HTTPS 原理与证书实践
1.1 网络安全知识
1.1.1 网结安全出现背景
1.1.2 网络安全涉及问题
1.2 网络安全问题的解决
1.2.1 网络安全解决问题–如何保证数据的机密性
1.2.2 网络安全解决问题-如何保证数据的完整
1.2.3 网络安全解决问题-如何进行传输双方身份验证
1.3 证书的由来
1.3.1 如何获取公钥信息
1.3.2 证书信息所包含什么内容
1.4 加密算法的简介
1.4.1 对称加密算法
1.4.2 单向加密算法
1.4.3 非对称加密算法
1.5 OpenSSL软件介绍
1.5.1 OpenSSL软件概念说明
1.5.2 OpenSSL软件组成部分
1.5.3 OpenSSL的使用
系统环境说明
检查OpenSLL**软件版本:**
方法一:
方法二:
主配置文件位置:
openssl使用帮助
<p>
<span style="font-family: '微软雅黑',sans-serif;">加密一个文件的方法:</span>
</p>
<div class="cnblogs_code">
<pre>openssl enc -des3 -salt -a -<span style="color: #0000ff;">in</span> inittab -out initab.des3 <span style="color: #008000;">#</span><span style="color: #008000;"> 输入密码后BP加密成功</span>
openssl enc -des3 -d -salt -a -in initab.des3 -out inittab # 输入钥后即解密成功
<p style="text-indent: 21.0pt;">
<span style="font-family: '微软雅黑',sans-serif;">说明:其中命令中的</span>salt<span style="font-family: '微软雅黑',sans-serif;">参数,主要用于避免密码加密后,对密钥串的反推</span>
</p>
<p>
<span style="font-family: '微软雅黑',sans-serif;">输出一个文件的特征码方式</span>
</p>
<div class="cnblogs_code">
<pre><span style="color: #000000;">md5sum inittab
shalsum inittab openssl dgst -shal inittab # 利用openssl 生成文件特征码 # dgst—表示指定使用摘要命令 # -shal—表示指定摘要命令选用shal算法
<p>
<span style="font-family: '微软雅黑',sans-serif;">生成和用户一样的密码串</span>
</p>
<div class="cnblogs_code">
<pre>openssl passwd -1 <span style="color: #008000;">#</span><span style="color: #008000;"> 采用md5加密用户密码串</span></pre>
</div>
<p>
<span style="font-family: '微软雅黑',sans-serif;">生成伪随机数方法</span>
</p>
<div class="cnblogs_code">
<pre>openssl rand -base 64 45 <span style="color: #008000;">#</span><span style="color: #008000;"> 给出一个任意数字,就会生产任意的随机数</span></pre>
</div>
<h3>
<span id="154_OpenSSLCA">1.5.4 OpenSSL<span style="font-family: '微软雅黑',sans-serif;">软件建立是有</span>CA</span>
</h3>
<p style="margin-left: 42.0pt; text-indent: -21.0pt;">
<span style="font-family: Wingdings;">ü </span><strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";background: yellow;">创建私钥与公钥信息</span></strong>
</p>
<p style="text-indent: 21.0pt;">
<span style="font-family: '微软雅黑',sans-serif;">需要先给</span>ca<span style="font-family: '微软雅黑',sans-serif;">证书颁发机构生成证书,即生成一对密钥;</span>genrsa - generate an RSA private key<span style="font-family: '微软雅黑',sans-serif;">利用</span>gerusa<span style="font-family: '微软雅黑',sans-serif;">生成密钥信息。虽然只是生成私钥,但需要清除公钥是通过私钥进行提取得到的,所以只要有私钥,就可以有公钥,私钥信息是非常重要的,因此生成的私钥文件应该是</span>600<span style="font-family: '微软雅黑',sans-serif;">的权限。</span>
</p>
<div class="cnblogs_code">
<pre>openssl genrsa 1024 >server.key <span style="color: #008000;">#</span><span style="color: #008000;"> 创建私钥信息,并指定私钥的长度为2048,并将生成的私钥信息保存在一个文件中</span>
openssl genrsa -out server.key 1024 # 将私钥信息直接进行保存,加密长度一定要放在输出文件后面 (umask 077;openssl genrsa -out server1024.key 1024) # 利用小括号,实现子shell功能,临时修改umask,使之创建的私钥文件权限为600 说明:密钥文件也可以进行加密的,并且支持后期手工加密,但不建议加密,每次使用私钥文件还要进行解密,比较麻烦 openssl rsa -in server1024.key -pubout #读取私钥文件命令
<p style="margin-left: 42.0pt; text-indent: -21.0pt;">
<span style="font-family: Wingdings;">ü </span><strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";background: yellow;">生成自签署的证书</span></strong>
</p>
<div class="cnblogs_code">
<pre>[root@web01 ~]<span style="color: #008000;">#</span><span style="color: #008000;"> openssl req -new -x509 -key server1024.key -out server.crt -days 365</span>
参数说明 req # 用于创建新的证书 new # 表示创建的是新的证书 x509 # 表示定义证书的格式为标准格式 key # 表示调用的私钥文件信息 out # 表示输出证书文件信息 days # 表示证书的有效期
<p>
<span style="font-family: '微软雅黑',sans-serif;">生产自签发证书的过程。</span>
</p>
<div class="cnblogs_code">
<pre>[root@web01 key]<span style="color: #008000;">#</span><span style="color: #008000;"> openssl req -new -x509 -key server1024.key -out server.crt -days 3650</span>
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ’.’, the field will be left blank. —– Country Name (2 letter code) [XX]:CN # 定义生成证书的国家 State or Province Name (full name) []:BJ # 定义生成证书的省份 Locality Name (eg, city) [Default City]:BJ # 定义生成证书的城市 Organization Name (eg, company) [Default Company Ltd]:nmtui.com # 生成证书的组织 Organizational Unit Name (eg, section) []:ops # 生成证书的职能部门 Common Name (eg, your name or your server’s hostname) []:blog.nmtui.com # 主机名称 Email Address []:[email protected] # 邮件地址 # 说明:此输出信息非常重要,客户端在获取证书前,会利用主机名与相应服务器之间建立连接,然后获得证书。
<p>
<span style="font-family: '微软雅黑',sans-serif;">查看生成证书的信息的方法</span>
</p>
<div class="cnblogs_code">
<pre>[root@web01 key]<span style="color: #008000;">#</span><span style="color: #008000;"> openssl x509 -text -in server.crt </span>
Certificate: Data: Version: 3 (0x2) Serial Number: 9747921528343358470 (0x874792fbbb49ec06) Signature Algorithm: sha1WithRSAEncryption Issuer: C=CN, ST=BJ, L=BJ, O=nmtui.com, OU=ops, CN=blog.nmtui.com/[email protected]
<p>
CA<span style="font-family: '微软雅黑',sans-serif;">目签发证书实际创建过程</span>
</p>
<div class="cnblogs_code">
<pre>cd /etc/pki/CA/private/ <span style="color: #008000;">#</span><span style="color: #008000;"> 进入到私钥保存目录中</span>
(umask 077;openssl genrsa -out ./cakey.pem 2048) # 创建一个 ca 私钥文件 cd /etc/pki/CA # 进入到CA目签发保存目录中 openssl req -new -x509 -key private/cakey.pem -out cacert.pem # 生成自签发证书 # 说明:由于下面配置文件中定义了一些证书信息,所以默认即可。
<p style="margin-left: 42.0pt; text-indent: -21.0pt;">
<span style="font-family: Wingdings;">ü </span><strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";background: yellow;">相关配置文件参数设定</span></strong>
</p>
<p>
<span style="font-family: '微软雅黑',sans-serif;">证书颁发机构的配置文件信息设定</span>
</p>
<p style="text-indent: 21.0pt;">
ca<span style="font-family: '微软雅黑',sans-serif;">颁发机构的私钥和证书是不能随便放置的,并且需要配置私有颁发机构的配置文件</span>
</p>
<div class="cnblogs_code">
<pre>/etc/pki/tls/openssl.cnf<span style="text-indent: 21pt;"> </span></pre>
</div>
<p>
<strong> [ CA_default ] </strong><strong><span style="font-family: '微软雅黑',sans-serif;">模块参数说明:</span></strong>
</p>
<table style="width: 100%; border-collapse: collapse; border-width: initial; border-style: none; border-color: initial;" border="1" cellspacing="0" cellpadding="0">
<tr>
<td style="width: 16.22%; border-top: 1pt solid #9bbb59; border-bottom: 1pt solid #9bbb59; border-left: 1pt solid #9bbb59; border-right: none; background: #9bbb59; padding: 0cm 5.4pt;" width="16%">
<p style="text-align: center;" align="center">
<strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: white;">参数</span></strong>
</p>
</td>
<td style="width: 28.48%; border-top: solid #9BBB59 1.0pt; border-left: none; border-bottom: solid #9BBB59 1.0pt; border-right: none; background: #9BBB59; padding: 0cm 5.4pt 0cm 5.4pt;" width="28%">
<p style="text-align: center;" align="center">
<strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: white;">配置</span></strong>
</p>
</td>
<td style="width: 33.62%; border-top: solid #9BBB59 1.0pt; border-left: none; border-bottom: solid #9BBB59 1.0pt; border-right: none; background: #9BBB59; padding: 0cm 5.4pt 0cm 5.4pt;" width="33%">
<p style="text-align: center;" align="center">
<strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: white;">官方配置说明</span></strong>
</p>
</td>
<td style="width: 21.68%; border-top: 1pt solid #9bbb59; border-right: 1pt solid #9bbb59; border-bottom: 1pt solid #9bbb59; border-left: none; background: #9bbb59; padding: 0cm 5.4pt;" width="21%">
<p style="text-align: center;" align="center">
<strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: white;">解释配置说明</span></strong>
</p>
</td>
</tr>
<tr>
<td style="width: 16.22%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="16%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">dir </span></strong>
</p>
</td>
<td style="width: 28.48%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="28%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">= /etc/pki/CA </span>
</p>
</td>
<td style="width: 33.62%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="33%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">Where everything is kept</span>
</p>
</td>
<td style="width: 21.68%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="21%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">创建并定义</span>CA<span style="font-family: '微软雅黑',sans-serif;">目录信息</span>
</p>
</td>
</tr>
<tr>
<td style="width: 16.22%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; padding: 0cm 5.4pt;" width="16%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">certs </span></strong>
</p>
</td>
<td style="width: 28.48%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="28%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">= $dir/certs </span>
</p>
</td>
<td style="width: 33.62%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="33%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">Where the issued certs are kept</span>
</p>
</td>
<td style="width: 21.68%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="21%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">证书文件保存目录</span>
</p>
</td>
</tr>
<tr>
<td style="width: 16.22%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="16%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">crl_dir </span></strong>
</p>
</td>
<td style="width: 28.48%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="28%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">= $dir/crl </span>
</p>
</td>
<td style="width: 33.62%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="33%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">Where the issued crl are kept</span>
</p>
</td>
<td style="width: 21.68%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="21%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">证书吊销文件保存目录</span>
</p>
</td>
</tr>
<tr>
<td style="width: 16.22%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; padding: 0cm 5.4pt;" width="16%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">database </span></strong>
</p>
</td>
<td style="width: 28.48%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="28%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">= $dir/index.txt </span>
</p>
</td>
<td style="width: 33.62%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="33%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">database index file.</span>
</p>
</td>
<td style="width: 21.68%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="21%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">表示发过哪些证书,都要文件进行记录</span>
</p>
</td>
</tr>
<tr>
<td style="width: 16.22%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="16%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">new_certs_dir </span></strong>
</p>
</td>
<td style="width: 28.48%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="28%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">= $dir/newcerts </span>
</p>
</td>
<td style="width: 33.62%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="33%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">default place for new certs.</span>
</p>
</td>
<td style="width: 21.68%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="21%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">默认新证书的存放路径</span>
</p>
</td>
</tr>
<tr>
<td style="width: 16.22%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; padding: 0cm 5.4pt;" width="16%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">certificate </span></strong>
</p>
</td>
<td style="width: 28.48%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="28%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">= $dir/cacert.pem </span>
</p>
</td>
<td style="width: 33.62%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="33%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">The CA certificate</span>
</p>
</td>
<td style="width: 21.68%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="21%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">定义</span>ca<span style="font-family: '微软雅黑',sans-serif;">机构自己的证书</span>
</p>
</td>
</tr>
<tr>
<td style="width: 16.22%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="16%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">serial </span></strong>
</p>
</td>
<td style="width: 28.48%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="28%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">= $dir/serial </span>
</p>
</td>
<td style="width: 33.62%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="33%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">The current serial number</span>
</p>
</td>
<td style="width: 21.68%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="21%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">表示证书对应的序列号,一般从</span>01<span style="font-family: '微软雅黑',sans-serif;">开始</span>
</p>
</td>
</tr>
<tr>
<td style="width: 16.22%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; padding: 0cm 5.4pt;" width="16%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">crlnumber </span></strong>
</p>
</td>
<td style="width: 28.48%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="28%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">= $dir/crlnumber </span>
</p>
</td>
<td style="width: 33.62%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="33%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">the current crl number</span>
</p>
</td>
<td style="width: 21.68%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="21%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">表示吊销证书对应的序列号</span>
