SlideShare une entreprise Scribd logo

Ssl in a nutshell

Télécharger en tant que PPTX, PDF
Frank Kelly
Frank Kelly

A gentle guide to SSL, how it works, how it works with Java and how to debug SSL connections

TechnologieFormation
1  sur  26
SSL in a Nutshell Just enough to be dangerous . . . . .
In the kingdom of the blind, the one eyed man is king (In other words I am not an expert – I just play one on TV!) This is all relatively introductory information Expectation setting
What is SSL? Certificates How does SSL work? How we use SSL? SSL & Java Configuration Debugging Resources Agenda
SSL = Secure Socket Layer TLS = Transport Layer Security is the new name A cryptographic protocol to provide secure communication over networks (such as Internet) Protocol provides two of the three key aspects for Security Confidentiality (Encryption) Authentication (you are who you say you are) Authorization (What you can do – controlled by your app – not the protocol) What is SSL?
What is a Certificate? A signed digital certificate is an industry-standard means of verifying the authenticity of an entity, such as a server, client, or application. To ensure maximum security, a certificate is issued by a third-party certificate authority (CA) e.g. Verisign But first this . . . .
Creation date: Jul 28, 2010 Entry type: PrivateKeyEntry Certificate chain length: 1 Certificate[1]: Owner: CN=some.url, OU=Services, O=Nokia, L=Burlington, ST=Massachusetts, C=US Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network Serial number: 7c391cdfaf10822ce338c3eb925f77bc Valid from: Mon Apr 12 00:00:00 UTC 2010 until: Tue Apr 12 23:59:59 UTC 2011 Certificate fingerprints: MD5: 06:5C:45:66:C5:28:77:48:E6:58:D9:FB:C5:06:41:1C SHA1: 74:4B:A8:3D:A7:BF:57:30:4E:23:B5:21:4C:2E:9B:8B:27:5F:9E:A5 Signature algorithm name: SHA1withRSA Version: 3 And more stuff . . . . What does a cert look like? Ours.
One-Way SSL How does SSL work? ,[object Object],[object Object]
Client picks a random number, encrypts that (with server’s public key) and sends it to server. Only server can decrypt it (using it’s private key) Now they both have a shared secret (the random number) From the random number, both parties generate key material for encryption and decryption. This concludes the handshake Secured connection, which is encrypted and decrypted with the key material until the connection closes How does SSL work? (cont.)
In the One-way example the client just verified the server is who they say they are? Example: Login to your bank? But how does your bank know YOU are who you say you are? Typically a login/password 2 Way SSL achieves the same “Mutual Authentication” by having both sides use Certs 2-Way SSL
2-Way SSL
It is a Widespread Standard and is rock solid – no major hacking stories / events. But nothing is impervious Why SSL?
We use SSL to talk with aggregators Outbound: TO the aggregator Inbound: FROM the aggregator (the callback) We also use SSL in communication with folks upstream but dedicated fiber With Dev certs (we trust them right!) And we add Digital Signing . . . . Just in case? How do we use SSL?
JSSE = Java Secure Socket Extension is the default Java package Was optional package before JDK 1.4. Now it’s bundled in the JDK. Either way it’s not easy to use We use Apache HTTP Client - it’s still REALLY hard (not!) HttpClient httpclient = new HttpClient(); GetMethod httpget = new GetMethod("https://www.verisign.com/"); try { httpclient.executeMethod(httpget); System.out.println(httpget.getStatusLine()); } finally { httpget.releaseConnection(); } SSL using Java
The hard part is acquiring and managing the keys and certs Procuring a cert is described elsewhere Keystore Contains our private key and private certificate Created from scratch Truststore Used to contain Self-Signed Certs from Aggregators Copied from Java’s own cacerts (to handle the case where certs are signed by the CA) The hard part . . . . .
Keytool ships with Java Show Keys & Certs in Keystore keytool -list -v -keystore keystore -storepass changeit Show Certs in the Truststore keytool -list -v -keystore cacerts -storepass changeit Keystore / truststore: how to . . .
SSL does not have to be handled (“offloaded”) by Jboss/Tomcat It can be offloaded by Apache Web Server It can be offloaded by Load Balancer Architecture
IMPORTANT NOTE: Not addressed here – this is up to your application Authorization
Typical Exceptions if . . . Can’t find keystore / truststore Our private key is missing from keystore Whitelisting error (not really SSL) Debugging: What to look for
-Djavax.net.debug=all Debugging Tools #1
Use “wget” to unit test your key/certs (one-way!) e.g. to test wget -d -v --certificate=/somecrt --post-data ‘SOAP STUFF GOES HERE' --private-key=/somekey https://someurl.com Debugging tools #2: wget
Resolving somestage.com... XXX.242.50.144 Caching somestage.com => XXX.242.50.144 Connecting to somestage.com|XXX.242.50.144|:443... connected. Created socket 3. Releasing 0x000000001b0a5e70 (new refcount 1). Initiating SSL handshake. Handshake successful; connected socket 3 to SSL handle 0x000000001b10ee40 certificate: subject: /C=DK/postalCode=9210/ST=Aalborg/L=Aalborg SC398/streetAddress=Indkildevej 6E/O=TBD/OU=TBD/OU=Issued through TBD Manager/OU=Comodo PremiumSSL Legacy Wildcard/CN=*.somestag.com issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services X509 certificate successfully verified and matches host somestage.com ---request begin--- POST /thepath HTTP/1.0 . . . . . ---response begin--- HTTP/1.1 200 OK Date: Fri, 13 Aug 2010 16:27:31 GMT Server: Apache/1.3.33 (Debian GNU/Linux) PHP/4.3.10-15 mod_ssl/2.8.22 OpenSSL/0.9.7e wget Output
On most linux boxes Tcpdump Monitors traffic e.g. Monitor port 443 tcpdump -i eth0 -v dst port 443 Wireshark Also monitors traffic (but a bit nicer UI) http://www.wireshark.org/ Debugging tools #3: tcpdump etc.
You shouldn’t need to go here . . . But if you do Bryan, Derrick, Pete and Frank can assist Basically there are config files and they point to the usual suspects (Certs, Keys etc.) e.g. SSLVerifyClient require SSLVerifyDepth 10 SSLCertificateFile /etc/httpd/conf/ssl.crt/somecert SSLCertificateKeyFile /etc/httpd/conf/ssl.key/somekey Apache HTTP Server and SSL
At a high-level SSL is pretty straight-forward But the devil is in the details – keystores / truststores, apache configuration, different aggregator environments . . . . Plus add in server white listing . . .. When you hit a problem with SSL – first don’t panic! Check your configuration (run.conf, keystore/truststore, apache settings – if appropriate). We are here to help . . . Summary
JSSE Reference Guide (for JDK 6) http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/ReadDebug.html Java Resources
Ssl in a nutshell

