How does SSL really work?

无人共我 2020-12-04 04:54

How does SSL work?

Where is the certificate installed on the client (or browser?) and the server (or web server?)?

How does the trust/encryption/authenticati

4 answers
  -上瘾入骨i
    2020-12-04 05:26

    Mehaase has explained it in detail already. I will add my 2 cents to this series. I have many blog posts revolving around the SSL handshake and certificates. While most of this revolves around the IIS web server, the posts are still relevant to the SSL/TLS handshake in general. Here are a few for your reference:

    • SSL Handshake and IIS
    • Client certificate Authentication in SSL Handshake

    Do not treat CERTIFICATES & SSL as one topic. Treat them as 2 different topics and then try to see how they work in conjunction. This will help you answer the question.

    Establishing trust between communicating parties via Certificate Store

    SSL/TLS communication works solely on the basis of trust. Every computer (client/server) on the internet maintains a list of Root CAs and Intermediate CAs. These are periodically updated. During the SSL handshake this list is used as a reference to establish trust. For example, when the client provides a certificate to the server during the SSL handshake, the server will try to check whether the CA who issued the cert is present in its list of CAs. When it cannot do this, it declares that it was unable to do the certificate chain verification. (This is only part of the answer. It also looks at AIA for this.) The client does a similar verification for the server certificate which it receives in Server Hello. On Windows, you can see the certificate stores for client & server via PowerShell. Execute the below from a PowerShell console.

    PS Cert:> ls

    Location   : CurrentUser
    StoreNames : {TrustedPublisher, ClientAuthIssuer, Root, UserDS...}

    Location   : LocalMachine
    StoreNames : {TrustedPublisher, ClientAuthIssuer, Remote Desktop, Root...}

    Browsers like Firefox and Opera don't rely on the underlying OS for certificate management. They maintain their own separate certificate stores.

    The SSL handshake uses both Symmetric & Public Key Cryptography. Server Authentication happens by default. Client Authentication is optional and depends on whether the Server endpoint is configured to authenticate the client or not. Refer to my blog post, as I have explained this in detail.

    Finally, for this question:

    How does the HTTPS protocol recognize the certificate? Why can't HTTP work with certificates when it is the certificates which do all the trust/encryption/authentication work?

    A certificate is simply a file whose format is defined by the X.509 standard. It is an electronic document which proves the identity of a communicating party. HTTPS = HTTP + SSL is a protocol which defines the guidelines as to how 2 parties should communicate with each other.

    MORE INFORMATION

    • In order to understand certificates you will have to understand what certificates are and also read about Certificate Management. This is important.
    • Once this is understood, then proceed with the TLS/SSL handshake. You may refer to the RFCs for this. But they are skeletons which define the guidelines. There are several blog posts, including mine, which explain this in detail.

    If the above activity is done, then you will have a fair understanding of Certificates and SSL.
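The "is the issuing CA present in my list of CAs?" check that the answer above describes can be reproduced end to end with the openssl CLI. The script below is an added example, not code from the answer or from its blog posts: it builds a constructed three-level chain (a self-signed root CA, an intermediate CA signed by it, and a server leaf signed by the intermediate), then verifies the leaf against different trust stores. `-CAfile` plays the role of the Root store the answer shows in `Cert:`, and `-untrusted` holds the intermediate a peer would send along in the handshake. All names (Example Root CA, www.example.test, ...) are made up for the example.

```sh
#!/bin/sh
# Added example (not the answer's code): build a constructed root -> intermediate -> leaf
# chain with openssl and verify the leaf against different trust stores.
set -e

# build_chain DIR: writes root.pem, int.pem, leaf.pem and an unrelated
# other_root.pem into DIR (private keys alongside with a .key suffix).
build_chain() {
  dir=$1
  mkdir -p "$dir"
  (
    cd "$dir"
    # Extensions that make a certificate a CA, i.e. allowed to sign other certs.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
      'keyUsage=critical,keyCertSign,cRLSign' \
      'subjectKeyIdentifier=hash' > ca.ext
    # Extensions for an end-entity (server) certificate: explicitly not a CA.
    printf '%s\n' 'basicConstraints=CA:FALSE' \
      'keyUsage=critical,digitalSignature,keyEncipherment' \
      'extendedKeyUsage=serverAuth' \
      'subjectAltName=DNS:www.example.test' > leaf.ext

    # Two self-signed roots. A root is trusted only because it sits in the
    # verifier's store, never because of its (self-)signature.
    for name in root other_root; do
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$name.key" -out "$name.csr" -subj "/CN=Example $name CA" >/dev/null 2>&1
      openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 365 -sha256 \
        -extfile ca.ext -out "$name.pem" >/dev/null 2>&1
    done

    # Intermediate CA, signed by root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout int.key -out int.csr -subj '/CN=Example Intermediate CA' >/dev/null 2>&1
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 365 -sha256 -extfile ca.ext -out int.pem >/dev/null 2>&1

    # Server leaf, signed by the intermediate (what a web server presents).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout leaf.key -out leaf.csr -subj '/CN=www.example.test' >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -days 365 -sha256 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
  )
}

# verify_leaf TRUSTED UNTRUSTED LEAF: exit 0 when LEAF chains up to a root in
# TRUSTED. UNTRUSTED (may be empty) holds intermediates the peer sent along;
# they help build the chain but are never trusted on their own.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
  fi
}

WORK=$(mktemp -d)
build_chain "$WORK"

# Print one line per scenario so the effect of each trust store is visible.
report() {
  if verify_leaf "$1" "$2" "$WORK/leaf.pem"; then echo "OK   : $3"; else echo "FAIL : $3"; fi
}
report "$WORK/root.pem"       "$WORK/int.pem" "root in store, intermediate supplied by peer"
report "$WORK/root.pem"       ""              "root in store, intermediate missing (no AIA fetch here)"
report "$WORK/other_root.pem" "$WORK/int.pem" "issuing root not in store: chain verification fails"
```

The second scenario is the case the answer hints at with AIA: OpenSSL's `verify` does not fetch the missing intermediate itself, so the chain breaks, whereas Windows and most browsers would try the Authority Information Access URL in the leaf before giving up. The third scenario is the plain "unknown CA" failure: the chain is perfectly well formed, but it terminates in a root the verifier has never been told to trust.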
