SSL Primer - Day 2

First things first.  Why are we talking about the insecure SSL protocol and not TLS?  Simply put, SSL is TLS and TLS is SSL.  TLSv1.0 is essentially SSL 3.1.  The world has been asking about SSL for some time now (even before the recent SSL scares) when in fact it was really using TLS in most cases.

Today, we discuss certificate chains.  One critical aspect of SSL is that the client computer / browser must be able to identify the server it is talking to as trusted.  To make this possible, Certificate Authorities (CAs) earn the trust of the computing community, such that vendors such as Microsoft, Google, Apple and Oracle place the CA's certificate (its public key) into their trusted certification authority store.  Once that happens, the client will trust any server using SSL so long as the certificate of the CA that signed the server's certificate exists in the client's trust store.


To complicate matters further, a CA may add an extra layer of security.  For instance, it may have a root CA that is used only to issue certificates to intermediate certification authorities, which in turn are responsible for issuing certificates to the "public".  In this case, both the intermediate and root certificates must be reachable from the client's trust store so that the client can trust the server's certificate.

Here is an example of a trust chain.

In the chain above, the client receives myserver.serena.com from the server itself.  It then checks whether Entrust Certificate Authority, the issuer of that certificate, is in its intermediate or trusted CA store.  The client will see that this certificate is itself signed by another CA, so it searches for the next level in the same intermediate and trust stores.  If it does not find either the intermediate or Entrust.net Certificate Authority, the trust chain is broken.  The typical behavior is then to ask whether the user wants to proceed to the web site anyway or leave it.  The newest browsers, of course, make it really hard to proceed.

In the case of an automated process trying to connect to the server, there is no user to click through, so the trust chain simply remains broken and the connection fails.  Examples of this scenario would be the SBM JBoss / Tomcat server trying to talk to IIS over SSL, or the Dimensions CM desktop client trying to talk to the SBM SSO server.
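The chain walk described above, as an added example that is not part of the original post: a simplified model that matches certificates by subject and issuer name only (real clients also verify signatures, validity dates and CA constraints) and reports which CA certificate is missing when the chain breaks, which is the first thing to check when an automated client such as the JBoss / Tomcat server fails to connect. The certificate names are constructed to mirror the chain discussed above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: subject and issuer names only."""
    subject: str
    issuer: str  # equal to subject for a self-signed root


def build_chain(server_cert: Cert,
                intermediate_store: Dict[str, Cert],
                trust_store: Dict[str, Cert],
                max_depth: int = 10) -> Tuple[List[Cert], Optional[str]]:
    """Walk from the server certificate towards a certificate the client trusts.

    Returns (chain, None) when every issuer is found and the walk ends at a
    certificate present in the trust store; otherwise (partial_chain, reason),
    where reason names the issuer that has to be imported to repair the chain.
    """
    chain = [server_cert]
    current = server_cert
    for _ in range(max_depth):
        # Stop as soon as we hold a certificate that is itself in the trust store
        # (compare the whole record, not just the name, so a different
        # certificate with the same subject is not accepted).
        if trust_store.get(current.subject) == current:
            return chain, None
        if current.issuer == current.subject:
            return chain, f"self-signed '{current.subject}' is not in the trust store"
        # Look for the issuer first among trusted CAs, then among intermediates.
        issuer_cert = trust_store.get(current.issuer) or intermediate_store.get(current.issuer)
        if issuer_cert is None:
            return chain, (f"no certificate for issuer '{current.issuer}' "
                           "in the intermediate or trust store")
        chain.append(issuer_cert)
        current = issuer_cert
    return chain, f"chain exceeds maximum depth of {max_depth}"


# Constructed sample chain (names mirror the post; not real certificates).
ROOT = Cert("Entrust.net Certificate Authority", "Entrust.net Certificate Authority")
INTERMEDIATE = Cert("Entrust Certificate Authority", "Entrust.net Certificate Authority")
SERVER = Cert("myserver.serena.com", "Entrust Certificate Authority")


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Intact chain versus a client whose intermediate store is empty."""
    trust = {ROOT.subject: ROOT}
    _, ok_err = build_chain(SERVER, {INTERMEDIATE.subject: INTERMEDIATE}, trust)
    _, broken_err = build_chain(SERVER, {}, trust)
    return ok_err, broken_err


if __name__ == "__main__":
    print(demo())
```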
