{"id":398,"date":"2010-03-16T17:24:20","date_gmt":"2010-03-16T09:24:20","guid":{"rendered":"http:\/\/blog.nuface.tw\/?p=398"},"modified":"2010-03-16T17:26:18","modified_gmt":"2010-03-16T09:26:18","slug":"%e5%90%84%e9%a0%85%e7%b6%b2%e8%b7%af%e6%9c%8d%e5%8b%99-ssl-%e6%87%89%e7%94%a8","status":"publish","type":"post","link":"https:\/\/blog.nuface.tw\/?p=398","title":{"rendered":"\u5404\u9805\u7db2\u8def\u670d\u52d9 + SSL \u61c9\u7528"},"content":{"rendered":"

\u81ea\u5f9e\u4e0a\u6b21\u5efa\u7f6e\u5b8c\u6210 X.509 SSL \u6191\u8b49\u5f8c\uff0c\u63a5\u8457\u5c31\u662f\u628a\u9019\u500b\u6191\u8b49\u61c9\u7528\u5728\uff0c\u5c0f\u745e\u516c\u53f8\u7684\u5404\u9805\u7db2\u8def\u670d\u52d9\u4e86\u3002<\/p>\n

\u9019\u4e9b\u7db2\u8def\u670d\u52d9\u57fa\u672c\u4e0a\u5305\u542b\u4e0b\u5217\u5e7e\u9805\uff1aHTTP \/ SMTP \/ FTP \/ IMAP \/ POP3
\n\u5de5\u7a0b\u5f88\u8017\u5927\u55ce\uff1f\u5176\u5be6\u9084\u597d\u53ea\u662f\u628a\u8a2d\u5b9a\u503c\u52a0\u4e0a\u539f\u672c\u7684config \u6a94\u4e2d\u800c\u5df2\uff0e\uff0e\uff0e
\n
\n\"easy\"<\/p>\n

\u5df2\u7d93\u5b8c\u6210\u7684\u4f5c\u696d
\n\u5982\u4f55\u88fd\u4f5c SSL X.509\u6191\u8b49<\/a><\/p>\n

\u6240\u4ee5\u6211\u5011\u624b\u4e0a\u6709
\nCA KEY<\/p>\n

\/etc\/ssl\/certs\/nuface.ca.crt.pem (\u516c\u9470)
\n\/etc\/ssl\/private\/nuface.ca.key.pem (\u79c1\u9470)<\/p><\/blockquote>\n

blog.nuface.tw \u7684SSL\u6191\u8b49<\/p>\n

\/etc\/ssl\/certs\/blog.nuface.crt.pem (\u516c\u9470)
\n\/etc\/ssl\/private\/blog.nuface.key.pem (\u79c1\u9470)<\/p><\/blockquote>\n

HTTPS<\/strong><\/p>\n

\u9650\u5b9a\u67d0\u4e00\u7279\u5b9a\u76ee\u9304\u4e00\u5b9a\u8981\u4f7f\u7528HTTPS \u4f86\u505a\u52a0\u5bc6\u9023\u7dda\uff0c\u901a\u5e38\u662f\u6709\u6a5f\u5bc6\u8cc7\u6599\u8981\u505a\u8f38\u5165\uff0c\u6216Server \u8f38\u51fa\u654f\u611f\u8cc7\u6599\uff0c\u53ef\u4ee5\u4f7f\u7528SSL\u4f86\u505a\u52a0\u5bc6\uff01<\/p>\n

OS: CentOS 5.4 2.6.18-164.11.1.el5xen
\nApache : 2.2<\/p>\n

\u4fee\u6539 httpd.conf \u8a2d\u5b9a\u6a94
\n\u5728\u8981\u505aSSL \u7684\u76ee\u9304\u4e0b\u52a0\u5165 SSLRequireSSL<\/p>\n

