TLS / HTTPS
Theory and practice
The first school 100% dedicated to open source
Open Source School was founded on the initiative of Smile, the leader in open source integration and managed services, and of EPSI, a private institution and pioneer of higher education in computer science.
As part of the Programme d'Investissements d'Avenir (PIA), the French government decided to support the creation of this school by granting it an initial subsidy of 1.4M€, confirming its commitment to supporting the Free Software sector, which is currently growing rapidly.
With annual growth of more than 10% and 4,000 job openings every year in the Free Software sector, OSS intends to address the sector's skills shortage by mobilizing the whole ecosystem and offering the widest range of training in open source technologies, in both initial and continuing education.
Training for full employment!
Continuing Education
Open Source School "Executive Education" is an accredited training organization offering a catalogue of more than 200 professional courses and several retraining schemes that enable a return to employment (POE) or better employability for many IT professionals.
For enquiries: [email protected]
Initial Education
100% free software and 100% work-study, the Open Source School curriculum is based on EPSI's framework of skill blocks. It is sanctioned by a level I RNCP qualification (Bac+5). The programme is offered on 6 campuses: Bordeaux, Lille, Lyon, Montpellier, Nantes, Paris.
Our training areas
Introduction to cryptography
Transport Layer Security
X509 certificates
Certificate Authorities with OpenSSL
Revocation
Introduction to cryptography
www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 2/59
Context
The context: the Web is intrinsically an insecure medium
relatively easy to listen to a communication: eavesdropping
no certification of the identity of both ends of the communication: spoofing
no validation that the content has not been tampered with: MitM, injection
Not so good for banking, eCommerce, medical applications...
A combination of technologies is used to answer these questions, based on TLS and X509.
Shared secret cryptography
Bob and Alice use the same secret to encrypt and decrypt the data
Problem: the secret has to be communicated to both parties
meeting in person to avoid compromise of the secret
higher risk of leaking, as two parties know the secret
even higher risk when communicating with more people
Insecure and impractical in a web context
Public key cryptography
A Postal Analogy
Alice wants to send a message to Bob
Bob sends his lock to Alice
The lock can be sent via a normal postal service, as it cannot be easily used to create the matching key
Alice sends a message in a box locked with Bob's lock
No one but Bob can open the box, as he is the only one with the key
The box can be sent over the normal postal service, as the mailman cannot open the box
Public key cryptography
The lock is the public key, as everyone can use it to lock the box.
The lock's key is the private key, as only the message receiver (Bob) can open the box.
Asymmetric keys
Principle
What is encrypted by the public key can only be decrypted by the private key
What is encrypted by the private key can only be decrypted by the public key
Public keys are shared between the two ends of the communication. Bob knows Alice's public key and Alice knows Bob's public key.
Everybody can have and use the public key without compromising the confidentiality of the communication
Proving origin and integrity
Confidentiality DOES NOT guarantee origin or integrity
But public key cryptography can
Using Alice's private key to encrypt a (possibly encrypted) message proves that she wrote it
Hash functions can help with integrity
Message signing
Message verification
Remember
Hash ensures integrity
Encryption with the emitter’s private key ensures origin
Encryption with the recipient's public key ensures confidentiality
Drawbacks
very computationally intensive
too costly to use for real time communication
Solution: hybrid crypto-systems
a symmetric key is generated before each exchange
this key is exchanged with public key cryptography
once the symmetric key has been exchanged, both systems use it to encrypt and decrypt data
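The three rules of the Remember slide and the hybrid scheme above, worked with the openssl CLI as an added example that is not part of the course material. Key file names, the message text and the tampered copy are constructed; the script assumes an openssl binary (1.1.1 or later, for -pbkdf2).

```shell
#!/bin/sh
# Added example (not from the course slides): origin + integrity via a signed
# hash, confidentiality via a hybrid scheme, all with the openssl CLI.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Alice's key pair: alice.pem is the private key, alice.pub the public one.
openssl genrsa -out "$WORK/alice.pem" 2048 2>/dev/null
openssl rsa -in "$WORK/alice.pem" -pubout -out "$WORK/alice.pub" 2>/dev/null
# Bob's key pair, used for the hybrid-encryption part.
openssl genrsa -out "$WORK/bob.pem" 2048 2>/dev/null
openssl rsa -in "$WORK/bob.pem" -pubout -out "$WORK/bob.pub" 2>/dev/null

# Constructed message Alice wants to send.
printf 'transfer 100 EUR to account 42\n' > "$WORK/msg.txt"

# Origin + integrity: SHA-256 the message, encrypt the hash with Alice's
# private key. That is the signature; only Alice could have produced it.
sign_message() {
    openssl dgst -sha256 -sign "$WORK/alice.pem" -out "$WORK/msg.sig" "$WORK/msg.txt"
}

# Returns 0 when the signature checks out for file $1 under Alice's public key,
# 1 when the content was altered (the hash no longer matches).
verify_message() {
    openssl dgst -sha256 -verify "$WORK/alice.pub" -signature "$WORK/msg.sig" \
        "$1" >/dev/null 2>&1
}

# Confidentiality the hybrid way: a fresh random session key encrypts the
# data with AES, and Bob's public key encrypts only that small key.
hybrid_encrypt() {
    openssl rand -hex 32 > "$WORK/session.key"
    openssl enc -aes-256-cbc -pbkdf2 -pass file:"$WORK/session.key" \
        -in "$WORK/msg.txt" -out "$WORK/msg.enc"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/bob.pub" \
        -in "$WORK/session.key" -out "$WORK/session.key.enc"
}

# Bob recovers the session key with his private key, then the data with AES.
# Prints the recovered plaintext.
hybrid_decrypt() {
    openssl pkeyutl -decrypt -inkey "$WORK/bob.pem" \
        -in "$WORK/session.key.enc" -out "$WORK/session.key.dec"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass file:"$WORK/session.key.dec" \
        -in "$WORK/msg.enc"
}
```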
Trust and the internet
The previously described system made a big assumption
Alice's public key belongs to Alice
But what if Mallory sent you her public key, telling you it was Alice's?
How to trust the identity of somebody you don't know, or don't meet in person?
How to trust a website?
How to be sure a DNS request has not been spoofed, or even the domain name stolen?
maybe mybank.com is really fakebank.hacker.ru...
Trusted third party
EVERY. SINGLE. secure identification system in the world is based at some level on a trusted third party
It can be very strict and hierarchical (X509)
It can be loose and unstructured (Web of trust, PGP...)
Conclusion
Securing a communication channel through the internet means:
Validating the origin through a third party (X.509)
Exchanging a secure session key (TLS)
Communicating through symmetric encryption (TLS)
Transport Layer Security
History
SSL: Secure Socket Layer
created by Netscape in 1995
last version: 3.0, 1999
insecure as of 2014 (POODLE)
TLS: Transport Layer Security
based on SSL 3.0
standardized by RFC 2246
last version: 1.2, 2008
Since 2016, SSL and early versions of TLS are considered deprecated. TLS 1.2 is the only protocol that should be used.
TLS is often erroneously called SSL
STARTTLS
Regular TLS connections use a dedicated port (80 vs 443)
the communication is encrypted from the beginning to the end
if you need unencrypted and encrypted communications, two ports are necessary
TLS allows security to be negotiated mid-communication
only one port is needed, and it can carry both unencrypted and encrypted communications
but this is optional
HTTP does not use it
IMAP, LDAP do both ("old" SSL mode vs STARTTLS)
Algorithms
Auto-negotiated
Main source of non-certificate problems, although they are rare
Troubleshooting = disable problematic algorithms
Algorithms - state of the art in 2013
NSA Suite (best)
encryption: AES256-GCM, AES256-CTR
signature: ECDSA
hash: SHA256, SHA384
key exchange: ECDH
Previous generation
encryption: AES-CBC
signature: RSA, DSA
hash: SHA1
key exchange: DH
Alternatives
encryption: CAMELLIA, BLOWFISH
hash: WHIRLPOOL, RIPEMD160
Insecure
encryption: RC4 (ArcFour), 3DES, DES
hash: MD5, MD4
X509 certificates
Chain of trust
Content of a certificate
A trusted certification authority is used to asymmetrically sign a website public key into a digital certificate
A Digital Certificate contains
entity public key
Metadata:
subject (what this certificate is for)
certificate issuer (CA)
certificate validity dates
etc. (usually constraints)
A signature: crypt(hash(key+meta), issuer private key)
X509 Certification chain
A CA can be signed by another CA
this is the certificate chain of trust
The chain is hierarchical
The CA at the top (or bottom of the tree) is the "root certification authority"
The trust is transmitted from the root certification authority to the highest level certificate: the website one
X509 Root Certificates
Locally stored!
as opposed to non-root CA certificates and the website certificate, which are provided directly by the website
Can be provided
by the browser
by the OS
by the JVM
Root CAs must
be well known and established (Verisign, GoDaddy, Thawte, etc.)
be secured: stealing the private key of a CA means the end of business for a root CA (DigiNotar)
undergo audits from entities like WebTrust
X509 Root certificate storage
In the browser
Preferences -> Advanced -> Encryption -> View certificates
The OpenSSL storage
/etc/ssl/certs (in Debian)
The JVM storage
<jre path>/lib/security/cacerts
X509 and TLS
HTTPS Handshake
The client connects to a server and announces supported ciphers
The server chooses the strongest cipher and sends its certificate
The client now has the server's public key, and proof (via the signature) that it is authentic
(simplified:) the client generates the session key, encrypts it with the server's public key, and sends it to the server
From now on, every communication is secured using a session key that has been accepted by the two parties
Practice
HTTPS Handshake
Handshaking:
openssl s_client -showcerts -host <myhost> -port 443
With locally stored certificates (Debian):
openssl s_client -showcerts -host <myhost> -port 443 -CApath /etc/ssl/certs/
The CN of the certificate must be equal to the domain name used to access the website
Decoding a certificate
Copy and paste from the previous OpenSSL command, between BEGIN CERTIFICATE and END CERTIFICATE, included
openssl x509 -in <file.pem> -text
Certificate formats
by default: PEM format
DER (PEM is simply base64 encoded DER)
can be used by OpenSSL and Java (keytool) indifferently
PKCS#12, PKCS#7 (often used for client certificates)
How to create a certificate
What do we need?
a public and private key pair
an authority to sign our public key and generate our certificate
How to create a certificate - Public/private key pair
Create a public/private key pair
openssl genrsa -out <mykey> 2048
How to create a certificate - CSR
Create a certificate signing request (CSR)
by providing all the data of the certificate
openssl req -new -key <mykey> -out <myserver.csr>
be careful: CN = domain name used to access the server
How to create a certificate - Signature
Create the certificate
by signing the data provided by the certificate request
either send it to the CA
or sign it with your own key
self-signed certificate
openssl x509 -req -days <validity> -in <myserver.csr> -signkey <mykey> -out <myserver.crt>
Apache configuration
In the 443 port-based VirtualHost
SSLEngine on
SSLCertificateFile <myserver.crt>
SSLCertificateKeyFile <mykey.key>
SSLCertificateChainFile <mychain.pem>
Note: usually, put the <myserver.crt> and <mykey> files in the /etc/apache2/ssl/ directory, only accessible by root
HTTPS and VirtualHost by Name
The name of the virtualhost is inside the HTTP Host header
The HTTP headers are inside the encrypted communication
The communication is encrypted using the public key of the certificate that contains the hostname...
Apache cannot select a certificate if several VirtualHosts by name with different certificates are configured
Solutions
wildcard certificate: *.smile.fr
use the X509 alternative name extension: several CN can be used inside one certificate
Server Name Indication (SNI): a TLS extension that sends the VirtualHost name as part of the TLS handshake. Only works on recent clients and servers: Debian Squeeze, Windows Vista + IE7
Java and TLS
Keytool
Much more basic than the openssl tools
Should not be used to generate production certificates
no support for X509v3 extensions
Certificates are stored inside a keystore
Listing a keystore's content
keytool -list -v -keystore <mykeystore>
Export them to use them outside the Java world
keytool -exportcert -keystore <mykeystore> -alias <myalias> -file <mycert>
Displaying certificate content
keytool -printcert -file <cert>
Keystore
<jre root>/lib/security/cacerts
standard Java Keystore password: changeit
Importing a certificate into cacerts
keytool -importcert -alias <myCertAlias> -file <myCaFile> -keystore cacerts
Debugging
Use the SSLTest program (in formation/https/programs) to access intranet.smile.fr
java -cp . SSLTest intranet.smile.fr 443
Use “ssl” for the javax.net.debug property
java -Djavax.net.debug=ssl
Certificate Authorities with OpenSSL
Configuring the CA
Create a section at the end of /etc/ssl/openssl.cnf
[ my_ca ]
dir              = /home/formation/my_ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/cacert.pem
serial           = $dir/serial
private_key      = $dir/private/cakey.pem
RANDFILE         = $dir/private/.rand
default_days     = 365
default_crl_days = 30
default_md       = md5
policy           = policy_anything
email_in_dn      = no
name_opt         = ca_default
cert_opt         = ca_default
copy_extensions  = none
Creating the CA key
Create the required folders:
mkdir /home/formation/my_ca
mkdir /home/formation/my_ca/private
mkdir /home/formation/my_ca/newcerts
touch /home/formation/my_ca/index.txt
echo 01 > /home/formation/my_ca/serial
openssl req -new -x509 -days 3650 -extensions v3_ca -keyout /home/formation/my_ca/private/cakey.pem -out /home/formation/my_ca/cacert.pem
the -extensions switch specifies which section of /etc/ssl/openssl.cnf must be applied
A root CA is self-signed
Creating a server certificate
Signing the CSR with the CA
openssl ca -in myserver.csr -name my_ca -out myserver.cert
Importing the CA in the browser
In Firefox:
Preferences -> Advanced -> View certificates -> Authorities -> Import...
In Internet Explorer
Windows : Manage Root Certificate
Client authentication
Creating a client certificate
Almost the same thing as a server certificate
When generating the key
Add a password to the key (-des3) to avoid unauthorized use
When generating the CSR
Add the -extensions usr_cert switch to the command line
Then sign it with the CA key
To be used in a browser, it must be exported to p12 format
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
Specify an export password to prevent people from extracting your certificate from your browser
Now import it in "Your Certificates"
Client authentication with Apache
SSLOptions +StdEnvVars
SSLVerifyClient require
SSLCACertificateFile /etc/apache2/myCA.cert
Authentication and identification are done by Apache via the certificate
SSO with client certificate
each application can read data provided by the certificate
the user does not need to enter a password
Revocation
Certificate Revocation List
specifies which certificates should be revoked
use openssl ca to manage them
Online Certificate Status Protocol
tells the browser where it can find the revocation status of a certificate
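The CA set-up of the previous sections (config section, folders, root key, signing the server CSR), the CN = hostname rule, and the CRL handling of this slide, worked end to end as an added example that is not part of the course material. It drives the same openssl req / ca / verify commands in a temporary directory with its own config file; paths, section names and the host name www.example.test are constructed, and it assumes an openssl binary of version 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the course slides): a throw-away private CA driven by
# the deck's openssl req / ca / verify commands, in a temp directory. Paths,
# section names and www.example.test are constructed; needs OpenSSL >= 1.1.1.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CA="$WORK/my_ca"; CNF="$WORK/ca.cnf"

# Folder layout expected by the [ my_ca ] section, as on the deck's slide.
mkdir -p "$CA/private" "$CA/newcerts"
touch "$CA/index.txt"
echo 01 > "$CA/serial"; echo 01 > "$CA/crlnumber"

# Private config instead of editing /etc/ssl/openssl.cnf. default_md is sha256
# rather than the deck's md5 (listed as insecure on its own algorithms slide).
# In the heredoc, \$dir is escaped so openssl expands it; $CA is filled by sh.
cat > "$CNF" <<EOF
[ my_ca ]
dir              = $CA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
private_key      = \$dir/private/cakey.pem
default_days     = 365
default_crl_days = 30
default_md       = sha256
policy           = policy_anything
copy_extensions  = none
x509_extensions  = server_cert
[ policy_anything ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.example.test
EOF

# Root CA: self-signed, 10 years, v3_ca extensions. -nodes leaves the CA key
# unencrypted so this runs unattended; a real CA key gets a passphrase.
create_ca() {
    openssl req -new -x509 -days 3650 -nodes -config "$CNF" -extensions v3_ca \
        -subj "/CN=Example Root CA" -keyout "$CA/private/cakey.pem" \
        -out "$CA/cacert.pem" 2>/dev/null
}
# Server key and CSR; the CN is the name clients will use to reach the server.
create_server_csr() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -config "$CNF" \
        -subj "/CN=www.example.test" -out "$WORK/server.csr"
}
# Sign the CSR with the CA (-batch answers the prompts, -notext keeps PEM only).
sign_server_csr() {
    openssl ca -config "$CNF" -name my_ca -batch -notext \
        -in "$WORK/server.csr" -out "$WORK/server.crt" 2>/dev/null
}
# Publish the CRL (empty at first); rerun after every revocation.
publish_crl() {
    openssl ca -config "$CNF" -name my_ca -gencrl -out "$CA/crl.pem" 2>/dev/null
}
# Mark the server certificate as revoked in the CA database (index.txt).
revoke_server_cert() {
    openssl ca -config "$CNF" -name my_ca -revoke "$WORK/server.crt" 2>/dev/null
}
# What a client checks: chain to our root, name $1, and the CRL. Exit 0 = valid.
verify_server_cert() {
    openssl verify -CAfile "$CA/cacert.pem" -CRLfile "$CA/crl.pem" -crl_check \
        -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}
```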