SlideShare a Scribd company logo

Ssl

A
Anandraj Kulkarni

This document provides an overview of SSL (Secure Sockets Layer) technology, including why it is used, how it works, and common troubleshooting tips. SSL addresses issues with communicating securely over the internet such as verifying identities, preventing eavesdropping, and modifying data. It uses public key cryptography where each party has a public and private key to encrypt data. The SSL handshake process negotiates encryption between client and server before transmitting encrypted data. Common SSL issues involve certificate validation errors, which can be debugged using stack traces and tools like Keytool and OpenSSL.

TechnologyEducation
1 of 17
SSL Technology Overview and Troubleshooting Tips
SSL  Secure Sockets Layer, or SSL (pronounced as separate letters), is a protocol which is used to communicate over the Internet in a secure fashion. The following is a brief but comprehensive introduction to SSL technology. To better understand the need for SSL, lets first examine the difficulties of using the Internet if no SSL encryption existed.
Why Use SSL? Transferring sensitive information over a network can be risky due to the following three issues:  You cannot always be sure that the entity with whom you are communicating is really who you think it is.  Network data can be intercepted, so it is possible that it can be read by an unauthorized third party, sometimes known as an attacker.  If an attacker can intercept the data, the attacker may be able to modify the data before sending it on to the receiver. SSL addresses all these issues.
SSL Details  SSL technology relies on the concept of ‘public key cryptography’ to accomplish its tasks. In normal encryption, two communicating parties each share a password or key, and this is used to both encrypt and decrypt messages. While this is a very simple and efficient method, it doesn’t solve the problem of giving the password to someone you have not yet met or trust.  In public key cryptography, each party has two keys, a public key and a private key. Information encrypted with a person’s public key can only be decrypted with the private key and vice versa. Each user publicly tells the world what his public key is but keeps his private key for himself.
How SSL Works
       Client hello - The client sends the server information including the highest version of SSL it supports and a list of the cipher suites it supports. (TLS 1.0 is indicated as SSL 3.1.) The cipher suite information includes cryptographic algorithms and key sizes. Server hello - The server chooses the highest version of SSL and the best cipher suite that both the client and server support and sends this information to the client. Certificate - The server sends the client a certificate or a certificate chain. A certificate chain typically begins with the server's public key certificate and ends with the certificate authority's root certificate. This message is optional, but is used whenever server authentication is required. Certificate request - If the server needs to authenticate the client, it sends the client a certificate request. In Internet applications, this message is rarely sent. Server key exchange - The server sends the client a server key exchange message when the public key information sent in 3) above is not sufficient for key exchange. Server hello done - The server tells the client that it is finished with its initial negotiation messages. Certificate - If the server requests a certificate from the client in Message 4, the client sends its certificate chain, just as the server did in Message 3.
        Client key exchange - The client generates information used to create a key to use for symmetric encryption. For RSA, the client then encrypts this key information with the server's public key and sends it to the server. Certificate verify - This message is sent when a client presents a certificate as above. Its purpose is to allow the server to complete the process of authenticating the client. When this message is used, the client sends information that it digitally signs using a cryptographic hash function. When the server decrypts this information with the client's public key, the server is able to authenticate the client. Change cipher spec - The client sends a message telling the server to change to encrypted mode. Finished - The client tells the server that it is ready for secure data communication to begin. Change cipher spec - The server sends a message telling the client to change to encrypted mode. Finished - The server tells the client that it is ready for secure data communication to begin. This is the end of the SSL handshake. Encrypted data - The client and the server communicate using the symmetric encryption algorithm and the cryptographic hash function negotiated in Messages 1 and 2, and using the secret key that the client sent to the server in Message 8. Close Messages - At the end of the connection, each side will send a close_notify message to inform the peer that the connection is closed.
To set up SSL  Weblogic http://weblogic-wonders.com/weblogic/2010/11/11/configuring-sslon-weblogic-server-custom-identity-and-custom-trust/  Jboss http://weblogic-wonders.com/weblogic/2010/04/07/sslconfiguration-with-jboss-server/  Websphere http://weblogic-wonders.com/weblogic/2011/07/06/certificatemanagement-in-websphere-application-server-2/
Formats .pem – (Privacy-enhanced Electronic Mail) Base64 encoded DER certificate, enclosed between “ -----BEGIN CERTIFICATE-----" "-----END CERTIFICATE-----" A .pem format file supports multiple digital certificates (for example, a certificate chain can be included). The order is important (include the files in the order of trust). The server digital certificate should be the first digital certificate in the file. The issuer of that digital certificate should be the next file and so on until you get to the self-signed root certificate authority certificate.   .cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)  .p7b, .p7c – PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)  .p12 – PKCS#12, may contain certificate(s) (public) and private keys (password protected)  .pfx – PFX, predecessor of PKCS#12  .jks – JAVA Keystore, used to store public/private key pairs, trusted certificates
TOOLS  Keytool  OpenSSL  Portecle ( my favourite)
Keytool  keytool -genkey -alias mykey -keyalg RSA -keysize 1024 -dname "CN=myserver.beasys.com, OU=Customer Support, O=BEA Systems Inc, L=Denver, ST=Colorado, C=US" -keypass mykeypass -keystore identity.jks -storepass mystorepass  keytool -selfcert -v -alias mykey -keypass mykeypass -keystore identity.jks -storepass mystorepass -storetype jks  keytool -export -v -alias mykey -file rootCA.der -keystore identity.jks storepass mystorepass  keytool -import -v -trustcacerts -alias mykey -file rootCA.der -keystore trust.jks -storepass mystorepass
OpenSSL  openssl genrsa -des3 -out server.key 1024  openssl req -config ..confopenssl.cnf -new -key server.key -out localhost  openssl x509 -req -days 730 -in localhost -signkey server.key out server.crt  openssl pkcs12 -export -out faiz.pfx -in privatepublic.pem -name faiz
Portecle  Can be used to view certificates/certificate stores, change certificate formats.
Command line -Djavax.net.ssl.trustStrore=xxxx -Djavax.net.ssl.trustStrorePassword=xxxx -Djavax.net.ssl.keyStore=xxxx -Djavax.net.ssl.keyStorePasswor=xxxx  To debug add the following -Djavax.net.debug=ssl
Common Issues      Incomplete CA Chains Invalid keys Certificate expiration Required certificate not present in trust keystore Hostname Verification Failure
Stack Traces  PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target  java.security.InvalidKeyException: Illegal key size  java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty  Signature verification failed because RSA key public exponent [3] is too small  Solutions ?? http://weblogic-wonders.com/weblogic/2010/01/28/troubleshooting-ssl-issues/
Questions?

