Two-factor authentication on a web portal using a USB token. Now on Linux

In one of our previous articles we discussed the importance of two-factor authentication on corporate portals. Last time we showed how to set up secure authentication in the IIS web server.

In the comments we were asked to write instructions for the most common web servers on Linux - nginx and Apache.

You asked - we wrote.

What do you need to get started?

  • A modern Linux distribution. I did the testing on MX Linux 18.2_x64. This is of course not a server distribution, but it is unlikely that there will be any differences from Debian. For other distributions, the library paths used in the configuration may differ slightly.
  • A token. We continue to use the Rutoken EDS PKI model as our example, which is ideal in terms of speed for corporate use.
  • To work with the token on Linux, you need to install the following packages:
    libccid libpcsclite1 pcscd pcsc-tools opensc

Issuing certificates

In the previous articles we relied on the server and client certificates being issued with Microsoft CA. But since we are setting everything up on Linux, we will also describe an alternative way of issuing these certificates - without leaving Linux.
We will use XCA (https://hohnstaedt.de/xca/) as the CA; it is available in any modern Linux distribution. Everything we do in XCA can also be done on the command line with the OpenSSL and pkcs11 tools, but for simplicity and clarity we will not cover that in this article.

Getting started

  1. Install:
    $ apt-get install xca
  2. And run:
    $ xca
  3. Create our CA database - /root/CA.xdb
    We recommend storing the Certificate Authority database in a folder that only the administrator has access to. This is important to protect the private keys of the root certificates, which are used to sign all other certificates.

Create the root CA key and certificate

A Public Key Infrastructure (PKI) is built as a hierarchy. The main element of this hierarchy is the root certification authority, or root CA. Its certificate must be created first.

  1. Create an RSA-2048 private key for the CA. To do this, on the Private Keys tab click New Key and select the appropriate type.
  2. Give the new key pair a name. I named it CA Key.
  3. Issue the CA certificate itself, using the key pair just created. To do this, go to the Certificates tab and click New Certificate.
  4. Make sure SHA-256 is selected, since using SHA-1 is no longer considered secure.
  5. Make sure the [default] CA template is selected. Don't forget to click Apply all, otherwise the template is not applied.
  6. On the Subject tab, select our key pair. There you can also fill in all the main fields of the certificate.

Create the key and certificate for the https server

  1. In the same way, create an RSA-2048 private key for the server; I named it Server Key.
  2. When creating the certificate, choose that the server certificate must be signed by the CA certificate.
  3. Don't forget to select SHA-256.
  4. Select [default] HTTPS_server as the template. Click Apply all.
  5. Then, on the Subject tab, select our key and fill in the required fields.

Create the key and certificate for the user

  1. The user's private key will be stored on our token. To work with it, you need to install the PKCS#11 library from our website. For popular distributions we provide ready-made packages, available here - https://www.rutoken.ru/support/download/pkcs/. We also have builds for arm64, armv7el, armv7hf, e2k, mipso32el, which can be downloaded from our SDK - https://www.rutoken.ru/developers/sdk/. Besides the Linux builds there are also builds for macOS, freebsd and android.
  2. Add a new PKCS#11 Provider in XCA. To do this, go to the Options menu, PKCS#11 Provider tab.
  3. Click Add and select the path to the PKCS#11 library. For me it is /usr/lib/librtpkcs11ecp.so.
  4. We need an initialized Rutoken EDS PKI token. Download the rtAdmin utility - https://dev.rutoken.ru/pages/viewpage.action?pageId=7995615
  5. Run
    $ rtAdmin -f -q -z /usr/lib/librtpkcs11ecp.so -u <user PIN>
  6. Select RSA-2048 key on Rutoken EDS PKI as the key type. I named it Client Key.

  7. Enter the PIN code. Then wait for the key pair generation on the token to finish.

  8. Create the user certificate in the same way as the server certificate. This time select the [default] HTTPS_client template and don't forget to click Apply all.
  9. On the Subject tab, enter the user's details. Answer yes to the prompt asking whether to store the certificate on the token.

As a result, the Certificates tab in XCA should look something like this.

These few keys and certificates are enough to start configuring the servers themselves.

For the server configuration we need to export the CA certificate, the server certificate and the server private key.

To do this, select the required item on the corresponding tab in XCA and click Export.

Nginx

I will not describe how to install and run the nginx server - there are enough articles on this topic on the internet, not to mention the official documentation. Let's go straight to setting up HTTPS and two-factor authentication with the token.

Add the following lines to the server section of nginx.conf:

server {
	listen 443 ssl;
	ssl_verify_depth 1;
	ssl_certificate /etc/nginx/Server.crt;
	ssl_certificate_key /etc/nginx/ServerKey.pem;
	ssl_client_certificate /etc/nginx/CA.crt;
	ssl_verify_client on;
}

A detailed description of all parameters related to ssl configuration in nginx can be found here - https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate

I will only briefly describe the ones I set myself:

  • ssl_verify_client - indicates that the client certificate's trust chain must be verified.
  • ssl_verify_depth - specifies how deep in the chain to look for the trusted root certificate. Since our client certificate is signed directly by the root certificate, the depth is set to 1. If the user certificate is issued by an intermediate CA, then 2 must be specified in this parameter, and so on.
  • ssl_client_certificate - specifies the path to the trusted root certificate, which is used to verify the user's certificate.
  • ssl_certificate/ssl_certificate_key - specify the paths to the server certificate and the server private key.

Don't forget to run nginx -t to check that there are no typos in the config, that all the files are in the right place, and so on.
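The trust-chain and verify-depth rules above, as an added example that is not code from the original article: the CA, server and client certificates are created with the OpenSSL command line (the article notes this is possible instead of XCA) and then checked against the CA file the way ssl_verify_client / SSLVerifyClient do for nginx and Apache. The file names, subjects and the $WORK directory are assumptions.

```shell
#!/bin/sh
# Added example (not the article's own code): the XCA steps done with the OpenSSL CLI,
# which the article says is possible but skips, plus a chain check that yields the
# ssl_verify_depth / SSLVerifyDepth a client certificate needs. Keys are made in
# software only so this runs offline; with a token the client key stays on the device.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Root CA plus a server and a client certificate signed directly by it,
# all RSA-2048 with SHA-256, like the XCA templates used in the article.
make_pki() {
  cd "$WORK"
  # Self-contained OpenSSL config so nothing depends on a system openssl.cnf
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\n' > ca.cnf
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> ca.cnf
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 -config ca.cnf \
    -subj "/CN=Example Root CA" -keyout CAKey.pem -out CA.crt >/dev/null 2>&1
  for role in Server Client; do
    case $role in
      Server) eku=serverAuth; cn=portal.example ;;   # HTTPS_server template
      Client) eku=clientAuth; cn="Alice Example" ;;  # HTTPS_client template
    esac
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf -subj "/CN=$cn" \
      -keyout "${role}Key.pem" -out "$role.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" > "$role.ext"
    openssl x509 -req -sha256 -days 825 -in "$role.csr" -CA CA.crt -CAkey CAKey.pem \
      -CAcreateserial -extfile "$role.ext" -out "$role.crt" >/dev/null 2>&1
  done
}

# Number of issuer certificates between the leaf and the trust anchor: 1 when the
# root signs the leaf directly (the article's case), 2 with one intermediate, etc.
chain_depth() {  # $1 = CA file, $2 = certificate to check
  openssl verify -CAfile "$1" -show_chain "$2" 2>/dev/null \
    | grep -c '^depth=[1-9]' || true
}

# Exit status 0 if the certificate chains to the given CA file, non-zero otherwise:
# the same decision ssl_verify_client on / SSLVerifyClient require make in the TLS handshake.
is_trusted() {  # $1 = CA file, $2 = certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

if command -v openssl >/dev/null 2>&1; then
  make_pki
  echo "Client.crt needs ssl_verify_depth $(chain_depth "$WORK/CA.crt" "$WORK/Client.crt")"
else
  echo "openssl binary not found; nothing to check" >&2
fi
```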

And that's it! As you can see, the setup is very simple.

Checking that it works in Firefox

Since we are doing everything entirely on Linux, we will assume that our users also work on Linux (if they use Windows, see the browser setup instructions in the previous article).

  1. Launch Firefox.
  2. First, try to log in without the token. We get this picture:

  3. Go to about:preferences#privacy and open Security Devices…
  4. Click Load to add a new PKCS#11 Device Driver and specify the path to our librtpkcs11ecp.so.
  5. To check that the certificate is visible, you can open the Certificate Manager. You will be asked for your PIN. After entering it correctly, you can see on the Your Certificates tab that our certificate from the token has appeared.
  6. Now log in with the token. Firefox prompts you to choose the certificate to present to the server. Select our certificate.

  7. DONE!

The setup is done once, and as you can see in the certificate request window, we can remember our choice. After that, every time we log in to the portal we only need to insert the token and enter the PIN code that was set during formatting. After such authentication the server already knows which user this is, so no additional verification windows are needed and the user can be let straight into their account.

Apache

As with nginx, nobody should have trouble installing apache. If you don't know how to set up this server, just use the official documentation.

And we start setting up our HTTPS with two-factor authentication:

  1. First, enable mod_ssl:
    $ a2enmod ssl
  2. Then enable the default HTTPS site configuration:
    $ a2ensite default-ssl
  3. Now edit the configuration file /etc/apache2/sites-enabled/default-ssl.conf:
        SSLEngine on
        SSLProtocol all -SSLv2
    
        SSLCertificateFile	/etc/apache2/sites-enabled/Server.crt
        SSLCertificateKeyFile /etc/apache2/sites-enabled/ServerKey.pem
    
        SSLCACertificateFile /etc/apache2/sites-enabled/CA.crt
    
        SSLVerifyClient require
        SSLVerifyDepth  10

    As you can see, the parameter names correspond to the parameter names in nginx, so I won't explain them. Again, anyone interested in the details is welcome to consult the documentation.
    Now restart our server:

    $ service apache2 reload
    $ service apache2 restart

  4. As you can see, setting up two-factor authentication on any web server, whether on Windows or Linux, takes about an hour. And setting up the browsers takes about 5 minutes. Many people think that setting up and working with two-factor authentication is difficult and confusing. I hope our article will dispel this myth, at least a little.

Do you need instructions for setting up TLS with certificates according to GOST 34.10-2012?

  • Yes, TLS-GOST is very much needed

  • No, setting up GOST algorithms is not interesting

Source: www.habr.com