1 / 18

TLS/SSL Review

TLS/SSL Review. Transport Layer Security A 30-second history. Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent and secure transactions. In 1997 an Open Source version of Netscape’s patented version

saxton
Download Presentation

TLS/SSL Review

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. TLS/SSL Review

  2. Transport Layer SecurityA 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent and secure transactions. In 1997 an Open Source version of Netscape’s patented version was created, which is now OpenSSL. In 1999 the existing protocol was extended by a version now known as Transport Layer Security (TLS). By convention, the term "SSL" is used even when technically the TLS protocol is being used.

  3. TLS: Server Certificate • Authentication • Server and/or client identity is verified via certificate. • Privacy • Data is encrypted with block cipher • Cipher key is exchanged via public key

  4. TLS: Server Certificate Verification • The client browser recognizes the Certificate Authority and thus verifies the authenticity of the connection.

  5. Failed Verification If there is a conflict between the name on the certificate and the name of the server, the browser pops up a “Domain Name Mismatch” notice, allowing the user to decide whether to continue.

  6. Cert Request: CSR • CSR: Certificate Signing Request • It contains: • Information about the organization (organization name, country, etc...) • Web Server's public key • A unique mathematical match to server's private key .

  7. Cert Request: CSR (cont.) • Let’s Create one

  8. Cert Request • Go to http://security.sdsu.edu/services/ssl/ • Common Name: ricardoserver.sdsu.edu • Server software: • Certificate Term: 1,2, or 3 years • CSR: 2048-bit CSR • Pass-phrase: (Don’t use)

  9. Cert Request

  10. Cert Request: Type

  11. Cert Request: Type (cont.)

  12. Cert Request: Type (cont.)

  13. Cert Request: Email Hello,You have successfully enrolled for an InCommon SSL certificate.You now need to complete the following steps:    * Click the following link to download your SSL certificate (generally try to use a version that includes intermediates & root or your certificate may be rejected by some older clients)    Format(s) most suitable for your server software:       as X509 Certificate only, Base64 encoded: https://cert-manager.com/customer/InCommon/ssl?action=download&sslId=xxxx&format=x509CO       as X509 Intermediates/root only, Base64 encoded: https://cert-manager.com/customer/InCommon/ssl?action=download&sslId=xxxx&format=x509IO       as X509 Intermediates/root only Reverse, Base64 encoded: https://cert-manager.com/customer/InCommon/ssl?action=download&sslId=xxxxx&format=x509IOR    Other available formats:       as PKCS#7 Base64 encoded: https://cert-manager.com/customer/InCommon/ssl?action=download&sslId=xxxxxx&format=base64       as PKCS#7 Bin encoded: https://cert-manager.com/customer/InCommon/ssl?action=download&sslId=xxxxx&format=bin       as X509, Base64 encoded: https://cert-manager.com/customer/InCommon/ssl?action=download&sslId=xxxxxx&format=x509

  14. Cert Request: Email Which File to download? • X509 Certificate only, Base64 encodedThis file contains only your domain/entity certificate and is commonly used with Apache-based systems (Apache Directive: SSLCertificateFile), Tomcat and Oracle Wallet Manager. • X509 Intermediates/root only, Base64 encodedThis file includes only the Root and Intermediate CA certificates (in order) for your domain/entity certificate. • X509 Intermediates/root only (Reverse), Base64 encodedThis file contains only the Intermediate(s) and Root CA certificates (in reverse order) and is commonly used with Apache-based systems (Apache2 Directive: SSLCertificateChainfile). This file is also known as a 'CA Bundle' or 'Certificate Chain File'. Other available formats: • PKCS#7 Base64 encoded • PKCS#7 Bin encodedPKCS#7 is commonly used with IIS 5.x and later. This file contains the: Root, Intermediate(s) and your certificate; all rolled into a single file. • X509, Base64 encodedThis file typically includes (in order): Root, Intermediate(s) and your certificate.

  15. Cert Request: Email PKCS#7 vs. X509? • PKCS#7 is a cryptography standard published by RSA Security in 1993 that deals with data that has cryptography applied to it. Its a standard for how to package data securely. PKCS#7 references the X.509 standard, as the source for certificate formatting. • X.509 is a wide ranging security standards document published in 1998 which includes amongst other things, certificate file formats. • X.509 specifies that certificates should be encoded using the Distinguished Encoding Rules of the ASN.1 (documented in the X.208 and now X.608) standard, first published in 1984. • So, DER says how to encode some strings and numeric source data into a binary format, X.509 says which data needs to go into a digital certificate, and PKCS#7 says how that certificate should be used, to digitally sign a message.

  16. SSL Cert: Install • Add to httpd.conf • SSLEngine on • SSLCertificateKeyFile /etc/ssl/ssl.key/server.key • SSLCertificateFile /etc/ssl/ssl.crt/yourDomainName.crt • SSLCertificateChainFile /etc/ssl/ssl.crt/yourDomainName.ca-bundle • Restart apache

  17. SSL Cert Expr. Monitoring • Nagios • Bash Script : http://prefetch.net/code/ssl-cert-check

  18. SSL Cert Thank you Questions: Email me at rfitipal@mail.sdsu.edu

More Related