.2 Use Session Resumption
3.3 Use WAN Optimization and HTTP/2
3.4 Cache Public Content
3.5 Use OCSP Stapling
3.6 Use Fast Cryptographic Primitives
4 HTTP and Application Security
4.1 Encrypt Everything
4.2 Eliminate Mixed Content
4.3 Understand and Acknowledge Third-Party Trust
3 Performance
iv
4.4 Secure Cookies
4.5 Secure HTTP Compression
4.6 Deploy HTTP Strict Transport Security
4.7 Deploy Content Security Policy
4.8 Do Not Cache Sensitive Content
4.9 Consider Other Threats
5 Validation
6 Advanced Topics
7 Changes
Version 1.3 (17 September 2013)
Version 1.4 (8 December 2014)
Version 1.5 (8 June 2016)
Acknowledgments
About SSL Labs
About Qualys
B. Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
v1.0 (May 2013)
v1.1 (October 2013)
v2.0 (March 2015)
v2.1 (March 2016)
84
84
85
85
86
86
86
86
87
87
88
88
89
89
89
91
91
91
92
92
v
相关推荐
2023年江西萍乡中考道德与法治真题及答案.doc
2012年重庆南川中考生物真题及答案.doc
2013年江西师范大学地理学综合及文艺理论基础考研真题.doc
2020年四川甘孜小升初语文真题及答案I卷.doc
2020年注册岩土工程师专业基础考试真题及答案.doc
2023-2024学年福建省厦门市九年级上学期数学月考试题及答案.doc
2021-2022学年辽宁省沈阳市大东区九年级上学期语文期末试题及答案.doc
2022-2023学年北京东城区初三第一学期物理期末试卷及答案.doc
2018上半年江西教师资格初中地理学科知识与教学能力真题及答案.doc
2012年河北国家公务员申论考试真题及答案-省级.doc
2020-2021学年江苏省扬州市江都区邵樊片九年级上学期数学第一次质量检测试题及答案.doc
2022下半年黑龙江教师资格证中学综合素质真题及答案.doc