\uff1cDirectory \"\/var\/www\/cgi-bin\"\uff1e
\n\u3000\u3000SSLRequireSSL
\n\u3000\u3000AllowOverride None
\n\u3000\u3000Options None
\n\u3000\u3000Order allow,deny
\n\u3000\u3000Allow from all
\n\uff1c\/Directory\uff1e
\n<\/code><\/p><\/blockquote>\n

\u63a5\u8457\u4fee\u6539 ssl.conf<\/p>\n

\nvi \/etc\/httpd\/conf.d\/ssl.conf
\n# \u4fee\u6539
\nSSLCertificateFile \/etc\/pki\/tls\/certs\/localhost.crt
\nSSLCertificateKeyFile \/etc\/pki\/tls\/private\/localhost.key
\n\u70ba
\nSSLCertificateFile \/etc\/ssl\/certs\/blog.nuface.crt.pem
\nSSLCertificateKeyFile \/etc\/ssl\/private\/blog.nuface.key.pem\n<\/p><\/blockquote>\n

\u63a5\u8457\u91cd\u555f httpd \u5373\u53ef<\/p>\n

service httpd restart<\/p><\/blockquote>\n

\u57fa\u672c\u4e0a\uff0c\u4e00\u500b\u7ad9\u53ea\u53ef\u4ee5\u6709\u4e00\u500bSSL \u7684\u7ad9\u53f0\uff0c\u9664\u975e\u4f7f\u7528\u4e0d\u540c\u7684port \u53bb\u505a\u5340\u9694\u624d\u6709\u8fa6\u6cd5\uff0c\u4e00\u500bIP\u4e0a\u8dd1\u591a\u500bSSL\u3002<\/p>\n

SMTPS<\/strong><\/p>\n

\u9650\u5b9a\u4f7f\u7528\u8005\u5728\u5bc4\u4fe1\u6642\u8981\u505aSMTP \u8a8d\u8b49\u6642\uff0c \u4f7f\u7528 SSL \u505a\u52a0\u5bc6\u5e33\u865f\u5bc6\u78bc\u8cc7\u6599\u3002<\/p>\n

OS: CentOS 5.4 2.6.18-164.11.1.el5xen
\nPostfix: 2.3.3 <\/p>\n

\u70ba postfix \u7684smtp \u52a0\u5165 tls \u901a\u8a0a
\nvi \/etc\/postfix\/main.cf
\n# \u627e\u5230 TLS parameters \u7684 section \uff0c\u5982\u679c\u6c92\u6709\uff0c\u81ea\u884c\u52a0\u4e0a
\n# \u5c07mark #\u53bb\u9664 , \u540c\u6642\u4fee\u6539 cert \/ \u53ca key file \u7684\u4f4d\u7f6e
\nsmtpd_use_tls = yes
\nsmtpd_tls_loglevel = 2
\nsmtpd_tls_cert_file = \/etc\/ssl\/certs\/blog.nuface.crt.pem
\nsmtpd_tls_key_file = \/etc\/ssl\/private\/blog.nuface.key.pem
\nsmtpd_tls_auth_only = no
\nsmtpd_tls_received_header = yes\n<\/p><\/blockquote>\n

\u89e3\u6c7a\u8a0e\u4eba\u53ad\u7684 Outlook 2003 \/ Outlook express \u767b\u5165\u8a8d\u8b49\u554f\u984c\uff0c\u7981\u6b62Outlook \u4f7f\u7528 PAINT \u53caLOGIN\u65b9\u5f0f\u767b\u5165<\/p>\n

vi \/etc\/postfix\/main.cf
\n# SASL paramters
\nsmtpd_sasl_auth_enable = yes
\n#smtpd_sasl_security_options = noanonymous # mark \u6389\u9019\u884c, \u6539\u70ba\u4e0b\u9762\u90a3\u884c
\nsmtpd_sasl_security_options = noplaintext
\nsmtpd_sasl_local_domain =
\nbroken_sasl_auth_clients = yes\n<\/p><\/blockquote>\n