</p>
</td>
</tr>
<tr>
<td style="width: 16.22%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="16%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">crl </span></strong>
</p>
</td>
<td style="width: 28.48%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="28%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">= $dir/crl.pem </span>
</p>
</td>
<td style="width: 33.62%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="33%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">The current CRL</span>
</p>
</td>
<td style="width: 21.68%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="21%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">表示当前证书吊销列表文件</span>
</p>
</td>
</tr>
<tr>
<td style="width: 16.22%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; padding: 0cm 5.4pt;" width="16%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">private_key </span></strong>
</p>
</td>
<td style="width: 28.48%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="28%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">= $dir/private/cakey.pem</span>
</p>
</td>
<td style="width: 33.62%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="33%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">The private key</span>
</p>
</td>
<td style="width: 21.68%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="21%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">表示</span>ca<span style="font-family: '微软雅黑',sans-serif;">机构自身的私钥文件</span>
</p>
</td>
</tr>
<tr>
<td style="width: 16.22%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="16%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">RANDFILE </span></strong>
</p>
</td>
<td style="width: 28.48%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="28%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">= $dir/private/.rand </span>
</p>
</td>
<td style="width: 33.62%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="33%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">private random number file</span>
</p>
</td>
<td style="width: 21.68%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="21%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">私钥随机数文件,此文件默认会自己建立</span>
</p>
</td>
</tr>
<tr>
<td style="width: 100%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #92d050; padding: 0cm 5.4pt;" colspan="4" width="100%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: '微软雅黑',sans-serif;">在</span>/ctc/pki/CA</strong><strong><span style="font-family: '微软雅黑',sans-serif;">的证书路径下,还需要要有</span>certs crl newcerts</strong><strong><span style="font-family: '微软雅黑',sans-serif;">三个子目录信息</span></strong>
</p>
</td>
</tr>
</table>
<p>
<span style="font-family: '微软雅黑',sans-serif;">指定证书相关的有效期配置</span>
</p>
<table style="width: 100%; border-collapse: collapse; border-width: initial; border-style: none; border-color: initial;" border="1" cellspacing="0" cellpadding="0">
<tr>
<td style="width: 20.3%; border-top: 1pt solid #9bbb59; border-bottom: 1pt solid #9bbb59; border-left: 1pt solid #9bbb59; border-right: none; background: #9bbb59; padding: 0cm 5.4pt;" width="20%">
<p style="text-align: center;" align="center">
<strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: white;">参数</span></strong>
</p>
</td>
<td style="width: 14.92%; border-top: solid #9BBB59 1.0pt; border-left: none; border-bottom: solid #9BBB59 1.0pt; border-right: none; background: #9BBB59; padding: 0cm 5.4pt 0cm 5.4pt;" width="14%">
<p style="text-align: center;" align="center">
<strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: white;">配置</span></strong>
</p>
</td>
<td style="width: 31.18%; border-top: solid #9BBB59 1.0pt; border-left: none; border-bottom: solid #9BBB59 1.0pt; border-right: none; background: #9BBB59; padding: 0cm 5.4pt 0cm 5.4pt;" width="31%">
<p style="text-align: center;" align="center">
<strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: white;">官方配置说明</span></strong>
</p>
</td>
<td style="width: 33.62%; border-top: 1pt solid #9bbb59; border-right: 1pt solid #9bbb59; border-bottom: 1pt solid #9bbb59; border-left: none; background: #9bbb59; padding: 0cm 5.4pt;" width="33%">
<p style="text-align: center;" align="center">
<strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: white;">解释配置说明</span></strong>
</p>
</td>
</tr>
<tr>
<td style="width: 20.3%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="20%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">default_days </span></strong>
</p>
</td>
<td style="width: 14.92%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="14%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">= 365 </span>
</p>
</td>
<td style="width: 31.18%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="31%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">how long to certify for</span>
</p>
</td>
<td style="width: 33.62%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="33%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">定义证书的有效期</span>
</p>
</td>
</tr>
<tr>
<td style="width: 20.3%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; padding: 0cm 5.4pt;" width="20%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">default_crl_days</span></strong>
</p>
</td>
<td style="width: 14.92%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="14%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">= 30 </span>
</p>
</td>
<td style="width: 31.18%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="31%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">how long before next CRL</span>
</p>
</td>
<td style="width: 33.62%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="33%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">默认证书放置到吊销列表中的保存时间</span>
</p>
</td>
</tr>
<tr>
<td style="width: 20.3%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="20%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">default_md </span></strong>
</p>
</td>
<td style="width: 14.92%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="14%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">= default</span>
</p>
</td>
<td style="width: 31.18%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="31%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">use public key default MD</span>
</p>
</td>
<td style="width: 33.62%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="33%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">指定单向加密算法采用的是默认的</span>
</p>
</td>
</tr>
<tr>
<td style="width: 20.3%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; padding: 0cm 5.4pt;" width="20%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">preserve </span></strong>
</p>
</td>
<td style="width: 14.92%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="14%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">= no </span>
</p>
</td>
<td style="width: 31.18%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="31%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">keep passed DN ordering</span>
</p>
</td>
<td style="width: 33.62%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="33%">
<p style="text-align: justify; text-justify: inter-ideograph;">
-
</p>
</td>
</tr>
</table>
<p>
<span style="font-family: '微软雅黑',sans-serif;">定义</span>[ req_distinguished_name ]<span style="font-family: '微软雅黑',sans-serif;">模块参数信息,即指定证书中的一些基本属性信息</span>
</p>
<table style="border-collapse: collapse; border-width: initial; border-style: none; border-color: initial; width: 100%;" border="1" cellspacing="0" cellpadding="0">
<tr>
<td style="width: 35.92%; border-top: 1pt solid #9bbb59; border-bottom: 1pt solid #9bbb59; border-left: 1pt solid #9bbb59; border-right: none; background: #9bbb59; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: white;">参数</span></strong>
</p>
</td>
<td style="width: 26.4%; border-top: solid #9BBB59 1.0pt; border-left: none; border-bottom: solid #9BBB59 1.0pt; border-right: none; background: #9BBB59; padding: 0cm 5.4pt 0cm 5.4pt;" width="26%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: white;">配置</span></strong>
</p>
</td>
<td style="width: 24.4%; border-top: solid #9BBB59 1.0pt; border-left: none; border-bottom: solid #9BBB59 1.0pt; border-right: none; background: #9BBB59; padding: 0cm 5.4pt 0cm 5.4pt;" width="24%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: white;">举例配置</span></strong>
</p>
</td>
<td style="width: 13.28%; border-top: 1pt solid #9bbb59; border-right: 1pt solid #9bbb59; border-bottom: 1pt solid #9bbb59; border-left: none; background: #9bbb59; padding: 0cm 5.4pt;" width="13%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: white;">解释配置说明</span></strong>
</p>
</td>
</tr>
<tr>
<td style="width: 35.92%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">countryName_default</span></strong>
</p>
</td>
<td style="width: 26.4%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="26%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">= XX</span>
</p>
</td>
<td style="width: 24.4%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="24%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">= CN</span>
</p>
</td>
<td style="width: 13.28%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="13%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">国家或地区</span>
</p>
</td>
</tr>
<tr>
<td style="width: 35.92%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">stateOrProvinceName_default</span></strong>
</p>
</td>
<td style="width: 26.4%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="26%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 宋体;">=</span><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;"> Default Province</span>
</p>
</td>
<td style="width: 24.4%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="24%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">= BJ</span>
</p>
</td>
<td style="width: 13.28%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="13%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">省份</span>/<span style="font-family: '微软雅黑',sans-serif;">州</span>
</p>
</td>
</tr>
<tr>
<td style="width: 35.92%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">localityName_default</span></strong>
</p>
</td>
<td style="width: 26.4%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="26%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 宋体;">=</span><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;"> Default City</span>
</p>
</td>
<td style="width: 24.4%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="24%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">= BJ</span>
</p>
</td>
<td style="width: 13.28%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="13%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">城市名称</span>
</p>
</td>
</tr>
<tr>
<td style="width: 35.92%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">0.organizationName_default</span></strong>
</p>
</td>
<td style="width: 26.4%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="26%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 宋体;">=</span><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;"> Default Company Ltd</span>
</p>
</td>
<td style="width: 24.4%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="24%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">= nmtui.com</span>
</p>
</td>
<td style="width: 13.28%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="13%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">公司组织名称</span>
</p>
</td>
</tr>
<tr>
<td style="width: 35.92%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">organizationalUnitName_default</span></strong>
</p>
</td>
<td style="width: 26.4%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="26%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">=</span>
</p>
</td>
<td style="width: 24.4%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="24%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">= ops</span>
</p>
</td>
<td style="width: 13.28%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="13%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">部门名称</span>
</p>
</td>
</tr>
<tr>
<td style="width: 35.92%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">commonName_default</span></strong>
</p>
</td>
<td style="width: 26.4%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="26%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">-</span>
</p>
</td>
<td style="width: 24.4%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="24%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">= blog.nmtui.com</span>
</p>
</td>
<td style="width: 13.28%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="13%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">主机名</span>/<span style="font-family: '微软雅黑',sans-serif;">域名</span>
</p>
</td>
</tr>
<tr>
<td style="width: 35.92%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong><span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">emailAddress_default</span></strong>
</p>
</td>
<td style="width: 26.4%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="26%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">-</span>
