1 基础知识
1.1 证书的基础知识
如果你不熟悉证书的相关知识,请参阅以下链接学习,
https://www.cmdschool.org/archives/7778
1.2 启用SSL/TLS证书的方法
– Tigase服务开启SSL或TLS通道的安全连接,需要从以下三种方法选择一种创建证书,
— 创建并加载pem文件的服务器证书
— Linux中安装StartCom证书
— 使用Keytool和Keystore创建Java服务器证书
– 创建证书后,SSL证书启用于5223端口的XMPP服务(官方使用默认证书开启,可自行更换自有证书)
– 创建证书后,TLS证书启用于5222端口的XMPP服务(官方使用默认证书开启,可自行更换自有证书,默认不强制TLS链接)
– TLS的证书通过修改以下配置文件的参数控制,
vim /etc/tigase/init.properties
通过以下默认参数启用TLS安全连接,
--sm-plugins=+starttls
如果需要禁用TLS安全连接,请使用如下方式声明,
--sm-plugins=-starttls
如果需要强制TLS安全连接,请使用如下参数声明,
--vhost-tls-required=true
1.3 创建证书的可选手法
– 可选创建自签名证书(建议用于调试环境)
– 可选创建由信任CA颁发的证书(建议用于生产环境)
注:Tigase 5.0.0及更高版本会自动为服务器配置自签名证书
1.4 PEM证书的创建与加载
1.4.1 创建PEM的规则
– PEM文件应包含服务器公钥证书
– PEM文件应包含服务器私钥证书
– PEM文件应包含证书链(即证中间证书,适用于CA颁发的证书才需要)
– PEM文件官方建议按域服务器公钥证书、服务器私钥证书、CA颁发的证书链、CA颁发的根证书的顺序排列
– PEM文件Tigase服务在加载时会自动对PEM文件中的证书进行排序
注:以上证书使用“cat”命令输出到“pem”后缀的文件
1.4.2 创建PEM证书的范例
1.4.2.1 创建自签名证书的范例
cat yourdomain.com.crt yourdomain.com.key > yourdomain.com.pem
1.4.2.2 创建第三方证书的范例
cat yourdomain.com.crt yourdomain.com.key sub.class1.xmpp.ca.crt ca.crt > yourdomain.com.pem
创建证书后,使用以下命令查看证书,
cat yourdomain.com.pem
可见如下显示,
-----BEGIN CERTIFICATE----- MIIG/TCCBeWgAwIBAgIDAOwZMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ [...] pSLqw/PmSLSmUNIr8yQnhy4= -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- WW91J3JlIGtpZGRpbmchISEKSSBkb24ndCBzaG93IHlvdSBvdXIgcHJpdmF0ZSBr [...] ZXkhISEhCkNyZWF0ZSB5b3VyIG93biA7KSA7KSA7KQo= -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIIHyTCCBbGgAwIBAgIBATANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW [...] xV/stleh -----END CERTIFICATE-----
注:“[…]”表示省略
1.4.3 PEM证书的加载方法
– Tigase包含5.1.0版本内的更高版本,无需外部库和修改“init.properties”文件即可支持PEM证书加载
– Tigase需要为每个虚拟域创建一个单独的PEM文件
– Tigase的PEM文件需要存放于Tigase安装目录的“certs”文件夹,例如“/usr/tigase/certs/”
– Tigase会自动加载“certs”文件夹的证书
1.5 Keytool和Keystore的创建与加载
1.5.1 创建自签名证书的范例
keytool -genkey -alias yourdomain -keystore rsa-keystore -keyalg RSA -sigalg MD5withRSA
注:
– 普通情况“yourdomain”用自有域名代替,如自有域为“cmdschool.org”,则“yourdomain”替换为“cmdschool.org”
– 如果有多个域名(虚拟域),如“cmdschool.org”或“tigase.cmdschool.org”,则可为每个虚拟域创建单独的证书
– 如需“yourdomain”代表多域,如“cmdschool.org”和“tigase.cmdschool.org”则“yourdomain”替换为“default”
1.5.2 创建第三方证书的范例
1.5.2.1 创建证书申请
keytool -certreq -alias yourdomain -keystore rsa-keystore
注:
– 普通情况“yourdomain”用自有域名代替,如自有域为“cmdschool.org”,则“yourdomain”替换为“cmdschool.org”
– 如果有多个域名(虚拟域),如“cmdschool.org”或“tigase.cmdschool.org”,则可为每个虚拟域创建单独的证书
– 如需“yourdomain”代表多域,如“cmdschool.org”和“tigase.cmdschool.org”则“yourdomain”替换为“default”
可使用以下命令验证生成的证书,
cat rsa-keystore
可见类似如下显示,
-----BEGIN NEW CERTIFICATE REQUEST----- [...] -----END NEW CERTIFICATE REQUEST-----
