APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed



The Secure Sockets Layer (SSL) is what you are using when you use https instead of http for a web page. This is also referred to as TLS (Transport Layer Security), and you'll sometimes see newsgroup posts from people wondering what the difference is. Simply, TLS is the official name for the SSL standard.

What it's all about is secure transmission of data using public key authentication. There are two parts to SSL: verifying that you are talking to the server you want to be talking to, and then encrypting data sent between the two of you. The verification part is handled by the server having generated a certificate, which is actually just a public key that has been "signed" (which is encryption with a private key - see /Basics/gpg.html ).

The verification phase is the weakest part of SSL, for several reasons. First, the server's key pairs almost always have a blank passphrase, because otherwise you'd need to provide the passphrase every time the web server was restarted, which would be inconvenient and difficult for scripts. This makes the keys easier to steal in the event of some other server compromise. But more important is that in common usage, people pay very little attention to the security that this verification phase does offer, and will happily accept and ignore any error that might be trying to warn them that they may not in fact be talking to the server they think they are.

For example, I just set up a web server at a hosting site. The provider pre-configures the machine, initializing everything to default values, and puts an "Under Construction" page in the httpdocs directory. If I replace that with my content, I can access the site by IP or point a domain I own at it. If I then access that site with https instead of http, I'll get a warning from my browser saying something like:

You have attempted to establish a connection with "xyz.com".
However, the security certificate presented belongs to "plesk".
It is possible, though unlikely, that someone may be trying
to intercept your communication with this web site.

Unfortunately, it's the "unlikely" part that introduces the problem. Most people are just going to click the button that says "OK" or "Accept this certificate" and continue. If they really are talking to "xyz.com", that's fine. But if they are a victim of DNS poisoning, they may be connected to someone else entirely. Or it may be as simple as a typo: they thought they typed "paypal.com" but fat-fingered "payoal.co" instead. Or they were foolish enough to click on an email link that said it was going to PayPal or eBay or whatever.

You can use the "openssl" command to get all the gory details about site certificates. For example, you might do this:

# openssl s_client -host www.somewhere.com -port 443


depth=0 /C=US/ST=Virginia/L=Herndon/O=SWsoft, Inc./OU=Plesk/CN=plesk/emailAddress=info@plesk.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=Virginia/L=Herndon/O=SWsoft, Inc./OU=Plesk/CN=plesk/emailAddress=info@plesk.com
verify return:1
Certificate chain
 0 s:/C=US/ST=Virginia/L=Herndon/O=SWsoft, Inc./OU=Plesk/CN=plesk/emailAddress=info@plesk.com
   i:/C=US/ST=Virginia/L=Herndon/O=SWsoft, Inc./OU=Plesk/CN=plesk/emailAddress=info@plesk.com
Server certificate

(many lines deleted)

subject=/C=US/ST=Virginia/L=Herndon/O=SWsoft, Inc./OU=Plesk/CN=plesk/emailAddress=info@plesk.com
issuer=/C=US/ST=Virginia/L=Herndon/O=SWsoft, Inc./OU=Plesk/CN=plesk/emailAddress=info@plesk.com
No client certificate CA names sent
SSL handshake has read 1844 bytes and written 340 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 95B24DCEEE9BC8FBF7C646C5DBB3B9B9916AD9A8E68B5E07B0113EDB08EB71B6
    Master-Key: 070945EA7C92B7DCB4B71DA8BD90F0DCB6327802BE6E4F9CF877C7697D6EF006848869F18D63206D03088EF413AF3290
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1114087832
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
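
The two checks behind that browser warning (is the certificate trusted, and does it name the host you asked for) can be reproduced offline with openssl. This is an added example, not part of the original article: it builds a throwaway self-signed certificate with CN=plesk as constructed sample data, and the function names and the O= value are made up here.

```shell
#!/bin/sh
# Added example. Constructed input: a throwaway self-signed certificate with
# CN=plesk, imitating the hosting provider's default described above.

# Create the certificate and key in directory $1 (no passphrase, 1-day life).
make_default_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Hosting/CN=plesk" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Check 1: is the chain trusted? Prints the numeric verify error (18 for a
# self-signed certificate, as in the s_client output) or 0 on success.
verify_code() {
    code=$(openssl verify "$1" 2>&1 |
        sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1)
    echo "${code:-0}"
}

# Check 2: does the certificate name the host the user asked for?
names_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Both checks must pass before a client sends anything sensitive.
safe_to_use() {
    [ "$(verify_code "$1")" = "0" ] && names_host "$1" "$2"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_default_cert "$dir" || return 1
    echo "verify code: $(verify_code "$dir/cert.pem")"
    for host in plesk xyz.com; do
        if names_host "$dir/cert.pem" "$host"; then
            echo "$host: name matches"
        else
            echo "$host: name does NOT match"
        fi
    done
    safe_to_use "$dir/cert.pem" xyz.com || echo "xyz.com: do not proceed"
    rm -rf "$dir"
}

demo
```

Clicking "Accept this certificate" amounts to skipping both checks at once, which is why the name mismatch for xyz.com matters even if the self-signed error is expected.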

The openssl command is also what you'd use to generate keys and certificates.

Once the verification phase is done, SSL negotiates encryption between the two machines and transmits data securely from that point on.

Although openssl is probably the best known and most common implementation, there is also GnuTLS.



© Tony Lawrence