</p>
</td>
<td style="width: 24.4%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="24%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: 'Yu Gothic UI Semibold',sans-serif;">= [email protected]</span>
</p>
</td>
<td style="width: 13.28%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="13%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">邮件地址</span>
</p>
</td>
</tr>
</table>
<h3>
<span id="155">1.5.5 <span style="font-family: '微软雅黑',sans-serif;">公司中申请证书文件的流程</span></span>
</h3>
<div class="cnblogs_code">
<pre><span style="color: #008000;">#</span><span style="color: #008000;"> 第一步创建私钥文件:</span>
(umask 077;openssl genrsa -out httpd.key 1024) # 模拟客户端,创建web服务的私钥 # 第二步创建证书请求文件 openssl req -new -key httpd.key -out httpd.csr # 创建向CA申请证书的请求证书 # 第三步将请求文件发送给证书颁发机构
<h2>
<span id="16_WEBHTTPS">1.6 WEB<span style="font-family: '微软雅黑',sans-serif;">服务实现</span>HTTPS<span style="font-family: '微软雅黑',sans-serif;">访问</span></span>
</h2>
<h3>
<span id="161">1.6.1 <span style="font-family: '微软雅黑',sans-serif;">证书的创建</span></span>
</h3>
<p style="text-indent: 21.0pt;">
<span style="font-family: '微软雅黑',sans-serif;">说明:再测试环境中,可以使用只生产的证书进行测试(使用只生产的证书在访问时会报证书不安全!),自生产证书的方法如上所示。</span>
</p>
<p style="text-indent: 21.0pt;">
<span style="font-family: '微软雅黑',sans-serif;">这是使用的时腾讯云申请的免费</span>SSL<span style="font-family: '微软雅黑',sans-serif;">证书进行测试。</span>
</p>
<p style="text-indent: 21.0pt;">
<strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";background: yellow;">证书获取方法:</span></strong>
</p>
<p>
<span style="font-family: '微软雅黑',sans-serif;">登陆腾讯云,访问</span><a href="https://console.cloud.tencent.com/ssl">https://console.cloud.tencent.com/ssl</a><span style="font-family: '微软雅黑',sans-serif;">证书管理。</span>
</p>
<p style="text-align: center;" align="center">
<img data-original="https://clsn.io/wp-content/uploads/2018/03/1190037-20180119110835209-1554995470.png" src="/wp-content/themes/clsn-003/img/blank.gif" alt="HTTPS 原理与证书实践" alt="" />
</p>
<p style="text-align: center;" align="center">
<span style="font-family: '微软雅黑',sans-serif;">图</span> - <span style="font-family: '微软雅黑',sans-serif;">申请证书</span>
</p>
<p style="text-align: center;" align="center">
<img data-original="https://clsn.io/wp-content/uploads/2018/03/1190037-20180119110844349-536824876.png" src="/wp-content/themes/clsn-003/img/blank.gif" alt="HTTPS 原理与证书实践" alt="" />
</p>
<p style="text-align: center;" align="center">
<span style="font-family: '微软雅黑',sans-serif;">图</span> - <span style="font-family: '微软雅黑',sans-serif;">选择《亚洲诚信》免费证书</span>
</p>
<p style="text-align: center;" align="center">
<img data-original="https://clsn.io/wp-content/uploads/2018/03/1190037-20180119110851443-358141036.png" src="/wp-content/themes/clsn-003/img/blank.gif" alt="HTTPS 原理与证书实践" alt="" />
</p>
<p style="text-align: center;" align="center">
<span style="font-family: '微软雅黑',sans-serif;">图</span> - <span style="font-family: '微软雅黑',sans-serif;">输入域名信息</span>
</p>
<p style="text-align: center;" align="center">
<span style="font-family: '微软雅黑',sans-serif;">注意:域名需要为你所持有的域名</span>
</p>
<p style="text-align: center;" align="center">
<img data-original="https://clsn.io/wp-content/uploads/2018/03/1190037-20180119110858396-267584542.png" src="/wp-content/themes/clsn-003/img/blank.gif" alt="HTTPS 原理与证书实践" alt="" />
</p>
<p style="text-align: center;" align="center">
<span style="font-family: '微软雅黑',sans-serif;">图</span> - <span style="font-family: '微软雅黑',sans-serif;">验证域名的所有权</span>
</p>
<p style="text-align: center;" align="center">
<span style="font-family: '微软雅黑',sans-serif;">域名验证通过后,即可下载生成的密钥</span>
</p>
<p style="text-align: center;" align="center">
<img data-original="https://clsn.io/wp-content/uploads/2018/03/1190037-20180119110904928-336310638.png" src="/wp-content/themes/clsn-003/img/blank.gif" alt="HTTPS 原理与证书实践" alt="" />
</p>
<p style="text-align: center;" align="center">
<span style="font-family: '微软雅黑',sans-serif;">图</span> - <span style="font-family: '微软雅黑',sans-serif;">下载证书文件</span>
</p>
<p style="text-align: center;" align="center">
<img data-original="https://clsn.io/wp-content/uploads/2018/03/1190037-20180119110910678-1786088765.png" src="/wp-content/themes/clsn-003/img/blank.gif" alt="HTTPS 原理与证书实践" alt="" />
</p>
<p style="text-align: center;" align="center">
<span style="font-family: '微软雅黑',sans-serif;">图</span> - <span style="font-family: '微软雅黑',sans-serif;">得到的证书文件</span>
</p>
<h3>
<span id="162_nginxhttps">1.6.2 nginx<span style="font-family: '微软雅黑',sans-serif;">配置</span>https<span style="font-family: '微软雅黑',sans-serif;">访问</span></span>
</h3>
<p style="text-indent: 15.75pt;">
nginx<span style="font-family: '微软雅黑',sans-serif;">的搭建参考:</span><a href="/wp-content/themes/clsn-003/inc/go.php?url=http://www.cnblogs.com/clsn/p/8025324.html" >http://www.cnblogs.com/clsn/p/8025324.html</a>
</p>
<p style="margin-left: 7.1pt; text-indent: 8.65pt;">
<span style="font-family: '微软雅黑',sans-serif;">创建证书存放目录,讲获取的证书放到这个目录</span>
</p>
<div class="cnblogs_code">
<pre>[root@web01 key]<span style="color: #008000;">#</span><span style="color: #008000;"> mkdir -p cd /application/nginx/conf/key/</span>
[root@web01 ~]# cd /application/nginx/conf/key/ [root@web01 key]# ll total 8 -rw-r–r– 1 www www 3307 Jan 18 10:48 1_blog.nmtui.com_bundle.crt -rw-r–r– 1 www www 1700 Jan 18 10:48 2_blog.nmtui.com.key
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">主配置文件</span>
</p>
<div class="cnblogs_code">
<pre>[root@web01 ~]<span style="color: #008000;">#</span><span style="color: #008000;"> cat /application/nginx/conf/nginx.conf</span>
worker_processes 1; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; client_max_body_size 1000M; client_body_buffer_size 10M; log_format main ’$remote_addr - $remote_user [$time_local] “$request” ’ ’$status $body_bytes_sent “$http_referer” ’ ’"$http_user_agent" “$http_x_forwarded_for”’;
include extra</span>/<span style="color: #000000;">blog.conf;
}
<p style="text-indent: 15.75pt;">
blog<span style="font-family: '微软雅黑',sans-serif;">站点配置文件</span>
</p>
<div class="cnblogs_code">
<pre>[root@web01 ~]<span style="color: #008000;">#</span><span style="color: #008000;"> cat /application/nginx/conf/extra/blog.conf </span>
server{
listen 80;
server_name blog.nmtui.com;
rewrite ^(.) https://$host$1 permanent;
}
server {
listen 443;
server_name blog.nmtui.com;
ssl on;
ssl_certificate /application/nginx/conf/key/1_blog.nmtui.com_bundle.crt;
ssl_certificate_key /application/nginx/conf/key/2_blog.nmtui.com.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
location / {
root html/blog;
try_files $uri $uri/ /index.php?$args;
index index.php index.html index.htm;
}
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
location ~ .*.(php|php5)?$ {
root html/blog;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi.conf;
}
access_log logs/access_blog.log main;
}
<p>
<span style="font-family: '微软雅黑',sans-serif;">创建测试面页</span>
</p>
<div class="cnblogs_code">
<pre>[root@web01 ~]<span style="color: #008000;">#</span><span style="color: #008000;"> cat >> /application/nginx/html/blog/clsn.html <<EOF</span>
web01 https://blog.nmtui.com EOF
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">配置完成后重启,在浏览器进访问测试</span>
</p>
<p style="text-align: center; text-indent: 15.75pt;" align="center">
<img data-original="https://clsn.io/wp-content/uploads/2018/03/1190037-20180119111202803-936086090.png" src="/wp-content/themes/clsn-003/img/blank.gif" alt="HTTPS 原理与证书实践" alt="" />
</p>
<h3>
<span id="163_httphttps">1.6.3 <span style="font-family: '微软雅黑',sans-serif;">实现</span>http<span style="font-family: '微软雅黑',sans-serif;">访问自动跳转到</span>https<span style="font-family: '微软雅黑',sans-serif;">的方法</span></span>
</h3>
<p>
<span style="font-family: '微软雅黑',sans-serif;">方法一:利用地址重写功能</span>
</p>
<div class="cnblogs_code">
<pre><span style="color: #000000;">server {
listen </span>80<span style="color: #000000;">;
server_name blog.nmtui.com;
rewrite </span>^(.*)$ https://$host$1<span style="color: #000000;"> permanent;
} # 说明:在https配置server基础上再添加http跳转server
<p>
<span style="font-family: '微软雅黑',sans-serif;">方法二:利用</span>error_page<span style="font-family: '微软雅黑',sans-serif;">识别错误码信息进行跳转</span>
</p>
<div class="cnblogs_code">
<pre><span style="color: #000000;">server {
listen </span>443<span style="color: #000000;">;
listen </span>80<span style="color: #000000;">;
server_name blog.nmtui.com;
ssl on;
ssl_certificate </span>/application/nginx/conf/key/<span style="color: #000000;">1_blog.nmtui.com_bundle.crt;
ssl_certificate_key </span>/application/nginx/conf/key/<span style="color: #000000;">2_blog.nmtui.com.key;
location </span>/<span style="color: #000000;"> {
root html</span>/<span style="color: #000000;">www;
index index.html index.htm;
}
error_page </span>497 https://<span style="color: #000000;">$host$uri;
}
<p style="text-indent: 21.0pt;">
<span style="font-family: '微软雅黑',sans-serif;">说明:</span>497<span style="font-family: '微软雅黑',sans-serif;">为内置错误码,当访问</span>http<span style="font-family: '微软雅黑',sans-serif;">无法处理,需要利用</span>https<span style="font-family: '微软雅黑',sans-serif;">处理时</span>
</p>
<h3>
<span id="164_nginxhttphttps">1.6.4 <span style="font-family: '微软雅黑',sans-serif;">利用</span>nginx<span style="font-family: '微软雅黑',sans-serif;">反向代理服务器进行</span>http<span style="font-family: '微软雅黑',sans-serif;">到</span>https<span style="font-family: '微软雅黑',sans-serif;">跳转</span></span>
</h3>
<p>
<span style="font-family: '微软雅黑',sans-serif;">第一个里程碑:修改地址池信息</span>
</p>
<div class="cnblogs_code">
<pre><span style="color: #000000;"> upstream www_server_pools {
server </span>10.0.0.8:443<span style="color: #000000;">;
}</span></pre>
</div>
<p>
<span style="font-family: '微软雅黑',sans-serif;">第二个里程碑:修改地址池调用信息</span>
</p>
<div class="cnblogs_code">
<pre><span style="color: #000000;"> server {
listen </span>443<span style="color: #000000;">;
server_name blog.nmtui.com;
ssl on;
ssl_certificate </span>/application/nginx/conf/key/<span style="color: #000000;">1_blog.nmtui.com_bundle.crt;
ssl_certificate_key </span>/application/nginx/conf/key/<span style="color: #000000;">2_blog.nmtui.com.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.</span>1 TLSv1.2<span style="color: #000000;">;
ssl_ciphers ECDHE</span>-RSA-AES128-GCM-<span style="color: #000000;">SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
location </span>/<span style="color: #000000;"> {
proxy_pass https:</span>//<span style="color: #000000;">server_pools;
}
}</span></pre>
</div>
<p>
<span style="font-family: '微软雅黑',sans-serif;">第三个里程碑:定义</span>http<span style="font-family: '微软雅黑',sans-serif;">到</span>https<span style="font-family: '微软雅黑',sans-serif;">跳转配置信息</span>
</p>
<div class="cnblogs_code">
<pre><span style="color: #000000;"> server {
listen </span>80<span style="color: #000000;">;
server_name blog.nmtui.com;
rewrite </span>^(.*)$ https://$host$1<span style="color: #000000;"> permanent;
}</span></pre>
</div>
<h2>
<span id="17_-_ngx_http_ssl_module">1.7 <span style="font-family: '微软雅黑',sans-serif;">附录</span> - ngx_http_ssl_module<span style="font-family: '微软雅黑',sans-serif;">模块说明</span></span>
</h2>
<p style="text-indent: 21.0pt;">
ngx_http_ssl_module<span style="font-family: '微软雅黑',sans-serif;">模块为实现</span> HTTPS<span style="font-family: '微软雅黑',sans-serif;">提供了必要的支持。</span>
</p>
<p style="text-indent: 21.0pt;">
<span style="font-family: '微软雅黑',sans-serif;">此模块不是在默认情况下生成的</span>, <span style="font-family: '微软雅黑',sans-serif;">在安装</span>nginx<span style="font-family: '微软雅黑',sans-serif;">时使用</span>--with-http_ssl_module<span style="font-family: '微软雅黑',sans-serif;">配置参数启用它。此模块需要</span><span style="text-decoration: underline;">OpenSSL</span><span style="font-family: '微软雅黑',sans-serif;">库。详情参照:</span><a href="/wp-content/themes/clsn-003/inc/go.php?url=http://www.cnblogs.com/clsn/p/8025324.html#_label3" >http://www.cnblogs.com/clsn/p/8025324.html#_label3</a>
</p>
<h3>
<span id="171">1.7.1 <span style="font-family: '微软雅黑',sans-serif;">示例配置</span></span>
</h3>
<p>
<span style="font-family: '微软雅黑',sans-serif;">为了减轻处理器负载,建议</span>
</p>
<p style="margin-left: 42.0pt; text-indent: -21.0pt;">
<span style="font-family: Wingdings;">ü </span><span style="font-family: '微软雅黑',sans-serif;">设置工作进程的数量等于处理器的数量;</span>
</p>
<p style="margin-left: 42.0pt; text-indent: -21.0pt;">
<span style="font-family: Wingdings;">ü </span><span style="font-family: '微软雅黑',sans-serif;">启用保持连接;</span>
</p>
<p style="margin-left: 42.0pt; text-indent: -21.0pt;">
<span style="font-family: Wingdings;">ü </span><span style="font-family: '微软雅黑',sans-serif;">启用共享会话缓存;</span>
</p>
<p style="margin-left: 42.0pt; text-indent: -21.0pt;">
<span style="font-family: Wingdings;">ü </span><span style="font-family: '微软雅黑',sans-serif;">禁用内置的会话缓存;</span>
</p>
<p style="margin-left: 42.0pt; text-indent: -21.0pt;">
<span style="font-family: Wingdings;">ü </span><span style="font-family: '微软雅黑',sans-serif;">建议增加会话超时时间</span> <span style="font-family: '微软雅黑',sans-serif;">(默认为</span>5<span style="font-family: '微软雅黑',sans-serif;">分钟)。</span>
</p>
<div class="cnblogs_code">
<pre><span style="color: #000000;">worker_processes auto;
http {
...