以上创建的证书文件用于向CA发起证书请求,如果你通过以下命令查看证书,
cat your-certificate.cer
一般返回的证书内容如下,
-----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE-----
1.5.2.2 导入CA的root证书
keytool -import -keystore rsa-keystore -file rootCA.cer
注:CA的root证书需要自行到CA的官方网站下载
1.5.2.3 导入CA颁发的证书
keytool -import -alias yourdomain -keystore rsa-keystore -file your-certificate.cer
注:
– 普通情况“yourdomain”用自有域名代替,如自有域为“cmdschool.org”,则“yourdomain”替换为“cmdschool.org”
– 如果有多个域名(虚拟域),如“cmdschool.org”或“tigase.cmdschool.org”,则可为每个虚拟域创建单独的证书
– 如需“yourdomain”代表多域,如“cmdschool.org”和“tigase.cmdschool.org”则“yourdomain”替换为“default”
1.5.3 Keystore证书的导入方法
官方并没有详细的方法步骤,此问题,尚待研究
2 PEM证书配置的最佳实践
2.1 准备环境
请按如下教程部署Tigase服务器端,
https://www.cmdschool.org/archives/2478
2.2 创建自签名证书
2.2.1 创建证书目录
mkdir ~/ca
2.2.2 创建私钥和请求证书
cd ~/ca openssl req -nodes -new -newkey rsa:2048 -keyout cmdschool.org.key -out cmdschool.org.csr
创建证书的向导如下,
[...] Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Guangdong Locality Name (eg, city) [Default City]:DG Organization Name (eg, company) [Default Company Ltd]:cmdschool Organizational Unit Name (eg, section) []:it Common Name (eg, your name or your server's hostname) []:cmdschool.org Email Address []:will@cmdschool.org Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
使用如下命令查看生成的证书文件,
cd ~/ca ls -l
可见如下显示,
total 8 -rw-r--r--. 1 root root 1054 Sep 24 11:21 cmdschool.org.csr -rw-r--r--. 1 root root 1704 Sep 24 11:21 cmdschool.org.key
2.2.3 手动创建自签名证书
cd ~/ca openssl x509 -req -days 365 -in cmdschool.org.csr -signkey cmdschool.org.key -out cmdschool.org.crt
2.3 配置Tigase的SSL/TLS证书
2.3.1 创建自签名PEM证书
cd ~/ca cat cmdschool.org.crt cmdschool.org.key > cmdschool.org.pem
2.3.2 备份自带的PEM证书
mkdir /backup cp -a /usr/tigase/certs/ /backup/
2.3.3 清理自带的PEM证书
rm -rf /usr/tigase/certs/*
2.3.4 部署SSL的自签名PEM证书
cd ~/ca cp cmdschool.org.pem /usr/tigase/certs/default.pem
2.3.5 部署TLS的自签名PEM证书
cd ~/ca cp cmdschool.org.pem /usr/tigase/certs/cmdschool.org.pem
2.3.6 重启服务使配置生效
/etc/init.d/tigased restart
2.4 测试Tigase的SSL/TLS证书
2.4.1 测试SSL证书
openssl s_client -connect cmdschool.org:5223 -CApath /etc/ssl/certs/
可见如下显示,
CONNECTED(00000003)
depth=0 C = CN, ST = Guangdong, L = DG, O = cmdschool, OU = it, CN = cmdschool.org, emailAddress = will@cmdschool.org
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CN, ST = Guangdong, L = DG, O = cmdschool, OU = it, CN = cmdschool.org, emailAddress = will@cmdschool.org
verify return:1
---
Certificate chain
0 s:/C=CN/ST=Guangdong/L=DG/O=cmdschool/OU=it/CN=cmdschool.org/emailAddress=will@cmdschool.org
i:/C=CN/ST=Guangdong/L=DG/O=cmdschool/OU=it/CN=cmdschool.org/emailAddress=will@cmdschool.org
