SlideShare a Scribd company logo

Ssl

A
Anandraj Kulkarni

This document provides an overview of SSL (Secure Sockets Layer) technology, including why it is used, how it works, and common troubleshooting tips. SSL addresses issues with communicating securely over the internet such as verifying identities, preventing eavesdropping, and modifying data. It uses public key cryptography where each party has a public and private key to encrypt data. The SSL handshake process negotiates encryption between client and server before transmitting encrypted data. Common SSL issues involve certificate validation errors, which can be debugged using stack traces and tools like Keytool and OpenSSL.

TechnologyEducation
1 of 17
SSL Technology Overview and Troubleshooting Tips
SSL  Secure Sockets Layer, or SSL (pronounced as separate letters), is a protocol which is used to communicate over the Internet in a secure fashion. The following is a brief but comprehensive introduction to SSL technology. To better understand the need for SSL, lets first examine the difficulties of using the Internet if no SSL encryption existed.
Why Use SSL? Transferring sensitive information over a network can be risky due to the following three issues:  You cannot always be sure that the entity with whom you are communicating is really who you think it is.  Network data can be intercepted, so it is possible that it can be read by an unauthorized third party, sometimes known as an attacker.  If an attacker can intercept the data, the attacker may be able to modify the data before sending it on to the receiver. SSL addresses all these issues.
SSL Details  SSL technology relies on the concept of ‘public key cryptography’ to accomplish its tasks. In normal encryption, two communicating parties each share a password or key, and this is used to both encrypt and decrypt messages. While this is a very simple and efficient method, it doesn’t solve the problem of giving the password to someone you have not yet met or trust.  In public key cryptography, each party has two keys, a public key and a private key. Information encrypted with a person’s public key can only be decrypted with the private key and vice versa. Each user publicly tells the world what his public key is but keeps his private key for himself.
How SSL Works
       Client hello - The client sends the server information including the highest version of SSL it supports and a list of the cipher suites it supports. (TLS 1.0 is indicated as SSL 3.1.) The cipher suite information includes cryptographic algorithms and key sizes. Server hello - The server chooses the highest version of SSL and the best cipher suite that both the client and server support and sends this information to the client. Certificate - The server sends the client a certificate or a certificate chain. A certificate chain typically begins with the server's public key certificate and ends with the certificate authority's root certificate. This message is optional, but is used whenever server authentication is required. Certificate request - If the server needs to authenticate the client, it sends the client a certificate request. In Internet applications, this message is rarely sent. Server key exchange - The server sends the client a server key exchange message when the public key information sent in 3) above is not sufficient for key exchange. Server hello done - The server tells the client that it is finished with its initial negotiation messages. Certificate - If the server requests a certificate from the client in Message 4, the client sends its certificate chain, just as the server did in Message 3.
        Client key exchange - The client generates information used to create a key to use for symmetric encryption. For RSA, the client then encrypts this key information with the server's public key and sends it to the server. Certificate verify - This message is sent when a client presents a certificate as above. Its purpose is to allow the server to complete the process of authenticating the client. When this message is used, the client sends information that it digitally signs using a cryptographic hash function. When the server decrypts this information with the client's public key, the server is able to authenticate the client. Change cipher spec - The client sends a message telling the server to change to encrypted mode. Finished - The client tells the server that it is ready for secure data communication to begin. Change cipher spec - The server sends a message telling the client to change to encrypted mode. Finished - The server tells the client that it is ready for secure data communication to begin. This is the end of the SSL handshake. Encrypted data - The client and the server communicate using the symmetric encryption algorithm and the cryptographic hash function negotiated in Messages 1 and 2, and using the secret key that the client sent to the server in Message 8. Close Messages - At the end of the connection, each side will send a close_notify message to inform the peer that the connection is closed.
To set up SSL  Weblogic http://weblogic-wonders.com/weblogic/2010/11/11/configuring-sslon-weblogic-server-custom-identity-and-custom-trust/  Jboss http://weblogic-wonders.com/weblogic/2010/04/07/sslconfiguration-with-jboss-server/  Websphere http://weblogic-wonders.com/weblogic/2011/07/06/certificatemanagement-in-websphere-application-server-2/
Formats .pem – (Privacy-enhanced Electronic Mail) Base64 encoded DER certificate, enclosed between “ -----BEGIN CERTIFICATE-----" "-----END CERTIFICATE-----" A .pem format file supports multiple digital certificates (for example, a certificate chain can be included). The order is important (include the files in the order of trust). The server digital certificate should be the first digital certificate in the file. The issuer of that digital certificate should be the next file and so on until you get to the self-signed root certificate authority certificate.   .cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)  .p7b, .p7c – PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)  .p12 – PKCS#12, may contain certificate(s) (public) and private keys (password protected)  .pfx – PFX, predecessor of PKCS#12  .jks – JAVA Keystore, used to store public/private key pairs, trusted certificates
TOOLS  Keytool  OpenSSL  Portecle ( my favourite)
Keytool  keytool -genkey -alias mykey -keyalg RSA -keysize 1024 -dname "CN=myserver.beasys.com, OU=Customer Support, O=BEA Systems Inc, L=Denver, ST=Colorado, C=US" -keypass mykeypass -keystore identity.jks -storepass mystorepass  keytool -selfcert -v -alias mykey -keypass mykeypass -keystore identity.jks -storepass mystorepass -storetype jks  keytool -export -v -alias mykey -file rootCA.der -keystore identity.jks storepass mystorepass  keytool -import -v -trustcacerts -alias mykey -file rootCA.der -keystore trust.jks -storepass mystorepass
OpenSSL  openssl genrsa -des3 -out server.key 1024  openssl req -config ..confopenssl.cnf -new -key server.key -out localhost  openssl x509 -req -days 730 -in localhost -signkey server.key out server.crt  openssl pkcs12 -export -out faiz.pfx -in privatepublic.pem -name faiz
Portecle  Can be used to view certificates/certificate stores, change certificate formats.
Command line -Djavax.net.ssl.trustStrore=xxxx -Djavax.net.ssl.trustStrorePassword=xxxx -Djavax.net.ssl.keyStore=xxxx -Djavax.net.ssl.keyStorePasswor=xxxx  To debug add the following -Djavax.net.debug=ssl
Common Issues      Incomplete CA Chains Invalid keys Certificate expiration Required certificate not present in trust keystore Hostname Verification Failure
Stack Traces  PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target  java.security.InvalidKeyException: Illegal key size  java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty  Signature verification failed because RSA key public exponent [3] is too small  Solutions ?? http://weblogic-wonders.com/weblogic/2010/01/28/troubleshooting-ssl-issues/
Questions?

Recommended

SSL/TLS Handshake
SSL/TLS HandshakeSSL/TLS Handshake
SSL/TLS Handshake
Arpit Agarwal
 
Ssl in a nutshell
Ssl in a nutshellSsl in a nutshell
Ssl in a nutshell
Frank Kelly
 
ssl
sslssl
ssl
sjyuva
 
Cryptography - Overview
Cryptography - OverviewCryptography - Overview
Cryptography - Overview
Mohammed Adam
 
TLS - Transport Layer Security
TLS - Transport Layer SecurityTLS - Transport Layer Security
TLS - Transport Layer Security
ByronKimani
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)
Arun Shukla
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) Protocol
Mohammed Adam
 
How ssl works
How ssl worksHow ssl works
How ssl works
Saptarshi Basu
 

Recommended

SSL/TLS Handshake
SSL/TLS HandshakeSSL/TLS Handshake
SSL/TLS Handshake
Arpit Agarwal
 
Ssl in a nutshell
Ssl in a nutshellSsl in a nutshell
Ssl in a nutshell
Frank Kelly
 
ssl
sslssl
ssl
sjyuva
 
Cryptography - Overview
Cryptography - OverviewCryptography - Overview
Cryptography - Overview
Mohammed Adam
 
TLS - Transport Layer Security
TLS - Transport Layer SecurityTLS - Transport Layer Security
TLS - Transport Layer Security
ByronKimani
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)
Arun Shukla
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) Protocol
Mohammed Adam
 
How ssl works
How ssl worksHow ssl works
How ssl works
Saptarshi Basu
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
Asad Ali
 