server {
listen </span>443<span style="color: #000000;"> ssl;
keepalive_timeout </span>70<span style="color: #000000;">;
ssl_protocols TLSv1 TLSv1.</span>1 TLSv1.2<span style="color: #000000;">;
ssl_ciphers AES128</span>-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-<span style="color: #000000;">MD5;
ssl_certificate </span>/usr/local/nginx/conf/<span style="color: #000000;">cert.pem;
ssl_certificate_key </span>/usr/local/nginx/conf/<span style="color: #000000;">cert.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
...
}</span><span style="text-indent: -21pt;"> </span></pre>
</div>
<h3>
<span id="172_SSL">1.7.2 SSL<span style="font-family: '微软雅黑',sans-serif;">模块指令说明</span></span>
</h3>
<h4>
<span id="1721nbspssl"><strong><span style="courier new"4courier new"; background: yellow;">1.7.2.1 </span></strong><strong><span style="background: yellow;">ssl</span></strong></span>
</h4>
<div class="cnblogs_code">
<pre>Syntax: ssl on |<span style="color: #000000;"> off;
Default: ssl off; Context: http, server
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">为指定的虚拟服务器启用</span>HTTPS<span style="font-family: '微软雅黑',sans-serif;">协议,默认关闭。</span>
</p>
<h4>
<span id="1722nbspssl_buffer_size"><strong><span style="courier new"4courier new"; background: yellow;">1.7.2.2 </span></strong><strong><span style="background: yellow;">ssl_buffer_size</span></strong></span>
</h4>
<div class="cnblogs_code">
<pre><span style="color: #000000;">Syntax: ssl_buffer_size size;
Default: ssl_buffer_size 16k; Context: http, server # This directive appeared in version 1.5.9.
<p>
<span style="font-family: '微软雅黑',sans-serif;">该指令用于设置用于发送数据的缓冲区的大小。</span>
</p>
<p style="text-indent: 21.0pt;">
<span style="font-family: '微软雅黑',sans-serif;">默认情况下,缓冲区大小为</span>16k<span style="font-family: '微软雅黑',sans-serif;">,这对应于发送大响应时的最小开销。为了将发送第一个字节的时间减少,可以使用较小的值,例如:</span>
</p>
<div class="cnblogs_code">
<pre>ssl_buffer_size 4k;<span style="text-indent: 21pt;"> </span></pre>
</div>
<h4>
<span id="1723nbspssl_certificate"><strong><span style="courier new"4courier new"; background: yellow;">1.7.2.3 </span></strong><strong><span style="background: yellow;">ssl_certificate</span></strong></span>
</h4>
<div class="cnblogs_code">
<pre><span style="color: #000000;">Syntax: ssl_certificate file;
Default: — Context: http, server
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">指定虚拟主机的</span> PEM <span style="font-family: '微软雅黑',sans-serif;">格式的<strong><span style="text-decoration: underline;"><span style="color: red;">证书文件</span></span></strong>路径</span> <span style="font-family: '微软雅黑',sans-serif;">。如果除了主证书外</span>,<span style="font-family: '微软雅黑',sans-serif;">还要指定中间证书</span>, <span style="font-family: '微软雅黑',sans-serif;">则应按以下顺序在同一文件中指定它们</span>: <span style="font-family: '微软雅黑',sans-serif;">主证书首先出现</span>, <span style="font-family: '微软雅黑',sans-serif;">然后是中间证书。</span>PEM <span style="font-family: '微软雅黑',sans-serif;">格式的密钥可以放在同一个文件中。</span>
</p>
<p>
<span style="font-family: '微软雅黑',sans-serif;">从</span>1.11.0<span style="font-family: '微软雅黑',sans-serif;">版本开始,可以多次使用该指令来加载不同类型的证书,例如</span>RSA<span style="font-family: '微软雅黑',sans-serif;">和</span>ECDSA<span style="font-family: '微软雅黑',sans-serif;">:</span>
</p>
<div class="cnblogs_code">
<pre><span style="color: #000000;">server {
listen </span>443<span style="color: #000000;"> ssl;
server_name example.com;
ssl_certificate example.com.rsa.crt;
ssl_certificate_key example.com.rsa.key;
ssl_certificate example.com.ecdsa.crt;
ssl_certificate_key example.com.ecdsa.key;
...
}
<p>
<strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new"; color: red;">注意:</span></strong><span style="font-family: '微软雅黑',sans-serif;">只有</span><span style="text-decoration: underline;">OpenSSL 1.0.2</span><span style="font-family: '微软雅黑',sans-serif;">及以上版本,支持加载不同类型的证书。对于较旧的版本,只能使用同一类型的单个证书。</span>
</p>
<p>
<strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new"; color: red;">注意:使用</span><span style="color: red;">nginx</span></strong><strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new"; color: red;">配置</span><span style="color: red;">HTTPS</span></strong><strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new"; color: red;">多虚拟主机时,不同的主机要监听不同的地址,否则在初次访问时,</span><span style="color: red;">SSL</span></strong><strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: red;">连接在浏览器发送</span><span style="color: red;">HTTPs</span></strong><strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: red;">请求之前建立,而</span><span style="color: red;">nginx</span></strong><strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: red;">不知道请求的服务器的名称。因此,它只能提供默认的服务器证书。将会导致业务的异常。详情参照:</span></strong><a href="/wp-content/themes/clsn-003/inc/go.php?url=http://nginx.org/en/docs/http/configuring_https_servers.html#name_based_https_servers" >http://nginx.org/en/docs/http/configuring_https_servers.html#name_based_https_servers</a>
</p>
<h4>
<span id="1724nbspssl_certificate_key"><strong><span style="courier new"4courier new"; background: yellow;">1.7.2.4 </span></strong><strong><span style="background: yellow;">ssl_certificate_key</span></strong></span>
</h4>
<div class="cnblogs_code">
<pre><span style="color: #000000;">Syntax: ssl_certificate_key file;
Default: — Context: http, server
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">指定虚拟主机的</span> PEM <span style="font-family: '微软雅黑',sans-serif;">格式的<strong><span style="text-decoration: underline;"><span style="color: red;">密钥文件</span></span></strong>存放路径</span> <span style="font-family: '微软雅黑',sans-serif;">。</span>
</p>
<p>
<span style="font-family: '微软雅黑',sans-serif;">在</span>1.7.9<span style="font-family: '微软雅黑',sans-serif;">版本</span><em>engine:name:id </em><span style="font-family: '微软雅黑',sans-serif;">可以指定替代密钥文件,该指令能够从</span>OpenSSL<span style="font-family: '微软雅黑',sans-serif;">中加载指定</span>ID<span style="font-family: '微软雅黑',sans-serif;">的密钥</span> <em>name</em><span style="font-family: '微软雅黑',sans-serif;">。</span>
</p>
<h4>
<span id="1725nbspssl_ciphers"><strong><span style="courier new"4courier new"; background: yellow;">1.7.2.5 </span></strong><strong><span style="background: yellow;">ssl_ciphers</span></strong></span>
</h4>
<div class="cnblogs_code">
<pre><span style="color: #000000;">Syntax: ssl_ciphers ciphers;
Default: ssl_ciphers HIGH:!aNULL:!MD5; Context: http, server
<p>
<span style="font-family: '微软雅黑',sans-serif;">指定证书的加密方式。加密方式要是</span>openssl<span style="font-family: '微软雅黑',sans-serif;">可以识别的方式,例如:</span>
</p>
<div class="cnblogs_code">
<pre>ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;</pre>
</div>
<p>
<span style="font-family: '微软雅黑',sans-serif;">所有的加密方式可以在系统中通过</span>openssl ciphers<span style="font-family: '微软雅黑',sans-serif;">命令查看。</span>
</p>
<p>
<span style="font-family: '微软雅黑',sans-serif;">选用加密方式时要注意不同版本之间的兼容性问题,详情参考</span><a href="/wp-content/themes/clsn-003/inc/go.php?url=http://nginx.org/en/docs/http/configuring_https_servers.html#compatibility" >http://nginx.org/en/docs/http/configuring_https_servers.html#compatibility</a>
</p>
<h4>
<span id="1726nbspssl_client_certificate"><strong><span style="courier new"4courier new"; background: yellow;">1.7.2.6 </span></strong><strong><span style="background: yellow;">ssl_client_certificate</span></strong></span>
</h4>
<div class="cnblogs_code">
<pre><span style="color: #000000;">Syntax: ssl_client_certificate file;
Default: — Context: http, server
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">如果启用了</span>ssl_stapling<span style="font-family: '微软雅黑',sans-serif;">,则需要指定</span>PEM<span style="font-family: '微软雅黑',sans-serif;">格式的可信</span>CA<span style="font-family: '微软雅黑',sans-serif;">证书文件路径,用于验证客户端证书和</span>OCSP(Online Certificate Status Protocol<span style="font-family: '微软雅黑',sans-serif;">,在线证书状态协议</span>)<span style="font-family: '微软雅黑',sans-serif;">响应。</span>
</p>
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">注意</span>:<span style="font-family: '微软雅黑',sans-serif;">使用该参数时证书列表将被发送给客户。如果不需要,可以使用</span>ssl_trusted_certificate <span style="font-family: '微软雅黑',sans-serif;">指令。</span>
</p>
<h4>
<span id="1727nbspssl_crl"><strong><span style="courier new"4courier new"; background: yellow;">1.7.2.7 </span></strong><strong><span style="background: yellow;">ssl_crl</span></strong></span>
</h4>
<div class="cnblogs_code">
<pre><span style="color: #000000;">Syntax: ssl_crl file;
Default: — Context: http, server # This directive appeared in version 0.8.7.
