
How does Puppet HTTPS communication work?

I am trying to understand the HTTPS communication between Puppet Master and Puppet nodes. I understand that a common ca.pem, a server.pem, and private and public keys for the server will be created. The same will be created on the node side, and on the master we have to trust the node's certificate in order to make a secure connection.

But after this, while communicating, which keys will be used?

[image: SSL handshake diagram]

Source: How does SSL really work?

If anyone can explain by comparing it with the above diagram, that would be great. Thanks in advance.

The diagram you present describes the situation in which only one side identifies itself to the other via an SSL certificate. This is very common on the web, but it is insufficient for Puppet.

With a Puppet agent / master setup, not only must the master prove its identity to agents, but the agents must also prove their identities to the master. This is an example of an arrangement sometimes called "mutual authentication". Each side does this by presenting to the other an SSL certificate that the other is prepared to trust, on account of that certificate being signed by a trusted authority. This additional exchange looks like your diagram's steps 2 and 3, but running in the opposite direction.

Most commonly in Puppet, the master and agents all rely on and trust a private CA run by the master, but they may instead rely on an external CA. Wherever they reside and whoever operates them, CAs are identified by their own certificates. These are involved in determining whether other certificates are trusted, but not in encrypting the data exchanged by the communicating parties. Your diagram does not cover obtaining a certificate, and it summarizes all aspects of whether a given certificate is trusted as "3. Browser validates".

Having established that agent and master each know and trust the other, securing data transmission over the connection proceeds in just the same way in a mutual-authentication system as it does in a server-authentication system. Data passing in both directions (not shown in your diagram) is encrypted with the negotiated symmetric cipher and key.
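The arrangement the answer describes, as an added example that is not part of the original answer and is not Puppet's own code: a private CA signs one certificate for the master and one for the agent, each side's TLS context trusts only that CA, and the master's side sets verify_mode = CERT_REQUIRED so that the agent must also present a certificate (the answer's "steps 2 and 3, but in the opposite direction"). The host names puppet.example.com and agent01.example.com, the CA names, the use of EC keys, and the "catalog for ..." message are assumptions chosen for illustration. Certificate generation needs the third-party `cryptography` package; the handshake itself uses only the standard-library ssl module over loopback. Besides the successful mutual handshake it runs three failure cases: an agent with no certificate, an agent whose certificate comes from a CA the master does not trust, and a master whose certificate comes from a CA the agent does not trust.

```python
# Added example (not Puppet's own code): mutual TLS in the arrangement the answer describes.
# One private CA signs both the master's and the agent's certificates; each side trusts only
# that CA and requires the other to present a certificate. Needs the `cryptography` package.
# The host names, CA names and EC key choice below are assumptions for illustration.
import datetime
import socket
import ssl
import tempfile
import threading
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

MASTER = "puppet.example.com"   # assumed master host name
AGENT = "agent01.example.com"   # assumed agent certname

def _builder(cn, issuer_name, public_key):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(issuer_name).public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=365)))


def make_ca(cn="Puppet CA"):
    """Self-signed CA. Its key only signs certificates; it never encrypts traffic."""
    key = ec.generate_private_key(ec.SECP256R1())   # EC chosen for speed in this demo
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (_builder(cn, name, key.public_key())
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue(ca_key, ca_cert, cn, server_auth):  # certificate for a master (server_auth) or an agent
    key = ec.generate_private_key(ec.SECP256R1())
    eku = ExtendedKeyUsageOID.SERVER_AUTH if server_auth else ExtendedKeyUsageOID.CLIENT_AUTH
    cert = (_builder(cn, ca_cert.subject, key.public_key())
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.ExtendedKeyUsage([eku]), critical=False)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(cn)]), critical=False)
            .sign(ca_key, hashes.SHA256()))   # signed by the CA key, not self-signed
    return key, cert


def tls_context(own_key, own_cert, trusted_ca, server_side):  # presents own_cert, trusts ONLY trusted_ca
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose, cadata=trusted_ca.public_bytes(serialization.Encoding.PEM).decode())
    ctx.verify_mode = ssl.CERT_REQUIRED   # on the server side this is what demands an agent certificate
    if own_cert is not None:   # a party with no certificate of its own skips this
        with tempfile.NamedTemporaryFile("wb", suffix=".pem", delete=False) as f:
            f.write(own_cert.public_bytes(serialization.Encoding.PEM) + own_key.private_bytes(
                serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption()))
        ctx.load_cert_chain(f.name)
    return ctx


def connect(master_ctx, agent_ctx, master_hostname=MASTER):  # one TLS connection over loopback
    result = {"ok": False}
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0)); listener.listen(1); listener.settimeout(5)

    def master():
        raw = listener.accept()[0]
        try:
            with master_ctx.wrap_socket(raw, server_side=True) as tls:
                # Reached only if the agent presented a certificate chaining to the trusted CA.
                subject = dict(attr[0] for attr in tls.getpeercert()["subject"])
                result["agent_cn"] = subject["commonName"]
                tls.sendall(b"catalog for " + subject["commonName"].encode())
        except OSError as e:   # ssl.SSLError is a subclass of OSError
            result.setdefault("error", f"master: {e}")

    thread = threading.Thread(target=master); thread.start()
    try:
        raw = socket.create_connection(listener.getsockname(), timeout=5)
        with agent_ctx.wrap_socket(raw, server_hostname=master_hostname) as tls:
            result["cipher"] = tls.cipher()[0]   # negotiated symmetric suite; encrypts both directions
            result["ok"] = tls.recv(1024).startswith(b"catalog for ")
    except OSError as e:
        result.setdefault("error", f"agent: {e}")
    finally:
        thread.join(); listener.close()
    return result


def demo():
    ca_key, ca_cert = make_ca()
    master_ctx = tls_context(*issue(ca_key, ca_cert, MASTER, True), ca_cert, True)
    agent_ctx = tls_context(*issue(ca_key, ca_cert, AGENT, False), ca_cert, False)
    other_key, other_ca = make_ca("Some other CA")   # a CA neither side trusts
    return {
        "mutual": connect(master_ctx, agent_ctx),
        "agent_without_cert": connect(master_ctx, tls_context(None, None, ca_cert, False)),
        "agent_from_other_ca": connect(master_ctx, tls_context(*issue(other_key, other_ca, AGENT, False), ca_cert, False)),
        "master_from_other_ca": connect(tls_context(*issue(other_key, other_ca, MASTER, True), ca_cert, True), agent_ctx),
    }
```

`demo()` returns one result per case. Only the mutual case comes back with ok=True, the agent's certname as seen by the master, and a negotiated suite such as TLS_AES_256_GCM_SHA384: the CA certificates decided whether each peer was trusted, and a symmetric cipher then protects the data, which is the answer's last point. The three failing cases each record an error from the side that refused the peer. One check the answer does not mention but the code relies on: the agent also verifies that the master's name (server_hostname) matches the certificate's SubjectAlternativeName, so a valid certificate for the wrong host is still rejected.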

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you repost, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM