Security Basics mailing list archives
Re: SSL workings
From: Markus Müssig <mmuessig () multamedio de>
Date: 03 Dec 2003 13:43:27 +0100
I will try to explain it from an https/http corner: HTTP servers are usually accessed on port 80. They do a three-way handshake and transmit data unencrypted. You can sniff every object requested from a URL specified through the browser and see every packet as "plain" unencrypted data...

A project definition from httpd.conf for a standard and minimal http site:

    <VirtualHost *:80>
        DocumentRoot /data/srv/www/projectfolder
        ServerName   test.server.de
        ServerAdmin  root@localhost
        ErrorLog     /var/log/apache/error.log
        TransferLog  /var/log/apache/access.log
    </VirtualHost>

HTTPS servers are usually accessed on port 443. Apache configuration of such a web project is a little more sophisticated:

    <VirtualHost *:443>
        DocumentRoot /data/srv/www/projectfolder
        ServerName   test.server.de
        ServerAdmin  root@localhost
        ErrorLog     /var/log/apache/error.log
        TransferLog  /var/log/apache/access.log

        # use SSL
        SSLEngine on
        # possible encryption algorithms
        SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        # server certificate sent while the client connects at port 443
        SSLCertificateFile /data/ssl/certPool/BitworxCA/certs/testserver.bitworx.de.crt
        # private key for the server cert
        SSLCertificateKeyFile /data/ssl/certPool/BitworxCA/private/testserver.bitworx.de.key
        SSLCACertificatePath /data/ssl/certPool/BitworxCA/ca/
        # CA which signed the server cert
        SSLCACertificateFile /data/ssl/certPool/BitworxCA/ca/ca.pem
    </VirtualHost>

As you see above, a server cert is sent to a client connecting to that server:443. The following occurs during initial connection handling:

- Server sends a server cert with public key.
- Client has to accept the cert (that's done automatically if the server cert is signed by a well-known cert authority like Thawte, Verisign...).
- Now client and server negotiate a symmetric session key, using the public/private keys from the cert for encrypting that phase.
- After working out a symmetric session key, traffic is encrypted by that session key.

1. Three-way handshake
2. Client HELO
3. Server HELO
4. Server cert to client
5. Exchange keys
6. Exchange cipher specs
7. Negotiation of symmetric session key
   + UNTIL NOW PUBLIC/PRIVATE KEY ENCRYPTION
8. Encrypted data by use of session key

Hope that helps a little bit!

TO EVERYONE: Please correct/add things you know/know better than me...

regards,
Markus Muessig

On Tue, 2003-12-02 at 18:18, trystano () aol com wrote:
> Can someone please highlight exactly how SSL works. I know it encrypts data sent between a client and a server and uses authentication through use of certificates etc. But does it secure the socket/port out of which the data is being transferred? Does SSL send data through a different port than normal unprotected data transfers? Sorry if this sounds kind of beginner like :-s
>
> Cheers
> Tryst
-- 
Markus Müssig
MULTA MEDIO Informationssysteme AG
- System Administrator -
Mergentheimer Str. 76a
97082 Wuerzburg
mailto:mmuessig () multamedio de
Tel: +49 (0)931 79717-18
Fax: +49 (0)931 79717-30
http://www.multamedio.de
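The handshake sequence in Markus's post (steps 2 to 8), as an added worked model that is not part of the original message: a Python script in which a CA signs a server "certificate", the client checks that signature against the CA it trusts (the SSLCACertificateFile role), wraps a fresh premaster secret with the server's public key, and both sides derive the same symmetric session key before any application data flows. Everything here is an assumption made for illustration: the RSA is a 512-bit textbook toy without padding, a dict stands in for an X.509 certificate, and an HMAC-SHA256 keystream with encrypt-then-MAC stands in for a real cipher suite. It is an educational model of the flow, not an implementation of the SSL protocol.

```python
import hashlib
import hmac
import secrets

# --- toy textbook RSA (512-bit, unpadded) standing in for the certificate key pair ---
def _is_probable_prime(n, rounds=32):
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                                   # Miller-Rabin
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        if not any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            return False
    return True

def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def rsa_keygen(bits=512):
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)      # (public key, private key)

def sign(priv, data):
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), priv[0], priv[1])

def verify(pub, data, sig):
    return pow(sig, pub[0], pub[1]) == int.from_bytes(hashlib.sha256(data).digest(), "big")

# --- certificate: subject + public key, signed by the CA (the SSLCACertificateFile role) ---
def issue_cert(ca_priv, subject, subject_pub):
    return {"subject": subject, "pub": subject_pub,
            "sig": sign(ca_priv, f"{subject}|{subject_pub}".encode())}

def verify_cert(ca_pub, cert):
    return verify(ca_pub, f"{cert['subject']}|{cert['pub']}".encode(), cert["sig"])

# --- session keys and record layer: HMAC-SHA256 keystream with encrypt-then-MAC (toy cipher) ---
def derive_keys(premaster, client_random, server_random):
    master = hmac.new(premaster, b"master" + client_random + server_random, hashlib.sha256).digest()
    return {label: hmac.new(master, label, hashlib.sha256).digest() for label in (b"enc", b"mac")}

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(keys, seq, data):
    nonce = seq.to_bytes(8, "big")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(keys[b"enc"], nonce, len(data))))
    return nonce + ct + hmac.new(keys[b"mac"], nonce + ct, hashlib.sha256).digest()

def unseal(keys, record):
    nonce, ct, tag = record[:8], record[8:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(keys[b"mac"], nonce + ct, hashlib.sha256).digest()):
        raise ValueError("record MAC check failed: data altered in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(keys[b"enc"], nonce, len(ct))))

# --- handshake, steps 2-7 of the post; returns both sides' session keys ---
def handshake(ca_pub, server_cert, server_priv):
    client_random = secrets.token_bytes(32)                  # 2. Client Hello
    server_random = secrets.token_bytes(32)                  # 3. Server Hello
    if not verify_cert(ca_pub, server_cert):                 # 4. server cert, checked against the trusted CA
        raise ValueError("server certificate is not signed by a trusted CA")
    premaster = secrets.token_bytes(32)                      # 5./6. client picks the secret and wraps it
    e, n = server_cert["pub"]                                #       with the server's public key; a sniffer
    wrapped = pow(int.from_bytes(premaster, "big"), e, n)    #       on port 443 sees only `wrapped`
    unwrapped = pow(wrapped, server_priv[0], n).to_bytes(32, "big")   # only the private key recovers it
    return (derive_keys(premaster, client_random, server_random),     # 7. both sides derive the same
            derive_keys(unwrapped, client_random, server_random))     #    symmetric session key

def run_demo():
    ca_pub, ca_priv = rsa_keygen()
    server_pub, server_priv = rsa_keygen()
    cert = issue_cert(ca_priv, "test.server.de", server_pub)         # constructed sample subject
    client_keys, server_keys = handshake(ca_pub, cert, server_priv)
    request = b"GET / HTTP/1.0\r\nHost: test.server.de\r\n\r\n"       # constructed sample request
    record = seal(client_keys, 0, request)                   # 8. application data under the session key
    tampered = record[:12] + bytes([record[12] ^ 0x01]) + record[13:]
    try:
        unseal(server_keys, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    _, rogue_ca_priv = rsa_keygen()                          # a CA the client does not trust
    rogue_cert = issue_cert(rogue_ca_priv, "test.server.de", server_pub)
    return {"keys_match": client_keys == server_keys, "decrypted": unseal(server_keys, record),
            "wire_hides_plaintext": request not in record, "tamper_detected": tamper_detected,
            "rogue_cert_rejected": not verify_cert(ca_pub, rogue_cert)}

if __name__ == "__main__":
    print(run_demo())
```

Running it answers Tryst's port question in code: the record on the wire is the same TCP stream as before, just on port 443 and carrying ciphertext plus a MAC, so a sniffer gets neither the request nor the premaster secret, and a certificate signed by a CA the client does not trust is rejected before any key is derived.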