SSL in a Nutshell Just enough to be dangerous . . . . .
In the kingdom of the blind, the one eyed man is king (In other words I am not an expert – I just play one on TV!) This is all relatively introductory information Expectation setting
What is SSL? Certificates How does SSL work? How we use SSL? SSL & Java Configuration Debugging Resources Agenda
SSL = Secure Sockets Layer. TLS = Transport Layer Security is its standardised successor (SSL 3.0 became TLS 1.0 in 1999); "SSL" survives as the everyday name. A cryptographic protocol that provides secure communication over untrusted networks (such as the Internet). The protocol gives you Confidentiality (encryption) plus Integrity (every record is authenticated, so tampering is detected) and Authentication (the peer is who it says it is). Of the three aspects people usually list it does not give you Authorization (what an authenticated peer may do): that is controlled by your app, not the protocol. What is SSL?
What is a Certificate? A signed digital certificate is an industry-standard way of binding a public key to the identity of an entity, such as a server, client, or application. It is only as trustworthy as its signer: a certificate issued by a third-party certificate authority (CA) such as VeriSign is accepted by anyone who already trusts that CA, while a self-signed certificate is accepted only by peers that have explicitly imported it into their truststore. But first this . . . .
Creation date: Jul 28, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=some.url, OU=Services, O=Nokia, L=Burlington, ST=Massachusetts, C=US
Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
Serial number: 7c391cdfaf10822ce338c3eb925f77bc
Valid from: Mon Apr 12 00:00:00 UTC 2010 until: Tue Apr 12 23:59:59 UTC 2011
Certificate fingerprints:
  MD5:  06:5C:45:66:C5:28:77:48:E6:58:D9:FB:C5:06:41:1C
  SHA1: 74:4B:A8:3D:A7:BF:57:30:4E:23:B5:21:4C:2E:9B:8B:27:5F:9E:A5
  Signature algorithm name: SHA1withRSA
  Version: 3
And more stuff . . . .
Two things worth noticing in a listing like this: the signature algorithm is SHA1withRSA, which public CAs no longer issue and modern clients reject, and the chain length is 1, so the intermediate CA certificate is not stored with the key and peers must already hold it to build a path. When comparing fingerprints with someone, use the SHA1 line (or SHA-256 on newer keytool), not MD5. What does a cert look like? Ours.
How does SSL work? One-Way SSL
After the server has sent its certificate and the client has checked it against its truststore (and checked that the name in it matches the host it connected to), the client picks a random number (the pre-master secret), encrypts it with the server's public key taken from that certificate and sends it to the server. Only the server can decrypt it (using its private key). Now they both have a shared secret (the random number). From that secret, together with the random values each side sent in its hello message, both parties derive the same key material for encryption and integrity protection. This concludes the handshake. The connection is then encrypted and integrity-protected with that key material until it closes. This is the RSA key exchange, the common case in 2010. It has no forward secrecy (anyone who later obtains the server's private key can decrypt recorded traffic), which is why ephemeral Diffie-Hellman (DHE/ECDHE) suites are preferred and TLS 1.3 removed RSA key exchange altogether. How does SSL work? (cont.)
In the one-way example only the client verified that the server is who it says it is. Example: logging in to your bank. But how does your bank know YOU are who you say you are? Typically a login/password. 2-Way SSL achieves the same "mutual authentication" by having both sides use certs: the server asks for a client certificate during the handshake, checks it against its own truststore, and the client proves it holds the matching private key by signing the handshake (CertificateVerify). 2-Way SSL
2-Way SSL
It is a widespread standard and the protocol design has held up well. But nothing is impervious: the 2009 renegotiation flaw (CVE-2009-3555) and a string of attacks on old protocol versions, weak cipher suites and buggy implementations mean the versions and cipher suites you enable, and the library you build against, have to be kept current. Why SSL?
We use SSL to talk with aggregators. Outbound: TO the aggregator. Inbound: FROM the aggregator (the callback). We also use SSL for communication with folks upstream, even though that link is dedicated fiber, with dev certs (we trust them, right? Those self-signed certs belong in our truststore; the answer is never to switch verification off). And we add digital signing of the messages . . . . just in case? A signature travels with the message, so it still protects integrity and origin beyond the point where the SSL connection ends (a load balancer or web server) and the hop behind it is plaintext. How do we use SSL?
JSSE = Java Secure Socket Extension is the standard Java SSL/TLS implementation. It was an optional package before JDK 1.4; now it is bundled in the JDK. Either way it is not easy to use directly. We use Apache Commons HttpClient (the 3.x API shown here), which makes the call itself trivial:

   import java.io.IOException;
   import org.apache.commons.httpclient.HttpClient;
   import org.apache.commons.httpclient.methods.GetMethod;

   // Commons HttpClient 3.x: https goes through JSSE's default socket factory,
   // so the JVM truststore (javax.net.ssl.trustStore, default cacerts) decides
   // which server certificates are accepted.
   HttpClient httpclient = new HttpClient();
   GetMethod httpget = new GetMethod("https://www.verisign.com/");
   try {
     httpclient.executeMethod(httpget);   // throws IOException if the handshake fails
     System.out.println(httpget.getStatusLine());
   } finally {
     httpget.releaseConnection();
   }

Caveat: the default socket factory behind this 3.x API validates the certificate chain against the truststore but does not check that the certificate's name matches the host in the URL (CVE-2012-5783), so any valid certificate from a trusted CA is accepted for any host. HttpsURLConnection and later HttpClient releases do verify the hostname; with 3.x you must add that check yourself. SSL using Java
The hard part is acquiring and managing the keys and certs. Procuring a cert is described elsewhere. Keystore: contains our private key together with its certificate (and, ideally, the intermediate CA certs that chain it to a root, so peers can build the path). Created from scratch. Truststore: contains the certificates we are willing to accept: the self-signed certs from aggregators, imported explicitly, plus the public CA roots. Copied from Java's own cacerts (to handle the case where the peer's cert is signed by a public CA). Keep the two roles straight: the keystore is our identity, the truststore is who we trust; a peer's cert never belongs in the keystore. The hard part . . . . .
Keytool ships with Java.
Show keys & certs in the keystore:
  keytool -list -v -keystore keystore -storepass changeit
Show certs in the truststore:
  keytool -list -v -keystore cacerts -storepass changeit
"changeit" is the JDK's default password for cacerts; use a different one on your own stores, and leave -storepass off the command line (keytool prompts for it) so the password does not end up in shell history and process listings. Keystore / truststore: how to . . .
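The "show keys & certs" listing is what you stare at when something is wrong, so here is an added example (not from the original deck) that reads that text and flags the usual suspects: expired or soon-to-expire certificates, SHA-1/MD5 signatures, and a CA-issued private key entry stored without its intermediate chain. The listing it parses is constructed from the slide's redacted example; the "Alias name:" line is assumed (keytool prints it, the slide cut it off), and the date format assumed is the English/UTC one keytool printed there.

```python
import re
from datetime import datetime, timedelta

# Constructed listing modelled on the slide's redacted keytool output.  keytool
# prints an "Alias name:" line first, which the slide omitted; "some.url" is assumed.
SAMPLE_LISTING = """\
Alias name: some.url
Creation date: Jul 28, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=some.url, OU=Services, O=Nokia, L=Burlington, ST=Massachusetts, C=US
Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
Serial number: 7c391cdfaf10822ce338c3eb925f77bc
Valid from: Mon Apr 12 00:00:00 UTC 2010 until: Tue Apr 12 23:59:59 UTC 2011
Signature algorithm name: SHA1withRSA
Version: 3
"""

KEYTOOL_DATE = "%a %b %d %H:%M:%S %Z %Y"   # English/UTC format as printed on the slide
WEAK_SIGNATURES = {"MD2withRSA", "MD5withRSA", "SHA1withRSA", "SHA1withDSA", "SHA1withECDSA"}


def parse_listing(listing: str) -> list:
    """Parse `keytool -list -v` text into entries: alias, type, chain length, certs."""
    entries = []
    for chunk in re.split(r"(?m)^Alias name: ", listing)[1:]:
        alias, _, body = chunk.partition("\n")
        m_type = re.search(r"^Entry type: (\S+)", body, re.M)
        m_len = re.search(r"^Certificate chain length: (\d+)", body, re.M)
        entry = {"alias": alias.strip(),
                 "type": m_type.group(1) if m_type else "?",
                 "chain_length": int(m_len.group(1)) if m_len else 1,
                 "certs": []}
        # A PrivateKeyEntry prints "Certificate[n]:" headers; a trustedCertEntry prints none.
        cert_texts = re.split(r"(?m)^Certificate\[\d+\]:", body)[1:] or [body]
        for text in cert_texts:
            cert = {}
            for field in ("Owner", "Issuer", "Signature algorithm name"):
                m = re.search(r"^%s: (.*)$" % re.escape(field), text, re.M)
                cert[field] = m.group(1).strip() if m else ""
            m = re.search(r"^Valid from: (.*?) until: (.*)$", text, re.M)
            cert["not_before"] = datetime.strptime(m.group(1).strip(), KEYTOOL_DATE)
            cert["not_after"] = datetime.strptime(m.group(2).strip(), KEYTOOL_DATE)
            entry["certs"].append(cert)
        entries.append(entry)
    return entries


def run_checks(listing: str, today: str, warn_days: int = 30) -> list:
    """Return human-readable findings.  `today` is YYYY-MM-DD (UTC) so callers
    need no datetime handling of their own."""
    now = datetime.strptime(today, "%Y-%m-%d")
    findings = []
    for e in parse_listing(listing):
        for c in e["certs"]:
            subject = c["Owner"].split(",")[0]
            if c["not_after"] < now:
                findings.append("%s: %s EXPIRED on %s" % (e["alias"], subject, c["not_after"].date()))
            elif c["not_after"] - now < timedelta(days=warn_days):
                findings.append("%s: %s expires within %d days (%s)"
                                % (e["alias"], subject, warn_days, c["not_after"].date()))
            if c["Signature algorithm name"] in WEAK_SIGNATURES:
                findings.append("%s: weak signature algorithm %s"
                                % (e["alias"], c["Signature algorithm name"]))
        leaf = e["certs"][0] if e["certs"] else None
        # Heuristic: Owner != Issuer means CA-issued.  A chain of length 1 then lacks
        # the intermediates, so peers that do not already hold them fail path building.
        if (e["type"] == "PrivateKeyEntry" and e["chain_length"] == 1
                and leaf and leaf["Owner"] != leaf["Issuer"]):
            findings.append("%s: CA-issued key entry stores only the leaf; import the intermediate chain"
                            % e["alias"])
    return findings


if __name__ == "__main__":
    for finding in run_checks(SAMPLE_LISTING, "2010-08-13"):
        print(finding)
```

Feed it the real output of `keytool -list -v` on both the keystore and the truststore (it handles several entries and trusted-cert entries without the Certificate[n] headers); run it from cron a month before anything expires rather than on the morning the callbacks stop working.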
SSL does not have to be terminated ("offloaded") in JBoss/Tomcat. It can be offloaded to the Apache web server, or to the load balancer. Two consequences to keep in mind when it is: the hop from the terminator to the app server is plaintext unless it is re-encrypted, and with 2-way SSL the client's identity reaches the application only as a header the terminator sets, so the application must accept that header from the terminator alone. Architecture
IMPORTANT NOTE: Not addressed here – this is up to your application Authorization
Typical exceptions if . . . the keystore / truststore can't be found (the JVM silently falls back to its defaults, and the first symptom is a failed handshake); the peer's cert or CA is missing from the truststore ("PKIX path building failed ... unable to find valid certification path to requested target"); our private key is missing from the keystore (the server gets no client certificate and answers with a handshake alert); a whitelisting error (not really SSL: the connection comes up but the peer rejects the source). Debugging: What to look for
-Djavax.net.debug=all (or -Djavax.net.debug=ssl:handshake to see just the handshake: the certificates exchanged, the cipher suite chosen and any alert, without the per-record noise) Debugging Tools #1
Use "wget" to unit test your key/certs without the JVM in the way, e.g.:
  wget -d -v --certificate=/somecrt --private-key=/somekey --post-data 'SOAP STUFF GOES HERE' https://someurl.com
--certificate and --private-key supply our client certificate, so this exercises our side of 2-way SSL; leave them off for a plain one-way test. Point --ca-certificate at the CA (or self-signed cert) you expect the server to present, which is the wget equivalent of the truststore. Do not reach for --no-check-certificate: it makes the test pass by skipping the check you are trying to test. Debugging tools #2: wget
Resolving somestage.com... XXX.242.50.144
Caching somestage.com => XXX.242.50.144
Connecting to somestage.com|XXX.242.50.144|:443... connected.
Created socket 3.
Releasing 0x000000001b0a5e70 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x000000001b10ee40
certificate:
  subject: /C=DK/postalCode=9210/ST=Aalborg/L=Aalborg SC398/streetAddress=Indkildevej 6E/O=TBD/OU=TBD/OU=Issued through TBD Manager/OU=Comodo PremiumSSL Legacy Wildcard/CN=*.somestag.com
  issuer:  /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
X509 certificate successfully verified and matches host somestage.com
---request begin---
POST /thepath HTTP/1.0
. . . . .
---response begin---
HTTP/1.1 200 OK
Date: Fri, 13 Aug 2010 16:27:31 GMT
Server: Apache/1.3.33 (Debian GNU/Linux) PHP/4.3.10-15 mod_ssl/2.8.22 OpenSSL/0.9.7e
The line to look for is "X509 certificate successfully verified and matches host": it says the chain checked out against the CA you supplied and the name in the certificate is the host you dialled. Everything after it is ordinary HTTP. (That Server header, advertising exact Apache, PHP and OpenSSL versions, is something to raise with whoever runs the other end.) wget Output
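The wget line "X509 certificate successfully verified and matches host" is really two checks: chain validation and a name check. The name check is what is shown here, as an added example that is not code from the slides: a comparison of the dialled host against the certificate's names following RFC 6125 (subjectAltName dNSNames take precedence over the CN; a wildcard is honoured only as the whole leftmost label and stands for exactly one label). The certificates are constructed dictionaries, loosely in the shape of Python's ssl.getpeercert() output, using the slide's wildcard subject *.somestage.com.

```python
# Constructed certificates in the rough shape of ssl.SSLSocket.getpeercert():
# subject as (key, value) pairs, subjectAltName as (type, value) pairs.
WILDCARD_CERT = {"subject": [("C", "DK"), ("O", "TBD"), ("CN", "*.somestage.com")]}
SAN_CERT = {"subject": [("CN", "ignored.example")],
            "subjectAltName": [("DNS", "api.somestage.com"),
                               ("DNS", "callback.somestage.com")]}


def _match_pattern(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name against the dialled host."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only "*.domain.tld" is honoured: the wildcard must be the whole leftmost label
    # (no "f*o."), appear nowhere else, and leave at least two fixed labels so that
    # "*.com" or "*" is refused.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # The wildcard stands for exactly one label: "*.somestage.com" matches
    # "api.somestage.com" but neither "somestage.com" nor "a.b.somestage.com".
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def names_in_cert(cert: dict) -> list:
    """Identities to check: SAN dNSNames if any are present, else the subject CN.
    Once a SAN extension is present the CN is ignored entirely (RFC 6125 6.4.4).
    IP-literal hosts would have to be compared against SAN iPAddress entries,
    which this example does not cover."""
    dns_names = [v for t, v in cert.get("subjectAltName", []) if t == "DNS"]
    if dns_names:
        return dns_names
    cn = [v for k, v in cert.get("subject", []) if k == "CN"]
    return cn[:1]


def match_hostname(cert: dict, hostname: str) -> bool:
    """True if the (already chain-validated) certificate is for `hostname`."""
    return any(_match_pattern(name, hostname) for name in names_in_cert(cert))


if __name__ == "__main__":
    for host in ("api.somestage.com", "somestage.com", "a.b.somestage.com",
                 "api.somestage.com.evil.example"):
        print(f"{host:32s} wildcard cert: {match_hostname(WILDCARD_CERT, host)}"
              f"  SAN cert: {match_hostname(SAN_CERT, host)}")
```

A client that skips this step accepts any certificate a trusted CA ever issued, for any site, as proof that it reached yours; when you evaluate an HTTP library or hand-rolled SSLSocket code, this check is the first thing to confirm is present and enabled.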
On most Linux boxes. tcpdump monitors traffic, e.g. to watch port 443:
  tcpdump -i eth0 -v dst port 443
It shows you the TCP connection and the handshake (the hellos and the certificates cross the wire in the clear), but application data is encrypted; use it to tell "never connected" from "connected, then got an alert". Capture to a file for Wireshark:
  tcpdump -i eth0 -w ssl.pcap port 443
Wireshark also monitors traffic (with a nicer UI) and decodes the handshake; it can decrypt application data only if you give it the server's private key and the session used RSA key exchange (not DHE/ECDHE). http://www.wireshark.org/ Debugging tools #3: tcpdump etc.
You shouldn't need to go here . . . but if you do, Bryan, Derrick, Pete and Frank can assist. Basically there are config files and they point to the usual suspects (certs, keys etc.), e.g.:
  SSLVerifyClient require
  SSLVerifyDepth  10
  SSLCertificateFile /etc/httpd/conf/ssl.crt/somecert
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/somekey
SSLVerifyClient require is 2-way SSL: every client must present a certificate chaining (within SSLVerifyDepth hops) to a CA listed in SSLCACertificateFile, Apache's truststore equivalent, which has to be set alongside the four lines above; "optional" would let clients in without a cert and leave the decision to the application. A depth of 10 is far more than any real chain needs; 2 or 3 is typical. Apache HTTP Server and SSL
At a high level SSL is pretty straightforward. But the devil is in the details: keystores / truststores, Apache configuration, different aggregator environments . . . . plus server white listing on top. When you hit a problem with SSL, first don't panic! Check your configuration (run.conf, keystore/truststore, Apache settings if appropriate). We are here to help . . . Summary
JSSE Reference Guide (for JDK 6) http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/ReadDebug.html Java Resources