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDkjCCAnoCCQCSFOsxCn4yezANBgkqhkiG9w0BAQUFADCBijELMAkGA1UEBhMC
Q04xEjAQBgNVBAgMCUd1YW5nZG9uZzELMAkGA1UEBwwCREcxEjAQBgNVBAoMCWNt
ZHNjaG9vbDELMAkGA1UECwwCaXQxFjAUBgNVBAMMDWNtZHNjaG9vbC5vcmcxITAf
BgkqhkiG9w0BCQEWEndpbGxAY21kc2Nob29sLm9yZzAeFw0xOTA5MjQxNjUyMjJa
Fw0yMDA5MjMxNjUyMjJaMIGKMQswCQYDVQQGEwJDTjESMBAGA1UECAwJR3Vhbmdk
b25nMQswCQYDVQQHDAJERzESMBAGA1UECgwJY21kc2Nob29sMQswCQYDVQQLDAJp
dDEWMBQGA1UEAwwNY21kc2Nob29sLm9yZzEhMB8GCSqGSIb3DQEJARYSd2lsbEBj
bWRzY2hvb2wub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+Mwg
rri79R6PCU0gnAHorYRKzneIXW8zzUmlv/Vh1QPMOX2/XDIueo7h2mf68+YP+hL1
xVU8ytOVjKoE+UOQBmcDsjPR1ZuDY0T9SR3yVOyx5G5ZABxpEisdHRO7aMdivvRd
OdHg6IqCtCN2U/ouvzubejOpGwT5Ij4W5rASxf2lIl7Q7lvgPaot/VHplqOXO0O5
4UemBfl5oLWP2njfv4qV1EblqjgEV5T96JjD+dh+b30IDGIVhHSZSsSe5Flg19Sd
rFCwvZVfhRLXt2UoUwJfXAyDOfL7epzGAhBKcVerohOaAXdHt4beB54Owc3nDPNE
ussHQP6X+Zdc2IAFfQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQAjwpsbK4yF07hM
FN7/MwxBNAbo9XQQL+yrsTt5yJe2khcWQGY/ceOoITdhz7YZf/w4HajZCtDB4d0v
RVn3apb+AOArf1z0v2zx1CGLUZlWdShcRjbnYrIHv2YYDKiupnAaw1roddNtXYiQ
vQwLO0sWD49pIUJp7V63cR1WRs9v8dAptr31rR27JKK36FlwtSo8bLeuOpZsYJex
sfVes4aEIr1I16Tjs72smlzSA30x5AgVaAZxkdCPZwTGf4qMMNEDX3OAcpA2Of/p
XR0Fpyp9mwEhUDdk1OwASXMkscN8c9cc5qG6hnNKUPWNqTIvFut66GfwtT7g7slV
CXiF9PyP
-----END CERTIFICATE-----
subject=/C=CN/ST=Guangdong/L=DG/O=cmdschool/OU=it/CN=cmdschool.org/emailAddress=will@cmdschool.org
issuer=/C=CN/ST=Guangdong/L=DG/O=cmdschool/OU=it/CN=cmdschool.org/emailAddress=will@cmdschool.org
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1620 bytes and written 463 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES128-SHA
Session-ID: 5D9DF5B7B384AB40349999D70C652056F459DEAB51B1560B3879EFA41D74CB45
Session-ID-ctx:
Master-Key: D8CD31892E6D1938A8B22BB7A1FF1ECC15101C7E3E0325445E8BC74D6FA2B9FAC426EFCEEC21A653B17779F0A7C2450E
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1570633143
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
如果见到如下提示,则证书没有正确配置,
verify error:num=19:self signed certificate in certificate chain verify return:0
2.4.2 测试TLS证书
openssl s_client -connect cmdschool.org:5222 -CApath /etc/ssl/certs/ -starttls xmpp
可见如下显示,
CONNECTED(00000003)
depth=0 C = CN, ST = Guangdong, L = DG, O = cmdschool, OU = it, CN = cmdschool.org, emailAddress = will@cmdschool.org
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CN, ST = Guangdong, L = DG, O = cmdschool, OU = it, CN = cmdschool.org, emailAddress = will@cmdschool.org
verify return:1
---
Certificate chain
0 s:/C=CN/ST=Guangdong/L=DG/O=cmdschool/OU=it/CN=cmdschool.org/emailAddress=will@cmdschool.org
