Directory Navigation
Foreword
1. Understand the principles of client requests and server
2. The HTTP protocol and its components
3. Analysis of the HTTPS interaction principle
Composition of the HTTP protocol
With a capture tool such as Fiddler we can capture a request and then see the request data and response data shown below. A capture has two parts: the request message sent by the client and the response message returned by the server. The captured information is as follows:
Request
POST https://re.csdn.net/csdnbi HTTP/1.1        (method, URL/URI, protocol version 1.1)
Host: re.csdn.net
Connection: keep-alive
Content-Length: 167
Accept: */*
Origin: https://www.csdn.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.23 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Referer: https://www.csdn.net/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: uuid_tt_dd=10_19119862890-1514946902631-786149; __utma=17226283.1502834598.1514952032.1514952032.1514952032.1; __utmz=17226283.1514952032.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); kd_user_id=accb9177-52d8-41f3-b69e-54bb338ffb23; UN=q331464542; UM_distinctid=1610314af5bb3a-012f62bad56aa5-71103742-1fa400-1610314af5ca34; Hm_ct_6bcd52f51e9b3dce32bec4a3997715ac=1788*1*PC_VC; BT=1523867282719; smidV2=20180517165125ad3024b867497a0fbd79f81ef81cdd4400ceee13dc5e27d30; dc_session_id=10_1527227855207.688716; Hm_lvt_6bcd52f51e9b3dce32bec4a3997715ac=1527413082,1527413263,1527413731,1527415074; Hm_lpvt_6bcd52f51e9b3dce32bec4a3997715ac=1527422924; dc_tos=p9dz2k
--------------
[{"headers":{"component":"enterprise","datatype": "re","version":"v1"},"body":"{\"re\":\"ref=-&mtp=4&mod=ad_popu_131&con=ad_content_2961%2Cad_o rder_731&uid=-&ck=-\"}"}]
Response
HTTP/1.1 200 OK        (protocol version, response status code, reason phrase for the status code)
Server: openresty
Date: Sun, 27 May 2018 12:08:44 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
Access-Control-Allow-Origin: https://www.csdn.net
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,body
2
ok
0
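To make the structure of the two captured messages concrete, here is a small parser, added as an example for this post (it is not code from the original article). It splits a message into start line, headers and body, decodes a chunked body like the "2 / ok / 0" response above, and refuses ambiguous framing (a Content-Length that does not match the body, or Content-Length together with Transfer-Encoding, which RFC 7230 says ought to be handled as an error). The two sample messages are constructed for the example and only modelled on the capture.

```python
# Added example, not code from the original post.
from typing import Dict, Tuple

CRLF = "\r\n"

# Constructed request, modelled on the captured POST (headers shortened).
SAMPLE_REQUEST = (
    "POST https://re.csdn.net/csdnbi HTTP/1.1\r\n"
    "Host: re.csdn.net\r\n"
    "Connection: keep-alive\r\n"
    "Content-Length: 14\r\n"
    "Content-Type: text/plain;charset=UTF-8\r\n"
    "\r\n"
    '{"re":"ref=-"}'
)

# Constructed response, modelled on the captured chunked body:
# chunk size "2", chunk data "ok", then the terminating zero-size chunk.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: openresty\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
    "2\r\nok\r\n0\r\n\r\n"
)


def split_message(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a message into start line, header dict and raw body.
    Headers end at the first empty line; the body is everything after it."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("message has no header/body separator")
    lines = head.split(CRLF)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return lines[0], headers, body


def decode_chunked(body: str) -> str:
    """Decode a Transfer-Encoding: chunked body: hex size, CRLF, data, CRLF, ...
    until a zero-size chunk."""
    out, pos = [], 0
    while True:
        line_end = body.index(CRLF, pos)
        size = int(body[pos:line_end].split(";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            break
        out.append(body[pos:pos + size])
        pos += size
        if body[pos:pos + 2] != CRLF:
            raise ValueError("chunk data not followed by CRLF")
        pos += 2
    return "".join(out)


def message_body(headers: Dict[str, str], body: str) -> str:
    """Return the decoded body, rejecting ambiguous framing."""
    chunked = "chunked" in headers.get("transfer-encoding", "").lower()
    if chunked and "content-length" in headers:
        raise ValueError("both Transfer-Encoding and Content-Length present")
    if chunked:
        return decode_chunked(body)
    if "content-length" in headers:
        n = int(headers["content-length"])
        if len(body) != n:  # sample is ASCII, so str length equals byte length
            raise ValueError(f"Content-Length {n} but body has {len(body)} bytes")
    return body


def parse_request(raw: str) -> dict:
    start, headers, body = split_message(raw)
    method, target, version = start.split(" ", 2)
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": message_body(headers, body)}


def parse_response(raw: str) -> dict:
    start, headers, body = split_message(raw)
    version, status, reason = start.split(" ", 2)
    return {"version": version, "status": int(status), "reason": reason,
            "headers": headers, "body": message_body(headers, body)}


def is_well_framed(raw: str, kind: str = "request") -> bool:
    """True if the message parses with consistent length framing."""
    try:
        (parse_request if kind == "request" else parse_response)(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_request(SAMPLE_REQUEST))
    print(parse_response(SAMPLE_RESPONSE))
```

Real servers work on bytes rather than str; the example uses str only so the captured text can be pasted in directly.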
URL (Uniform Resource Locator)
A URL (Uniform Resource Locator) is an address used to describe a resource on the network. Its basic format is:
schema://host[:port#]/path/…/?[url-params]#[query-string]
E.g.:
http://www.gupaoedu.com:80/java/index.html?name=mic#head
scheme: the application-layer protocol (for example: http, https, ftp)
host: the IP address or domain name of the HTTP server
port#: the port of the HTTP server; the default is 80, in which case the port number can be omitted. If another port is used, it must be specified, for example http://www.gupaoedu.com:8080/
path: the path to the resource being accessed
query-string: the query string
#: the fragment identifier (a fragment identifier is generally used to mark a sub-resource within the retrieved resource, i.e. a location within a document)
URI (Uniform Resource Identifier)
Every resource on a web server has a name, so that the client can locate the corresponding resource by that name; this name is the URI (Uniform Resource Identifier).
In summary: a URI is a string that identifies a particular resource on the Internet, while a URL indicates the location of that resource on the Internet.
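As an added example for the URL breakdown above (not code from the original post), the following splits a URL into the components listed, fills in the default port when it is omitted, and builds the request target that is actually sent to the server; the fragment after `#` never leaves the client. The `DEFAULT_PORTS` table and the function names are this example's own.

```python
# Added example, not code from the original post.
from urllib.parse import parse_qs, urlsplit

# Default ports per scheme (assumption for this example; 80 for http is the
# value the text above gives)
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def split_url(url: str) -> dict:
    """Break a URL into scheme, host, port, path, query and fragment."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError("URL must contain a scheme and a host")
    explicit_port = parts.port is not None
    port = parts.port if explicit_port else DEFAULT_PORTS.get(parts.scheme)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,           # lower-cased by urlsplit
        "port": port,
        "port_explicit": explicit_port,   # was the port written in the URL?
        "path": parts.path or "/",
        "query": parse_qs(parts.query),   # "name=mic" -> {"name": ["mic"]}
        "fragment": parts.fragment,
    }


def request_target(url: str) -> str:
    """The origin-form target sent in the request line: path plus query string.
    The fragment identifies a location inside the document and is client-side
    only, so it is dropped here."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


if __name__ == "__main__":
    example = "http://www.gupaoedu.com:80/java/index.html?name=mic#head"
    print(split_url(example))
    print(request_target(example))
```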
Method
Every HTTP request that is initiated needs to tell the server what action to perform; this action appears at the front of the message as the [method]. The HTTP protocol provides a number of methods, and different methods are used in different scenarios.
GET: generally used by the client to send a URI to the server in order to access a resource (usually for query operations)
POST: generally used by the client to transmit an entity to the server so that the server saves it (usually for create operations)
PUT: transmits data to the server, typically used for update operations
HEAD: sends a request to the server to obtain only the header information, for example to check the validity or last-modified time of index.html
DELETE: the client initiates a request asking the server to delete certain data (generally used for delete operations)
OPTIONS: queries which method types the specified URI supports (e.g. GET / POST)
HTTP/1.1 also supports the TRACE (trace the request path) and CONNECT method types
Features of the HTTP protocol
The HTTP protocol is stateless. What does stateless mean? It means that the HTTP protocol itself does not save any communication state between one request/response exchange and the next.
How to implement a stateful protocol
The HTTP protocol introduced cookie technology to solve the problem of HTTP being stateless. The state of the client is controlled by information written into the request and response messages through the Cookie header. A response message sent by the server carries a header field called Set-Cookie, which tells the client to save the cookie. The next time the client sends a request to that server, it automatically adds the saved Cookie value to the request message. Containers such as Tomcat (JSP/Servlet) additionally provide a session mechanism that keeps a state object on the server side. In this way the whole process becomes a stateful protocol.
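The Set-Cookie / Cookie exchange just described, simulated in a few dozen lines as an added example (this is not code from the original post, and it is not how Tomcat is implemented). The "server" keeps a per-session state object in a dictionary, standing in for a servlet container's session store; the "client" stores whatever Set-Cookie told it and sends it back on every later request. The cookie name `JSESSIONID` is assumed from Tomcat's default, and the visit counter is made up for the example.

```python
# Added example, not code from the original post.
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "JSESSIONID"  # assumption: the name Tomcat uses by default


class Server:
    def __init__(self):
        self.sessions = {}  # session id -> server-side state object

    def handle(self, request_headers: dict):
        """Handle one request. HTTP itself is stateless: the only state is
        the session looked up through the cookie the client sent."""
        jar = SimpleCookie(request_headers.get("Cookie", ""))
        sid = jar[SESSION_COOKIE].value if SESSION_COOKIE in jar else None
        response_headers = {}
        if sid is None or sid not in self.sessions:
            # Missing or unknown id (a guessed id lands here too): start a new
            # session with an unguessable identifier and tell the client to save it.
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = {"visits": 0}
            c = SimpleCookie()
            c[SESSION_COOKIE] = sid
            c[SESSION_COOKIE]["httponly"] = True   # not readable by page scripts
            c[SESSION_COOKIE]["secure"] = True     # only sent over HTTPS
            c[SESSION_COOKIE]["samesite"] = "Lax"  # not sent on cross-site POSTs
            response_headers["Set-Cookie"] = c.output(header="").strip()
        state = self.sessions[sid]
        state["visits"] += 1
        return response_headers, f"visit {state['visits']}"


class Client:
    def __init__(self):
        self.jar = SimpleCookie()

    def request(self, server: Server) -> str:
        headers = {}
        if self.jar:  # automatically attach saved cookies
            headers["Cookie"] = "; ".join(f"{k}={m.value}" for k, m in self.jar.items())
        response_headers, body = server.handle(headers)
        if "Set-Cookie" in response_headers:
            self.jar.load(response_headers["Set-Cookie"])
        return body


def demo():
    """Two independent clients against one server: each gets its own session,
    and a client's counter survives across its requests."""
    server = Server()
    alice, bob = Client(), Client()
    bodies = [alice.request(server), alice.request(server),
              bob.request(server), alice.request(server)]
    return bodies, len(server.sessions)


if __name__ == "__main__":
    print(demo())  # (['visit 1', 'visit 2', 'visit 1', 'visit 3'], 2)
```

The session id is the only thing tying requests together, which is why it is generated with `secrets` and marked HttpOnly and Secure: anyone who obtains it is the user as far as the server can tell.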
Flaws of the HTTP protocol
1. Communication uses plain text, so the content may be eavesdropped on
2. The identities of the two communicating parties are not verified
3. The integrity of the message cannot be verified, so the message may be tampered with
HTTPS principle
Introduction to HTTPS
Because communication over the HTTP protocol is insecure, HTTPS was created to encrypt the transmission channel and prevent information from being leaked or tampered with in transit. HTTPS is the encrypted Hypertext Transfer Protocol; the difference between it and HTTP is that HTTPS fully encrypts the data during transmission. Since both HTTP and HTTPS sit above the TCP transport layer, and network protocols form a layered structure, HTTPS adds an SSL (Secure Sockets Layer) or TLS (Transport Layer Security) security layer on top of the TCP layer and uses it together with the transport protocol to construct an encrypted channel.
The principle of HTTPS
- The client sends a request (Client Hello packet)
  - A TCP connection is first established by the three-way handshake
  - The protocol versions supported (TLS / SSL)
  - The client generates a random number client.random, used later to generate the "session key"
  - The encryption algorithms supported by the client
  - A session id, used to keep the same session (if the client and server had painstakingly built an HTTPS link and cut it off as soon as it was built, that would be a pity)
- The server receives the request and responds (Server Hello)
  - Confirms the protocol version of the encrypted channel
  - The server generates a random number server.random, used later to generate the "session key"
  - Confirms the encryption algorithm (used to sign the subsequent handshake messages to prevent tampering)
  - The server certificate (a certificate issued to the server side by a CA)
- The client receives the certificate and verifies it
  - Verify that the certificate was issued by its parent CA. When verifying the certificate, the browser calls the operating system's certificate management interface to validate every certificate in the certification path, level by level; only if all certificates in the path are trusted is the overall authentication result trusted
  - The certificate returned from the server contains its validity period, so whether the certificate has expired can be checked against the expiry date
  - Verify that the certificate has not been revoked
  - As we saw earlier, when a CA issues a certificate it signs the certificate with its private key. A Signature Algorithm field of sha256RSA in a certificate means the CA computed a SHA-256 digest of the certificate and then signed that digest with its RSA private key; and we also know that with RSA, a signature made with the private key can only be checked with the public key.
  - The browser uses the CA public key built into the operating system to check the signature on the server's certificate, and so determines whether the certificate was issued by a legitimate institution. Since the CA signed a SHA-256 digest of the certificate, the client again computes a SHA-256 digest of the certificate content; if the resulting value equals the digest recovered from the signature on the certificate returned by the server, the certificate has not been modified
  - After verification passes, the browser displays the green "secure" indicator
- The client generates a random number after the authentication passes
  - The client generates a random number, the pre-master secret. The symmetric key is later generated from client.random + server.random + pre-master secret. The client encrypts the pre-master secret with the public key from the certificate and, using the encryption algorithm negotiated earlier, takes the HASH value of the handshake messages; it then passes "encrypted random number + HASH value of the handshake messages (signed)" to the server. (The reason for taking the HASH value of the handshake messages is mainly to sign the handshake messages, so that the server can verify that they were not tampered with in transit.)
- The server receives the random number
  - After the server receives the encrypted data from the client, it decrypts the ciphertext with its own private key and thus obtains client.random / server.random / pre-master secret. It then decrypts the HASH value of the handshake messages and compares it with the HASH value passed over, to confirm they are the same.
  - The server then encrypts a handshake message (handshake message + HASH value of the handshake messages) with the random password and sends it to the client
- The client receives the message
  - The client decrypts the random number and the handshake message, computes the HASH of the handshake messages and compares it with the HASH sent by the server. If they match, the handshake procedure ends here.
- After this, all communicated data is encrypted with the session key, which is algorithmically derived from the pre-master secret / client.random / server.random generated during the preceding interaction, and is used as the symmetric key for subsequent interactions
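Two steps in the list above can be shown concretely with the standard library: the "algorithmically derived session key" (pre-master secret + client.random + server.random) and the check that the handshake messages were not tampered with. The following added example (not code from the original post) implements the TLS 1.2 PRF from RFC 5246 section 5 with HMAC-SHA256, derives the master secret and key block from it, and computes the Finished verify_data over a hash of the handshake transcript, which is how TLS 1.2 performs the "HASH value of the handshake messages" comparison. Certificate verification and the RSA transport of the pre-master secret are assumed to have already happened; the randoms, the pre-master secret and the transcript bytes are constructed, and `simulate_handshake` is this example's own name.

```python
# Added example, not code from the original post.
import hashlib
import hmac
import os


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_hash(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """The 48-byte master secret both sides derive independently."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """Key expansion; note that the randoms are concatenated in the reverse order."""
    return prf(master, b"key expansion", server_random + client_random, length)


def verify_data(master: bytes, label: bytes, handshake_messages: bytes) -> bytes:
    """12-byte Finished value: PRF(master, label, Hash(all handshake messages))."""
    transcript_hash = hashlib.sha256(handshake_messages).digest()
    return prf(master, label, transcript_hash, 12)


# client write key + server write key + client IV + server IV, 16 bytes each
KEY_BLOCK_LEN = 4 * 16


def simulate_handshake(tamper: bool = False) -> dict:
    """Both sides derive keys from the same inputs; if the transcript the server
    saw differs from the client's (tamper=True), the Finished check fails."""
    client_random = os.urandom(32)
    server_random = os.urandom(32)
    pre_master = b"\x03\x03" + os.urandom(46)  # version bytes + 46 random bytes
    # Constructed stand-in for the serialized handshake messages
    transcript = (b"ClientHello" + client_random
                  + b"ServerHello" + server_random + b"ClientKeyExchange")
    # Client side
    client_master = master_secret(pre_master, client_random, server_random)
    client_finished = verify_data(client_master, b"client finished", transcript)
    # Server side: same randoms and (after RSA decryption) the same pre-master
    # secret, but possibly a transcript modified in transit
    seen = transcript + (b"X" if tamper else b"")
    server_master = master_secret(pre_master, client_random, server_random)
    expected = verify_data(server_master, b"client finished", seen)
    keys = key_block(server_master, client_random, server_random, KEY_BLOCK_LEN)
    return {
        "same_master": hmac.compare_digest(client_master, server_master),
        "finished_ok": hmac.compare_digest(client_finished, expected),
        "key_block_len": len(keys),
    }


if __name__ == "__main__":
    print(simulate_handshake())             # same_master True, finished_ok True
    print(simulate_handshake(tamper=True))  # finished_ok False
```

The comparisons use `hmac.compare_digest` rather than `==` so that a mismatch is not revealed byte by byte through timing.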
postscript
Link: Recommended PDF