When it comes to SSL/TLS certificates, my mind gets tense and confused, because it's a very complex topic to debug and understand.
So in this post, I'll try to simplify it using the following breakdown:
- What is SSL/TLS, and why?
- Difference between SSL and TLS
- How does SSL/TLS work?
- Basics and terminology of certificates
- Setting up your own CA
- Simple HTTPS server
What is SSL/TLS, and why?
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are the standard security technology for establishing an encrypted link between a server and a client. In a typical example, the client is a browser and the server is a web server. This link ensures that all data passed between the web server and the browser remains private and integral.
Difference between SSL and TLS
They are basically the same protocol, just different versions: SSL is the older one and TLS is the newer one.
- SSL 1.0: never released
- SSL 2.0, 1995: security flaws
- SSL 3.0, 1996: obsolete
- TLS 1.0 in 1999: slight upgrade of SSL v3.0
- TLS 1.1 in 2005
- TLS 1.2 in 2008
- TLS 1.3: the latest one
How does SSL/TLS work?
When a client and a server try to establish a TLS connection, the process is called the TLS handshake.
Basic TLS handshake
A typical connection example follows:
Step 1# Client Hello
- The client says to the server:
- Hello! Can I communicate securely using AES (a cipher)?
- The client sends the list of cipher suites it supports, ordered from newer to older.
Step 2# Server Hello
- The server receives all the options from the client and responds:
- Oh hey! I can also communicate securely using AES! Let's do that.
- So the server decides which cipher to use for encryption from the list of options provided by the client.
Step 3# Server Key Exchange
- Then the server sends its digital certificate.
- The digital certificate is associated with the domain name, the public key and other details.
- The purpose of this is to prove to the client, using certificates, that the server is actually who it says it is.
- If you look at an actual certificate, you will see a root CA such as Thawte or GeoTrust.
- Root CAs are trusted third parties. A CA is responsible for the validation of certificate requests, issuing certificates, revocation of invalid certificates and publishing information about certificates which have been revoked.
- Trusted root CAs are preinstalled in the browser's certificate store.
Step 4# Server Hello Done
- The final message from the server if everything is OK.
- The server says to the client: everything is OK, I'm waiting for your response.
- It is a marker message (of length zero) which says that the server is finished and the client should now talk.
Everything up to now is in clear text, which is OK because it is public-key information. Now they need to move to a secure connection. The client and server will not use the public/private key anymore. The client will generate a symmetric key, so the client and server will have the same symmetric key, and they will both use it to encrypt and decrypt data.
Step 5# Client Key Exchange
- The client generates a random number.
- It encrypts the random number using the server's public key.
- If it is encrypted with the server's public key, then only the server can decrypt it, using the server's private key.
- Finally, the client sends the master secret key, encrypted, to the server.
Step 6# Change Cipher Spec
- Both client and server now signal that they are moving from the insecure connection to the secure connection that they both agreed on.
Step 7# Encrypted handshake
- They both send each other encrypted messages.
- These messages verify that the key information they just created is correct.
- If anything goes wrong, they won't be able to communicate with one another, because one side can't decrypt the other's messages.
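Steps 1 and 2 above, seen at the byte level, as an added example that is not part of the original post: it builds a constructed TLS 1.2-style ClientHello record, parses the cipher-suite list in the client's preference order, and picks a suite the way a server might. The function names, the small suite table and the "honour the client's order" selection policy are assumptions made for illustration.

```python
# Subset of IANA cipher-suite IDs, enough for this example.
SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

def build_client_hello(suites):
    """Construct a minimal ClientHello record (sample data, no extensions)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"   # version, random (zeros), empty session id
    body += (2 * len(suites)).to_bytes(2, "big")
    body += b"".join(s.to_bytes(2, "big") for s in suites)
    body += b"\x01\x00"                        # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs  # record type 22 = handshake

def parse_client_hello(record):
    """Step 1: return the offered cipher-suite IDs in the client's order."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    end = 5 + int.from_bytes(record[3:5], "big")
    if len(record) < end or end < 46:          # 46 = headers + version + random + lengths
        raise ValueError("truncated record")
    pos = 9 + 2 + 32                           # skip both headers, version, random
    pos += 1 + record[pos]                     # skip session id
    n = int.from_bytes(record[pos:pos + 2], "big")
    pos += 2
    if n % 2 or pos + n > end:
        raise ValueError("bad cipher-suite list length")
    return [int.from_bytes(record[i:i + 2], "big") for i in range(pos, pos + n, 2)]

def server_select(offered, supported):
    """Step 2: first client-offered suite the server supports, or None."""
    return next((s for s in offered if s in supported), None)

if __name__ == "__main__":
    hello = build_client_hello([0xC02F, 0x009C, 0x002F, 0x000A])
    offered = parse_client_hello(hello)
    chosen = server_select(offered, {0x009C, 0x002F})
    print("offered:", [SUITES[s] for s in offered])
    print("chosen: ", SUITES.get(chosen, "none (handshake would fail)"))
```

Because the ClientHello travels in clear text, the same parsing works on a packet capture when checking which suites a client still offers.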
What's next?
In the next part, we will see how to set up our own CA and generate a public/private key pair to demonstrate with a simple HTTPS server.