SSL
SSLSSL
SSL
Badrul Alam bulon
 
SSL TLS Protocol
SSL TLS ProtocolSSL TLS Protocol
SSL TLS Protocol
Devang Badrakiya
 
SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layer
Ahmed Elnaggar
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLS
Sirish Kumar
 
Introduction to SSL/TLS
Introduction to SSL/TLSIntroduction to SSL/TLS
Introduction to SSL/TLS
keithrozario
 
Ssl (Secure Socket Layer)
Ssl (Secure Socket Layer)Ssl (Secure Socket Layer)
Ssl (Secure Socket Layer)
Sandeep Gupta
 
SSL
SSLSSL
SSL
theekuchi
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)
amanchaurasia
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
Pina Parmar
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)
Samip jain
 
secure socket layer
secure socket layersecure socket layer
secure socket layer
Amar Shah
 
Introduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & SecureIntroduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & Secure
Brian Ritchie
 
Transport layer security (tls)
Transport layer security (tls)Transport layer security (tls)
Transport layer security (tls)
Kalpesh Kalekar
 
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesSSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
JaroslavChmurny
 
Transport layer security
Transport layer securityTransport layer security
Transport layer security
Hrudya Balachandran
 
SSL overview
SSL overviewSSL overview
SSL overview
Todd Benson (I.T. SPECIALIST and I.T. SECURITY)
 
[POSS 2019] TLS for Dummies
[POSS 2019] TLS for Dummies[POSS 2019] TLS for Dummies
[POSS 2019] TLS for Dummies
Worteks
 
SSL And TLS
SSL And TLS SSL And TLS
SSL And TLS
Ghanshyam Patel
 
The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)
Vishal Kumar
 
Details about the SSL Certificate
Details about the SSL CertificateDetails about the SSL Certificate
Details about the SSL Certificate
CheapSSLUSA
 
ssl's guide
ssl's guidessl's guide
ssl's guide
Shakil Malik
 

More Related Content

What's hot

SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layer
Ahmed Elnaggar
 
Introduction to SSL/TLS
Introduction to SSL/TLSIntroduction to SSL/TLS
Introduction to SSL/TLS
keithrozario
 

What's hot (20)

Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
 
SSL
SSLSSL
SSL
 
SSL TLS Protocol
SSL TLS ProtocolSSL TLS Protocol
SSL TLS Protocol
 
SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layer
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLS
 
Introduction to SSL/TLS
Introduction to SSL/TLSIntroduction to SSL/TLS
Introduction to SSL/TLS
 
Ssl (Secure Socket Layer)
Ssl (Secure Socket Layer)Ssl (Secure Socket Layer)
Ssl (Secure Socket Layer)
 
SSL
SSLSSL
SSL
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)
 
secure socket layer
secure socket layersecure socket layer
secure socket layer
 
Introduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & SecureIntroduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & Secure
 
Transport layer security (tls)
Transport layer security (tls)Transport layer security (tls)
Transport layer security (tls)
 
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesSSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
 
Transport layer security
Transport layer securityTransport layer security
Transport layer security
 
SSL overview
SSL overviewSSL overview
SSL overview
 
[POSS 2019] TLS for Dummies
[POSS 2019] TLS for Dummies[POSS 2019] TLS for Dummies
[POSS 2019] TLS for Dummies
 
SSL And TLS
SSL And TLS SSL And TLS
SSL And TLS
 
The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)
 

Similar to Ssl

Demonstration of secure socket layer(synopsis)
Demonstration of secure socket layer(synopsis)Demonstration of secure socket layer(synopsis)
Demonstration of secure socket layer(synopsis)
Mumbai Academisc
 
Explain how SSL protocol is used to ensure the confidentiality and int.docx
Explain how SSL protocol is used to ensure the confidentiality and int.docxExplain how SSL protocol is used to ensure the confidentiality and int.docx
Explain how SSL protocol is used to ensure the confidentiality and int.docx
todd401
 
Secure payment systems
Secure payment systemsSecure payment systems
Secure payment systems
Abdulaziz Mohd
 
Improving the Secure Socket Layer by Modifying the RSA Algorithm
Improving the Secure Socket Layer by Modifying the RSA AlgorithmImproving the Secure Socket Layer by Modifying the RSA Algorithm
Improving the Secure Socket Layer by Modifying the RSA Algorithm
IJCSEA Journal
 

Similar to Ssl (20)

Details about the SSL Certificate
Details about the SSL CertificateDetails about the SSL Certificate
Details about the SSL Certificate
 
ssl's guide
ssl's guidessl's guide
ssl's guide
 
Demonstration of secure socket layer(synopsis)
Demonstration of secure socket layer(synopsis)Demonstration of secure socket layer(synopsis)
Demonstration of secure socket layer(synopsis)
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
 
What is TLS/SSL?
What is TLS/SSL? What is TLS/SSL?
What is TLS/SSL?
 
