APLawrence - Information and Resources for Unix and Linux Systems, Bloggers and the self-employed



SSL, TLS, openssl

2005/04/30



The Secure Sockets Layer (SSL) is what you are using when you use https instead of http for a web page. This is also referred to as TLS (Transport Layer Security) and you'll sometimes see newsgroup posts from people wondering what the difference is. Simply put, TLS is the official name for the SSL standard.

What it's all about is secure transmission of data using public key authentication. There are two parts to SSL: verifying that you are talking to the server you want to be talking to, and then encrypting data sent between the two of you. The verification part is handled by the server having generated a certificate, which is actually just a public key that has been "signed" (which is encryption with a private key - see /Basics/gpg.html ).

The verification phase is the weakest part of SSL, for several reasons. First, the server's key pairs almost always have a blank passphrase, because otherwise you'd need to provide the passphrase every time the web server was restarted, which would be inconvenient and difficult for scripts. This makes the keys easier to steal in the event of some other server compromise. But more important is that in common usage, people pay very little attention to the security that this verification phase does offer, and will happily accept and ignore any error that might be trying to warn them that they may not in fact be talking to the server they think they are.

For example, I just set up a web server at a hosting site. The provider pre-configures the machine, initializing everything to default values, and puts an "Under Construction" page in the httpdocs directory. If I replace that with my content, I can access the site by IP or point a domain I own at it. If I then access that site with https instead of http, I'll get a warning from my browser saying something like:

You have attempted to establish a connection with "xyz.com".
However, the security certificate presented belongs to "plesk".
It is possible, though unlikely, that someone may be trying
to intercept your communication with this web site.
 

Unfortunately, it's the "unlikely" part that introduces the problem. Most people are just going to click the button that says "OK" or "Accept this certificate" and continue. If they really are talking to "xyz.com", that's fine. But if they are a victim of DNS poisoning, they may be connected to someone else entirely. Or it may be as simple as a typo: they thought they typed "paypal.com" but fat-fingered "payoal.co" instead. Or they were foolish enough to click on an email link that said it was going to PayPal or eBay or whatever.

You can use the "openssl" command to get all the gory details about site certificates. For example, you might do this:

# openssl s_client -host www.somewhere.com -port 443

CONNECTED(00000003)

depth=0 /C=US/ST=Virginia/L=Herndon/O=SWsoft, Inc./OU=Plesk/CN=plesk/emailAddress=info@plesk.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=Virginia/L=Herndon/O=SWsoft, Inc./OU=Plesk/CN=plesk/emailAddress=info@plesk.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Virginia/L=Herndon/O=SWsoft, Inc./OU=Plesk/CN=plesk/emailAddress=info@plesk.com
   i:/C=US/ST=Virginia/L=Herndon/O=SWsoft, Inc./OU=Plesk/CN=plesk/emailAddress=info@plesk.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEfDCCA2SgAwIBAgIEQZyU8DANBgkqhkiG9w0BAQQFADCBiDELMAkGA1UEBhMC
5y2CaL0gLHjB3DQE+ZHb9J/cp7yQZRM9yMRyYZ36ZFdg8UTB48BIbETxqwoxy55v
qzxw01fm6Vdf9XK+rXVuSyp41LvDfNSlMC3SXmx7rEYVNsrANUELK1s8QUBR/oe5
12p1gasB6fIPUulusdsz5wXwIAhvvgbTV5rfWfZbx7UgQIgznFWPElqNjxmV9r75
lwV+KXyuEngyMunw9tZhfRn/woRUB/7cNsUOhMss1SOhTtKwjia2iikmovQ+3SLd

(many lines deleted)

-----END CERTIFICATE-----
subject=/C=US/ST=Virginia/L=Herndon/O=SWsoft, Inc./OU=Plesk/CN=plesk/emailAddress=info@plesk.com
issuer=/C=US/ST=Virginia/L=Herndon/O=SWsoft, Inc./OU=Plesk/CN=plesk/emailAddress=info@plesk.com
---
No client certificate CA names sent
---
SSL handshake has read 1844 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 95B24DCEEE9BC8FBF7C646C5DBB3B9B9916AD9A8E68B5E07B0113EDB08EB71B6
    Session-ID-ctx: 
    Master-Key: 070945EA7C92B7DCB4B71DA8BD90F0DCB6327802BE6E4F9CF877C7697D6EF006848869F18D63206D03088EF413AF3290
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1114087832
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
 

The openssl command is also what you'd use to generate keys and certificates.

Once verification is complete, SSL negotiates encryption between the machines and transmits data securely from that point on.

Although openssl is probably the best known and most common implementation, there is also GnuTLS.
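
The checks discussed above, as an added example that is not from the original article: the script generates a passphrase-less self-signed certificate like the provider's default, then tests chain trust and host name separately with openssl. The CN "plesk" and host "xyz.com" mirror the article; the function names and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example. The temporary directory, CN "plesk" and host "xyz.com"
# are constructed to mirror the article's scenario; no network is used.

make_selfsigned() {   # $1 = output dir, $2 = certificate common name
    # -nodes writes the private key with no passphrase: the convenience
    # the article warns makes a key easier to steal after a compromise.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/OU=Plesk/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

is_self_signed() {    # $1 = cert; true when subject and issuer are equal
    s=$(openssl x509 -in "$1" -noout -subject); s=${s#subject=}
    i=$(openssl x509 -in "$1" -noout -issuer);  i=${i#issuer=}
    [ "$s" = "$i" ]
}

chain_status() {      # $1 = cert, $2 = optional file of trusted certs
    if [ -n "$2" ]; then
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    else
        out=$(openssl verify "$1" 2>&1) || true
    fi
    case $out in
        *"error 18 "*) echo self-signed ;;   # same code s_client printed
        *": OK"*)      echo trusted ;;
        *)             echo failed ;;
    esac
}

host_matches() {      # $1 = cert, $2 = host name the client asked for
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q "does match certificate"
}

check_site() {        # $1 = cert, $2 = expected host, $3 = optional anchor
    chain=$(chain_status "$1" "$3")
    if host_matches "$1" "$2"; then name=match; else name=MISMATCH; fi
    echo "host=$2 chain=$chain name=$name"
}

dir=$(mktemp -d)
make_selfsigned "$dir" plesk
is_self_signed "$dir/cert.pem" && echo "subject == issuer"
check_site "$dir/cert.pem" xyz.com                  # default trust store
check_site "$dir/cert.pem" xyz.com "$dir/cert.pem"  # cert pinned as trusted
check_site "$dir/cert.pem" plesk   "$dir/cert.pem"
rm -rf "$dir"
```

The second check_site line is the case to notice: explicitly trusting the certificate clears error 18, but the name still does not match xyz.com.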


