All the vital knowledge on the importance of SSL certificates for app security, how chain building works during the SSL handshake, and pro tips for building a certificate chain.
Understanding SSL Certificate for Apps by Symantec
1. SSL for Apps – Brook R. Chelmo 1
Understanding SSL for Apps
Brook R. Chelmo
Principal Product Marketing Manager
2. Introduction
• SSL/TLS is a core technology; critical to secure communications
• The greatest challenge is not technology but implementation
• Researchers found widespread errors in non-browser apps
• Take the necessary steps to create a stronger & more
trustworthy SSL implementation
3–5. Chain Building
• During the SSL handshake the server will return one or more
certificates.
• Misconfigured web servers may return more or fewer
certificates than what is necessary.
• You may find a pointer to the certificate’s issuing certificate in
the caIssuers entry in its authorityInfoAccess extension.
• NOTE: Ignore self-signed certificates sent in the handshake; the root
must come from your own trust store.
6. Build a Certificate Chain
• Starting from the end-entity SSL certificate, build a certificate
chain upward.
• Each certificate’s AuthorityKeyIdentifier (or Issuer Distinguished Name) must
match the SubjectKeyIdentifier (or Subject Distinguished Name) of the
certificate that issued it.
[Diagram, “Chained Hierarchy / Chain of Trust”: Root CA (SKI) → Intermediate CA (AKI, SKI) → End Entity Certs (AKI)]
7. Build a Certificate Chain
• Verify that the chain from end-entity to intermediate to root is
valid.
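The chain-building rule from the slides above, as an added Go example that is not part of the deck or Symantec’s own code: it mints a constructed root/intermediate/leaf fixture, then walks upward from the end-entity by matching AuthorityKeyIdentifier to SubjectKeyIdentifier (Issuer DN to Subject DN when key identifiers are absent), skipping self-signed certificates and tolerating the extra, out-of-order certificates a misconfigured server sends. The function names `issue`, `issuedBy`, `BuildChain` and `Demo` are assumptions; the decision to trust the root is left to the caller’s trust store.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue is a constructed fixture: it mints a certificate for cn signed by parent/pkey, or self-signed with a fresh key when parent is nil.
func issue(cn string, ca bool, ku x509.KeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true, KeyUsage: ku}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	c, _ := x509.ParseCertificate(der) // errors ignored for brevity; a nil cert would fail the demo
	return c, key
}

// issuedBy is the slides' link rule: AKI must equal the parent's SKI, or Issuer DN == Subject DN when key ids are absent.
func issuedBy(child, parent *x509.Certificate) bool {
	if len(child.AuthorityKeyId) > 0 && len(parent.SubjectKeyId) > 0 {
		return string(child.AuthorityKeyId) == string(parent.SubjectKeyId)
	}
	return string(child.RawIssuer) == string(parent.RawSubject)
}

// BuildChain walks up from the end-entity through whatever the server sent, skipping self-signed certificates (the root must come from the trust store) and tolerating extra or out-of-order ones.
func BuildChain(leaf *x509.Certificate, sent []*x509.Certificate) []*x509.Certificate {
	chain := []*x509.Certificate{leaf}
	for i := 0; i < len(sent) && len(chain) < 8; i++ { // 8 caps a runaway loop
		if c := sent[i]; c.CheckSignatureFrom(c) != nil && issuedBy(chain[len(chain)-1], c) {
			chain, i = append(chain, c), -1 // new top of chain: rescan for its issuer
		}
	}
	return chain
}

// Demo: a misconfigured server sends the leaf, the root (needlessly) and the intermediate, out of order.
func Demo() (chainLen int, topSignedByRoot bool) {
	root, rk := issue("Root CA", true, x509.KeyUsageCertSign, nil, nil)
	ica, ik := issue("Intermediate CA", true, x509.KeyUsageCertSign, root, rk)
	leaf, _ := issue("www.example.com", false, x509.KeyUsageDigitalSignature, ica, ik)
	chain := BuildChain(leaf, []*x509.Certificate{leaf, root, ica})
	return len(chain), chain[len(chain)-1].CheckSignatureFrom(root) == nil // expect 2, true
}
```

The built chain stops at the intermediate; the final link to the trusted root is checked against the locally stored root, never against the copy the server sent.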
8. 3 Scenarios
Consider which certificates you will trust. Three options:
1. Trust one certificate.
2. Allow any End-Entity SSL certificate signed by a particular trusted
intermediate. Pick only one trusted root and avoid trusting all end-entity
certificates that chain up to that root.
3. Require the end-entity to chain up to a certain trusted root and be signed
by an intermediate certificate with a specific common name.
9. The 5 End-Entity & Intermediate Checks
1. Note that strings in certificates are stored as a byte length
followed by that number of bytes. Don’t assume they’re null-
terminated. Strings may also use different encodings, such as
UTF-8.
2. Check the validity against an accurate time source.
3. Check for either a crlDistributionPoints or authorityInfoAccess
extension.
4. The app must be able to recognize & understand “critical”
extensions.
5. Check the certificatePolicies extension.
10. The 4 Additional End-Entity Checks
1. Verify that the FQDN or IP address appears in the Common Name
or the SAN extension (newer certificates).
  1. Take proper wildcard matching into account.
  2. Reject the certificate if it has more than one common name.
  3. IDN certificates should contain the punycode form of the Unicode
  domain name in the Common Name or SAN.
2. If it has a basicConstraints extension, check that the cA flag is
set to “false” and the pathLenConstraint is set to “zero”.
3. If the certificate has a keyUsage extension, check that the
digitalSignature and keyEncipherment bits are set.
4. If the certificate contains an extKeyUsage extension, the
extension value must be either the special
anyExtendedKeyUsage value, or if it contains special purpose
OIDs, then id-kp-serverAuth must be included.
12. The 3 Additional Intermediate Checks
1. Must contain a basicConstraints extension with a cA flag of
“true.”
2. Must contain a keyUsage extension with the keyCertSign bit set.
3. Check that any name or policy constraints are consistent with
those in the certificates beneath it in the chain.
13. Conclusion
Proper SSL provides confidentiality, authentication,
and integrity without interception or modification.
Symantec is leading the way in security and authentication
practices by working with browser developers, customers,
bloggers, & other stakeholders to build a better security
ecosystem.