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.pptWEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
 
SSL.ppt
SSL.pptSSL.ppt
SSL.ppt
 
SSL-image
SSL-imageSSL-image
SSL-image
 
SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications
 
Secure sockets layer, ssl presentation
Secure sockets layer, ssl presentationSecure sockets layer, ssl presentation
Secure sockets layer, ssl presentation
 
Explain how SSL protocol is used to ensure the confidentiality and int.docx
Explain how SSL protocol is used to ensure the confidentiality and int.docxExplain how SSL protocol is used to ensure the confidentiality and int.docx
Explain how SSL protocol is used to ensure the confidentiality and int.docx
 
Secure payment systems
Secure payment systemsSecure payment systems
Secure payment systems
 
Introduction of an SSL Certificate
Introduction of an SSL CertificateIntroduction of an SSL Certificate
Introduction of an SSL Certificate
 
Introduction to Secure Sockets Layer
Introduction to Secure Sockets LayerIntroduction to Secure Sockets Layer
Introduction to Secure Sockets Layer
 
Understanding transport-layer_security__ssl
Understanding transport-layer_security__sslUnderstanding transport-layer_security__ssl
Understanding transport-layer_security__ssl
 
The last picks
The last picksThe last picks
The last picks
 
Improving the Secure Socket Layer by Modifying the RSA Algorithm
Improving the Secure Socket Layer by Modifying the RSA AlgorithmImproving the Secure Socket Layer by Modifying the RSA Algorithm
Improving the Secure Socket Layer by Modifying the RSA Algorithm
 
SSLtalk
SSLtalkSSLtalk
SSLtalk
 
Sequere socket Layer
Sequere socket LayerSequere socket Layer
Sequere socket Layer
 

Recently uploaded

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Recently uploaded (20)

Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 

Ssl

  • 2. SSL  Secure Sockets Layer, or SSL (pronounced as separate letters), is a protocol which is used to communicate over the Internet in a secure fashion. The following is a brief but comprehensive introduction to SSL technology. To better understand the need for SSL, lets first examine the difficulties of using the Internet if no SSL encryption existed.
  • 3. Why Use SSL? Transferring sensitive information over a network can be risky due to the following three issues:  You cannot always be sure that the entity with whom you are communicating is really who you think it is.  Network data can be intercepted, so it is possible that it can be read by an unauthorized third party, sometimes known as an attacker.  If an attacker can intercept the data, the attacker may be able to modify the data before sending it on to the receiver. SSL addresses all these issues.
  • 4. SSL Details  SSL technology relies on the concept of ‘public key cryptography’ to accomplish its tasks. In normal encryption, two communicating parties each share a password or key, and this is used to both encrypt and decrypt messages. While this is a very simple and efficient method, it doesn’t solve the problem of giving the password to someone you have not yet met or trust.  In public key cryptography, each party has two keys, a public key and a private key. Information encrypted with a person’s public key can only be decrypted with the private key and vice versa. Each user publicly tells the world what his public key is but keeps his private key for himself.
  • 6.        Client hello - The client sends the server information including the highest version of SSL it supports and a list of the cipher suites it supports. (TLS 1.0 is indicated as SSL 3.1.) The cipher suite information includes cryptographic algorithms and key sizes. Server hello - The server chooses the highest version of SSL and the best cipher suite that both the client and server support and sends this information to the client. Certificate - The server sends the client a certificate or a certificate chain. A certificate chain typically begins with the server's public key certificate and ends with the certificate authority's root certificate. This message is optional, but is used whenever server authentication is required. Certificate request - If the server needs to authenticate the client, it sends the client a certificate request. In Internet applications, this message is rarely sent. Server key exchange - The server sends the client a server key exchange message when the public key information sent in 3) above is not sufficient for key exchange. Server hello done - The server tells the client that it is finished with its initial negotiation messages. Certificate - If the server requests a certificate from the client in Message 4, the client sends its certificate chain, just as the server did in Message 3.
  • 7.         Client key exchange - The client generates information used to create a key to use for symmetric encryption. For RSA, the client then encrypts this key information with the server's public key and sends it to the server. Certificate verify - This message is sent when a client presents a certificate as above. Its purpose is to allow the server to complete the process of authenticating the client. When this message is used, the client sends information that it digitally signs using a cryptographic hash function. When the server decrypts this information with the client's public key, the server is able to authenticate the client. Change cipher spec - The client sends a message telling the server to change to encrypted mode. Finished - The client tells the server that it is ready for secure data communication to begin. Change cipher spec - The server sends a message telling the client to change to encrypted mode. Finished - The server tells the client that it is ready for secure data communication to begin. This is the end of the SSL handshake. Encrypted data - The client and the server communicate using the symmetric encryption algorithm and the cryptographic hash function negotiated in Messages 1 and 2, and using the secret key that the client sent to the server in Message 8. Close Messages - At the end of the connection, each side will send a close_notify message to inform the peer that the connection is closed.
  • 8. To set up SSL  Weblogic http://weblogic-wonders.com/weblogic/2010/11/11/configuring-sslon-weblogic-server-custom-identity-and-custom-trust/  Jboss http://weblogic-wonders.com/weblogic/2010/04/07/sslconfiguration-with-jboss-server/  Websphere http://weblogic-wonders.com/weblogic/2011/07/06/certificatemanagement-in-websphere-application-server-2/
  • 9. Formats .pem – (Privacy-enhanced Electronic Mail) Base64 encoded DER certificate, enclosed between “ -----BEGIN CERTIFICATE-----" "-----END CERTIFICATE-----" A .pem format file supports multiple digital certificates (for example, a certificate chain can be included). The order is important (include the files in the order of trust). The server digital certificate should be the first digital certificate in the file. The issuer of that digital certificate should be the next file and so on until you get to the self-signed root certificate authority certificate.   .cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)  .p7b, .p7c – PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)  .p12 – PKCS#12, may contain certificate(s) (public) and private keys (password protected)  .pfx – PFX, predecessor of PKCS#12  .jks – JAVA Keystore, used to store public/private key pairs, trusted certificates
  • 10. TOOLS  Keytool  OpenSSL  Portecle ( my favourite)
  • 11. Keytool  keytool -genkey -alias mykey -keyalg RSA -keysize 1024 -dname "CN=myserver.beasys.com, OU=Customer Support, O=BEA Systems Inc, L=Denver, ST=Colorado, C=US" -keypass mykeypass -keystore identity.jks -storepass mystorepass  keytool -selfcert -v -alias mykey -keypass mykeypass -keystore identity.jks -storepass mystorepass -storetype jks  keytool -export -v -alias mykey -file rootCA.der -keystore identity.jks storepass mystorepass  keytool -import -v -trustcacerts -alias mykey -file rootCA.der -keystore trust.jks -storepass mystorepass
  • 12. OpenSSL  openssl genrsa -des3 -out server.key 1024  openssl req -config ..confopenssl.cnf -new -key server.key -out localhost  openssl x509 -req -days 730 -in localhost -signkey server.key out server.crt  openssl pkcs12 -export -out faiz.pfx -in privatepublic.pem -name faiz
  • 13. Portecle  Can be used to view certificates/certificate stores, change certificate formats.
  • 15. Common Issues      Incomplete CA Chains Invalid keys Certificate expiration Required certificate not present in trust keystore Hostname Verification Failure
  • 16. Stack Traces  PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target  java.security.InvalidKeyException: Illegal key size  java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty  Signature verification failed because RSA key public exponent [3] is too small  Solutions ?? http://weblogic-wonders.com/weblogic/2010/01/28/troubleshooting-ssl-issues/

Editor's Notes

  1. http://sourceforge.net/projects/portecle/
  2. http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html