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">指定用于验证客户端证书的</span> PEM <span style="font-family: '微软雅黑',sans-serif;">格式指定具有吊销证书</span> (CRL) <span style="font-family: '微软雅黑',sans-serif;">的文件</span> <span style="font-family: '微软雅黑',sans-serif;">。</span>
</p>
<h4>
<span id="1728nbspssl_dhparam"><strong><span style="courier new"4courier new"; background: yellow;">1.7.2.8 </span></strong><strong><span style="background: yellow;">ssl_dhparam</span></strong></span>
</h4>
<div class="cnblogs_code">
<pre><span style="color: #000000;">Syntax: ssl_dhparam file;
Default: — Context: http, server # This directive appeared in version 0.7.2.
<p>
<span style="font-family: '微软雅黑',sans-serif;">指定</span>DHE<span style="font-family: '微软雅黑',sans-serif;">加密方式的</span>DH<span style="font-family: '微软雅黑',sans-serif;">证书文件位置。</span>
</p>
<h4>
<span id="1729nbspssl_ecdh_curve"><strong><span style="courier new"4courier new"; background: yellow;">1.7.2.9 </span></strong><strong><span style="background: yellow;">ssl_ecdh_curve</span></strong></span>
</h4>
<div class="cnblogs_code">
<pre><span style="color: #000000;">Syntax: ssl_ecdh_curve curve;
Default:
ssl_ecdh_curve auto;
Context: http, server
# This directive appeared in versions 1.1.0 and 1.0.6.
<p style="text-indent: 21.0pt;">
<span style="font-family: '微软雅黑',sans-serif;">指定一个</span>curve<span style="font-family: '微软雅黑',sans-serif;">用于</span>ECDHE<span style="font-family: '微软雅黑',sans-serif;">密码。</span>
</p>
<p style="text-indent: 21.0pt;">
<span style="font-family: '微软雅黑',sans-serif;">当使用的</span>OpenSSL 1.0.2<span style="font-family: '微软雅黑',sans-serif;">或更高版本时,可以指定多</span>curve<span style="font-family: '微软雅黑',sans-serif;">(</span>1.11.0<span style="font-family: '微软雅黑',sans-serif;">),例如:</span>
</p>
<div class="cnblogs_code">
<pre>ssl_ecdh_curve prime256v1:secp384r1;</pre>
</div>
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">特殊值</span>auto<span style="font-family: '微软雅黑',sans-serif;">(</span>1.11.0<span style="font-family: '微软雅黑',sans-serif;">)指示</span>nginx<span style="font-family: '微软雅黑',sans-serif;">在使用</span>OpenSSL 1.0.2<span style="font-family: '微软雅黑',sans-serif;">或更高版本时使用</span>OpenSSL<span style="font-family: '微软雅黑',sans-serif;">库中内置的列表为</span>prime256v1<span style="font-family: '微软雅黑',sans-serif;">,或使用旧版本。</span>
</p>
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">在版本</span>1.11.0 <span style="font-family: '微软雅黑',sans-serif;">之前</span>, <span style="font-family: '微软雅黑',sans-serif;">默认</span>curve<span style="font-family: '微软雅黑',sans-serif;">为</span>prime256v1<span style="font-family: '微软雅黑',sans-serif;">。</span>
</p>
<h4>
<span id="17210nbspnbspnbspnbsp_ssl_password_file"><strong><span style="courier new"4courier new"; background: yellow;">1.7.2.10<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman';"> </span></span></strong><strong><span style="background: yellow;">ssl_password_file</span></strong></span>
</h4>
<div class="cnblogs_code">
<pre><span style="color: #000000;">Syntax: ssl_password_file file;
Default: — Context: http, server # This directive appeared in version 1.7.3.
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">为密钥指定一个<span style="text-decoration: underline;">密码文件</span></span> , <span style="font-family: '微软雅黑',sans-serif;">其中每个口令都在单独的行上指定密码。密码在加载密钥时依次尝试。</span>
</p>
<p>
<span style="font-family: '微软雅黑',sans-serif;">示例:</span>
</p>
<div class="cnblogs_code">
<pre><span style="color: #000000;">http {
ssl_password_file </span>/etc/keys/<span style="color: #0000ff;">global</span>.<span style="color: #0000ff;">pass</span><span style="color: #000000;">;
...
server {
server_name www1.example.com;
ssl_certificate_key </span>/etc/keys/<span style="color: #000000;">first.key;
}
server {
server_name www2.example.com;
</span><span style="color: #008000;">#</span><span style="color: #008000;"> named pipe can also be used instead of a file</span>
ssl_password_file /etc/keys/<span style="color: #000000;">fifo;
ssl_certificate_key </span>/etc/keys/<span style="color: #000000;">second.key;
}
}
<h4>
<span id="17211nbspnbspnbspnbsp_ssl_prefer_server_ciphers"><strong><span style="courier new"4courier new"; background: yellow;">1.7.2.11<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman';"> </span></span></strong><strong><span style="background: yellow;">ssl_prefer_server_ciphers</span></strong></span>
</h4>
<div class="cnblogs_code">
<pre>Syntax: ssl_prefer_server_ciphers on |<span style="color: #000000;"> off;
Default: ssl_prefer_server_ciphers off; Context: http, server
<p style="text-indent: 21.0pt;">
<span style="font-family: '微软雅黑',sans-serif;">指定在使用</span> SSLv3 <span style="font-family: '微软雅黑',sans-serif;">和</span> TLS <span style="font-family: '微软雅黑',sans-serif;">协议时</span>, <span style="font-family: '微软雅黑',sans-serif;">服务器密码应优先于客户端密码。</span>
</p>
<h4>
<span id="17212nbspnbspnbspnbsp_ssl_protocols"><strong><span style="courier new"4courier new"; background: yellow;">1.7.2.12<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman';"> </span></span></strong><strong><span style="background: yellow;">ssl_protocols</span></strong></span>
</h4>
<div class="cnblogs_code">
<pre>Syntax: ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3<span style="color: #000000;">];
Default: ssl_protocols TLSv1 TLSv1.1 TLSv1.2; Context: http, server
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">启用指定的</span>SSL<span style="font-family: '微软雅黑',sans-serif;">协议。</span>
</p>
<p>
<span style="font-family: '微软雅黑',sans-serif;">说明:</span>
</p>
<div class="cnblogs_code">
<pre>TLSv1.1和 TLSv1.2参数 (1.1.13、1.0.12) 仅在使用 OpenSSL 1.0.1<span style="color: #000000;"> 或更高时才起作用。
TLSv1.3参数 (1.13.0) 仅在使用用 TLSv1.3 仅在使用 OpenSSL 1.1.1 时有效。
<h4>
<span id="17213nbspnbspnbspnbsp_ssl_session_cache"><strong><span style="courier new"4courier new"; background: yellow;">1.7.2.13<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman';"> </span></span></strong><strong><span style="background: yellow;">ssl_session_cache</span></strong></span>
</h4>
<div class="cnblogs_code">
<pre>Syntax: ssl_session_cache off | none |<span style="color: #000000;"> [builtin[:size]] [shared:name:size];
Default: ssl_session_cache none; Context: http, server
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">设置存储会话参数的高速缓存的类型和大小。缓存可以是以下任何一种类型:</span>
</p>
<table style="width: 100%; border-collapse: collapse; border-width: initial; border-style: none; border-color: initial;" border="1" cellspacing="0" cellpadding="0">
<tr>
<td style="width: 24.36%; border-top: 1pt solid #9bbb59; border-bottom: 1pt solid #9bbb59; border-left: 1pt solid #9bbb59; border-right: none; background: #9bbb59; padding: 0cm 5.4pt;" width="24%">
<p style="text-align: center;" align="center">
<strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: white;">类型</span></strong>
</p>
</td>
<td style="width: 75.64%; border-top: 1pt solid #9bbb59; border-right: 1pt solid #9bbb59; border-bottom: 1pt solid #9bbb59; border-left: none; background: #9bbb59; padding: 0cm 5.4pt;" width="75%">
<p style="text-align: center;" align="center">
<strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: white;">类型说明</span></strong>
</p>
</td>
</tr>
<tr>
<td style="width: 24.36%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="24%">
<p style="text-align: center;" align="center">
<strong>off</strong>
</p>
</td>
<td style="width: 75.64%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="75%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">严格禁止使用会话缓存</span>: nginx <span style="font-family: '微软雅黑',sans-serif;">会明确告诉客户端会话可能无法重用。</span>
</p>
</td>
</tr>
<tr>
<td style="width: 24.36%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; padding: 0cm 5.4pt;" width="24%">
<p style="text-align: center;" align="center">
<strong>none</strong>
</p>
</td>
<td style="width: 75.64%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="75%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">不允许使用会话缓存</span>: nginx <span style="font-family: '微软雅黑',sans-serif;">告诉客户端会话可以重用</span>, <span style="font-family: '微软雅黑',sans-serif;">但实际上不会将会话参数存储在缓存中。</span>
</p>
</td>
</tr>
<tr>
<td style="width: 24.36%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="24%">
<p style="text-align: center;" align="center">
<strong>builtin</strong>
</p>
</td>
<td style="width: 75.64%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="75%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">建立</span> OpenSSL <span style="font-family: '微软雅黑',sans-serif;">的缓存:仅由一个工作进程使用。缓存大小在会话中指定。如果未给定大小</span>, <span style="font-family: '微软雅黑',sans-serif;">则默认为</span>20480<span style="font-family: '微软雅黑',sans-serif;">个会话。</span>
</p>
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">注意:使用内置缓存会导致产生内存碎片。</span>
</p>
</td>
</tr>
<tr>
<td style="width: 24.36%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; padding: 0cm 5.4pt;" width="24%">
<p style="text-align: center;" align="center">
<strong>shared</strong>
</p>
</td>
<td style="width: 75.64%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="75%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">所有工作进程之间共享的缓存:缓存大小以字节为单位指定,一兆字节可以存储大约</span>4000<span style="font-family: '微软雅黑',sans-serif;">个会话。每个共享缓存都应具有名称。可以在多个虚拟服务器中使用同名的缓存。</span>
</p>
</td>
</tr>
</table>
<p style="text-indent: 21.0pt;">
<span style="font-family: '微软雅黑',sans-serif;">两种不同的缓存类型都可以同时使用</span>, <span style="font-family: '微软雅黑',sans-serif;">例如</span>:
</p>
<div class="cnblogs_code">
<pre>ssl_session_cache builtin:1000 shared:SSL:10m;</pre>
</div>
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">但是</span>, <span style="font-family: '微软雅黑',sans-serif;">在没有内置缓存的情况下使用共享缓存才会更有效。</span>
</p>
<h4>
<span id="17214nbspnbspnbspnbsp_ssl_session_ticket_key"><strong><span style="courier new"4courier new"; background: yellow;">1.7.2.14<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman';"> </span></span></strong><strong><span style="background: yellow;">ssl_session_ticket_key</span></strong></span>
</h4>
<div class="cnblogs_code">
<pre><span style="color: #000000;">Syntax: ssl_session_ticket_key file;
Default: — Context: http, server # This directive appeared in version 1.5.7.
