SSL Implementation Guide
Onno W. Purbo
Onno@indo.net.id
Reference
- http://www.verisign.com
- http://www.openssl.org
Implementation Steps
- Obtain and install a server Digital ID from VeriSign.
- Define your Access Control List (ACL).
- Set server options to restrict access to clients presenting certificates.
- Set options to enable SSL on your server for secure, authenticated transactions.
- Read certificate information to provide customized services (optional).
Port
- HTTP = 80
- HTTP + SSL = 443
Cryptography Algorithm
- Symmetric Ciphers: blowfish, cast, des, idea, rc2, rc4, rc5
- Public Key Cryptography & Key Agreement: dsa, dh, rsa
- Certificates: x509, x509v3
- Authentication Codes, Hash Functions: hmac, md2, md4, md5, mdc2, ripemd, sha
- Input/Output, Data Encoding: asn1, bio, evp, pem, pkcs7, pkcs12
SSL Process
- Establish private communications
- Perform client authentication
If insecure...
If secure...
Client Hello
Server Hello
Client Master Key
Client Finish
Server Verify
Request Client Certificate
Client Certificate
- If client does not have certificate: Error Message
- If not ….
Client Certificate
Server verifies Client Authenticity
- Check it to root CA
- Check by rehashing the certificate...
Server verifies Client
Server Finish
Enabling SSL at Server
- Generate your server's key pair (public and private keys) using your server's built-in software
- Request a certificate from VeriSign
- Install the certificate VeriSign sends you
- Activate SSL for your server
Request Secure Server Cert
- Create a Certificate Signing Request (CSR) from the server. This process is detailed in the server documentation.
- Complete the online enrollment form at VeriSign's Digital ID center at http://digitalid.verisign.com.
- If your organization is new, mail or fax your company's articles of incorporation or other proof-of-right documents to VeriSign at 650.961.8870. These documents are used to verify your company's authenticity if you are not listed with Dun and Bradstreet.
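
The steps on the "Enabling SSL at Server" and "Request Secure Server Cert" slides, together with the root-CA check from "Server verifies Client Authenticity", as an added example using the openssl command line (not part of the original slides). A throwaway local root CA stands in for VeriSign so the script runs offline; the host name, subject fields and file names are constructed.

```shell
#!/bin/sh
# Added example: key pair -> CSR -> CA signature -> pre-install checks.
# Constructed values: www.example.test, "Example Test Root CA", all file names.

make_server_cert() {
    # $1 = working directory, $2 = server common name
    dir=$1; cn=$2
    # 1. Server key pair; the private key never leaves the server.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    chmod 600 "$dir/server.key"
    # 2. CSR: subject plus public key, self-signed with the private key.
    openssl req -new -key "$dir/server.key" -subj "/O=Example Org/CN=$cn" \
        -out "$dir/server.csr" || return 1
    # 3. Throwaway local root CA (stand-in for the commercial CA).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example Test CA/CN=Example Test Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # 4. The CA checks the CSR's self-signature, then issues the certificate.
    openssl req -in "$dir/server.csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 30 -sha256 \
        -out "$dir/server.crt" 2>/dev/null || return 1
}

chain_ok() {
    # "Check it to root CA": the issued certificate must chain to the trusted root.
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

key_matches_cert() {
    # Before installing: certificate and private key must hold the same public key.
    a=$(openssl x509 -in "$1/server.crt" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$1/server.key" -pubout | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

work=$(mktemp -d)
make_server_cert "$work" www.example.test && chain_ok "$work" \
    && key_matches_cert "$work" \
    && echo "server.crt chains to the test root and matches server.key"
```

With a real CA only steps 1 and 2 run on the server; the CSR is submitted through the enrollment form and the returned certificate is checked with the two functions before SSL is activated.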