Recommended

SSL/TLS Handshake
SSL/TLS HandshakeSSL/TLS Handshake
SSL/TLS Handshake
Arpit Agarwal
 
Ssl in a nutshell
Ssl in a nutshellSsl in a nutshell
Ssl in a nutshell
Frank Kelly
 
ssl
sslssl
ssl
sjyuva
 
Cryptography - Overview
Cryptography - OverviewCryptography - Overview
Cryptography - Overview
Mohammed Adam
 
TLS - Transport Layer Security
TLS - Transport Layer SecurityTLS - Transport Layer Security
TLS - Transport Layer Security
ByronKimani
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)
Arun Shukla
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) Protocol
Mohammed Adam
 
How ssl works
How ssl worksHow ssl works
How ssl works
Saptarshi Basu
 

Recommended

SSL/TLS Handshake
SSL/TLS HandshakeSSL/TLS Handshake
SSL/TLS Handshake
Arpit Agarwal
 
Ssl in a nutshell
Ssl in a nutshellSsl in a nutshell
Ssl in a nutshell
Frank Kelly
 
ssl
sslssl
ssl
sjyuva
 
Cryptography - Overview
Cryptography - OverviewCryptography - Overview
Cryptography - Overview
Mohammed Adam
 
TLS - Transport Layer Security
TLS - Transport Layer SecurityTLS - Transport Layer Security
TLS - Transport Layer Security
ByronKimani
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)
Arun Shukla
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) Protocol
Mohammed Adam
 
How ssl works
How ssl worksHow ssl works
How ssl works
Saptarshi Basu
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
Asad Ali
 
SSL
SSLSSL
SSL
Badrul Alam bulon
 
SSL TLS Protocol
SSL TLS ProtocolSSL TLS Protocol
SSL TLS Protocol
Devang Badrakiya
 
SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layer
Ahmed Elnaggar
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLS
Sirish Kumar
 
Introduction to SSL/TLS
Introduction to SSL/TLSIntroduction to SSL/TLS
Introduction to SSL/TLS
keithrozario
 
Ssl (Secure Socket Layer)
Ssl (Secure Socket Layer)Ssl (Secure Socket Layer)
Ssl (Secure Socket Layer)
Sandeep Gupta
 
SSL
SSLSSL
SSL
theekuchi
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)
amanchaurasia
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
Pina Parmar
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)
Samip jain
 
secure socket layer
secure socket layersecure socket layer
secure socket layer
Amar Shah
 
Introduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & SecureIntroduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & Secure
Brian Ritchie
 
Transport layer security (tls)
Transport layer security (tls)Transport layer security (tls)
Transport layer security (tls)
Kalpesh Kalekar
 
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesSSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
JaroslavChmurny
 
Transport layer security
Transport layer securityTransport layer security
Transport layer security
Hrudya Balachandran
 
SSL overview
SSL overviewSSL overview
SSL overview
Todd Benson (I.T. SPECIALIST and I.T. SECURITY)
 
[POSS 2019] TLS for Dummies
[POSS 2019] TLS for Dummies[POSS 2019] TLS for Dummies
[POSS 2019] TLS for Dummies
Worteks
 
SSL And TLS
SSL And TLS SSL And TLS
SSL And TLS
Ghanshyam Patel
 
The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)
Vishal Kumar
 
Details about the SSL Certificate
Details about the SSL CertificateDetails about the SSL Certificate
Details about the SSL Certificate
CheapSSLUSA
 
ssl's guide
ssl's guidessl's guide
ssl's guide
Shakil Malik
 

More Related Content

What's hot

SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layer
Ahmed Elnaggar
 
Introduction to SSL/TLS
Introduction to SSL/TLSIntroduction to SSL/TLS
Introduction to SSL/TLS
keithrozario
 

What's hot (20)

Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
 
SSL
SSLSSL
SSL
 
SSL TLS Protocol
SSL TLS ProtocolSSL TLS Protocol
SSL TLS Protocol
 
SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layer
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLS
 
Introduction to SSL/TLS
Introduction to SSL/TLSIntroduction to SSL/TLS
Introduction to SSL/TLS
 
Ssl (Secure Socket Layer)
Ssl (Secure Socket Layer)Ssl (Secure Socket Layer)
Ssl (Secure Socket Layer)
 
SSL
SSLSSL
SSL
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)
 
secure socket layer
secure socket layersecure socket layer
secure socket layer
 
Introduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & SecureIntroduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & Secure
 
Transport layer security (tls)
Transport layer security (tls)Transport layer security (tls)
Transport layer security (tls)
 
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesSSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
 
Transport layer security
Transport layer securityTransport layer security
Transport layer security
 
SSL overview
SSL overviewSSL overview
SSL overview
 
[POSS 2019] TLS for Dummies
[POSS 2019] TLS for Dummies[POSS 2019] TLS for Dummies
[POSS 2019] TLS for Dummies
 
SSL And TLS
SSL And TLS SSL And TLS
SSL And TLS
 
The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)
 

Similar to Ssl

Demonstration of secure socket layer(synopsis)
Demonstration of secure socket layer(synopsis)Demonstration of secure socket layer(synopsis)
Demonstration of secure socket layer(synopsis)
Mumbai Academisc
 
Explain how SSL protocol is used to ensure the confidentiality and int.docx
Explain how SSL protocol is used to ensure the confidentiality and int.docxExplain how SSL protocol is used to ensure the confidentiality and int.docx
Explain how SSL protocol is used to ensure the confidentiality and int.docx
todd401
 
Secure payment systems
Secure payment systemsSecure payment systems
Secure payment systems
Abdulaziz Mohd
 
Improving the Secure Socket Layer by Modifying the RSA Algorithm
Improving the Secure Socket Layer by Modifying the RSA AlgorithmImproving the Secure Socket Layer by Modifying the RSA Algorithm
Improving the Secure Socket Layer by Modifying the RSA Algorithm
IJCSEA Journal
 

Similar to Ssl (20)

Details about the SSL Certificate
Details about the SSL CertificateDetails about the SSL Certificate
Details about the SSL Certificate
 
ssl's guide
ssl's guidessl's guide
ssl's guide
 
Demonstration of secure socket layer(synopsis)
Demonstration of secure socket layer(synopsis)Demonstration of secure socket layer(synopsis)
Demonstration of secure socket layer(synopsis)
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
 
What is TLS/SSL?
What is TLS/SSL? What is TLS/SSL?
What is TLS/SSL?
 