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">指定用于加密和解密</span>TLS<span style="font-family: '微软雅黑',sans-serif;">会话令牌的密钥文件存放位置。如果需要在多个服务器之间共享相同的密钥</span>,<span style="font-family: '微软雅黑',sans-serif;">则需要使用该指令。默认情况下</span>, <span style="font-family: '微软雅黑',sans-serif;">使用随机生成的密钥。</span>
</p>
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">如果指定了多个密钥</span>, <span style="font-family: '微软雅黑',sans-serif;">则仅使用第一个密钥对</span> TLS <span style="font-family: '微软雅黑',sans-serif;">会话进行加密。密钥对时可以进行轮换的,例如:</span>
</p>
<div class="cnblogs_code">
<pre><span style="color: #000000;">ssl_session_ticket_key current.key;
ssl_session_ticket_key previous.key;
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">该文件必须包含</span>80<span style="font-family: '微软雅黑',sans-serif;">或</span>48<span style="font-family: '微软雅黑',sans-serif;">字节的随机数</span>, <span style="font-family: '微软雅黑',sans-serif;">可以使用以下命令进行创建:</span>
</p>
<div class="cnblogs_code">
<pre>openssl rand 80 > ticket.key</pre>
</div>
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">根据文件大小的不同</span>, AES256 (<span style="font-family: '微软雅黑',sans-serif;">对于</span>80<span style="font-size: 13.5pt; font-family: 微软雅黑, sans-serif; background-image: initial; background-position: initial; background-size: initial; background-repeat: initial; background-attachment: initial; background-origin: initial; background-clip: initial;">字节密钥</span><span style="font-family: '微软雅黑',sans-serif;">、</span>1.11.8) <span style="font-family: '微软雅黑',sans-serif;">或</span> AES128 (<span style="font-family: '微软雅黑',sans-serif;">对于</span>48<span style="font-size: 13.5pt; font-family: 微软雅黑, sans-serif; background-image: initial; background-position: initial; background-size: initial; background-repeat: initial; background-attachment: initial; background-origin: initial; background-clip: initial;">字节密钥</span>) <span style="font-family: '微软雅黑',sans-serif;">用于加密。</span>
</p>
<h4>
<span id="17215nbspnbspnbspnbsp_ssl_session_tickets"><strong><span style="courier new"4courier new"; background: yellow;">1.7.2.15<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman';"> </span></span></strong><strong><span style="background: yellow;">ssl_session_tickets</span></strong></span>
</h4>
<div class="cnblogs_code">
<pre>Syntax: ssl_session_tickets on |<span style="color: #000000;"> off;
Default: ssl_session_tickets on; Context: http, server # This directive appeared in version 1.5.9.
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">通过</span>TLS session tickets<span style="font-family: '微软雅黑',sans-serif;">启用或禁用会话恢复</span> <span style="font-family: '微软雅黑',sans-serif;">。详情参考:</span><a href="https://tools.ietf.org/html/rfc5077">https://tools.ietf.org/html/rfc5077</a>
</p>
<h4>
<span id="17216nbspnbspnbspnbsp_ssl_session_timeout"><strong><span style="courier new"4courier new"; background: yellow;">1.7.2.16<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman';"> </span></span></strong><strong><span style="background: yellow;">ssl_session_timeout</span></strong></span>
</h4>
<div class="cnblogs_code">
<pre><span style="color: #000000;">Syntax: ssl_session_timeout time;
Default: ssl_session_timeout 5m; Context: http, server
<p>
<span style="font-family: '微软雅黑',sans-serif;">指定客户端可以重用会话参数的时间。</span>
</p>
<h4>
<span id="17217nbspnbspnbspnbsp_ssl_stapling"><strong><span style="courier new"4courier new"; background: yellow;">1.7.2.17<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman';"> </span></span></strong><strong><span style="background: yellow;">ssl_stapling</span></strong></span>
</h4>
<div class="cnblogs_code">
<pre>Syntax: ssl_stapling on |<span style="color: #000000;"> off;
Default: ssl_stapling off; Context: http, server # This directive appeared in version 1.3.7.
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">启用或禁用服务器对</span>OSCP<span style="font-family: '微软雅黑',sans-serif;">的响应,详情参考:</span><a href="https://tools.ietf.org/html/rfc4366#section-3.6">https://tools.ietf.org/html/rfc4366#section-3.6</a>
</p>
<p>
<span style="font-family: '微软雅黑',sans-serif;">配置示例:</span>
</p>
<div class="cnblogs_code">
<pre><span style="color: #000000;">ssl_stapling on;
resolver 192.0.2.1;
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">要使</span> OCSP <span style="font-family: '微软雅黑',sans-serif;">正常工作</span>, <span style="font-family: '微软雅黑',sans-serif;">需要知道服务器证书颁发者的证书</span>
</p>
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">如果</span>ssl_certificate<span style="font-family: '微软雅黑',sans-serif;">文件不包含中间证书</span>, <span style="font-family: '微软雅黑',sans-serif;">则应在</span>ssl_trusted_certificate<span style="font-family: '微软雅黑',sans-serif;">文件中显示服务器证书颁发者的证书。</span>
</p>
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">对于</span> OCSP <span style="font-family: '微软雅黑',sans-serif;">响应方主机名的解析</span>, <span style="font-family: '微软雅黑',sans-serif;">还应指定解析程序指令。</span>
</p>
<h4>
<span id="17218nbspnbspnbspnbsp_ssl_stapling_file"><strong><span style="courier new"4courier new"; background: yellow;">1.7.2.18<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman';"> </span></span></strong><strong><span style="background: yellow;">ssl_stapling_file</span></strong></span>
</h4>
<div class="cnblogs_code">
<pre><span style="color: #000000;">Syntax: ssl_stapling_file file;
Default: — Context: http, server # This directive appeared in version 1.3.7.
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">设置后,将从指定的</span>file<span style="font-family: '微软雅黑',sans-serif;">中采取订阅的</span> ocsp <span style="font-family: '微软雅黑',sans-serif;">响应</span>, <span style="font-family: '微软雅黑',sans-serif;">而不是查询在服务器证书中指定的</span> ocsp <span style="font-family: '微软雅黑',sans-serif;">应答器。</span>
</p>
<div class="cnblogs_code">
<pre>该文件应该是由“ openssl ocsp”命令产生的DER格式。</pre>
</div>
<h4>
<span id="17219nbspnbspnbspnbsp_ssl_stapling_responder"><strong><span style="courier new"4courier new"; background: yellow;">1.7.2.19<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman';"> </span></span></strong><strong><span style="background: yellow;">ssl_stapling_responder</span></strong></span>
</h4>
<div class="cnblogs_code">
<pre><span style="color: #000000;">Syntax: ssl_stapling_responder url;
Default: — Context: http, server # This directive appeared in version 1.3.7.
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">重写在</span> "<span style="font-family: '微软雅黑',sans-serif;">颁发机构信息访问</span>" <span style="font-family: '微软雅黑',sans-serif;">证书扩展中指定的</span> OCSP <span style="font-family: '微软雅黑',sans-serif;">响应程序的</span> URL<span style="font-family: '微软雅黑',sans-serif;">。</span>
</p>
<p>
<span style="font-family: '微软雅黑',sans-serif;">参考文献:</span><a href="https://tools.ietf.org/html/rfc5280#section-4.2.2.1">https://tools.ietf.org/html/rfc5280#section-4.2.2.1</a>
</p>
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">仅支持</span> "http://" OCSP <span style="font-family: '微软雅黑',sans-serif;">响应程序,例如</span>:
</p>
<div class="cnblogs_code">
<pre>ssl_stapling_responder http://ocsp.example.com/;</pre>
</div>
<h4>
<span id="17220nbspnbspnbspnbsp_ssl_stapling_verify"><strong><span style="courier new"4courier new"; background: yellow;">1.7.2.20<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman';"> </span></span></strong><strong><span style="background: yellow;">ssl_stapling_verify</span></strong></span>
</h4>
<div class="cnblogs_code">
<pre>Syntax: ssl_stapling_verify on |<span style="color: #000000;"> off;
Default: ssl_stapling_verify off; Context: http, server # This directive appeared in version 1.3.7.
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">启用或禁用服务器对</span> OCSP <span style="font-family: '微软雅黑',sans-serif;">响应的验证。</span>
</p>
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">要进行验证</span>, <span style="font-family: '微软雅黑',sans-serif;">应使用</span>ssl_trusted_certificate<span style="font-family: '微软雅黑',sans-serif;">指令将服务器证书颁发者、根证书和所有中间证书的证书配置为受信任。</span>
</p>
<h4>
<span id="17221nbspnbspnbspnbsp_ssl_trusted_certificate"><strong><span style="courier new"4courier new"; background: yellow;">1.7.2.21<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman';"> </span></span></strong><strong><span style="background: yellow;">ssl_trusted_certificate</span></strong></span>
</h4>
<div class="cnblogs_code">
<pre><span style="color: #000000;">Syntax: ssl_trusted_certificate file;
Default: — Context: http, server # This directive appeared in version 1.3.7.
