HTTPS/TLS Encryption and Certificates: The Complete Guide (Part 2)


1. Certificate Chains in Detail

In practice, certificates are not issued directly by the root CA but through an intermediate CA.

[Diagram: certificate chain]
  Root CA certificate: self-signed; kept offline
    signs the Intermediate CA certificate: issues certificates online; signed by the root CA
      signs the Server certificate: deployed on the server; signed by the intermediate CA

[Sequence diagram: server and client; the client has pre-installed root CA certificates]
  Server → Client: sends the certificate chain (server certificate + intermediate CA certificate)
  Client, step 1, verify the server certificate: check its signature using the intermediate CA certificate; passes ✓
  Client, step 2, verify the intermediate CA certificate: check its signature using the root CA certificate; passes ✓
  Client: chain of trust complete, connection established

An analogy: a certificate chain is like a hierarchy of official appointments

  • Root CA = head of state (highest authority, appoints itself)
  • Intermediate CA = provincial governor (appointed by the head of state)
  • Server certificate = county magistrate (appointed by the governor)

You know the county magistrate but not the governor or the head of state?

No problem, trace upward: magistrate → governor → head of state, following the chain until you reach someone you do know

Why are intermediate CAs needed?

  • The root CA's private key must be kept offline (physically isolated)
  • An intermediate CA can issue certificates online
  • A root CA compromise = the whole trust system collapses; an intermediate CA compromise = only the certificates it issued are affected

2. Certificate Revocation

A certificate can become untrustworthy during its validity period (private key leaked, company closed down, etc.), so there must be a way to invalidate it before it expires.

2.1 CRL (Certificate Revocation List)

[Flowchart: CRL]
  CA maintains a revocation list → periodically publishes a CRL file → client downloads the CRL → checks whether the certificate is in the list
    in the list → reject the connection
    not in the list → continue verification

An analogy: a CRL is like a bank's list of reported-lost cards

The bank periodically sends the numbers of reported-lost cards to every branch; if you try to withdraw money with a lost card, the branch checks the list and knows the card cannot be used

Drawbacks: the list can be very large, and updates are not timely

2.2 OCSP (Online Certificate Status Protocol)

[Sequence diagram: client, server, OCSP server]
  Client → Server: request connection
  Server → Client: send certificate
  Client → OCSP server: query the certificate's status (in real time)
  OCSP server → Client: return status (good/revoked/unknown)
  Client: continue or reject

An analogy: OCSP is like phoning the bank's customer service

Instead of waiting for the lost-card list to arrive, you call directly and ask "can this card still be used?"

Advantage: real-time status

Drawbacks: one extra network request, and a privacy risk (the OCSP server learns which sites the client visits)

2.3 OCSP Stapling

[Sequence diagram: client, server, OCSP server]
  Server → OCSP server: periodically queries its own certificate's status
  OCSP server → Server: returns a signed OCSP response
  Server: caches the OCSP response
  Client → Server: request connection
  Server → Client: send certificate + OCSP response (together)
  Client: no separate OCSP query needed

An analogy: OCSP Stapling is like the courier checking for you

You don't look up the parcel's status yourself; the courier checks it regularly and tells you when delivering

Best practice: enable OCSP Stapling on the server; it gives both real-time status and good performance
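The chain verification of section 1 and the CRL check of section 2.1 in one program, as an added example (not code from the original article), built on Go's standard crypto/x509 with a constructed three-level test hierarchy; the CA names, serial numbers and the example.com hostname are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// PKI is a constructed test hierarchy (not a real CA); interKey is the "online" key that also signs the CRL.
type PKI struct {
	Root, Inter, Leaf *x509.Certificate
	interKey          *ecdsa.PrivateKey
}

// template: CA certs get the signer flags, the server cert gets a SAN for its hostname (short-lived fixture).
func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if !ca {
		t.DNSNames, t.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
	}
	return t
}

// issue signs t (carrying key's public half) with parentKey; the root passes itself as parent.
func issue(t, parent *x509.Certificate, key, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Build mirrors the chain diagram: root signs itself, root signs the intermediate, intermediate signs the server cert.
func Build() (*PKI, error) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTmpl := template(1, "Example Root CA", true)
	root, err := issue(rootTmpl, rootTmpl, rootKey, rootKey)
	if err != nil {
		return nil, err
	}
	inter, err := issue(template(2, "Example Intermediate CA", true), root, interKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := issue(template(3, "example.com", false), inter, leafKey, interKey)
	return &PKI{Root: root, Inter: inter, Leaf: leaf, interKey: interKey}, err
}

// IssueCRL plays the CA of section 2.1: the intermediate signs a list of revoked serials (constructed input).
func (p *PKI) IssueCRL(revoked ...int64) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, p.Inter, p.interKey)
}

// VerifyClient plays the browser: steps 1 and 2 of the sequence diagram (chain to the pre-installed
// root via the intermediate the server sent), then the CRL check, trusting the CRL only after its
// signature is verified against the leaf's issuer. Returns the chain length (3 = leaf+inter+root).
func VerifyClient(p *PKI, serverSentInter bool, crlDER []byte) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	if serverSentInter {
		inters.AddCert(p.Inter)
	}
	chains, err := p.Leaf.Verify(x509.VerifyOptions{DNSName: "example.com", Roots: roots, Intermediates: inters})
	if err != nil {
		return 0, err // "certificate signed by unknown authority" when the intermediate is missing
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return 0, err
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil { // chains[0][1] is the leaf's issuer
		return 0, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(p.Leaf.SerialNumber) == 0 {
			return 0, errors.New("certificate revoked")
		}
	}
	return len(chains[0]), nil
}
```

A production client additionally rejects a CRL whose NextUpdate has passed; with OCSP or a stapled response, the revocation lookup replaces the CRL download at the same point of the check.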

3. Certificate Transparency (CT)

CT (Certificate Transparency) is a monitoring mechanism that guards against forged certificates issued by a CA.

[Diagram: CT]
  Monitoring mechanism: public logs; anyone can monitor them; suspicious certificates can be reported
  CT workflow: CA issues a certificate → submits it to a CT log server → the log server returns a signed SCT → the certificate carries the SCT → the browser verifies the SCT

An analogy: CT is like a public notice board

Every ID card the public security bureau issues has to be posted on the notice board; since everyone can see it, nobody can secretly issue someone a fake ID

Purpose:

  • Every certificate issuance leaves a record
  • Anyone can monitor for suspicious certificates
  • A CA cannot secretly issue malicious certificates

4. HSTS(HTTP严格传输安全)

HSTS告诉浏览器:这个网站只能用HTTPS访问,不要用HTTP。
#mermaid-svg-IvnMHT09adOEqKyN{font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:16px;fill:#333;}@keyframes edge-animation-frame{from{stroke-dashoffset:0;}}@keyframes dash{to{stroke-dashoffset:0;}}#mermaid-svg-IvnMHT09adOEqKyN .edge-animation-slow{stroke-dasharray:9,5!important;stroke-dashoffset:900;animation:dash 50s linear infinite;stroke-linecap:round;}#mermaid-svg-IvnMHT09adOEqKyN .edge-animation-fast{stroke-dasharray:9,5!important;stroke-dashoffset:900;animation:dash 20s linear infinite;stroke-linecap:round;}#mermaid-svg-IvnMHT09adOEqKyN .error-icon{fill:#552222;}#mermaid-svg-IvnMHT09adOEqKyN .error-text{fill:#552222;stroke:#552222;}#mermaid-svg-IvnMHT09adOEqKyN .edge-thickness-normal{stroke-width:1px;}#mermaid-svg-IvnMHT09adOEqKyN .edge-thickness-thick{stroke-width:3.5px;}#mermaid-svg-IvnMHT09adOEqKyN .edge-pattern-solid{stroke-dasharray:0;}#mermaid-svg-IvnMHT09adOEqKyN .edge-thickness-invisible{stroke-width:0;fill:none;}#mermaid-svg-IvnMHT09adOEqKyN .edge-pattern-dashed{stroke-dasharray:3;}#mermaid-svg-IvnMHT09adOEqKyN .edge-pattern-dotted{stroke-dasharray:2;}#mermaid-svg-IvnMHT09adOEqKyN .marker{fill:#333333;stroke:#333333;}#mermaid-svg-IvnMHT09adOEqKyN .marker.cross{stroke:#333333;}#mermaid-svg-IvnMHT09adOEqKyN svg{font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:16px;}#mermaid-svg-IvnMHT09adOEqKyN p{margin:0;}#mermaid-svg-IvnMHT09adOEqKyN .label{font-family:"trebuchet ms",verdana,arial,sans-serif;color:#333;}#mermaid-svg-IvnMHT09adOEqKyN .cluster-label text{fill:#333;}#mermaid-svg-IvnMHT09adOEqKyN .cluster-label span{color:#333;}#mermaid-svg-IvnMHT09adOEqKyN .cluster-label span p{background-color:transparent;}#mermaid-svg-IvnMHT09adOEqKyN .label text,#mermaid-svg-IvnMHT09adOEqKyN span{fill:#333;color:#333;}#mermaid-svg-IvnMHT09adOEqKyN .node rect,#mermaid-svg-IvnMHT09adOEqKyN .node circle,#mermaid-svg-IvnMHT09adOEqKyN .node ellipse,#mermaid-svg-IvnMHT09adOEqKyN .node polygon,#mermaid-svg-IvnMHT09adOEqKyN .node 
path{fill:#ECECFF;stroke:#9370DB;stroke-width:1px;}#mermaid-svg-IvnMHT09adOEqKyN .rough-node .label text,#mermaid-svg-IvnMHT09adOEqKyN .node .label text,#mermaid-svg-IvnMHT09adOEqKyN .image-shape .label,#mermaid-svg-IvnMHT09adOEqKyN .icon-shape .label{text-anchor:middle;}#mermaid-svg-IvnMHT09adOEqKyN .node .katex path{fill:#000;stroke:#000;stroke-width:1px;}#mermaid-svg-IvnMHT09adOEqKyN .rough-node .label,#mermaid-svg-IvnMHT09adOEqKyN .node .label,#mermaid-svg-IvnMHT09adOEqKyN .image-shape .label,#mermaid-svg-IvnMHT09adOEqKyN .icon-shape .label{text-align:center;}#mermaid-svg-IvnMHT09adOEqKyN .node.clickable{cursor:pointer;}#mermaid-svg-IvnMHT09adOEqKyN .root .anchor path{fill:#333333!important;stroke-width:0;stroke:#333333;}#mermaid-svg-IvnMHT09adOEqKyN .arrowheadPath{fill:#333333;}#mermaid-svg-IvnMHT09adOEqKyN .edgePath .path{stroke:#333333;stroke-width:2.0px;}#mermaid-svg-IvnMHT09adOEqKyN .flowchart-link{stroke:#333333;fill:none;}#mermaid-svg-IvnMHT09adOEqKyN .edgeLabel{background-color:rgba(232,232,232, 0.8);text-align:center;}#mermaid-svg-IvnMHT09adOEqKyN .edgeLabel p{background-color:rgba(232,232,232, 0.8);}#mermaid-svg-IvnMHT09adOEqKyN .edgeLabel rect{opacity:0.5;background-color:rgba(232,232,232, 0.8);fill:rgba(232,232,232, 0.8);}#mermaid-svg-IvnMHT09adOEqKyN .labelBkg{background-color:rgba(232, 232, 232, 0.5);}#mermaid-svg-IvnMHT09adOEqKyN .cluster rect{fill:#ffffde;stroke:#aaaa33;stroke-width:1px;}#mermaid-svg-IvnMHT09adOEqKyN .cluster text{fill:#333;}#mermaid-svg-IvnMHT09adOEqKyN .cluster span{color:#333;}#mermaid-svg-IvnMHT09adOEqKyN div.mermaidTooltip{position:absolute;text-align:center;max-width:200px;padding:2px;font-family:"trebuchet ms",verdana,arial,sans-serif;font-size:12px;background:hsl(80, 100%, 96.2745098039%);border:1px solid #aaaa33;border-radius:2px;pointer-events:none;z-index:100;}#mermaid-svg-IvnMHT09adOEqKyN .flowchartTitleText{text-anchor:middle;font-size:18px;fill:#333;}#mermaid-svg-IvnMHT09adOEqKyN 
rect.text{fill:none;stroke-width:0;}#mermaid-svg-IvnMHT09adOEqKyN .icon-shape,#mermaid-svg-IvnMHT09adOEqKyN .image-shape{background-color:rgba(232,232,232, 0.8);text-align:center;}#mermaid-svg-IvnMHT09adOEqKyN .icon-shape p,#mermaid-svg-IvnMHT09adOEqKyN .image-shape p{background-color:rgba(232,232,232, 0.8);padding:2px;}#mermaid-svg-IvnMHT09adOEqKyN .icon-shape .label rect,#mermaid-svg-IvnMHT09adOEqKyN .image-shape .label rect{opacity:0.5;background-color:rgba(232,232,232, 0.8);fill:rgba(232,232,232, 0.8);}#mermaid-svg-IvnMHT09adOEqKyN .label-icon{display:inline-block;height:1em;overflow:visible;vertical-align:-0.125em;}#mermaid-svg-IvnMHT09adOEqKyN .node .label-icon path{fill:currentColor;stroke:revert;stroke-width:revert;}#mermaid-svg-IvnMHT09adOEqKyN :root{--mermaid-font-family:"trebuchet ms",verdana,arial,sans-serif;} 首次访问example.com
服务器返回HSTS头
浏览器记住:只能用HTTPS
下次访问时自动用HTTPS
即使输入http://也自动转https://

HSTS response header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Directive           Effect
max-age             How long (in seconds) the browser remembers the policy
includeSubDomains   Apply the policy to every subdomain as well
preload             Submit the domain to the browsers' built-in preload list

Analogy: HSTS = a doorman who only accepts VIP cards

After the first entry, the doorman remembers "from now on this person may only come in with the VIP card, never through the ordinary entrance".

Even if someone impersonates an ordinary visitor, the doorman does not let them in.

What it defends against:

  • SSL stripping attacks (downgrading HTTPS to HTTP)
  • Man-in-the-middle attacks
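The browser-side half of the flow above is easy to get subtly wrong (which host a policy covers, when it lapses, and that the header must never be honoured over plain HTTP). The following added example, not code from the original article or from any browser, models that logic in Python with a hypothetical HstsStore: it parses the header, records a policy with its expiry, applies includeSubDomains to child hosts, forgets the host on max-age=0, and ignores headers received over HTTP.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsPolicy:
    expires_at: float        # absolute time (seconds since the epoch) when the entry lapses
    include_subdomains: bool


def parse_hsts_header(value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security header value into its directives.

    Returns None when there is no valid max-age, which a browser treats as
    "no policy at all" rather than guessing a value.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        directives[name.strip().lower()] = raw.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


class HstsStore:
    """Hypothetical model of a browser's HSTS cache (not any real browser's code)."""

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock so expiry can be tested
        self._policies: Dict[str, HstsPolicy] = {}

    def observe_response(self, host: str, over_https: bool, header: Optional[str]) -> None:
        # The header is honoured only on a response that arrived over HTTPS
        # (RFC 6797); over plain HTTP an on-path attacker could plant or
        # clear policies, so it is ignored there.
        if not over_https or header is None:
            return
        parsed = parse_hsts_header(header)
        if parsed is None:
            return
        host = host.lower()
        if parsed["max_age"] == 0:
            self._policies.pop(host, None)    # max-age=0 means "forget this host"
            return
        self._policies[host] = HstsPolicy(
            expires_at=self._now() + parsed["max_age"],
            include_subdomains=parsed["include_subdomains"],
        )

    def must_upgrade(self, host: str) -> bool:
        """Should an http:// request to `host` be rewritten to https:// before it is sent?"""
        labels = host.lower().split(".")
        # Check the exact host first, then each parent domain in turn; a parent
        # only covers us if its policy carries includeSubDomains.
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= self._now():
                del self._policies[candidate]  # lapsed entries are dropped lazily
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False


if __name__ == "__main__":
    store = HstsStore()
    store.observe_response("example.com", over_https=True,
                           header="max-age=31536000; includeSubDomains; preload")
    print("api.example.com ->", "https" if store.must_upgrade("api.example.com") else "http")
```

The injectable clock is what lets you see the policy lapse after max-age seconds; real browsers also refuse the header when the HTTPS response had certificate errors, which this model does not track.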

5. Certificate Pinning

The client trusts only a specific certificate and rejects certificates issued by any other CA.

(Flowchart: certificate pinning)
  Client ships with the certificate hash built in → receives the server certificate → computes the certificate's hash → hash matches? → yes: trust the connection / no: reject the connection

Analogy: certificate pinning = an office door that only accepts one badge

No matter who you say you are, the door only recognises this specific badge.

Even if someone forges a badge that "looks the same", the reader tells it apart.

Use cases:

  • Banking apps (prevents impersonation of the bank's servers)
  • Internal enterprise applications
  • Services with high security requirements

Drawback: certificate rotation is hard, because the pinned certificate can only be changed by shipping a new version of the app.
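The rotation drawback is usually handled by pinning a set rather than a single hash: the client carries the current certificate's pin plus a backup pin for the certificate that will replace it. The following added example (not code from the article or from any real client library) shows that pin-set check in Python with a hypothetical PinSet class; the certificate bytes are constructed stand-ins, not real DER.

```python
import hashlib
from typing import Iterable, Sequence


def pin_of(cert_der: bytes) -> str:
    """The pin for a certificate: SHA-256 over its DER bytes, written as 'sha256/<hex>'."""
    return "sha256/" + hashlib.sha256(cert_der).hexdigest()


class PinSet:
    """Pins compiled into a client build (hypothetical helper, not a library API).

    A pin set must hold a backup pin next to the active one: the next
    certificate is issued so that it matches the backup pin, and the client
    keeps working across the rotation without a new release.
    """

    def __init__(self, pins: Iterable[str]):
        self._pins = frozenset(pins)
        if len(self._pins) < 2:
            raise ValueError("a pin set needs the active pin plus at least one backup pin")

    def verify_chain(self, chain_der: Sequence[bytes]) -> bool:
        """Accept the connection if any certificate in the presented chain matches a pin.

        The chain must already have passed ordinary X.509 validation (signature,
        validity period, hostname): pinning narrows trust, it does not replace it.
        """
        return any(pin_of(cert) in self._pins for cert in chain_der)


def rotation_scenario() -> dict:
    """Walk through a certificate rotation against a fixed pin set."""
    # Constructed stand-ins for DER-encoded certificates; real ones are ASN.1 DER.
    current_leaf = b"CONSTRUCTED-DER: CN=api.bank.example, serial=1"
    next_leaf = b"CONSTRUCTED-DER: CN=api.bank.example, serial=2"
    rogue_leaf = b"CONSTRUCTED-DER: CN=api.bank.example, issued by another CA"
    intermediate = b"CONSTRUCTED-DER: CN=Example Intermediate CA"

    # Shipped in the app: the current certificate's pin and the pin of the
    # certificate that will replace it (prepared ahead of time, kept offline).
    pins = PinSet([pin_of(current_leaf), pin_of(next_leaf)])
    return {
        "current_cert": pins.verify_chain([current_leaf, intermediate]),
        "after_rotation": pins.verify_chain([next_leaf, intermediate]),
        "other_ca_cert": pins.verify_chain([rogue_leaf, intermediate]),
    }


if __name__ == "__main__":
    print(rotation_scenario())
```

The article's model hashes the whole certificate; deployed pinning schemes more often hash the Subject Public Key Info, so that a certificate reissued for the same key pair keeps its pin. Either way, the backup pin is what turns "ship a new app" into "issue the next certificate".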

6. Mutual TLS Authentication (mTLS)

Ordinary HTTPS verifies only the server's identity ("I am the real server"). mTLS (mutual TLS) adds server-side verification of the client's identity on top of that, so both parties are authenticated.

(Sequence diagram: mTLS handshake between client and server)
  Phase 1: client verifies the server (same as ordinary HTTPS)
    Client → Server: Client Hello
    Server → Client: Server Hello + server certificate
    Client: verifies the server certificate
  Phase 2: server verifies the client (specific to mTLS)
    Server → Client: CertificateRequest (asks for the client certificate)
    Client → Server: client certificate (client.crt)
    Server: verifies the CA signature on the client certificate
  Both sides: negotiate keys and encrypt the communication (Finished / Finished)

Analogy: mTLS = a security gate at a border crossing

  • Ordinary HTTPS = entering a residential compound: the guard only checks that you have a visitor's pass (the server is verified)
  • mTLS = entering a laboratory: the guard confirms you are a legitimate employee, and you confirm the guard is genuine; both sides check each other's badges

Comparison with one-way TLS:

Dimension           One-way TLS (HTTPS)                   mTLS
Who holds a cert    Server only                           Server + client
Who verifies whom   Client verifies the server            Both verify each other
Client identity     Not guaranteed (anyone can connect)   Only holders of a client certificate can connect
Typical use         Public websites                       Internal service APIs, service meshes, zero-trust networks

Typical use cases:

  • Calls between microservices (service meshes such as Istio and Linkerd enable mTLS by default)
  • Enterprise API gateways (only applications holding a client certificate may call in)
  • Cloud phones / IoT devices connecting back to their control plane

Enabling mTLS in Nginx (example):

server {
    listen 443 ssl;
    server_name api.example.com;

    ssl_certificate     /etc/ssl/server.crt;
    ssl_certificate_key /etc/ssl/server.key;

    # Key part: require client certificate verification and name the trusted client CA
    ssl_client_certificate /etc/ssl/client-ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;
}

The client must present client.crt and client.key when it makes the request:

curl --cert client.crt --key client.key \
     --cacert ca.crt https://api.example.com
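ssl_verify_client on proves only that the presented certificate chains to client-ca.crt, which means "issued by our CA", not "allowed to call this API". The following added example (not from the article or from nginx) shows the same server-side settings with Python's ssl module and, more importantly, the authorization step an application runs after the handshake: it reads the names from the verified client certificate, rejects an expired one, and matches the identity against an allow list. SAMPLE_PEERCERT is a constructed dictionary in the shape ssl.SSLSocket.getpeercert() returns, and make_mtls_server_context / authorize_client are hypothetical helper names.

```python
import ssl
import time
from typing import Optional, Set, Tuple


def make_mtls_server_context(server_cert: str, server_key: str, client_ca: str) -> ssl.SSLContext:
    """Python-side equivalent of the nginx directives above (hypothetical helper)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=server_cert, keyfile=server_key)   # ssl_certificate / ssl_certificate_key
    ctx.load_verify_locations(cafile=client_ca)                     # ssl_client_certificate
    ctx.verify_mode = ssl.CERT_REQUIRED                             # ssl_verify_client on
    return ctx


def client_identity(peercert: dict) -> Set[str]:
    """Names the client certificate asserts: SAN DNS/URI entries plus the subject CN."""
    names = set()
    for kind, value in peercert.get("subjectAltName", ()):
        if kind in ("DNS", "URI"):
            names.add(value)
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value)
    return names


def authorize_client(peercert: Optional[dict], allowed: Set[str],
                     now: Optional[float] = None) -> Tuple[bool, str]:
    """Authorization step run after the handshake.

    The TLS layer (verify_mode=CERT_REQUIRED) has already proved that the
    certificate chains to our client CA. That only says "issued by us"; the
    application still has to decide *which* client this is and whether it may
    call this endpoint, and must not accept an expired certificate.
    """
    if not peercert:
        return False, "no client certificate presented"
    now = time.time() if now is None else now
    if now > ssl.cert_time_to_seconds(peercert["notAfter"]):
        return False, "client certificate expired"
    matched = client_identity(peercert) & allowed
    if not matched:
        return False, "certificate chains to our CA but identity is not on the allow list"
    return True, "authorized as " + sorted(matched)[0]


# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
# (not a real certificate).
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "billing-service"),),),
    "issuer": ((("commonName", "Example Internal Client CA"),),),
    "subjectAltName": (("DNS", "billing-service.internal"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
    "serialNumber": "0A",
}

ALLOWED_CALLERS = {"billing-service.internal", "inventory-service.internal"}

if __name__ == "__main__":
    print(authorize_client(SAMPLE_PEERCERT, ALLOWED_CALLERS))
```

In nginx the same authorization is normally done by passing $ssl_client_s_dn or $ssl_client_verify to the upstream application; whichever layer does it, a certificate that merely validates must not be treated as an authorization decision.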

7. Perfect Forward Secrecy (PFS)

Even if the server's private key leaks, past communications cannot be decrypted.

(Flowchart: without PFS)
  Server private key leaks → attacker decrypts all recorded traffic → every past conversation is exposed

(Flowchart: with PFS)
  Ephemeral key exchange → each session uses a different symmetric key → even if the private key leaks, the old session keys have already been destroyed → past traffic cannot be decrypted

Analogy: PFS = a one-time codebook burned after use

  • Without PFS: every conversation uses the same codebook; steal it once and all past traffic can be read
  • With PFS: each conversation burns its codebook afterwards; even stealing today's codebook does not unlock yesterday's messages

How it is achieved: ECDHE (Elliptic Curve Diffie-Hellman Ephemeral key exchange)

TLS 1.3 mandates PFS; in TLS 1.2 it is optional.
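To see why an ephemeral exchange survives a later key leak, it helps to run both designs side by side. The following added example (not from the article, and not a real TLS implementation) is a toy Python model: P and G are small Diffie-Hellman parameters chosen for readability rather than a real TLS group, an HMAC key stands in for the private key behind the server certificate, and static_handshake is a stand-in for RSA key transport. decrypt_after_leak then shows what a recorded transcript yields once that long-term key is obtained: the old session key for the static design, nothing for the ephemeral one, because the transcript holds only g^a, g^b and a signature.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Toy Diffie-Hellman parameters chosen so the arithmetic is readable; a real
# handshake uses a standard finite-field group or an elliptic curve (ECDHE).
P = (1 << 127) - 1        # the Mersenne prime 2^127 - 1 (toy modulus, NOT a real TLS group)
G = 5

# Stand-in for the private key behind the server's certificate. In a real
# handshake it is used to SIGN; here an HMAC key plays that role.
SERVER_LONG_TERM_KEY = secrets.token_bytes(32)


def kdf(shared_secret: int) -> bytes:
    """Derive the session key from the agreed Diffie-Hellman value."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def ephemeral_handshake(long_term_key: bytes) -> Tuple[Dict, bytes, bytes]:
    """(EC)DHE-style exchange: fresh secrets per session, the long-term key only signs."""
    a = secrets.randbelow(P - 2) + 2          # client's ephemeral secret
    b = secrets.randbelow(P - 2) + 2          # server's ephemeral secret
    A = pow(G, a, P)                          # client share, sent in the clear
    B = pow(G, b, P)                          # server share, sent in the clear
    # The server signs the shares with its long-term key so the client knows the
    # share came from the real server and not from a man in the middle.
    sig = hmac.new(long_term_key, f"{A}:{B}".encode(), "sha256").hexdigest()
    client_key = kdf(pow(B, a, P))
    server_key = kdf(pow(A, b, P))
    transcript = {"A": A, "B": B, "sig": sig}  # everything an eavesdropper can record
    # a and b are discarded when this function returns; nothing stored can
    # reproduce the shared secret later.
    return transcript, client_key, server_key


def static_handshake(long_term_key: bytes) -> Tuple[Dict, bytes, bytes]:
    """Stand-in for RSA key transport (no PFS): the client's premaster secret is
    protected with a key derived from the server's long-term key alone."""
    premaster = secrets.token_bytes(16)
    wrap_key = hashlib.sha256(long_term_key).digest()[:16]
    sealed = bytes(x ^ y for x, y in zip(premaster, wrap_key))
    session_key = hashlib.sha256(premaster).digest()
    return {"sealed_premaster": sealed}, session_key, session_key


def decrypt_after_leak(transcript: Dict, leaked_long_term_key: bytes) -> Optional[bytes]:
    """What a recorded transcript yields to someone who later obtains the long-term key."""
    if "sealed_premaster" in transcript:
        wrap_key = hashlib.sha256(leaked_long_term_key).digest()[:16]
        premaster = bytes(x ^ y for x, y in zip(transcript["sealed_premaster"], wrap_key))
        return hashlib.sha256(premaster).digest()   # the old session key falls out directly
    # Ephemeral transcript: only g^a, g^b and a signature. The leaked key could
    # sign shares in future handshakes, but it contributes nothing towards a or
    # b, so the old session key cannot be reconstructed from the record.
    return None


if __name__ == "__main__":
    for name, handshake in (("ephemeral", ephemeral_handshake), ("static", static_handshake)):
        transcript, client_key, _ = handshake(SERVER_LONG_TERM_KEY)
        recovered = decrypt_after_leak(transcript, SERVER_LONG_TERM_KEY)
        print(name, "session key recovered after leak:", recovered == client_key)
```

This is why the recommendation is ECDHE suites in TLS 1.2 (the server's certificate key signs the exchange instead of encrypting the premaster) and why TLS 1.3 dropped RSA key transport altogether.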

8. Common TLS Attacks

8.1 BEAST (Browser Exploit Against SSL/TLS)

Item      Description
Method    Exploits a weakness in TLS 1.0's CBC mode
Impact    Can steal cookies and other sensitive data
Fix       Upgrade to TLS 1.2+ and use AEAD cipher suites

8.2 POODLE (downgrade attack)

Item      Description
Method    Forces the browser to fall back to SSL 3.0
Impact    Can steal encrypted data
Fix       Disable SSL 3.0; allow only TLS 1.2+

8.3 Heartbleed

Item      Description
Method    A buffer overflow vulnerability in OpenSSL
Impact    Can read sensitive data from server memory (private keys, passwords)
Fix       Upgrade the OpenSSL version

8.4 Downgrade attacks

Item      Description
Method    A man-in-the-middle tampers with handshake messages to force weak encryption
Impact    The connection ends up using a cipher that can be broken
Fix       Accept only strong cipher suites on the server; enable HSTS

Security recommendations:

  • Always use TLS 1.2+
  • Disable SSL 2.0/3.0 and TLS 1.0/1.1
  • Use only AEAD cipher suites (AES-GCM, ChaCha20)
  • Keep server software up to date
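The first three recommendations translate into two settings on a server context: a minimum protocol version and a cipher-suite string. The following added example (not from the article) applies them with Python's ssl module and includes an audit_context function that checks any context against the same rules, so a lax configuration can be compared with the hardened one; hardened_server_context, lax_server_context and audit_context are hypothetical helper names, and the certificate is left for the caller to load so the policy can be inspected without key material.

```python
import ssl
from typing import Dict, List


def hardened_server_context() -> ssl.SSLContext:
    """A server context that applies the recommendations above (hypothetical helper).

    Certificate and key are loaded by the caller with ctx.load_cert_chain(...)
    so the policy can be inspected without any files present.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Rules 1 and 2: refuse SSL 3.0, TLS 1.0 and TLS 1.1 outright.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Rule 3, for TLS 1.2: only ECDHE (forward secrecy) with AEAD ciphers.
    # TLS 1.3 suites are AEAD by design and are not affected by this string.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def lax_server_context() -> ssl.SSLContext:
    """The library's DEFAULT cipher list with no further policy, kept for comparison."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("DEFAULT")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> Dict:
    """Check a context against the recommendations and list the suites that fail."""
    weak: List[str] = []
    for suite in ctx.get_ciphers():
        name = suite["name"]
        tls13 = name.startswith("TLS_")              # TLS 1.3 names: TLS_AES_..., TLS_CHACHA20_...
        forward_secret = tls13 or name.startswith(("ECDHE-", "DHE-"))
        if not suite["aead"] or not forward_secret:
            weak.append(name)
    return {
        "min_version_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "weak_ciphers": weak,
    }


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_server_context()), ("lax", lax_server_context())):
        print(label, audit_context(ctx))
```

Running the audit against the lax context lists the RSA-key-transport and CBC suites that DEFAULT still enables, which is exactly the set a downgrade attack would aim for; the fourth recommendation (keeping the library current) has no setting and is a matter of patching.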