- step 1: 127.0.0.1 123456.dev-server.aaa.com
- step 2: createCertificateAndKeyStore
- step 3: nginx config and start
- step 4: clientCertificationTest
- certificates and keystore file: https://github.com/wutingting1993/ClientCertificate/tree/master/certificates
- nginx.config: https://github.com/wutingting1993/ClientCertificate/blob/master/src/main/resources/nginx.conf
- Create a Root CA
- Issue a private certificate and download private-key
certificates/issued
- IssuedCert.pem
- Private.pem
- RootCert.pem
server {
client_max_body_size 100M;
listen 443 ssl;
#server_name 9a2fjk9c79.dev-server.aaa.com
ssl_certificate "server.pem";
ssl_certificate_key "server_private_key.key";
ssl_password_file "server_password.sh";
# self sign certificate
#ssl_client_certificate "client.crt";
ssl_client_certificate "RootCert.pem"; <<<<<<<<<<<<<<< Root CA
ssl_verify_client on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
...
}
https://blog.csdn.net/u012175637/article/details/84138925
红色部分为服务器端消息,紫色部分为客户端消息,黑色部分为双向认证需要的消息,绿色部分为某些情况下的特殊需求,这里不做详细的解释。
下图内容都可以通过wireshare 抓包看到具体的内容,有什么不清楚的可以通过wireshare 抓包自己看一下就会一目了然了。
简单来说SSL握手的目的就是为了获得客户端和服务器进行通信时使用的秘钥,根据不同的需求选择单向认证或者双向认证
- if can get session from cache, will resume the session, and session hold the certificates and private-key. Therefore, even if the keystore is reloaded, the session certificate and private key will not be updated.
- session default ttl is 24H, and we can change the ttl.
- if session is invalid (expire,local sessionId not equal to endpoint given sessionId), will be removed form cache.