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">指定一个</span> PEM <span style="font-family: '微软雅黑',sans-serif;">格式的文件</span> , <span style="font-family: '微软雅黑',sans-serif;">其中带有用于验证</span> <span style="text-decoration: underline;">ssl_stapling</span><span style="font-family: '微软雅黑',sans-serif;">启用时使用的校验证书和</span> OCSP <span style="font-family: '微软雅黑',sans-serif;">进行验证。</span>
</p>
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">与</span><span style="text-decoration: underline;">ssl_client_certificate</span><span style="font-family: '微软雅黑',sans-serif;">设置的证书正好相反</span>, <span style="font-family: '微软雅黑',sans-serif;">这些证书的列表将不会发送到客户端。</span>
</p>
<h4>
<span id="17222nbspnbspnbspnbsp_ssl_verify_client"><strong><span style="courier new"4courier new"; background: yellow;">1.7.2.22<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman';"> </span></span></strong><strong><span style="background: yellow;">ssl_verify_client</span></strong></span>
</h4>
<div class="cnblogs_code">
<pre>Syntax: ssl_verify_client on | off | optional |<span style="color: #000000;"> optional_no_ca;
Default: ssl_verify_client off; Context: http, server
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">启用对客户端证书的验证。验证结果存储在</span> <em>$ssl_client_verify</em><span style="font-family: '微软雅黑',sans-serif;">变量中。</span>
</p>
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">可选参数</span><span style="text-decoration: underline;">optional</span><span style="text-decoration: underline;"><span style="font-family: '微软雅黑',sans-serif;">(</span>0.8.7+</span><span style="text-decoration: underline;"><span style="font-family: '微软雅黑',sans-serif;">)</span></span><span style="font-family: '微软雅黑',sans-serif;">请求客户端证书、验证证书是否存在。</span>
</p>
<p style="text-indent: 15.75pt;">
<span style="font-family: '微软雅黑',sans-serif;">可选参数</span><span style="text-decoration: underline;">optional_no_ca (1.3.8, 1.2.5)</span><span style="font-family: '微软雅黑',sans-serif;">请求客户端证书而不需要将签署由受信任的</span>CA<span style="font-family: '微软雅黑',sans-serif;">证书。这适用于</span>nginx<span style="font-family: '微软雅黑',sans-serif;">外部的服务运行实际证书验证的情况。证书的内容可以通过变量</span><em>$ssl_client_cert</em><em><span style="font-family: '微软雅黑',sans-serif;">进行</span></em><span style="font-family: '微软雅黑',sans-serif;">访问</span> <span style="font-family: '微软雅黑',sans-serif;">。</span>
</p>
<h4>
<span id="17223nbspnbspnbspnbsp_ssl_verify_depth"><strong><span style="courier new"4courier new"; background: yellow;">1.7.2.23<span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman';"> </span></span></strong><strong><span style="background: yellow;">ssl_verify_depth</span></strong></span>
</h4>
<div class="cnblogs_code">
<pre><span style="color: #000000;">Syntax: ssl_verify_depth number;
Default: ssl_verify_depth 1; Context: http, server
<p style="text-indent: 15.75pt;">
<span style="font-size: 13.5pt; font-family: 微软雅黑, sans-serif; background-image: initial; background-position: initial; background-size: initial; background-repeat: initial; background-attachment: initial; background-origin: initial; background-clip: initial;">设置客户端证书的验证深度。</span>
</p>
<h3>
<span id="173_ngx_http_ssl_module">1.7.3 ngx_http_ssl_module<span style="font-family: '微软雅黑',sans-serif;">模块中常见错误处理</span></span>
</h3>
<p style="text-indent: 21.0pt;">
<span style="font-family: '微软雅黑',sans-serif;">在</span>ngx_http_ssl_module<span style="font-family: '微软雅黑',sans-serif;">模块支持几种非标准错误代码</span>, <span style="font-family: '微软雅黑',sans-serif;">可用于使用</span>error_page<span style="font-family: '微软雅黑',sans-serif;">指令进行重定向。</span>
</p>
<table style="width: 100%; border-collapse: collapse; border-width: initial; border-style: none; border-color: initial;" border="1" cellspacing="0" cellpadding="0">
<tr>
<td style="width: 14.88%; border-top: 1pt solid #9bbb59; border-bottom: 1pt solid #9bbb59; border-left: 1pt solid #9bbb59; border-right: none; background: #9bbb59; padding: 0cm 5.4pt;" width="14%">
<p style="text-align: center;" align="center">
<strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: white;">错误代码</span></strong>
</p>
</td>
<td style="width: 85.12%; border-top: 1pt solid #9bbb59; border-right: 1pt solid #9bbb59; border-bottom: 1pt solid #9bbb59; border-left: none; background: #9bbb59; padding: 0cm 5.4pt;" width="85%">
<p style="text-align: center;" align="center">
<strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: white;">产生原因</span></strong>
</p>
</td>
</tr>
<tr>
<td style="width: 14.88%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="14%">
<p style="text-align: center;" align="center">
<strong>495</strong>
</p>
</td>
<td style="width: 85.12%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="85%">
<p style="text-align: justify; text-justify: inter-ideograph;">
an error has occurred during the client certificate verification;
</p>
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">在客户端证书验证过程中发生错误</span>;
</p>
</td>
</tr>
<tr>
<td style="width: 14.88%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; padding: 0cm 5.4pt;" width="14%">
<p style="text-align: center;" align="center">
<strong>496</strong>
</p>
</td>
<td style="width: 85.12%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="85%">
<p style="text-align: justify; text-justify: inter-ideograph;">
a client has not presented the required certificate;
</p>
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">客户未出示所需证书</span>;
</p>
</td>
</tr>
<tr>
<td style="width: 14.88%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="14%">
<p style="text-align: center;" align="center">
<strong>497</strong>
</p>
</td>
<td style="width: 85.12%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="85%">
<p style="text-align: justify; text-justify: inter-ideograph;">
a regular request has been sent to the HTTPS port.
</p>
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">常规请求已发送到</span>HTTPS<span style="font-family: '微软雅黑',sans-serif;">端口。</span>
</p>
</td>
</tr>
</table>
<p style="text-indent: 21.0pt;">
<span style="font-family: '微软雅黑',sans-serif;">在对请求进行了完全分析并且变量</span> (<span style="font-family: '微软雅黑',sans-serif;">如</span>$request_uri<span style="font-family: '微软雅黑',sans-serif;">、</span> $uri<span style="font-family: '微软雅黑',sans-serif;">、</span> $args<span style="font-family: '微软雅黑',sans-serif;">和其他项</span>) <span style="font-family: '微软雅黑',sans-serif;">可用之后</span>, <span style="font-family: '微软雅黑',sans-serif;">重定向发生。</span>
</p>
<h3>
<span id="174_ngx_http_ssl_module">1.7.4 ngx_http_ssl_module<span style="font-family: '微软雅黑',sans-serif;">模块中嵌入变量</span></span>
</h3>
<p style="text-indent: 7.1pt;">
ngx_http_ssl_module<span style="font-family: '微软雅黑',sans-serif;">模块支持多个嵌入变量:</span>
</p>
<table style="width: 100%; border-collapse: collapse; border-width: initial; border-style: none; border-color: initial;" border="1" cellspacing="0" cellpadding="0">
<tr>
<td style="width: 35.12%; border-top: 1pt solid #9bbb59; border-bottom: 1pt solid #9bbb59; border-left: 1pt solid #9bbb59; border-right: none; background: #9bbb59; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: center;" align="center">
<strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: white;">变量</span></strong>
</p>
</td>
<td style="width: 64.88%; border-top: 1pt solid #9bbb59; border-right: 1pt solid #9bbb59; border-bottom: 1pt solid #9bbb59; border-left: none; background: #9bbb59; padding: 0cm 5.4pt;" width="64%">
<p style="text-align: center;" align="center">
<strong><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: white;">变量说明</span></strong>
</p>
</td>
</tr>
<tr>
<td style="width: 35.12%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong>$ssl_cipher</strong>
</p>
</td>
<td style="width: 64.88%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="64%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">返回用于已建立的</span> SSL <span style="font-family: '微软雅黑',sans-serif;">连接的密码字符串</span>;
</p>
</td>
</tr>
<tr>
<td style="width: 35.12%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong>$ssl_ciphers</strong>
</p>
</td>
<td style="width: 64.88%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="64%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">返回客户端支持的密码列表(</span>1.11.7<span style="font-family: '微软雅黑',sans-serif;">)。</span>
</p>
</td>
</tr>
<tr>
<td style="width: 35.12%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong>$ssl_client_escaped_cert</strong>
</p>
</td>
<td style="width: 64.88%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="64%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">以</span> PEM <span style="font-family: '微软雅黑',sans-serif;">格式</span> (urlencoded) <span style="font-family: '微软雅黑',sans-serif;">返回已建立的</span> SSL <span style="font-family: '微软雅黑',sans-serif;">连接</span> (1.13.5) <span style="font-family: '微软雅黑',sans-serif;">的客户端证书。</span>
</p>
</td>
</tr>
<tr>
<td style="width: 35.12%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong>$ssl_client_cert</strong>
</p>
</td>
<td style="width: 64.88%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="64%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">以建立的</span>SSL<span style="font-family: '微软雅黑',sans-serif;">连接的</span>PEM<span style="font-family: '微软雅黑',sans-serif;">格式返回客户端证书,除第一行之外的每一行都加上制表符</span>; <span style="font-family: '微软雅黑',sans-serif;">这是为了在</span> proxy_set_header<span style="font-family: '微软雅黑',sans-serif;">指令中使用</span>;
</p>
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: red;">该变量已被弃用,</span><span style="color: red;">$ssl_client_escaped_cert</span><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: red;">应该使用该变量。</span>
</p>
</td>
</tr>
<tr>
<td style="width: 35.12%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong>$ssl_client_fingerprint</strong>
</p>
</td>
<td style="width: 64.88%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="64%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">为建立的</span>SSL<span style="font-family: '微软雅黑',sans-serif;">连接(</span>1.7.1<span style="font-family: '微软雅黑',sans-serif;">)返回客户端证书的</span>SHA1<span style="font-family: '微软雅黑',sans-serif;">指纹</span>;
</p>
</td>
</tr>
<tr>
<td style="width: 35.12%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong>$ssl_client_i_dn</strong>
</p>
</td>
<td style="width: 64.88%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="64%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">根据</span>RFC 2253 (1.11.6) <span style="font-family: '微软雅黑',sans-serif;">返回已建立的</span> SSL <span style="font-family: '微软雅黑',sans-serif;">连接的客户端证书的</span> "<span style="font-family: '微软雅黑',sans-serif;">颁发者</span> DN" <span style="font-family: '微软雅黑',sans-serif;">字符串</span>;
</p>
</td>
</tr>
<tr>
<td style="width: 35.12%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong>$ssl_client_i_dn_legacy</strong>
</p>
</td>
<td style="width: 64.88%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="64%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">返回已建立的</span> SSL <span style="font-family: '微软雅黑',sans-serif;">连接的客户端证书的</span> "<span style="font-family: '微软雅黑',sans-serif;">颁发者</span> DN" <span style="font-family: '微软雅黑',sans-serif;">字符串</span>;
</p>
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: red;">在版本</span><span style="color: red;">1.11.6 </span><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new"; color: red;">之前</span><span style="color: red;">, </span><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: red;">变量名为</span><span style="color: red;">$ssl_client_i_dn.</span>
</p>
</td>
</tr>
<tr>
<td style="width: 35.12%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong>$ssl_client_raw_cert</strong>
</p>
</td>
<td style="width: 64.88%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="64%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">以</span> PEM <span style="font-family: '微软雅黑',sans-serif;">格式返回已建立的</span> SSL <span style="font-family: '微软雅黑',sans-serif;">连接的客户端证书</span>;