Recommandé

Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Asad Ali
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket LayerAbhishek Gupta
 
SSL intro
SSL introSSL intro
SSL introThree Lee
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssln|u - The Open Security Community
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolMohammed Adam
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Samip jain
 
Introduction to Secure Sockets Layer
Introduction to Secure Sockets LayerIntroduction to Secure Sockets Layer
Introduction to Secure Sockets LayerNascenia IT
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLSSirish Kumar
 

Recommandé

Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Asad Ali
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket LayerAbhishek Gupta
 
SSL intro
SSL introSSL intro
SSL introThree Lee
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssln|u - The Open Security Community
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolMohammed Adam
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Samip jain
 
Introduction to Secure Sockets Layer
Introduction to Secure Sockets LayerIntroduction to Secure Sockets Layer
Introduction to Secure Sockets LayerNascenia IT
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLSSirish Kumar
 
SSL And TLS
SSL And TLS SSL And TLS
SSL And TLS Ghanshyam Patel
 
SSL
SSLSSL
SSLBadrul Alam bulon
 
SSL
SSLSSL
SSLtheekuchi
 
SSL Communication and Mutual Authentication
SSL Communication and Mutual AuthenticationSSL Communication and Mutual Authentication
SSL Communication and Mutual AuthenticationCleo
 
SSL TLS Protocol
SSL TLS ProtocolSSL TLS Protocol
SSL TLS ProtocolDevang Badrakiya
 
Transport layer security.ppt
Transport layer security.pptTransport layer security.ppt
Transport layer security.pptImXaib
 
secure socket layer
secure socket layersecure socket layer
secure socket layerAmar Shah
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)Arun Shukla
 
TLS/SSL Internet Security Talk
TLS/SSL Internet Security TalkTLS/SSL Internet Security Talk
TLS/SSL Internet Security TalkNisheed KM
 
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesSSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesJaroslavChmurny
 
