Ssl in a nutshell

A gentle guide to SSL, how it works, how it works with Java and how to debug SSL connections

Published in: Technology, Education

Transcript

  • 1. SSL in a Nutshell
    Just enough to be dangerous . . . . .
  • 2. In the kingdom of the blind, the one eyed man is king
    (In other words I am not an expert – I just play one on TV!)
    This is all relatively introductory information
    Expectation setting
  • 3. What is SSL?
    Certificates
    How does SSL work?
    How we use SSL?
    SSL & Java
    Configuration
    Debugging
    Resources
    Agenda
  • 4. SSL = Secure Socket Layer
    TLS = Transport Layer Security is the new name
    A cryptographic protocol to provide secure communication over networks (such as the Internet)
    Protocol provides two of the three key aspects for Security
    Confidentiality (Encryption)
    Authentication (you are who you say you are)
    Authorization (What you can do – controlled by your app – not the protocol)
    What is SSL?
  • 5. What is a Certificate?
    A signed digital certificate is an industry-standard means of verifying the authenticity of an entity, such as a server, client, or application. To ensure maximum security, a certificate is issued by a third-party certificate authority (CA) e.g. Verisign
    But first this . . . .
  • 6. Creation date: Jul 28, 2010
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=some.url, OU=Services, O=Nokia, L=Burlington, ST=Massachusetts, C=US
    Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
    Serial number: 7c391cdfaf10822ce338c3eb925f77bc
    Valid from: Mon Apr 12 00:00:00 UTC 2010 until: Tue Apr 12 23:59:59 UTC 2011
    Certificate fingerprints:
    MD5: 06:5C:45:66:C5:28:77:48:E6:58:D9:FB:C5:06:41:1C
    SHA1: 74:4B:A8:3D:A7:BF:57:30:4E:23:B5:21:4C:2E:9B:8B:27:5F:9E:A5
    Signature algorithm name: SHA1withRSA
    Version: 3
    And more stuff . . . .
    What does a cert look like? Ours.
  • 7. One-Way SSL
    How does SSL work?
    • NOTE: If a Cert is signed by a CA – it does NOT need to be in Keystore A
  • In Detail . . . .
    Client and Server negotiate an SSL connection with a “handshake”
    Client presents a list of supported ciphers & hash functions
    Server picks the strongest and tells the client
    Server sends back a certificate (containing the name of a Certificate Authority, e.g. Verisign) and the server’s public encryption key
    Client confirms the cert with the CA. Client authenticates the Server.
    Cont.
    How does SSL work?
  • 8. Client picks a random number, encrypts it (with the server’s public key) and sends it to the server.
    Only the server can decrypt it (using its private key)
    Now they both have a shared secret (the random number)
    From the random number, both parties generate key material for encryption and decryption.
    This concludes the handshake
    Secured connection, which is encrypted and decrypted with the key material until the connection closes
    How does SSL work? (cont.)
  • 9. In the One-way example the client only verified that the server is who it says it is
    Example: Logging in to your bank
    But how does your bank know YOU are who you say you are? Typically a login/password
    2 Way SSL achieves the same “Mutual Authentication” by having both sides use Certs
    2-Way SSL
  • 10. 2-Way SSL
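An added example (not from the slides) of the handshake described above driven from JSSE: the truststore decides which server certs the client accepts (one-way SSL), and the keystore, when given, supplies our own private key and cert for the server to check (2-way SSL). The class name, the store file names and the changeit password are assumptions; the server cert’s name is also checked against the host we dialed.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class HandshakeCheck {
  // Truststore = who we trust (verifies the SERVER's chain); keystore = who we are (2-way SSL only)
  static SSLContext buildContext(String truststore, String keystore, char[] password) throws Exception {
    KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
    try (FileInputStream in = new FileInputStream(truststore)) { trust.load(in, password); }
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(trust);
    KeyManager[] keyManagers = null;
    if (keystore != null) {  // our private key + cert, presented only if the server asks for it
      KeyStore keys = KeyStore.getInstance(KeyStore.getDefaultType());
      try (FileInputStream in = new FileInputStream(keystore)) { keys.load(in, password); }
      KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
      kmf.init(keys, password);
      keyManagers = kmf.getKeyManagers();
    }
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(keyManagers, tmf.getTrustManagers(), null);
    return ctx;
  }

  public static void main(String[] args) throws Exception {
    String host = args[0], truststore = args[1];           // e.g. somehost cacerts [keystore]
    String keystore = args.length > 2 ? args[2] : null;    // omit the keystore for one-way SSL
    char[] password = "changeit".toCharArray();            // assumed store password
    SSLContext ctx = buildContext(truststore, keystore, password);
    try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
      SSLParameters params = socket.getSSLParameters();
      params.setEndpointIdentificationAlgorithm("HTTPS");  // cert CN/SAN must match the host we dialed
      socket.setSSLParameters(params);
      socket.startHandshake();  // SSLHandshakeException here = chain not in truststore, or name mismatch
      SSLSession session = socket.getSession();
      System.out.println("Protocol:     " + session.getProtocol());
      System.out.println("Cipher suite: " + session.getCipherSuite());
      for (Certificate c : session.getPeerCertificates()) {  // the chain the server sent us
        X509Certificate x = (X509Certificate) c;
        System.out.println("Server cert:  " + x.getSubjectX500Principal());
        System.out.println("  issued by:  " + x.getIssuerX500Principal());
      }
    }
  }
}
```

Run it once without the keystore argument and then with it against an aggregator endpoint that requires a client cert: the first attempt fails at startHandshake, the second succeeds.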
  • 11. It is a Widespread Standard and is rock solid – no major hacking stories / events.
    But nothing is impervious
    Why SSL?
  • 12. We use SSL to talk with aggregators
    Outbound: TO the aggregator
    Inbound: FROM the aggregator (the callback)
    We also use SSL in communication with folks upstream but
    dedicated fiber
    With Dev certs (we trust them right!)
    And we add Digital Signing . . . . Just in case?
    How do we use SSL?
  • 13. JSSE = Java Secure Socket Extension is the default Java package
    Was an optional package before JDK 1.4. Now it’s bundled in the JDK.
    Either way it’s not easy to use
    We use Apache HTTP Client - it’s still REALLY hard (not!)
    import org.apache.commons.httpclient.HttpClient;
    import org.apache.commons.httpclient.methods.GetMethod;
    // Commons HttpClient 3.x; JSSE does the SSL handshake underneath for https:// URLs
    HttpClient httpclient = new HttpClient();
    GetMethod httpget = new GetMethod("https://www.verisign.com/");
    try {
        httpclient.executeMethod(httpget);           // handshake + GET; throws IOException on SSL failure
        System.out.println(httpget.getStatusLine());
    } finally {
        httpget.releaseConnection();                 // always return the connection, even on failure
    }
    SSL using Java
  • 14. The hard part is acquiring and managing the keys and certs
    Procuring a cert is described elsewhere
    Keystore
    Contains our private key and private certificate
    Created from scratch
    Truststore
    Used to contain Self-Signed Certs from Aggregators
    Copied from Java’s own cacerts (to handle the case where certs are signed by the CA)
    The hard part . . . . .
  • 15. Keytool ships with Java
    Show Keys & Certs in Keystore
    keytool -list -v -keystore keystore -storepass changeit
    Show Certs in the Truststore
    keytool -list -v -keystore cacerts -storepass changeit
    Keystore / truststore: how to . . .
  • 16. SSL does not have to be handled (“offloaded”) by JBoss/Tomcat
    It can be offloaded by Apache Web Server
    It can be offloaded by Load Balancer
    Architecture
  • 17. IMPORTANT NOTE: Not addressed here – this is up to your application
    Authorization
  • 18. Typical Exceptions if . . .
    Can’t find keystore / truststore
    Our private key is missing from keystore
    Whitelisting error (not really SSL)
    Debugging: What to look for
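An added example (not from the slides) that checks a keystore and truststore for the first two causes above before they surface as exceptions: the file is unreadable or the password is wrong, the keystore holds no PrivateKeyEntry, or a cert is outside its validity window. The class name and the file names are assumptions; the password is the changeit used in the keytool commands.

```java
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
public class StoreCheck {
  // Checks one store for the usual causes of SSL exceptions; empty list = nothing obviously wrong
  static List<String> check(String path, char[] password, boolean needPrivateKey) {
    List<String> findings = new ArrayList<>();
    File file = new File(path);
    if (!file.canRead()) {  // at runtime: FileNotFoundException while initialising the SSLContext
      findings.add("cannot read " + path + " (check the path in run.conf / javax.net.ssl.* properties)");
      return findings;
    }
    KeyStore store;
    try (FileInputStream in = new FileInputStream(file)) {
      store = KeyStore.getInstance(KeyStore.getDefaultType());
      store.load(in, password);  // wrong password or corrupt file -> IOException here
    } catch (Exception e) {
      findings.add("cannot load " + path + ": " + e.getMessage());
      return findings;
    }
    try {
      boolean hasKey = false;
      for (String alias : Collections.list(store.aliases())) {
        if (store.isKeyEntry(alias)) hasKey = true;  // PrivateKeyEntry = our private key + cert
        X509Certificate cert = (X509Certificate) store.getCertificate(alias);
        if (cert == null) continue;
        try {
          cert.checkValidity();  // expired / not-yet-valid certs fail the handshake on the peer's side
        } catch (CertificateException e) {
          findings.add(alias + ": cert not valid today (valid " + cert.getNotBefore() + " to " + cert.getNotAfter() + ")");
        }
      }
      if (needPrivateKey && !hasKey)
        findings.add("no PrivateKeyEntry in " + path + " (holds trusted certs only; cannot present our cert)");
    } catch (KeyStoreException e) {
      findings.add("error reading entries: " + e.getMessage());
    }
    return findings;
  }
  public static void main(String[] args) {
    char[] pw = "changeit".toCharArray();  // store password from the keytool examples above
    check("keystore", pw, true).forEach(f -> System.out.println("keystore: " + f));
    check("cacerts", pw, false).forEach(f -> System.out.println("truststore: " + f));
  }
}
```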
  • 19. -Djavax.net.debug=all
    Debugging Tools #1
  • 20. Use “wget” to unit test your key/certs (one-way!), e.g. to test a call:
    wget -d -v
    --certificate=/somecrt
    --post-data 'SOAP STUFF GOES HERE'
    --private-key=/somekey
    https://someurl.com
    Debugging tools #2: wget
  • 21. Resolving somestage.com... XXX.242.50.144
    Caching somestage.com => XXX.242.50.144
    Connecting to somestage.com|XXX.242.50.144|:443... connected.
    Created socket 3.
    Releasing 0x000000001b0a5e70 (new refcount 1).
    Initiating SSL handshake.
    Handshake successful; connected socket 3 to SSL handle 0x000000001b10ee40
    certificate:
    subject: /C=DK/postalCode=9210/ST=Aalborg/L=Aalborg SxC3x98/streetAddress=Indkildevej 6E/O=TBD/OU=TBD/OU=Issued through TBD Manager/OU=Comodo PremiumSSL Legacy Wildcard/CN=*.somestag.com
    issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
    X509 certificate successfully verified and matches host somestage.com
    ---request begin---
    POST /thepath HTTP/1.0
    . . . . .
    ---response begin---
    HTTP/1.1 200 OK
    Date: Fri, 13 Aug 2010 16:27:31 GMT
    Server: Apache/1.3.33 (Debian GNU/Linux) PHP/4.3.10-15 mod_ssl/2.8.22 OpenSSL/0.9.7e
    wget Output
  • 22. On most Linux boxes
    Tcpdump
    Monitors traffic e.g. Monitor port 443
    tcpdump -i eth0 -v dst port 443
    Wireshark
    Also monitors traffic (but a bit nicer UI)
    http://www.wireshark.org/
    Debugging tools #3: tcpdump etc.
  • 23. You shouldn’t need to go here . . .
    But if you do Bryan, Derrick, Pete and Frank can assist
    Basically there are config files and they point to the usual suspects (Certs, Keys etc.) e.g.
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLCertificateFile /etc/httpd/conf/ssl.crt/somecert
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/somekey
    Apache HTTP Server and SSL
  • 24. At a high level SSL is pretty straightforward
    But the devil is in the details – keystores / truststores, Apache configuration, different aggregator environments . . . .
    Plus add in server whitelisting . . . .
    When you hit a problem with SSL – first don’t panic! Check your configuration (run.conf, keystore/truststore, apache settings – if appropriate).
    We are here to help . . .
    Summary
  • 25. JSSE Reference Guide (for JDK 6)
    http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
    http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/ReadDebug.html
    Java Resources
