SSL provides encryption and authentication for secure communication over networks. It uses certificates signed by a certificate authority to authenticate servers and establish an encrypted connection. The SSL handshake process involves the client sending a pre-master secret encrypted with the server's public key, both sides then derive encryption keys to encrypt the connection. Debugging SSL issues may require using tools like tcpdump to monitor network traffic or adding debug flags to examine the SSL handshake.

1. SSL in a NutshellJust enough to be dangerous . . . . .

2. In the kingdom of the blind, the one eyed man is king(In other words I am not an expert – I just play one on TV!)This is all relatively introductory informationExpectation setting

3. What is SSL?CertificatesHow does SSL work?How we use SSL?SSL & JavaConfigurationDebuggingResourcesAgenda

4. SSL = Secure Socket LayerTLS = Transport Layer Security is the new nameA cryptographic protocol to provide secure communication over networks (such as Internet)Protocol provides two of the three key aspects for SecurityConfidentiality (Encryption)Authentication (you are who you say you are)Authorization (What you can do – controlled by your app – not the protocol)What is SSL?

5. What is a Certificate?A signed digital certificate is an industry-standard means of verifying the authenticity of an entity, such as a server, client, or application. To ensure maximum security, a certificate is issued by a third-party certificate authority (CA) e.g. VerisignBut first this . . . .

6. Creation date: Jul 28, 2010Entry type: PrivateKeyEntryCertificate chain length: 1Certificate[1]:Owner: CN=some.url, OU=Services, O=Nokia, L=Burlington, ST=Massachusetts, C=USIssuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust NetworkSerial number: 7c391cdfaf10822ce338c3eb925f77bcValid from: Mon Apr 12 00:00:00 UTC 2010 until: Tue Apr 12 23:59:59 UTC 2011Certificate fingerprints: MD5: 06:5C:45:66:C5:28:77:48:E6:58:D9:FB:C5:06:41:1C SHA1: 74:4B:A8:3D:A7:BF:57:30:4E:23:B5:21:4C:2E:9B:8B:27:5F:9E:A5 Signature algorithm name: SHA1withRSA Version: 3And more stuff . . . .What does a cert look like? Ours.

7. One-Way SSLHow does SSL work?NOTE: If a Cert is signed by a CA – it does NOT need to be in Keystore AIn Detail . . . .Client and Server negotiate an SSL connection with a “handshake”Client presents a list of supported supported ciphers & hash functions Server picks the strongest and tells clientServer sends back a certificate (containing name of a Certificate Authority e.g. Verisign) and the server’s public encryption keyClient confirms cert with CA. Client autheniticates Server.Cont.How does SSL work?

8. Client picks a random number, encrypts that (with server’s public key) and sends it to server. Only server can decrypt it (using it’s private key)Now they both have a shared secret (the random number) From the random number, both parties generate key material for encryption and decryption.This concludes the handshake Secured connection, which is encrypted and decrypted with the key material until the connection closesHow does SSL work? (cont.)

9. In the One-way example the client just verified the server is who they say they are?Example: Login to your bank?But how does your bank know YOU are who you say you are? Typically a login/password2 Way SSL achieves the same “Mutual Authentication” by having both sides use Certs2-Way SSL

10. 2-Way SSL

11. It is a Widespread Standard and is rock solid – no major hacking stories / events.But nothing is imperviousWhy SSL?

12. We use SSL to talk with aggregatorsOutbound: TO the aggregatorInbound: FROM the aggregator (the callback)We also use SSL in communication with folks upstream but dedicated fiberWith Dev certs (we trust them right!)And we add Digital Signing . . . . Just in case? How do we use SSL?

13. JSSE = Java Secure Socket Extension is the default Java package Was optional package before JDK 1.4. Now it’s bundled in the JDK.Either way it’s not easy to useWe use Apache HTTP Client - it’s still REALLY hard (not!) HttpClient httpclient = new HttpClient(); GetMethod httpget = new GetMethod("https://www.verisign.com/"); try { httpclient.executeMethod(httpget); System.out.println(httpget.getStatusLine()); } finally { httpget.releaseConnection();}SSL using Java

14. The hard part is acquiring and managing the keys and certsProcuring a cert is described elsewhereKeystore Contains our private key and private certificateCreated from scratchTruststore Used to contain Self-Signed Certs from AggregatorsCopied from Java’s own cacerts (to handle the case where certs are signed by the CA)The hard part . . . . .

15. Keytool ships with Java Show Keys & Certs in Keystorekeytool -list -v -keystore keystore -storepass changeitShow Certs in the Truststorekeytool -list -v -keystore cacerts -storepass changeit Keystore / truststore: how to . . .

16. SSL does not have to be handled (“offloaded”) by Jboss/TomcatIt can be offloaded by Apache Web ServerIt can be offloaded by Load BalancerArchitecture

17. IMPORTANT NOTE: Not addressed here – this is up to your applicationAuthorization

18. Typical Exceptions if . . .Can’t find keystore / truststoreOur private key is missing from keystoreWhitelisting error (not really SSL)Debugging: What to look for

19. -Djavax.net.debug=allDebugging Tools #1

20. Use “wget” to unit test your key/certs (one-way!) e.g. to testwget -d -v --certificate=/somecrt --post-data ‘SOAP STUFF GOES HERE'--private-key=/somekeyhttps://someurl.comDebugging tools #2: wget

21. Resolving somestage.com... XXX.242.50.144Caching somestage.com => XXX.242.50.144Connecting to somestage.com|XXX.242.50.144|:443... connected.Created socket 3.Releasing 0x000000001b0a5e70 (new refcount 1).Initiating SSL handshake.Handshake successful; connected socket 3 to SSL handle 0x000000001b10ee40certificate: subject: /C=DK/postalCode=9210/ST=Aalborg/L=Aalborg S\xC3\x98/streetAddress=Indkildevej 6E/O=TBD/OU=TBD/OU=Issued through TBD Manager/OU=Comodo PremiumSSL Legacy Wildcard/CN=*.somestag.com issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate ServicesX509 certificate successfully verified and matches host somestage.com---request begin---POST /thepath HTTP/1.0. . . . . ---response begin---HTTP/1.1 200 OKDate: Fri, 13 Aug 2010 16:27:31 GMTServer: Apache/1.3.33 (Debian GNU/Linux) PHP/4.3.10-15 mod_ssl/2.8.22 OpenSSL/0.9.7ewget Output

22. On most linux boxesTcpdump Monitors traffic e.g. Monitor port 443tcpdump -i eth0 -v dst port 443WiresharkAlso monitors traffic (but a bit nicer UI)http://www.wireshark.org/Debugging tools #3: tcpdump etc.

23. You shouldn’t need to go here . . . But if you do Bryan, Derrick, Pete and Frank can assistBasically there are config files and they point to the usual suspects (Certs, Keys etc.) e.g.SSLVerifyClient requireSSLVerifyDepth 10SSLCertificateFile /etc/httpd/conf/ssl.crt/somecertSSLCertificateKeyFile /etc/httpd/conf/ssl.key/somekeyApache HTTP Server and SSL

24. At a high-level SSL is pretty straight-forwardBut the devil is in the details – keystores / truststores, apache configuration, different aggregator environments . . . .Plus add in server white listing . . .. When you hit a problem with SSL – first don’t panic! Check your configuration (run.conf, keystore/truststore, apache settings – if appropriate).We are here to help . . . Summary

25. JSSE Reference Guide (for JDK 6)http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.htmlhttp://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/ReadDebug.htmlJava Resources