\u91cd\u555f postfix\u5373\u53ef<\/p>\n

service postfix restart<\/p><\/blockquote>\n

\u4ee5\u5f8c\u4f7f\u7528 \u90f5\u4ef6\u8edf\u9ad4\u6642\uff0c\u5373\u53ef\u6307\u5b9a\u8aaa\u6211\u8981\u7528SMTPS<\/p>\n

\"SMTPS<\/p>\n

\"SMTPS<\/p>\n

\"SMTPS<\/p>\n

FTPS<\/strong><\/p>\n

\u5728FTP \u901a\u8a0a\u6642\uff0c\u8a8d\u8b49\u8cc7\u6599\u53ca\u50b3\u8f38\u8cc7\u6599\u505aSSL \u52a0\u5bc6<\/p>\n

OS: CentOS 5.4 2.6.18-164.11.1.el5xen
\nProftpd: 1.3.2b<\/p>\n

\u8a2d\u5b9a ftp \u4f7f\u7528tls \u901a\u8a0a
\nvi \/etc\/proftpd.cf
\n# \u627e\u5230 SSL via TLS \u7684 section
\n# \u5728\u4e0b\u9762\u76f4\u63a5\u5beb\u5165\u8a2d\u5b9a\u6a94
\n\uff1cIfModule mod_tls.c\uff1e
\n\u3000TLSEngine on \u3000
\n\u3000TLSLog \/var\/log\/proftpd\/ftp_ssl.log
\n\u3000TLSProtocol SSLv23
\n\u3000TLSOptions NoCertRequest
\n\u3000TLSRequired Off
\n\u3000TLSRSACertificateFile \/etc\/ssl\/certs\/blog.nuface.crt.pem
\n\u3000TLSRSACertificateKeyFile \/etc\/ssl\/private\/blog.nuface.key.pem
\n\u3000TLSCACertificateFile \/etc\/ssl\/certs\/nuface.ca.crt.pem
\n\u3000TLSVerifyClient off
\n\uff1c\/IfModule\uff1e\n<\/p><\/blockquote>\n

\u91cd\u555f proftpd \u5373\u53ef<\/p>\n

service proftpd restart<\/p><\/blockquote>\n

\u4f7f\u7528FTP client \u8edf\u9ad4\u6642\uff0c\u5373\u53ef\u6307\u5b9a\u4f7f\u7528TLS \/ SSL \u52a0\u5bc6\u9023\u7dda\uff01<\/p>\n

\"FTPS<\/p>\n

\"FTPS<\/p>\n

IMAPS<\/strong><\/p>\n

\u5728\u90f5\u4ef6\u4f3a\u670d\u5668\u6709\u63d0\u4f9bIMAP\u6642\uff0c\u70ba\u4f7f\u7528\u8005\u8207Server \u9593\u505aSSL \u52a0\u5bc6\uff01<\/p>\n

OS: CentOS 5.4 2.6.18-164.11.1.el5xen
\nCourier-imap: 4.7.0
\nOpenssl-perl: 0.9.8e<\/p>\n

\u5148 Rehash certs file<\/p>\n

cd \/etc\/ssl\/certs
\ncat blog.nuface.crt.pem ..\/private\/blog.nuface.key.pem > courier.pem
\ncat nuface.ca.crt.pem ..\/private\/nuface.ca.key.pem > courier.ca.pem
\nc_rehash\n<\/p><\/blockquote>\n

\u4fee\u6539 imapd-ss \u8a2d\u5b9a<\/p>\n

vi \/usr\/lib\/courier-imap\/etc\/imapd-ssl
\n#TLS_CERTFILE=\/usr\/lib\/courier-imap\/share\/imapd.pem
\n# \u6539\u70ba
\nTLS_CERTFILE=\/etc\/ssl\/certs\/courier.pem
\n# TLS_TRUSTCERTS=\/etc\/pki\/tls\/cert.pem
\n# \u6539\u70ba
\nTLS_TRUSTCERTS=\/etc\/ssl\/certs\n<\/p><\/blockquote>\n

