Some knowledge about network communication security protocols (SSL, TLS, CA, HTTPS)

First, look at how the HTTP protocol has changed.
HTTP/1.0 defaults to short-lived connections; HTTP/1.1 defaults to persistent connections and supports pipelining, but it suffers from head-of-line blocking.
HTTPS is an SSL/TLS layer added between TCP and HTTP.
HTTP/2 is also secure. Its improvements are binary framing and HPACK header compression to reduce message size, streams that are not blocked by the head of the queue (the blocking still exists at the TCP layer), and server push.
HTTP/3 replaces TCP with UDP and uses the QUIC protocol on top of it to guarantee reliable transmission. It is faster, and because QUIC and TLS can be combined in one layer, establishing a connection takes only 1 RTT; connection migration can also be implemented based on the connection ID.

SSL/TLS
TLS is the upgraded version of SSL: after SSL reached 3.0, it was renamed TLS 1.0. SSL is divided into two layers, the SSL record protocol and the SSL handshake protocol. The record protocol is mainly responsible for encapsulating, compressing and encrypting TCP data, which makes it roughly equivalent to the presentation layer. The handshake protocol is what is often called the four-way handshake of HTTPS (establishing a connection, negotiating a secret key, and negotiating an encryption algorithm); the four-way handshake also involves verification of the CA certificate. ssl called used

The improvements in TLS are: the HMAC algorithm provides a more secure MAC function; there are more alert codes; and the set of supported encryption algorithms is different.

So far, it appears that HTTPS includes SSL/TLS, and the SSL protocol in turn involves verifying CA certificates to ensure that both parties are trustworthy. Encryption and digital digests ensure that messages cannot be eavesdropped on or tampered with.
(About encryption algorithms
Symmetric encryption: the same key is used for encryption and decryption, e.g. DES and 3DES. Because the symmetric key may be stolen while it is being transmitted, it is not safe.
Asymmetric encryption: encrypt with the public key, decrypt with the private key, e.g. RSA. Because the private key is never transmitted, the information cannot be stolen. It is slow, however, so it is generally used to encrypt the secret key.
The general process of the four-way handshake: the client sends a Hello with its cipher suite list, version number and a random number to the server; the server also generates a random number and tells the client which cipher suite was chosen; in the middle there is a CA certificate verification step to ensure that the server is legitimate; in the last two steps the client encrypts a random number with the server's public key, both sides use these three random numbers to generate a symmetric key, and they then try to encrypt a message and a message digest to check that it works.
)

CA:
It is an authority that issues digital certificates. Examples include GlobalSign, DigiCert, and GoDaddy. The CA certificates used by general browsers are stored in the browser and the operating system, so the security of the CA certificates can be guaranteed.
The role of the CA: to confirm that the server is reliable; in addition, the public key inside the certificate, combined with the server's private key, allows a symmetric secret key to be generated from the three random numbers to realize data encryption.
CA certificate chain structure: each CA has several sub-CAs, which form a chain of trust, so if the browser does not go to the operating system to find the root certificate chain during programming, otherwise it will take time.
What are the CA certificates:
There are different formats: some are editable PEM, and others are binary DER. Among them, X.509 is one of the editable ones.
The specific CA certificate is in X.509 format. It mainly involves the following three files:
key, csr, crt.
key is the server's private key, which is not transmitted and is used for encryption and decryption.
csr is a signing request file that the CA signs; once signed, it is valid.
crt: the signed or self-signed (rustls) certificate, which includes the server public key, server identity information, and signer information.

How does rustls implement the signature?
1. The certify library mainly uses internal algorithms to generate a CA, and the CA then signs the CSR of the client/server. The resulting crt file is saved in a directory.
2. Generate ClientConfig and ServerConfig from the certificate obtained above.
3. Use the connect function on each of the two sides to convert the stream into a TlsStream (this is actually the From/Into trait).

In development and test environments, common open-source tools for generating SSL certificates include openssl, rustls, etc. The latter, which I use, is simpler to compile and connect than openssl, and faster.

Origin blog.csdn.net/weixin_53344209/article/details/131920674