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.pptWEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
 
SSL.ppt
SSL.pptSSL.ppt
SSL.ppt
 
SSL-image
SSL-imageSSL-image
SSL-image
 
SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications
 
Secure sockets layer, ssl presentation
Secure sockets layer, ssl presentationSecure sockets layer, ssl presentation
Secure sockets layer, ssl presentation
 
Explain how SSL protocol is used to ensure the confidentiality and int.docx
Explain how SSL protocol is used to ensure the confidentiality and int.docxExplain how SSL protocol is used to ensure the confidentiality and int.docx
Explain how SSL protocol is used to ensure the confidentiality and int.docx
 
Secure payment systems
Secure payment systemsSecure payment systems
Secure payment systems
 
Introduction of an SSL Certificate
Introduction of an SSL CertificateIntroduction of an SSL Certificate
Introduction of an SSL Certificate
 
Introduction to Secure Sockets Layer
Introduction to Secure Sockets LayerIntroduction to Secure Sockets Layer
Introduction to Secure Sockets Layer
 
Understanding transport-layer_security__ssl
Understanding transport-layer_security__sslUnderstanding transport-layer_security__ssl
Understanding transport-layer_security__ssl
 
The last picks
The last picksThe last picks
The last picks
 
Improving the Secure Socket Layer by Modifying the RSA Algorithm
Improving the Secure Socket Layer by Modifying the RSA AlgorithmImproving the Secure Socket Layer by Modifying the RSA Algorithm
Improving the Secure Socket Layer by Modifying the RSA Algorithm
 
SSLtalk
SSLtalkSSLtalk
SSLtalk
 
Sequere socket Layer
Sequere socket LayerSequere socket Layer
Sequere socket Layer
 

Recently uploaded

A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
UXDXConf
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
UXDXConf
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
CzechDreamin
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
Femke de Vroome
 

Recently uploaded (20)

Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
Top 10 Symfony Development Companies 2024
Top 10 Symfony Development Companies 2024Top 10 Symfony Development Companies 2024
Top 10 Symfony Development Companies 2024
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?
 