Introduction to Public Key Infrastructure
Introduction to Public Key InfrastructureIntroduction to Public Key Infrastructure
Introduction to Public Key InfrastructureTheo Gravity
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)amanchaurasia
 
Introduction to TLS-1.3
Introduction to TLS-1.3 Introduction to TLS-1.3
Introduction to TLS-1.3 Vedant Jain
 
TLS - Transport Layer Security
TLS - Transport Layer SecurityTLS - Transport Layer Security
TLS - Transport Layer SecurityByronKimani
 
Ssl https
Ssl httpsSsl https
Ssl httpsAndrada Boldis
 
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level SecurityCRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level SecurityJyothishmathi Institute of Technology and Science Karimnagar
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layerNishant Pahad
 
X.509 Certificates
X.509 CertificatesX.509 Certificates
X.509 CertificatesSou Jana
 
Digital certificates
Digital certificatesDigital certificates
Digital certificatesBuddhika Karunanayaka
 
Https
HttpsHttps
HttpsBala Bhaskar Karakavalasa
 
ssl
sslssl
sslsjyuva
 
SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications nishchal29
 

Contenu connexe

Tendances

SSL Communication and Mutual Authentication
SSL Communication and Mutual AuthenticationSSL Communication and Mutual Authentication
SSL Communication and Mutual AuthenticationCleo
 
Transport layer security.ppt
Transport layer security.pptTransport layer security.ppt
Transport layer security.pptImXaib
 
secure socket layer
secure socket layersecure socket layer
secure socket layerAmar Shah
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)Arun Shukla
 
TLS/SSL Internet Security Talk
TLS/SSL Internet Security TalkTLS/SSL Internet Security Talk
TLS/SSL Internet Security TalkNisheed KM
 
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesSSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesJaroslavChmurny
 
Introduction to Public Key Infrastructure
Introduction to Public Key InfrastructureIntroduction to Public Key Infrastructure
Introduction to Public Key InfrastructureTheo Gravity
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)amanchaurasia
 
Introduction to TLS-1.3
Introduction to TLS-1.3 Introduction to TLS-1.3
Introduction to TLS-1.3 Vedant Jain
 
TLS - Transport Layer Security
TLS - Transport Layer SecurityTLS - Transport Layer Security
TLS - Transport Layer SecurityByronKimani
 
X.509 Certificates
X.509 CertificatesX.509 Certificates
X.509 CertificatesSou Jana
 

Tendances (20)

SSL And TLS
SSL And TLS SSL And TLS
SSL And TLS
 
SSL
SSLSSL
SSL
 
SSL
SSLSSL
SSL
 
SSL Communication and Mutual Authentication
SSL Communication and Mutual AuthenticationSSL Communication and Mutual Authentication
SSL Communication and Mutual Authentication
 
SSL TLS Protocol
SSL TLS ProtocolSSL TLS Protocol
SSL TLS Protocol
 
Transport layer security.ppt
Transport layer security.pptTransport layer security.ppt
Transport layer security.ppt
 
secure socket layer
secure socket layersecure socket layer
secure socket layer
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)
 
TLS/SSL Internet Security Talk
TLS/SSL Internet Security TalkTLS/SSL Internet Security Talk
TLS/SSL Internet Security Talk
 
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesSSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
 
Introduction to Public Key Infrastructure
Introduction to Public Key InfrastructureIntroduction to Public Key Infrastructure
Introduction to Public Key Infrastructure
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)
 
Introduction to TLS-1.3
Introduction to TLS-1.3 Introduction to TLS-1.3
Introduction to TLS-1.3
 
TLS - Transport Layer Security
TLS - Transport Layer SecurityTLS - Transport Layer Security
TLS - Transport Layer Security
 
Ssl https
Ssl httpsSsl https
Ssl https
 
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level SecurityCRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
 
X.509 Certificates
X.509 CertificatesX.509 Certificates
X.509 Certificates
 
Digital certificates
Digital certificatesDigital certificates
Digital certificates
 
Https
HttpsHttps
Https
 

Similaire à Ssl in a nutshell

SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications nishchal29
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layerBU
 
Certificates and Web of Trust
Certificates and Web of TrustCertificates and Web of Trust
Certificates and Web of TrustYousof Alsatom
 
Webinar SSL English
Webinar SSL EnglishWebinar SSL English
Webinar SSL EnglishSSL247®
 
TLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured CommunicationsTLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured CommunicationsNitin Ramesh
 