\u91cd\u555fIMAP \u5373\u53ef<\/p>\n

service courier-imap restart<\/p><\/blockquote>\n

\u4ee5\u5f8c\u4f7f\u7528IMAP \u6642\uff0c\u5373\u53ef\u4f7f\u7528SSL \u505a\u52a0\u5bc6\u9023\u7dda\uff01<\/p>\n

\"IMAPS<\/p>\n

\"IMAPS<\/p>\n

\"IMAPS<\/p>\n

POP3S<\/strong><\/p>\n

\u7576\u90f5\u4ef6\u4f3a\u670d\u5668\u63d0\u4f9bPOP3\u6642\uff0c\u63d0\u4f9b\u4f7f\u7528\u8005\u8207Server \u9593\u7684SSL\u52a0\u5bc6\u9023\u7dda\uff01<\/p>\n

OS: CentOS 5.4 2.6.18-164.11.1.el5xen
\nCourier-imap: 4.7.0
\nOpenssl-perl: 0.9.8e<\/p>\n

\u4fee\u6539 courier-pop3-ssl\u6191\u8b49\u6a94<\/p>\n

vi \/usr\/lib\/courier-imap\/etc\/pop3d-ssl
\n#TLS_CERTFILE=\/usr\/lib\/courier-imap\/share\/pop3d.pem
\n# \u6539\u70ba
\nTLS_CERTFILE=\/etc\/ssl\/certs\/courier.pem
\n# TLS_TRUSTCERTS=\/etc\/pki\/tls\/cert.pem
\n# \u6539\u70ba
\nTLS_TRUSTCERTS=\/etc\/ssl\/certs\n<\/p><\/blockquote>\n

\u91cd\u555fIMAP \u5373\u53ef<\/p>\n

service courier-imap restart<\/p><\/blockquote>\n

\u4ee5\u5f8c\u4f7f\u7528POP3 \u6642\uff0c\u5373\u53ef\u4f7f\u7528SSL \u505a\u52a0\u5bc6\u9023\u7dda\uff01<\/p>\n

\"POP3s<\/p>\n

\"POP3s<\/p>\n

\"POP3s<\/p>\n

\"POP3s<\/p>\n

\"POP3s<\/p>\n

\"POP3s<\/p>\n

\u9019\u6a23\u5c31\u628a\u5e38\u7528\u7684\u7db2\u8def\u670d\u52d9\uff0c\u505a\u4e86SSL \u52a0\u5bc6\u56c9\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"

\u81ea\u5f9e\u4e0a\u6b21\u5efa\u7f6e\u5b8c\u6210 X.509 SSL \u6191\u8b49\u5f8c\uff0c\u63a5\u8457\u5c31\u662f\u628a\u9019\u500b\u6191\u8b49\u61c9\u7528\u5728\uff0c\u5c0f\u745e\u516c\u53f8\u7684\u5404\u9805\u7db2\u8def\u670d\u52d9\u4e86\u3002 \u9019\u4e9b\u7db2\u8def\u670d […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[23,24],"tags":[41,39,42,43,40,38],"class_list":["post-398","post","type-post","status-publish","format-standard","hentry","category-mistech","category-mistech-net","tag-ftps","tag-https","tag-imaps","tag-pop3s","tag-smtps","tag-ssl"],"_links":{"self":[{"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=\/wp\/v2\/posts\/398","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=398"}],"version-history":[{"count":77,"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=\/wp\/v2\/posts\/398\/revisions"}],"predecessor-version":[{"id":496,"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=\/wp\/v2\/posts\/398\/revisions\/496"}],"wp:attachment":[{"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=398"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=398"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=398"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}