Ssl

  • 2. SSL  Secure Sockets Layer, or SSL (pronounced as separate letters), is a protocol which is used to communicate over the Internet in a secure fashion. The following is a brief but comprehensive introduction to SSL technology. To better understand the need for SSL, lets first examine the difficulties of using the Internet if no SSL encryption existed.
  • 3. Why Use SSL? Transferring sensitive information over a network can be risky due to the following three issues:  You cannot always be sure that the entity with whom you are communicating is really who you think it is.  Network data can be intercepted, so it is possible that it can be read by an unauthorized third party, sometimes known as an attacker.  If an attacker can intercept the data, the attacker may be able to modify the data before sending it on to the receiver. SSL addresses all these issues.
  • 4. SSL Details  SSL technology relies on the concept of ‘public key cryptography’ to accomplish its tasks. In normal encryption, two communicating parties each share a password or key, and this is used to both encrypt and decrypt messages. While this is a very simple and efficient method, it doesn’t solve the problem of giving the password to someone you have not yet met or trust.  In public key cryptography, each party has two keys, a public key and a private key. Information encrypted with a person’s public key can only be decrypted with the private key and vice versa. Each user publicly tells the world what his public key is but keeps his private key for himself.
  • 6.        Client hello - The client sends the server information including the highest version of SSL it supports and a list of the cipher suites it supports. (TLS 1.0 is indicated as SSL 3.1.) The cipher suite information includes cryptographic algorithms and key sizes. Server hello - The server chooses the highest version of SSL and the best cipher suite that both the client and server support and sends this information to the client. Certificate - The server sends the client a certificate or a certificate chain. A certificate chain typically begins with the server's public key certificate and ends with the certificate authority's root certificate. This message is optional, but is used whenever server authentication is required. Certificate request - If the server needs to authenticate the client, it sends the client a certificate request. In Internet applications, this message is rarely sent. Server key exchange - The server sends the client a server key exchange message when the public key information sent in 3) above is not sufficient for key exchange. Server hello done - The server tells the client that it is finished with its initial negotiation messages. Certificate - If the server requests a certificate from the client in Message 4, the client sends its certificate chain, just as the server did in Message 3.
  • 7.         Client key exchange - The client generates information used to create a key to use for symmetric encryption. For RSA, the client then encrypts this key information with the server's public key and sends it to the server. Certificate verify - This message is sent when a client presents a certificate as above. Its purpose is to allow the server to complete the process of authenticating the client. When this message is used, the client sends information that it digitally signs using a cryptographic hash function. When the server decrypts this information with the client's public key, the server is able to authenticate the client. Change cipher spec - The client sends a message telling the server to change to encrypted mode. Finished - The client tells the server that it is ready for secure data communication to begin. Change cipher spec - The server sends a message telling the client to change to encrypted mode. Finished - The server tells the client that it is ready for secure data communication to begin. This is the end of the SSL handshake. Encrypted data - The client and the server communicate using the symmetric encryption algorithm and the cryptographic hash function negotiated in Messages 1 and 2, and using the secret key that the client sent to the server in Message 8. Close Messages - At the end of the connection, each side will send a close_notify message to inform the peer that the connection is closed.
  • 8. To set up SSL  Weblogic http://weblogic-wonders.com/weblogic/2010/11/11/configuring-sslon-weblogic-server-custom-identity-and-custom-trust/  Jboss http://weblogic-wonders.com/weblogic/2010/04/07/sslconfiguration-with-jboss-server/  Websphere http://weblogic-wonders.com/weblogic/2011/07/06/certificatemanagement-in-websphere-application-server-2/
  • 9. Formats .pem – (Privacy-enhanced Electronic Mail) Base64 encoded DER certificate, enclosed between “ -----BEGIN CERTIFICATE-----" "-----END CERTIFICATE-----" A .pem format file supports multiple digital certificates (for example, a certificate chain can be included). The order is important (include the files in the order of trust). The server digital certificate should be the first digital certificate in the file. The issuer of that digital certificate should be the next file and so on until you get to the self-signed root certificate authority certificate.   .cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)  .p7b, .p7c – PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)  .p12 – PKCS#12, may contain certificate(s) (public) and private keys (password protected)  .pfx – PFX, predecessor of PKCS#12  .jks – JAVA Keystore, used to store public/private key pairs, trusted certificates
  • 10. TOOLS  Keytool  OpenSSL  Portecle ( my favourite)
  • 11. Keytool  keytool -genkey -alias mykey -keyalg RSA -keysize 1024 -dname "CN=myserver.beasys.com, OU=Customer Support, O=BEA Systems Inc, L=Denver, ST=Colorado, C=US" -keypass mykeypass -keystore identity.jks -storepass mystorepass  keytool -selfcert -v -alias mykey -keypass mykeypass -keystore identity.jks -storepass mystorepass -storetype jks  keytool -export -v -alias mykey -file rootCA.der -keystore identity.jks storepass mystorepass  keytool -import -v -trustcacerts -alias mykey -file rootCA.der -keystore trust.jks -storepass mystorepass
  • 12. OpenSSL  openssl genrsa -des3 -out server.key 1024  openssl req -config ..confopenssl.cnf -new -key server.key -out localhost  openssl x509 -req -days 730 -in localhost -signkey server.key out server.crt  openssl pkcs12 -export -out faiz.pfx -in privatepublic.pem -name faiz
  • 13. Portecle  Can be used to view certificates/certificate stores, change certificate formats.
  • 15. Common Issues      Incomplete CA Chains Invalid keys Certificate expiration Required certificate not present in trust keystore Hostname Verification Failure
  • 16. Stack Traces  PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target  java.security.InvalidKeyException: Illegal key size  java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty  Signature verification failed because RSA key public exponent [3] is too small  Solutions ?? http://weblogic-wonders.com/weblogic/2010/01/28/troubleshooting-ssl-issues/

Editor's Notes

  1. http://sourceforge.net/projects/portecle/
  2. http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html