A gentle guide to SSL, how it works, how it works with Java and how to debug SSL connections
  1. SSL in a Nutshell
     Just enough to be dangerous . . . . .
  2. Expectation setting
     In the kingdom of the blind, the one-eyed man is king
     (In other words I am not an expert – I just play one on TV!)
     This is all relatively introductory information
  3. Agenda
     What is SSL?
     Certificates
     How does SSL work?
     How we use SSL
     SSL & Java
     Configuration
     Debugging
     Resources
  4. What is SSL?
     SSL = Secure Socket Layer
     TLS = Transport Layer Security is the new name
     A cryptographic protocol to provide secure communication over networks (such as the Internet)
     The protocol provides two of the three key aspects of security:
       Confidentiality (encryption)
       Authentication (you are who you say you are)
       Authorization (what you can do – controlled by your app, not the protocol)
  5. But first this . . . . What is a Certificate?
     A signed digital certificate is an industry-standard means of verifying the authenticity of an entity, such as a server, client, or application. To ensure maximum security, a certificate is issued by a third-party certificate authority (CA), e.g. Verisign.
  6. What does a cert look like? Ours.
       Creation date: Jul 28, 2010
       Entry type: PrivateKeyEntry
       Certificate chain length: 1
       Certificate[1]:
       Owner: CN=some.url, OU=Services, O=Nokia, L=Burlington, ST=Massachusetts, C=US
       Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
       Serial number: 7c391cdfaf10822ce338c3eb925f77bc
       Valid from: Mon Apr 12 00:00:00 UTC 2010 until: Tue Apr 12 23:59:59 UTC 2011
       Certificate fingerprints:
         MD5: 06:5C:45:66:C5:28:77:48:E6:58:D9:FB:C5:06:41:1C
         SHA1: 74:4B:A8:3D:A7:BF:57:30:4E:23:B5:21:4C:2E:9B:8B:27:5F:9E:A5
         Signature algorithm name: SHA1withRSA
         Version: 3
       And more stuff . . . .
  7. How does SSL work? One-Way SSL
     NOTE: If a cert is signed by a CA, it does NOT need to be in Keystore A.
     In detail . . . .
     Client and server negotiate an SSL connection with a "handshake":
       Client presents a list of supported ciphers & hash functions
       Server picks the strongest and tells the client
       Server sends back a certificate (containing the name of a Certificate Authority, e.g. Verisign) and the server's public encryption key
       Client confirms the cert with the CA. Client authenticates the server.
     Cont.
  8. How does SSL work? (cont.)
     Client picks a random number, encrypts it (with the server's public key) and sends it to the server.
     Only the server can decrypt it (using its private key)
     Now they both have a shared secret (the random number)
     From the random number, both parties generate key material for encryption and decryption.
     This concludes the handshake
     Secured connection, which is encrypted and decrypted with the key material until the connection closes
  9. 2-Way SSL
     In the one-way example the client just verified the server is who they say they are?
     Example: Login to your bank?
     But how does your bank know YOU are who you say you are? Typically a login/password
     2-Way SSL achieves the same "Mutual Authentication" by having both sides use certs
  10. 2-Way SSL (diagram)
  11. Why SSL?
     It is a widespread standard and is rock solid – no major hacking stories / events.
     But nothing is impervious
  12. How do we use SSL?
     We use SSL to talk with aggregators
       Outbound: TO the aggregator
       Inbound: FROM the aggregator (the callback)
     We also use SSL in communication with folks upstream, but
       dedicated fiber
       with Dev certs (we trust them, right!)
       and we add digital signing . . . . just in case?
  13. SSL using Java
     JSSE = Java Secure Socket Extension is the default Java package
     Was an optional package before JDK 1.4. Now it's bundled in the JDK.
     Either way it's not easy to use
     We use Apache HTTP Client – it's still REALLY hard (not!)

       // Apache Commons HttpClient 3.x; SSL is handled for us by the https:// scheme
       import java.io.IOException;
       import org.apache.commons.httpclient.HttpClient;
       import org.apache.commons.httpclient.methods.GetMethod;

       public static void fetch() throws IOException {
           HttpClient httpclient = new HttpClient();
           GetMethod httpget = new GetMethod("https://www.verisign.com/");
           try {
               // The SSL handshake (server cert check against the truststore) happens here
               httpclient.executeMethod(httpget);
               System.out.println(httpget.getStatusLine());
           } finally {
               // Always return the connection to the pool, even on exception
               httpget.releaseConnection();
           }
       }
  14. The hard part . . . . .
     The hard part is acquiring and managing the keys and certs
     Procuring a cert is described elsewhere
     Keystore
       Contains our private key and private certificate
       Created from scratch
     Truststore
       Used to contain self-signed certs from aggregators
       Copied from Java's own cacerts (to handle the case where certs are signed by the CA)
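The handshake from slides 7–9 and the keystore/truststore split from slides 13–14, put together in an added example that is not from the slides: a two-way SSL client written directly against JSSE. It assumes Java 7+, a keystore file named "keystore" (our private key and cert), a truststore named "cacerts", the password "changeit", and a placeholder host "someurl.com".

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added example (not from the slides): a two-way SSL client built directly on JSSE.
// Assumed inputs: "keystore" (our private key + cert), "cacerts" (truststore), password "changeit".
public class TwoWaySslClient {

    // Build an SSLContext from the keystore (what we present) and truststore (whom we trust).
    static SSLContext buildContext(String keystore, String truststore, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystore)) { ks.load(in, pass); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pass);   // no client cert will be sent if our private key entry is missing (slide 18)

        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(truststore)) { ts.load(in, pass); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "someurl.com"; // placeholder host, as on slide 20
        SSLContext ctx = buildContext("keystore", "cacerts", "changeit".toCharArray());
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            // Check the cert's CN/SAN against the host name (what wget reports as
            // "matches host"); a raw SSLSocket does NOT do this by itself.
            SSLParameters p = sock.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            sock.setSSLParameters(p);
            sock.startHandshake();  // SSLHandshakeException if either side's cert is rejected
            SSLSession s = sock.getSession();
            System.out.println(s.getProtocol() + " " + s.getCipherSuite());
            // The same fields keytool -list -v shows on slide 6, but for the SERVER's cert
            for (Certificate c : s.getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("Owner:  " + x.getSubjectX500Principal());
                System.out.println("Issuer: " + x.getIssuerX500Principal());
                System.out.println("Valid from: " + x.getNotBefore() + " until: " + x.getNotAfter());
            }
        }
    }
}
```

Run with -Djavax.net.debug=all (slide 19) to see each handshake message next to the printed session details.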
  15. Keystore / truststore: how to . . .
     keytool ships with Java
     Show keys & certs in the keystore:
       keytool -list -v -keystore keystore -storepass changeit
     Show certs in the truststore:
       keytool -list -v -keystore cacerts -storepass changeit
  16. Architecture
     SSL does not have to be handled ("offloaded") by JBoss/Tomcat
     It can be offloaded by Apache Web Server
     It can be offloaded by a load balancer
  17. Authorization
     IMPORTANT NOTE: Not addressed here – this is up to your application
  18. Debugging: What to look for
     Typical exceptions if . . .
       Can't find keystore / truststore
       Our private key is missing from the keystore
       Whitelisting error (not really SSL)
  19. Debugging Tools #1
       -Djavax.net.debug=all
  20. Debugging tools #2: wget
     Use "wget" to unit test your key/certs (one-way!), e.g. to test:
       wget -d -v \
         --certificate=/somecrt \
         --post-data 'SOAP STUFF GOES HERE' \
         --private-key=/somekey \
         https://someurl.com
  21. wget Output
       Resolving somestage.com... XXX.242.50.144
       Caching somestage.com => XXX.242.50.144
       Connecting to somestage.com|XXX.242.50.144|:443... connected.
       Created socket 3.
       Releasing 0x000000001b0a5e70 (new refcount 1).
       Initiating SSL handshake.
       Handshake successful; connected socket 3 to SSL handle 0x000000001b10ee40
       certificate:
         subject: /C=DK/postalCode=9210/ST=Aalborg/L=Aalborg SxC3x98/streetAddress=Indkildevej 6E/O=TBD/OU=TBD/OU=Issued through TBD Manager/OU=Comodo PremiumSSL Legacy Wildcard/CN=*.somestag.com
         issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
       X509 certificate successfully verified and matches host somestage.com
       ---request begin---
       POST /thepath HTTP/1.0
       . . . . .
       ---response begin---
       HTTP/1.1 200 OK
       Date: Fri, 13 Aug 2010 16:27:31 GMT
       Server: Apache/1.3.33 (Debian GNU/Linux) PHP/4.3.10-15 mod_ssl/2.8.22 OpenSSL/0.9.7e
  22. Debugging tools #3: tcpdump etc.
     On most Linux boxes
     tcpdump
       Monitors traffic, e.g. monitor port 443:
         tcpdump -i eth0 -v dst port 443
     Wireshark
       Also monitors traffic (but a bit nicer UI)
       http://www.wireshark.org/
  23. Apache HTTP Server and SSL
     You shouldn't need to go here . . .
     But if you do, Bryan, Derrick, Pete and Frank can assist
     Basically there are config files and they point to the usual suspects (certs, keys etc.), e.g.
       SSLVerifyClient require
       SSLVerifyDepth 10
       SSLCertificateFile /etc/httpd/conf/ssl.crt/somecert
       SSLCertificateKeyFile /etc/httpd/conf/ssl.key/somekey
  24. Summary
     At a high level SSL is pretty straightforward
     But the devil is in the details – keystores / truststores, Apache configuration, different aggregator environments . . . .
     Plus add in server whitelisting . . . .
     When you hit a problem with SSL – first, don't panic! Check your configuration (run.conf, keystore/truststore, Apache settings – if appropriate).
     We are here to help . . .
  25. Java Resources
     JSSE Reference Guide (for JDK 6)
       http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
       http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/ReadDebug.html