사설 SSL 인증서 만들기




사설 SSL 인증서 만들기

°³ÀÎÀÌ »ç¿ëÇÒ SSL ¼­¹öÀÇ ÀÎÁõ¼­¸¦ ±»ÀÌ ºñ¿ëÀÌ µé¾î°¡´Â °øÀÎ ÀÎÁõ±â°ü¿¡ ¿äûÇÒ ÇÊ¿ä´Â ¾ø´Ù. ÀÌ·²¶§´Â »ç¼³ SSL ÀÎÁõ¼­¸¦ ¸¸µé¾î »ç¿ëÇÏÀÚ. ¸ÕÀú SSL Handshake°úÁ¤À» È®ÀÎÇØ º¸ÀÚ.
  1. Ŭ¶óÀÌ¾ðÆ®°¡ ¼­¹ö¿¡ ¿¬°áÇϸé, ¸ÕÀú ÀÎÁõ¼­¸¦ ¿äûÇÏ°Ô µÈ´Ù. ÀÎÁõ¼­´Â À¯Àú°¡ ¼±ÅÃÇÑ »çÀÌÆ®¸¦ ½Å·ÚÇÒ¼ö ÀÎÁõÇÑ´Ù´Â °ÍÀÌ´Ù. ¾ö°ÝÈ÷ ½Å·ÚÀÖ´Ù´Â °É ÀÎÁõÇÏ·Á¸é °øÀÎµÈ ±â°üÀÌ °³ÀÔÇØ¾ß ÇÒ °ÍÀÌ´Ù. ¿ì¸®´Â »ç¼³ SSL ÀÎÁõ¼­¸¦ »ç¿ëÇÒ °ÍÀ̰í, ¶§¹®¿¡ À¯Àú ºê¶ó¿ìÀú¿¡¼­´Â ½Å·ÚÇÒ ¼ö ¾ø´Â ÀÎÁõ¼­¸¦ Æ÷ÇÔÇÑ »çÀÌÆ®¶ó´Â °æ°í ¸Þ½ÃÁö°¡ Ãâ·ÂµÉ °ÍÀÌ´Ù. ³»ºÎÀûÀ¸·Î »ç¿ëÇÒ °ÍÀÌ´Ï ¹«½ÃÇØµµ »ó°ü ¾ø´Ù.
  2. ÀÌÁ¦ µ¥ÀÌÅÍÀÇ ±â¹Ð¼ºÀ» À¯ÁöÇϱâ À§Çؼ­ µ¥ÀÌÅÍ ¾Ï/º¹È£¿Í °úÁ¤À» °ÅÄ£´Ù. ¼­¹ö¿¡¼­ Ŭ¶óÀÌ¾ðÆ®·Î ¼­¹öÀÇ °ø°³Å°¸¦ ÀÌ¿ëÇØ¼­ Ŭ¶óÀÌ¾ðÆ®´Â »ý¼ºµÈ ¼¼¼Ç۸¦ ¾ÏÈ£È­ÇØ¼­ ¼­¹ö·Î Àü´ÞÇÑ´Ù. ÀÌ ¼¼¼Ç۸¦ ÀÌ¿ëÇØ¼­ ¼­¹ö´Â µ¥ÀÌÅ͸¦ ¾ÏÈ£È­ÇØ¼­ Àü¼ÛÇϰí, Ŭ¶óÀÌ¾ðÆ®´Â ¹ÞÀº µ¥ÀÌÅ͸¦ º¹È£È­ ÇÑ´Ù.

  1. Ŭ¶óÀÌ¾ðÆ®´Â ¼­¹ö¿¡ Hello Message¸¦ Àü´ÞÇÑ´Ù.
  2. ¼­¹ö´Â Ŭ¶óÀÌ¾ðÆ®¿¡ Hello Message¿Í (¼­¹öÀÇ °ø°³Å°·Î ÀÎÁõÇÑ)¼­¹ö ÀÎÁõ¼­¸¦ Àü¼ÛÇÑ´Ù. Çʿ信 µû¶ó ¼­¹ö°¡ Ŭ¶óÀ̾ðÆ®ÀÇ ÀÎÁõ¼­¸¦ ¿äûÇϱ⵵ ÇÑ´Ù.
  3. Ŭ¶óÀÌ¾ðÆ®´Â ÀÎÁõ¼­¸¦ °ËÅäÇÑ ÈÄ, ¼­¹öÀÇ °ø°³Å°¸¦ ÃßÃâÇÑ´Ù. µ¥ÀÌÅÍ ¾Ïȣȭ¿¡ »ç¿ëÇÒ session-key¿Í Ŭ¶óÀÌ¾ðÆ®°¡ »ç¿ëÇÒ ¼ö ÀÖ´Â ¾Ïȣȭ ¾Ë°í¸®Áò ¼¼Æ® Áï Chiper suite¸¦ ¼­¹ö·Î Àü´ÞÇÑ´Ù. À̶§ session-key´Â °ø°³Å°·Î ¾Ïȣȭ ÇÑ´Ù.
  4. ¼­¹ö´Â Chiper suite¸¦ ¹ÞÀº ´ÙÀ½ Ŭ¶óÀÌ¾ðÆ®·Î Finished message¸¦ Àü¼ÛÇÑ´Ù. ¼­¹ö´Â ÀÚ½ÅÀÇ ºñ¹ÐŰ·Î ¼¼¼Ç۸¦ º¹È£È­ÇÑ´Ù. ÀÌÁ¦ ¼­¹ö¿Í Ŭ¶óÀÌ¾ðÆ® ¸ðµÎ session-key¸¦ °øÀ¯ÇÏ°Ô µÇ¾ú°í, ÀÌ session-key¸¦ ÀÌ¿ëÇØ¼­ ºñ¹Ð Åë½ÅÀ» ÇÑ´Ù.
  5. ÀÌÁ¦ µ¥ÀÌÅÍ Àü¼Û ´Ü°è·Î ³Ñ¾î°¡¸é, »óÈ£ ÇùÀÇÇÑ ¾Ïȣȭ ¹æ½ÄÀ» ÀÌ¿ëÇØ¼­ µ¥ÀÌÅ͸¦ ±³È¯ÇÑ´Ù.

SSL 서버 만들기

SSL ¼­¹ö¸¦ ¸¸µé·Á°í ÇÑ´Ù. ¼Ò½º´Â Á÷Á¢ ¸¸µé±â ±ÍÂú¾Æ¼­ ÀÎÅͳÝÀ» ã¾Æ¼­ ±¸Çß´Ù. ÀÌ ¼­¹ö ÇÁ·Î±×·¥ÀÌ ÀÛµ¿ÇÏ·Á¸é, ÀÎÁõ¼­¿Í ¼­¹ö۰¡ ÇÊ¿äÇÏ´Ù. À̵éÀ» ¸¸µé¾î¼­ Å×½ºÆ® ÇØº¸±â·Î Çß´Ù. ´ÙÀ½Àº Å×½ºÆ®¿¡ »ç¿ëÇÒ ¼Ò½º´Ù. ÇÁ·Î±×·¥ÀÇ À̸§Àº myserver.c·Î ÇÏÀÚ.
/* serv.cpp  -  Minimal ssleay server for Unix 
   30.9.1996, Sampo Kellomaki <sampo@iki.fi> */ 
/* mangled to work with SSLeay-0.9.0b and OpenSSL 0.9.2b 
   Simplified to be even more minimal 
   12/98 - 4/99 Wade Scholine <wades@mail.cybg.com> */ 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <memory.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <openssl/rsa.h>       /* SSLeay stuff */
#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
 
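/* define HOME to be dir for key and cert files... */
#define HOME "./"

/* Server certificate (PEM).  NOTE(review): the generation script later on
   this page writes the certificate under /etc/ssl/certs/ and the key under
   /etc/ssl/private/ as myserv.pem; point these two paths at whatever files
   you actually generated before running the server. */
#define CERTF  HOME "server-req.pem"
/* Server private key (PEM). */
#define KEYF  HOME  "server-key.pem"

/* Abort helpers.  Wrapped in do { } while (0) so the trailing ';' at the call
   site is consumed and the macros are safe inside an unbraced if/else (the
   bare "if" form binds a following "else" to the macro's own "if"). */
#define CHK_NULL(x) do { if ((x) == NULL) exit(1); } while (0)
#define CHK_ERR(err, s) do { if ((err) == -1) { perror(s); exit(1); } } while (0)
/* SSL_accept/SSL_read/SSL_write signal failure with any value <= 0: 0 means
   a controlled shutdown or a handshake that failed cleanly.  Testing only for
   -1 would let a failed handshake or a closed connection pass as success. */
#define CHK_SSL(err) do { if ((err) <= 0) { ERR_print_errors_fp(stderr); exit(2); } } while (0)

/* Info callback that traces SSL handshake state transitions (defined below). */
void  ssl_info_callback(const SSL *s, int where, int ret);

/* BIO the info callback writes to.  Explicitly NULL until main() attaches it
   to a stream, so the callback can test it before writing. */
BIO *errBIO = NULL;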
 
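int main (int argc, char **argv) 
{ 
    int err; 
    int listen_sd; 
    int sd; 
    struct sockaddr_in sa_serv; 
    struct sockaddr_in sa_cli; 
    socklen_t client_len;          /* accept() writes a socklen_t, not a size_t */ 
 
    const SSL_METHOD *meth; 
    SSL_CTX *ctx; 
    SSL *ssl; 
    X509 *client_cert; 
 
    char *str; 
    char buf[4096]; 
 
    (void)argc;                    /* no command-line options are used */ 
    (void)argv; 
 
    /* SSL preliminaries. We keep the certificate and key with the context. */ 
    // Load human-readable error strings so ERR_print_errors_fp() is useful. 
    SSL_load_error_strings(); 
    // Register ciphers and digests. 
    SSLeay_add_ssl_algorithms(); 
    // Version-flexible server method: negotiates the highest protocol both 
    // sides support.  The original pinned SSLv3_method(), which restricts the 
    // server to a withdrawn protocol that current OpenSSL builds compile out. 
    meth = SSLv23_server_method(); 
    // Create the SSL context that owns the certificate, key and settings. 
    ctx = SSL_CTX_new (meth); 
    if (!ctx) { 
        ERR_print_errors_fp(stderr); 
        exit(2); 
    } 
    // Refuse SSLv2/SSLv3 even if a peer offers them. 
    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); 
 
    // The info callback writes to errBIO; attach it to stderr before any 
    // handshake can run so the callback never writes through a NULL BIO. 
    errBIO = BIO_new_fp(stderr, BIO_NOCLOSE); 
    CHK_NULL(errBIO); 
    // Trace SSL handshake state transitions (see ssl_info_callback below). 
    SSL_CTX_set_info_callback(ctx, ssl_info_callback); 
 
    // Load the server certificate from CERTF. 
    if (SSL_CTX_use_certificate_file(ctx, CERTF, SSL_FILETYPE_PEM) <= 0) { 
        ERR_print_errors_fp(stderr); 
        exit(3); 
    } 
 
    fprintf(stderr, "======== PEM pass phrease confirm here\n"); 
    // Load the server private key from KEYF (OpenSSL prompts for the pass 
    // phrase here if the key file is encrypted). 
    if (SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM) <= 0) { 
        fprintf(stderr,"======== PEM pass phrase does not match the password\n"); 
        ERR_print_errors_fp(stderr); 
        exit(4); 
    } 
 
    // Make sure the key actually belongs to the certificate. 
    if (!SSL_CTX_check_private_key(ctx)) { 
        fprintf(stderr,"Private key does not match the certificate public key\n"); 
        exit(5); 
    } 
 
    // Plain TCP listener on port 1111, all interfaces. 
    listen_sd = socket (AF_INET, SOCK_STREAM, 0); 
    CHK_ERR(listen_sd, "socket"); 
 
    memset (&sa_serv, '\0', sizeof(sa_serv)); 
    sa_serv.sin_family      = AF_INET; 
    sa_serv.sin_addr.s_addr = INADDR_ANY; 
    sa_serv.sin_port        = htons (1111);          /* Server Port number */ 
 
    err = bind(listen_sd, (struct sockaddr*) &sa_serv, sizeof (sa_serv)); 
    CHK_ERR(err, "bind"); 
 
    err = listen (listen_sd, 5); 
    CHK_ERR(err, "listen"); 
 
    // Accept exactly one client, then stop listening. 
    client_len = sizeof(sa_cli); 
    sd = accept (listen_sd, (struct sockaddr*) &sa_cli, &client_len); 
    CHK_ERR(sd, "accept"); 
 
    close (listen_sd); 
 
    // s_addr is a 32-bit value; printing it with %lx is a format/argument 
    // mismatch on 64-bit targets.  Print the address in dotted form and the 
    // port in host byte order instead. 
    printf ("Connection from %s, port %u\n", 
            inet_ntoa(sa_cli.sin_addr), (unsigned) ntohs(sa_cli.sin_port)); 
 
    // TCP connection is ready. Do server side SSL. 
    // Create a per-connection SSL object from the context. 
    ssl = SSL_new (ctx); 
    CHK_NULL(ssl); 
 
    // Bind the SSL object to the accepted socket. 
    SSL_set_fd (ssl, sd); 
    // Run the server side of the handshake.  SSL_accept() returns 1 on 
    // success, 0 when the handshake failed but was shut down cleanly, and <0 
    // on a fatal error; checking only for -1 would let a failed handshake 
    // fall through to SSL_read(). 
    printf ("SSL_accept start =========================\n"); 
    err = SSL_accept (ssl); 
    if (err <= 0) { 
        ERR_print_errors_fp(stderr); 
        exit(2); 
    } 
    printf ("SSL_accept end =========================\n"); 
 
    // Report the negotiated cipher suite (two equivalent ways of asking). 
    printf ("SSL connection using %s\n", SSL_get_cipher (ssl)); 
    printf ("SSL connection using %s\n", SSL_CIPHER_get_name(SSL_get_current_cipher(ssl))); 
 
    // Get client's certificate (note: beware of dynamic allocation) - opt 
    // No verify mode is set on the context, so the client is never asked for 
    // a certificate and this is normally NULL. 
    client_cert = SSL_get_peer_certificate (ssl); 
 
    if (client_cert != NULL) 
    { 
        printf ("Client certificate:\n"); 
 
        // X509_NAME_oneline() with a NULL buffer allocates; free after use. 
        str = X509_NAME_oneline (X509_get_subject_name (client_cert), 0, 0); 
        CHK_NULL(str); 
        printf ("\t subject: %s\n", str); 
        free (str); 
 
        str = X509_NAME_oneline (X509_get_issuer_name  (client_cert), 0, 0); 
        CHK_NULL(str); 
        printf ("\t issuer: %s\n", str); 
        free (str); 
 
        /* We could do all sorts of certificate verification stuff here before 
           deallocating the certificate. */ 
 
        X509_free (client_cert); 
    } 
    else 
    { 
        printf ("Client does not have certificate.\n"); 
    } 
 
    // DATA EXCHANGE - Receive message and send reply. 
    // Leave one byte free for the terminator.  A return of 0 (peer closed) 
    // or <0 (error) must not be used as an index into buf. 
    err = SSL_read (ssl, buf, sizeof(buf) - 1); 
    if (err <= 0) { 
        ERR_print_errors_fp(stderr); 
        exit(2); 
    } 
 
    buf[err] = '\0'; 
    // Echo what was received to the console. 
    printf ("Got %d chars:'%s'\n", err, buf); 
 
    // Send the reply; SSL_write() takes an int length. 
    err = SSL_write (ssl, "I hear you.", (int) strlen("I hear you.")); 
    if (err <= 0) { 
        ERR_print_errors_fp(stderr); 
        exit(2); 
    } 
 
    /* Clean up: send close_notify before dropping the socket. */ 
    SSL_shutdown (ssl); 
    close (sd); 
    SSL_free (ssl); 
    SSL_CTX_free (ctx); 
    BIO_free (errBIO); 
    errBIO = NULL; 
    return 0; 
} 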
 
// SSL Çڵ彦ÀÌÅ© ¸Þ½ÃÁö±³È¯ °úÁ¤À» ¾Ë·ÁÁÖ´Â Äݺ¤ÇÔ¼ö 
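// Info callback registered via SSL_CTX_set_info_callback(): traces each 
// handshake state transition, alert and exit condition to errBIO and stderr. 
//   s     - the SSL object the event belongs to 
//   where - bitmask of SSL_CB_* / SSL_ST_* flags describing the event 
//   ret   - the alert code for SSL_CB_ALERT; for SSL_CB_EXIT the state 
//           machine's return value (0 = failed, <0 = error) 
// The callback type is void, so nothing is returned (the original listing 
// ended with "return 1;", which is invalid in a void function). 
void  ssl_info_callback(const SSL *s, int where, int ret) 
{ 
  const char *writeString;   /* only ever points at string literals */ 
  int w; 
  // Strip the state bits and keep the role (connect vs. accept). 
  w = where & ~SSL_ST_MASK; 
 
  if (w & SSL_ST_CONNECT) 
    writeString = "SSL_connect";   /* acting as client */ 
  else if (w & SSL_ST_ACCEPT) 
    writeString = "SSL_accept";    /* acting as server */ 
  else 
    writeString = "undefined"; 
 
  fprintf(stderr, "======== writeString = [%s]\n", writeString); 
 
  if (where & SSL_CB_LOOP) 
  { 
    // Ordinary handshake progress; SSL_state_string_long() names the state. 
    // errBIO is created in main(); guard against being called before that. 
    if (errBIO != NULL) 
      BIO_printf(errBIO,"%s:%s\n",writeString,SSL_state_string_long(s)); 
    fprintf(stderr, "======== writeString = [%s], SSL_state_string_long(s) = [%s]\n",  
        writeString, SSL_state_string_long(s)); 
  } 
  else if (where & SSL_CB_ALERT) 
  { // An alert was sent or received; SSL_CB_READ says which direction. 
    writeString = (where & SSL_CB_READ) ? "read" : "write"; 
    if (errBIO != NULL) 
      BIO_printf(errBIO,"SSL3 alert %s:%s:%s\n",writeString,SSL_alert_type_string_long(ret),SSL_alert_desc_string_long(ret)); 
    fprintf(stderr, "======== writeString = [%s], SSL_alert_type_string_long(ret) = [%s], SSL_alert_desc_string_long(ret) = [%s]\n",  
          writeString, SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); 
  } 
  else if (where & SSL_CB_EXIT) 
  { // The handshake function is returning; ret says how it ended. 
    if (ret == 0) { 
      if (errBIO != NULL) 
        BIO_printf(errBIO,"%s:failed in %s\n",writeString,SSL_state_string_long(s)); 
      fprintf(stderr,"======== writeString = [%s], SSL_state_string_long(s) = [%s]\n",  
          writeString, SSL_state_string_long(s)); 
    } 
    else if (ret < 0) 
    { 
      if (errBIO != NULL) 
        BIO_printf(errBIO,"%s:error in %s\n",writeString,SSL_state_string_long(s)); 
      fprintf(stderr,"======== writeString = [%s], SSL_state_string_long(s) = [%s]\n",  
          writeString, SSL_state_string_long(s)); 
    } 
  } 
} 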
 

ÀÌÁ¦ ÀÎÁõ¼­¿Í ¼­¹ö۸¦ ¸¸µé¾î¾ß ÇÑ´Ù. ´ÙÀ½Àº ÀÎÁõ¼­¿Í ¼­ºñ۸¦ ¸¸µå´Â °£´ÜÇÑ ½© ÇÁ·Î±×·¥ÀÌ´Ù.
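#!/bin/sh 
 
# Generates a self-signed certificate and private key for myserver.c. 
# Edit myserv-openssl.cnf (the file named in OPENSSLCONFIG below) before running this. 
 
OPENSSL=openssl 
SSLDIR=/etc/ssl 
OPENSSLCONFIG=myserv-openssl.cnf 
 
CERTDIR=$SSLDIR/certs 
KEYDIR=$SSLDIR/private 
 
CERTFILE=$CERTDIR/myserv.pem 
KEYFILE=$KEYDIR/myserv.pem 
 
# Refuse to run if the target directories are missing.  Paths are quoted 
# throughout so a directory name containing spaces cannot split the command. 
if [ ! -d "$CERTDIR" ]; then 
  echo "$SSLDIR/certs directory doesn't exist" 
  exit 1 
fi 
 
if [ ! -d "$KEYDIR" ]; then 
  echo "$SSLDIR/private directory doesn't exist" 
  exit 1 
fi 
 
# Never overwrite an existing pair: regenerating the key would silently 
# invalidate the certificate already deployed alongside it. 
if [ -f "$CERTFILE" ]; then 
  echo "$CERTFILE already exists, won't overwrite" 
  exit 1 
fi 
 
if [ -f "$KEYFILE" ]; then 
  echo "$KEYFILE already exists, won't overwrite" 
  exit 1 
fi 
 
# The key is written unencrypted (-nodes), so create both files with no group 
# or world access; the window between creation and the chmod below would 
# otherwise expose the key under a permissive umask.  The certificate is 
# public and is opened up again afterwards. 
umask 077 
"$OPENSSL" req -new -x509 -nodes -config "$OPENSSLCONFIG" -out "$CERTFILE" -keyout "$KEYFILE" -days 365 || exit 2 
chmod 0600 "$KEYFILE" 
chmod 0644 "$CERTFILE" 
echo  
"$OPENSSL" x509 -subject -fingerprint -noout -in "$CERTFILE" || exit 2 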
 

´ÙÀ½Àº ÀÎÁõ¼­¸¦ ¸¸µé±â À§ÇÑ ¼³Á¤ÆÄÀÏÀÌ´Ù. ¼³Á¤ÆÄÀÏÀÇ À̸§Àº myserv-openssl.cnfÀÌ´Ù.

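[ req ] 
# 1024-bit RSA is below today's accepted minimum; 2048 is the common floor 
# and is what current browsers and TLS libraries expect. 
default_bits = 2048 
# Note: the generation script passes -nodes, which overrides this and writes 
# the key unencrypted so the server can start without a pass phrase prompt. 
encrypt_key = yes 
distinguished_name = req_dn 
x509_extensions = cert_type 
# Take the subject from [ req_dn ] instead of prompting interactively. 
prompt = no 
 
[ req_dn ] 
# country (2 letter code) 
#C=FI 
 
# State or Province Name (full name) 
#ST= 
 
# Locality Name (eg. city) 
#L=Seoul 
 
# Organization (eg. company) 
#O=Joinc 
 
# Organizational Unit Name (eg. section) 
OU=developer 
 
# Common Name (*.example.com is also possible) 
# Must match the host name clients connect to, or the browser warning will 
# be a name mismatch on top of the untrusted-issuer one. 
CN=www.joinc.co.kr 
 
# E-mail contact 
emailAddress=yundream@gmail.com 
 
[ cert_type ] 
# Marks the certificate as a server certificate. 
nsCertType = server 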
 

ÀÌ ½ºÅ©¸³Æ®¸¦ ½ÇÇàÇϸé /etc/ssl/private/myserv.pem °ú /etc/ssl/certs/myserv.pem ÆÄÀÏÀÌ ¸¸µé¾îÁø´Ù. ÀüÀÚ´Â ÀÎÁõ¼­À̰í, ÈÄÀÚ´Â ¼­¹öŰ´Ù. ÄÄÆÄÀÏ ÈÄ ½ÇÇàÇÏ°í ³ª¼­ https¸¦ Áö¿øÇÏ´Â À¥ºê¶ó¿ìÀú·Î Å×½ºÆ® ÇÒ ¼ö ÀÖ´Ù.
