
SSL?

  • 19-03-2000 12:04am
    #1
    Closed Accounts Posts: 202 ✭✭


    Can someone please tell me what this is all about and how it works? From a CGI programmer's point of view, that is. I can't get any straight answers on this anywhere on the web :(

    Thanks



Comments

  • Registered Users Posts: 6,687 ✭✭✭ tHE vAGGABOND


    That's a massive and very general question..

    As a 1st point of reference for you, and I presume your CGI is web based programming, have a look at Apache and related products..

    www.apache.org
    www.openssl.org
    www.modssl.org

    The above 3 sites combined are the best SSL solution for an Apache web server, so there must be something there that you're looking for!


    [This message has been edited by tHE vAGGABOND (edited 20-03-2000).]


  • Registered Users Posts: 3,744 ✭✭✭ deRanged


    SSL - Secure Sockets Layer.
    SSL is a transport protocol which sits between the TCP-IP layer and the application layer.

    The goal of SSL is to establish an encrypted channel between a client and a server. Asymmetric encryption is too slow to use for all the data, so a session key is used. This is a symmetric key for an algorithm such as DES or RC5. It is produced at random and sent from one party to the other, encrypted using the recipient's Public key found in their certificate. It can then be used to perform rapid encryption for the duration of the session. In the context of a web server and browser client the procedure is as follows:

    Setup
    The browser is obtained by the user containing the Digital Certificates of all the well-known Root CAs. The owners of the web server obtain an SSL Server Certificate from one of the well-known CAs. This is a normal certificate where the usage information states that it should only be used/trusted when negotiating an SSL connection.


    1 The client makes a normal HTTP page request to the server.
    2 The server determines that the page is marked as secure by the Sysadmin and so requires an SSL connection. The server denies the page request, giving as a reason that the page is secure. It also delivers its CA-signed certificate to the browser.
    3 The client interprets the refusal as an invitation to go to SSL. First it verifies the validity of the certificate so that a nefarious server is not trying to elicit sensitive information from it. To do this it checks the CA signature using the CA Public key it has in its own list of CA Root certificates. If the CA signature is verified then the "good enough for the CA, good enough for me" principle applies and the browser trusts the Server Certificate.
    4 The client now has the server's Public key from the certificate. It generates a random session key and encrypts it using the server's Public key. The client now makes a modified request for the page, this time containing the encrypted session key.
    5 The server recognises the modified request. It decrypts the session key as only it can. Both sides now have a secure session key and can both encrypt and decrypt data using a symmetric algorithm. The connection is now secure.


    Client Authentication
    1 To authenticate itself to a server a client sends signed data to the server along with its certificate.
    2 The Server verifies the validity of the certificate against its copy of the CA root certificate.
    3 It can also check with the CA directly to ascertain if the Client Certificate is on the CRL of the CA.
    4 After verifying the certificate, the hash can be retrieved using the Public key from the certificate.
    5 The hash is recomputed from the data and is compared with that retrieved using the key. If the two match, the data/user is authenticated.


    You could also check out http://www.verisign.com
    They are a CA (Certificate Authority) and they provide free trial certs so you can see how SSL works.
    oh - and it's http://www.openssl.org http://www.modssl.org
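Added example (mine, not deRanged's or any project's code): Go, standard library only, walking through the steps in the post above: the server certificate is checked against a trusted root CA, a random session key is encrypted to the server's public key and unwrapped with its private key, and the client-authentication steps sign data and then verify the certificate and the signature. The RSA key transport matches the post's description (SSL 3.0/TLS 1.0 style); TLS 1.3 instead derives the session key with ephemeral Diffie-Hellman. Assumed names: issue, keyExchange, clientAuth; the CRL lookup of client-authentication step 3 is not performed.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue: RSA key pair + X.509 certificate for name; nil parent = self-signed root CA, else parentKey signs it.
func issue(name string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the certificate is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// keyExchange, steps 3-5: verify the server certificate, encrypt a random session key to it, let the server unwrap it.
func keyExchange(roots *x509.CertPool, srvCert *x509.Certificate, srvKey *rsa.PrivateKey) (bool, error) {
	if _, err := srvCert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return false, err // step 3 failed: CA signature unknown or invalid, so send nothing
	}
	sessionKey := make([]byte, 32) // step 4: fresh random symmetric key (AES-256 size here)
	rand.Read(sessionKey)
	wrapped, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, srvCert.PublicKey.(*rsa.PublicKey), sessionKey, nil)
	got, err := rsa.DecryptOAEP(sha256.New(), nil, srvKey, wrapped, nil) // step 5: only the private key unwraps it
	return err == nil && string(got) == string(sessionKey), err
}

// clientAuth: the client signs data; the server verifies the client certificate against the CA, then the signature.
func clientAuth(roots *x509.CertPool, cliCert *x509.Certificate, cliKey *rsa.PrivateKey, data []byte) error {
	digest := sha256.Sum256(data)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, cliKey, crypto.SHA256, digest[:])
	if _, err := cliCert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err // steps 2-3 (CRL lookup omitted)
	}
	return rsa.VerifyPKCS1v15(cliCert.PublicKey.(*rsa.PublicKey), crypto.SHA256, digest[:], sig) // steps 4-5
}
```

A server certificate issued by a CA that is not in the root pool makes keyExchange return x509.UnknownAuthorityError before any key material is sent, which is the "nefarious server" case of step 3.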