i:/C=CN/ST=Guangdong/L=DG/O=cmdschool/OU=it/CN=cmdschool.org/emailAddress=will@cmdschool.org
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDkjCCAnoCCQCSFOsxCn4yezANBgkqhkiG9w0BAQUFADCBijELMAkGA1UEBhMC
Q04xEjAQBgNVBAgMCUd1YW5nZG9uZzELMAkGA1UEBwwCREcxEjAQBgNVBAoMCWNt
ZHNjaG9vbDELMAkGA1UECwwCaXQxFjAUBgNVBAMMDWNtZHNjaG9vbC5vcmcxITAf
BgkqhkiG9w0BCQEWEndpbGxAY21kc2Nob29sLm9yZzAeFw0xOTA5MjQxNjUyMjJa
Fw0yMDA5MjMxNjUyMjJaMIGKMQswCQYDVQQGEwJDTjESMBAGA1UECAwJR3Vhbmdk
b25nMQswCQYDVQQHDAJERzESMBAGA1UECgwJY21kc2Nob29sMQswCQYDVQQLDAJp
dDEWMBQGA1UEAwwNY21kc2Nob29sLm9yZzEhMB8GCSqGSIb3DQEJARYSd2lsbEBj
bWRzY2hvb2wub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+Mwg
rri79R6PCU0gnAHorYRKzneIXW8zzUmlv/Vh1QPMOX2/XDIueo7h2mf68+YP+hL1
xVU8ytOVjKoE+UOQBmcDsjPR1ZuDY0T9SR3yVOyx5G5ZABxpEisdHRO7aMdivvRd
OdHg6IqCtCN2U/ouvzubejOpGwT5Ij4W5rASxf2lIl7Q7lvgPaot/VHplqOXO0O5
4UemBfl5oLWP2njfv4qV1EblqjgEV5T96JjD+dh+b30IDGIVhHSZSsSe5Flg19Sd
rFCwvZVfhRLXt2UoUwJfXAyDOfL7epzGAhBKcVerohOaAXdHt4beB54Owc3nDPNE
ussHQP6X+Zdc2IAFfQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQAjwpsbK4yF07hM
FN7/MwxBNAbo9XQQL+yrsTt5yJe2khcWQGY/ceOoITdhz7YZf/w4HajZCtDB4d0v
RVn3apb+AOArf1z0v2zx1CGLUZlWdShcRjbnYrIHv2YYDKiupnAaw1roddNtXYiQ
vQwLO0sWD49pIUJp7V63cR1WRs9v8dAptr31rR27JKK36FlwtSo8bLeuOpZsYJex
sfVes4aEIr1I16Tjs72smlzSA30x5AgVaAZxkdCPZwTGf4qMMNEDX3OAcpA2Of/p
XR0Fpyp9mwEhUDdk1OwASXMkscN8c9cc5qG6hnNKUPWNqTIvFut66GfwtT7g7slV
CXiF9PyP
-----END CERTIFICATE-----
subject=/C=CN/ST=Guangdong/L=DG/O=cmdschool/OU=it/CN=cmdschool.org/emailAddress=will@cmdschool.org
issuer=/C=CN/ST=Guangdong/L=DG/O=cmdschool/OU=it/CN=cmdschool.org/emailAddress=will@cmdschool.org
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 2321 bytes and written 632 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES128-SHA
Session-ID: 5D9DF4BD546C9A508CA0F3047927AFFBEAE1A90347C78C85466EE5598DC6ADF1
Session-ID-ctx:
Master-Key: A2753F8E1D92C49BC3B7975AD54F149FF88F2E94FEC14BFBB5D79500B6EEDDD87EF34462E7705513E853DFFF5BCD4C0A
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1570632893
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
2.4.3 使用客户端测试
请按如下向导部署并使用客户端测试,
https://www.cmdschool.org/archives/2670
参阅文档
=================
配置Tigase的SSL证书
——————
https://docs.tigase.org/tigase-server/5.2.0/admin_guide/html/#_installing_loading_certificate_to_the_tigase_server
强制使用SSL协议
——————
https://wiki.xmpp.org/web/Securing_XMPP
配置Tigase的TLS证书
——————
http://www.jfcarter.net/~jimc/documents/xmpp-1307/xmpp-tigase-1802.html
KeyStore证书的加载方法
——————-
https://github.com/fanout/tigase-server/blob/master/debian/init.properties
没有评论