How to validate server certificate
How to validate server certificateHow to validate server certificate
How to validate server certificatecodeandyou forums
 
Ssl certificate in internet world
Ssl certificate in internet worldSsl certificate in internet world
Ssl certificate in internet worldjamesbarns729
 
Implementation of ssl injava
Implementation of ssl injavaImplementation of ssl injava
Implementation of ssl injavatanujagrawal
 
WebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL ConfigurationWebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL ConfigurationSimon Haslam
 
Details about the SSL Certificate
Details about the SSL CertificateDetails about the SSL Certificate
Details about the SSL CertificateCheapSSLUSA
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLContinuent
 

Similaire à Ssl in a nutshell (20)

ssl
sslssl
ssl
 
SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications
 
SSL-image
SSL-imageSSL-image
SSL-image
 
Ssl Https Server
Ssl Https ServerSsl Https Server
Ssl Https Server
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
 
ssl's guide
ssl's guidessl's guide
ssl's guide
 
Certificates and Web of Trust
Certificates and Web of TrustCertificates and Web of Trust
Certificates and Web of Trust
 
Ssl
SslSsl
Ssl
 
The last picks
The last picksThe last picks
The last picks
 
Webinar SSL English
Webinar SSL EnglishWebinar SSL English
Webinar SSL English
 
TLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured CommunicationsTLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured Communications
 
What is TLS/SSL?
What is TLS/SSL? What is TLS/SSL?
What is TLS/SSL?
 
How to validate server certificate
How to validate server certificateHow to validate server certificate
How to validate server certificate
 
Ssl certificate in internet world
Ssl certificate in internet worldSsl certificate in internet world
Ssl certificate in internet world
 
Implementation of ssl injava
Implementation of ssl injavaImplementation of ssl injava
Implementation of ssl injava
 
WebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL ConfigurationWebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL Configuration
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
 
Details about the SSL Certificate
Details about the SSL CertificateDetails about the SSL Certificate
Details about the SSL Certificate
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
 

Dernier

From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 

Dernier (20)