</p>
</td>
</tr>
<tr>
<td style="width: 35.12%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong>$ssl_client_s_dn</strong>
</p>
</td>
<td style="width: 64.88%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="64%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">根据</span>RFC 2253<span style="font-family: '微软雅黑',sans-serif;">(</span>1.11.6<span style="font-family: '微软雅黑',sans-serif;">),为建立的</span>SSL<span style="font-family: '微软雅黑',sans-serif;">连接返回客户端证书的“主题</span>DN<span style="font-family: '微软雅黑',sans-serif;">”字符串</span> ;
</p>
</td>
</tr>
<tr>
<td style="width: 35.12%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong>$ssl_client_s_dn_legacy</strong>
</p>
</td>
<td style="width: 64.88%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="64%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">为建立的</span>SSL<span style="font-family: '微软雅黑',sans-serif;">连接返回客户端证书的“主题</span>DN<span style="font-family: '微软雅黑',sans-serif;">”字符串</span>;
</p>
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: red;">在版本</span><span style="color: red;">1.11.6</span><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new"; color: red;">之前,变量名是</span><span style="color: red;">$ssl_client_s_dn</span>
</p>
</td>
</tr>
<tr>
<td style="width: 35.12%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong>$ssl_client_serial</strong>
</p>
</td>
<td style="width: 64.88%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="64%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">为建立的</span>SSL<span style="font-family: '微软雅黑',sans-serif;">连接返回客户端证书的序列号</span>;
</p>
</td>
</tr>
<tr>
<td style="width: 35.12%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong>$ssl_client_v_end</strong>
</p>
</td>
<td style="width: 64.88%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="64%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">返回客户端证书的结束日期(</span>1.11.7<span style="font-family: '微软雅黑',sans-serif;">)</span>;
</p>
</td>
</tr>
<tr>
<td style="width: 35.12%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong>$ssl_client_v_remain</strong>
</p>
</td>
<td style="width: 64.88%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="64%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">返回客户端证书过期的天数(</span>1.11.7<span style="font-family: '微软雅黑',sans-serif;">)</span>;
</p>
</td>
</tr>
<tr>
<td style="width: 35.12%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong>$ssl_client_v_start</strong>
</p>
</td>
<td style="width: 64.88%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="64%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">返回客户端证书的开始日期(</span>1.11.7<span style="font-family: '微软雅黑',sans-serif;">)</span>;
</p>
</td>
</tr>
<tr>
<td style="width: 35.12%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong>$ssl_client_verify</strong>
</p>
</td>
<td style="width: 64.88%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="64%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">如果证书不存在,则</span> <span style="font-family: '微软雅黑',sans-serif;">返回客户端证书验证的结果:“</span> SUCCESS<span style="font-family: '微软雅黑',sans-serif;">”,“</span> FAILED:reason<span style="font-family: '微软雅黑',sans-serif;">”和“</span> NONE<span style="font-family: '微软雅黑',sans-serif;">”</span>;
</p>
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: red;">在版本</span><span style="color: red;">1.11.7</span><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new"; color: red;">之前,“</span><span style="color: red;"> FAILED</span><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new";color: red;">”结果不包含</span><span style="color: red;">reason</span><span style="font-family: '微软雅黑',sans-serif; courier new"4courier new"; color: red;">字符串。</span>
</p>
</td>
</tr>
<tr>
<td style="width: 35.12%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong>$ssl_curves</strong>
</p>
</td>
<td style="width: 64.88%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="64%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">返回由客户端</span> (1.11.7) <span style="font-family: '微软雅黑',sans-serif;">支持的</span><span style="font-size: 13.5pt; background-image: initial; background-position: initial; background-size: initial; background-repeat: initial; background-attachment: initial; background-origin: initial; background-clip: initial;">curves</span>
</p>
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">仅当使用</span> OpenSSL <span style="font-family: '微软雅黑',sans-serif;">版本</span>1.0.2 <span style="font-family: '微软雅黑',sans-serif;">或更高时</span>, <span style="font-family: '微软雅黑',sans-serif;">才支持该变量。</span>
</p>
</td>
</tr>
<tr>
<td style="width: 35.12%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong>$ssl_protocol</strong>
</p>
</td>
<td style="width: 64.88%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="64%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">返回已建立的</span> SSL <span style="font-family: '微软雅黑',sans-serif;">连接的协议</span>;
</p>
</td>
</tr>
<tr>
<td style="width: 35.12%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong>$ssl_server_name</strong>
</p>
</td>
<td style="width: 64.88%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="64%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">通过</span>SNI <span style="font-family: '微软雅黑',sans-serif;">(</span>1.7.0<span style="font-family: '微软雅黑',sans-serif;">)返回请求的服务器名称</span> ;
</p>
</td>
</tr>
<tr>
<td style="width: 35.12%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; background: #eaf1dd; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong>$ssl_session_id</strong>
</p>
</td>
<td style="width: 64.88%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; background: #EAF1DD; padding: 0cm 5.4pt 0cm 5.4pt;" width="64%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">返回建立的</span>SSL<span style="font-family: '微软雅黑',sans-serif;">连接的会话标识符</span>;
</p>
</td>
</tr>
<tr>
<td style="width: 35.12%; border-right: 1pt solid #c2d69b; border-bottom: 1pt solid #c2d69b; border-left: 1pt solid #c2d69b; border-top: none; padding: 0cm 5.4pt;" width="35%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<strong>$ssl_session_reused</strong>
</p>
</td>
<td style="width: 64.88%; border-top: none; border-left: none; border-bottom: solid #C2D69B 1.0pt; border-right: solid #C2D69B 1.0pt; padding: 0cm 5.4pt 0cm 5.4pt;" width="64%">
<p style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: '微软雅黑',sans-serif;">如果重新使用了</span> SSL <span style="font-family: '微软雅黑',sans-serif;">会话</span>, <span style="font-family: '微软雅黑',sans-serif;">则返回</span> "r", <span style="font-family: '微软雅黑',sans-serif;">否则为</span> "." (1.5.11)<span style="font-family: '微软雅黑',sans-serif;">。</span>
</p>
</td>
</tr>
</table>
<h2>
<span id="18">1.8 <span style="font-family: '微软雅黑',sans-serif;">参考文献</span></span>
</h2>
<blockquote>
<p>
<span style="background-color: initial;">[1] </span><a style="background-color: initial;" href="https://cloud.tencent.com/document/product/400/4143">https://cloud.tencent.com/document/product/400/4143</a>
</p>
<p>
[2] <a href="https://www.openssl.org/">https://www.openssl.org</a>
</p>
<p>
[3] <a href="/wp-content/themes/clsn-003/inc/go.php?url=http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers" >http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers</a>
</p>
<p>
[4] <a href="https://baike.baidu.com/item/openssl/5454803?fr=aladdin">https://baike.baidu.com/item/openssl/5454803?fr=aladdin</a>
</p>
<p>
[5] <a href="/wp-content/themes/clsn-003/inc/go.php?url=http://nginx.org/en/docs/http/configuring_https_servers.html#name_based_https_servers" >http://nginx.org/en/docs/http/configuring_https_servers.html#name_based_https_servers</a>
</p>
</blockquote>
<p>
</p>
<div id="toc_container" class="toc_white have_bullets">
<ul class="toc_list">
<li>
<a href="#11">1.1 网络安全知识</a><ul>
<li>
<a href="#111">1.1.1 网结安全出现背景</a>
</li>
<li>
<a href="#112">1.1.2 网络安全涉及问题</a>
</li>
</ul>
</li>
<li>
<a href="#12">1.2 网络安全问题的解决</a><ul>
<li>
<a href="#121">1.2.1 网络安全解决问题--如何保证数据的机密性</a>
</li>
<li>
<a href="#122">1.2.2 网络安全解决问题-如何保证数据的完整</a>
</li>
<li>
<a href="#123">1.2.3 网络安全解决问题-如何进行传输双方身份验证</a>
</li>
</ul>
</li>
<li>
<a href="#13">1.3 证书的由来</a><ul>
<li>
<a href="#131">1.3.1 如何获取公钥信息</a>
</li>
<li>
<a href="#132">1.3.2 证书信息所包含什么内容</a>
</li>
</ul>
</li>
<li>
<a href="#14">1.4 加密算法的简介</a><ul>
<li>
<a href="#141">1.4.1 对称加密算法</a>
</li>
<li>
<a href="#142">1.4.2 单向加密算法</a>
</li>
<li>
<a href="#143">1.4.3 非对称加密算法</a>
</li>
</ul>
</li>
<li>
<a href="#15_OpenSSL">1.5 OpenSSL软件介绍</a><ul>
<li>
<a href="#151_OpenSSL">1.5.1 OpenSSL软件概念说明</a>
</li>
<li>
<a href="#152_OpenSSL">1.5.2 OpenSSL软件组成部分</a>
</li>
<li>
<a href="#153_OpenSSL">1.5.3 OpenSSL的使用</a>
</li>
<li>
<a href="#154_OpenSSLCA">1.5.4 OpenSSL软件建立是有CA</a>
</li>
<li>
<a href="#155">1.5.5 公司中申请证书文件的流程</a>
</li>
</ul>
</li>
<li>
<a href="#16_WEBHTTPS">1.6 WEB服务实现HTTPS访问</a><ul>
<li>
<a href="#161">1.6.1 证书的创建</a>
</li>
<li>
<a href="#162_nginxhttps">1.6.2 nginx配置https访问</a>
</li>
<li>
<a href="#163_httphttps">1.6.3 实现http访问自动跳转到https的方法</a>
</li>
<li>
<a href="#164_nginxhttphttps">1.6.4 利用nginx反向代理服务器进行http到https跳转</a>
</li>
</ul>
</li>
<li>
<a href="#17_-_ngx_http_ssl_module">1.7 附录 - ngx_http_ssl_module模块说明</a><ul>
<li>
<a href="#171">1.7.1 示例配置</a>
</li>
<li>
<a href="#172_SSL">1.7.2 SSL模块指令说明</a><ul>
<li>
<a href="#1721nbspssl">1.7.2.1 ssl</a>
</li>
<li>
<a href="#1722nbspssl_buffer_size">1.7.2.2 ssl_buffer_size</a>
</li>
<li>
<a href="#1723nbspssl_certificate">1.7.2.3 ssl_certificate</a>
</li>
<li>
<a href="#1724nbspssl_certificate_key">1.7.2.4 ssl_certificate_key</a>
</li>
<li>
<a href="#1725nbspssl_ciphers">1.7.2.5 ssl_ciphers</a>
</li>
<li>
<a href="#1726nbspssl_client_certificate">1.7.2.6 ssl_client_certificate</a>
</li>
<li>
<a href="#1727nbspssl_crl">1.7.2.7 ssl_crl</a>
</li>
<li>
<a href="#1728nbspssl_dhparam">1.7.2.8 ssl_dhparam</a>
</li>
<li>
<a href="#1729nbspssl_ecdh_curve">1.7.2.9 ssl_ecdh_curve</a>
</li>
<li>
<a href="#17210nbspnbspnbspnbsp_ssl_password_file">1.7.2.10 ssl_password_file</a>
</li>
<li>
<a href="#17211nbspnbspnbspnbsp_ssl_prefer_server_ciphers">1.7.2.11 ssl_prefer_server_ciphers</a>
</li>
<li>
<a href="#17212nbspnbspnbspnbsp_ssl_protocols">1.7.2.12 ssl_protocols</a>
</li>
<li>
<a href="#17213nbspnbspnbspnbsp_ssl_session_cache">1.7.2.13 ssl_session_cache</a>
</li>
<li>
<a href="#17214nbspnbspnbspnbsp_ssl_session_ticket_key">1.7.2.14 ssl_session_ticket_key</a>
</li>
<li>
<a href="#17215nbspnbspnbspnbsp_ssl_session_tickets">1.7.2.15 ssl_session_tickets</a>
</li>
<li>
<a href="#17216nbspnbspnbspnbsp_ssl_session_timeout">1.7.2.16 ssl_session_timeout</a>
</li>
<li>
<a href="#17217nbspnbspnbspnbsp_ssl_stapling">1.7.2.17 ssl_stapling</a>
</li>
<li>
<a href="#17218nbspnbspnbspnbsp_ssl_stapling_file">1.7.2.18 ssl_stapling_file</a>
</li>
<li>
<a href="#17219nbspnbspnbspnbsp_ssl_stapling_responder">1.7.2.19 ssl_stapling_responder</a>
</li>
<li>
<a href="#17220nbspnbspnbspnbsp_ssl_stapling_verify">1.7.2.20 ssl_stapling_verify</a>
</li>
<li>
<a href="#17221nbspnbspnbspnbsp_ssl_trusted_certificate">1.7.2.21 ssl_trusted_certificate</a>
</li>
<li>
<a href="#17222nbspnbspnbspnbsp_ssl_verify_client">1.7.2.22 ssl_verify_client</a>
</li>
<li>
<a href="#17223nbspnbspnbspnbsp_ssl_verify_depth">1.7.2.23 ssl_verify_depth</a>
</li>
</ul>
</li>
<li>
<a href="#173_ngx_http_ssl_module">1.7.3 ngx_http_ssl_module模块中常见错误处理</a>
</li>
<li>
<a href="#174_ngx_http_ssl_module">1.7.4 ngx_http_ssl_module模块中嵌入变量</a>
</li>
</ul>
</li>
<li>
<a href="#18">1.8 参考文献</a>
</li>
</ul>
</div>- 原文作者:惨绿少年
- 原文链接:https://clsn.io/clsn/lx212.html
- 版权声明:本作品采用知识共享署名-非商业性使用-禁止演绎 4.0 国际许可协议进行许可,非商业转载请注明出处(作者,原文链接),商业转载请联系作者获得授权。