From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 

Ssl in a nutshell

  • 1. SSL in a Nutshell Just enough to be dangerous . . . . .
  • 2. In the kingdom of the blind, the one eyed man is king (In other words I am not an expert – I just play one on TV!) This is all relatively introductory information Expectation setting
  • 3. What is SSL? Certificates How does SSL work? How we use SSL? SSL & Java Configuration Debugging Resources Agenda
  • 4. SSL = Secure Socket Layer TLS = Transport Layer Security is the new name A cryptographic protocol to provide secure communication over networks (such as Internet) Protocol provides two of the three key aspects for Security Confidentiality (Encryption) Authentication (you are who you say you are) Authorization (What you can do – controlled by your app – not the protocol) What is SSL?
  • 5. What is a Certificate? A signed digital certificate is an industry-standard means of verifying the authenticity of an entity, such as a server, client, or application. To ensure maximum security, a certificate is issued by a third-party certificate authority (CA) e.g. Verisign But first this . . . .
  • 6. Creation date: Jul 28, 2010 Entry type: PrivateKeyEntry Certificate chain length: 1 Certificate[1]: Owner: CN=some.url, OU=Services, O=Nokia, L=Burlington, ST=Massachusetts, C=US Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network Serial number: 7c391cdfaf10822ce338c3eb925f77bc Valid from: Mon Apr 12 00:00:00 UTC 2010 until: Tue Apr 12 23:59:59 UTC 2011 Certificate fingerprints: MD5: 06:5C:45:66:C5:28:77:48:E6:58:D9:FB:C5:06:41:1C SHA1: 74:4B:A8:3D:A7:BF:57:30:4E:23:B5:21:4C:2E:9B:8B:27:5F:9E:A5 Signature algorithm name: SHA1withRSA Version: 3 And more stuff . . . . What does a cert look like? Ours.
  • 7.
  • 8. Client picks a random number, encrypts that (with server’s public key) and sends it to server. Only server can decrypt it (using it’s private key) Now they both have a shared secret (the random number) From the random number, both parties generate key material for encryption and decryption. This concludes the handshake Secured connection, which is encrypted and decrypted with the key material until the connection closes How does SSL work? (cont.)
  • 9. In the One-way example the client just verified the server is who they say they are? Example: Login to your bank? But how does your bank know YOU are who you say you are? Typically a login/password 2 Way SSL achieves the same “Mutual Authentication” by having both sides use Certs 2-Way SSL
  • 11. It is a Widespread Standard and is rock solid – no major hacking stories / events. But nothing is impervious Why SSL?
  • 12. We use SSL to talk with aggregators Outbound: TO the aggregator Inbound: FROM the aggregator (the callback) We also use SSL in communication with folks upstream but dedicated fiber With Dev certs (we trust them right!) And we add Digital Signing . . . . Just in case? How do we use SSL?
  • 13. JSSE = Java Secure Socket Extension is the default Java package Was optional package before JDK 1.4. Now it’s bundled in the JDK. Either way it’s not easy to use We use Apache HTTP Client - it’s still REALLY hard (not!) HttpClient httpclient = new HttpClient(); GetMethod httpget = new GetMethod("https://www.verisign.com/"); try { httpclient.executeMethod(httpget); System.out.println(httpget.getStatusLine()); } finally { httpget.releaseConnection(); } SSL using Java
  • 14. The hard part is acquiring and managing the keys and certs Procuring a cert is described elsewhere Keystore Contains our private key and private certificate Created from scratch Truststore Used to contain Self-Signed Certs from Aggregators Copied from Java’s own cacerts (to handle the case where certs are signed by the CA) The hard part . . . . .
  • 15. Keytool ships with Java Show Keys & Certs in Keystore keytool -list -v -keystore keystore -storepass changeit Show Certs in the Truststore keytool -list -v -keystore cacerts -storepass changeit Keystore / truststore: how to . . .
  • 16. SSL does not have to be handled (“offloaded”) by Jboss/Tomcat It can be offloaded by Apache Web Server It can be offloaded by Load Balancer Architecture
  • 17. IMPORTANT NOTE: Not addressed here – this is up to your application Authorization
  • 18. Typical Exceptions if . . . Can’t find keystore / truststore Our private key is missing from keystore Whitelisting error (not really SSL) Debugging: What to look for
  • 20. Use “wget” to unit test your key/certs (one-way!) e.g. to test wget -d -v --certificate=/somecrt --post-data ‘SOAP STUFF GOES HERE' --private-key=/somekey https://someurl.com Debugging tools #2: wget
  • 21. Resolving somestage.com... XXX.242.50.144 Caching somestage.com => XXX.242.50.144 Connecting to somestage.com|XXX.242.50.144|:443... connected. Created socket 3. Releasing 0x000000001b0a5e70 (new refcount 1). Initiating SSL handshake. Handshake successful; connected socket 3 to SSL handle 0x000000001b10ee40 certificate: subject: /C=DK/postalCode=9210/ST=Aalborg/L=Aalborg SC398/streetAddress=Indkildevej 6E/O=TBD/OU=TBD/OU=Issued through TBD Manager/OU=Comodo PremiumSSL Legacy Wildcard/CN=*.somestag.com issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services X509 certificate successfully verified and matches host somestage.com ---request begin--- POST /thepath HTTP/1.0 . . . . . ---response begin--- HTTP/1.1 200 OK Date: Fri, 13 Aug 2010 16:27:31 GMT Server: Apache/1.3.33 (Debian GNU/Linux) PHP/4.3.10-15 mod_ssl/2.8.22 OpenSSL/0.9.7e wget Output
  • 22. On most linux boxes Tcpdump Monitors traffic e.g. Monitor port 443 tcpdump -i eth0 -v dst port 443 Wireshark Also monitors traffic (but a bit nicer UI) http://www.wireshark.org/ Debugging tools #3: tcpdump etc.
  • 23. You shouldn’t need to go here . . . But if you do Bryan, Derrick, Pete and Frank can assist Basically there are config files and they point to the usual suspects (Certs, Keys etc.) e.g. SSLVerifyClient require SSLVerifyDepth 10 SSLCertificateFile /etc/httpd/conf/ssl.crt/somecert SSLCertificateKeyFile /etc/httpd/conf/ssl.key/somekey Apache HTTP Server and SSL
  • 24. At a high-level SSL is pretty straight-forward But the devil is in the details – keystores / truststores, apache configuration, different aggregator environments . . . . Plus add in server white listing . . .. When you hit a problem with SSL – first don’t panic! Check your configuration (run.conf, keystore/truststore, apache settings – if appropriate). We are here to help . . . Summary
  • 25. JSSE Reference Guide (for JDK 6) http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/ReadDebug.html Java Resources