This is an old revision of the document!
Laboratory 08. Security: PKI, X.509, SSL, TLS
TLS (Transport Layer Security) is a cryptographic protocol that provides communication security between a client and a server. Usually, the identity of the server is verified through a certificate. This certificate contains a public key, the identity of the server and a signature which verifies that the key belongs to the entity in the certificate.
A certificate is valid if it is signed by a Certificate Authority (CA). The CA is considered trustworthy by the communication client. The client has access to the certificate of the CA, with which the signature in the certificate belonging to the server can be verified and, consequently, the identity of the server can be verified.
For the following exercises, the resources can be found in the laboratory archive:
$ wget --user=user-curs --ask-password http://repository.grid.pub.ro/cs/scgc/laboratoare/lab-10.zip $ unzip lab-10.zip
Tasks
1. [10p] Inspecting and Verifying a Certificate
Begin by inspecting the certificate found in the houdini.cs.pub.ro.crt-roedunet file.
$ openssl x509 -in houdini.cs.pub.ro.crt-roedunet -noout -text
In the output you can find information about:
- the issuer
- the validity
- start date
- end date
- the public key
- algorithm
- modulus
- exponent
- certificate extensions
- signature
Specific information regarding the certificate can be printed by replacing the -text argument with the one or more of the following:
$ openssl x509 -in houdini.cs.pub.ro.crt-roedunet -noout -pubkey $ openssl x509 -in houdini.cs.pub.ro.crt-roedunet -noout -startdate $ openssl x509 -in houdini.cs.pub.ro.crt-roedunet -noout -enddate $ openssl x509 -in houdini.cs.pub.ro.crt-roedunet -noout -dates $ openssl x509 -in houdini.cs.pub.ro.crt-roedunet -noout -issuer $ openssl x509 -in houdini.cs.pub.ro.crt-roedunet -noout -subject $ openssl x509 -in houdini.cs.pub.ro.crt-roedunet -noout -modulus
To verify the certificate using a certificate chain, use the following command:
$ openssl verify -CAfile terena-ca-chain.pem houdini.cs.pub.ro.crt-roedunet houdini.cs.pub.ro.crt-roedunet: OU = Domain Control Validated, CN = houdini.cs.pub.ro error 10 at 0 depth lookup:certificate has expired OK
The certificate is expired, but has otherwise been verified.
Check the information in certificate chain:
$ cat terena-ca-chain.pem -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
Notice there are multiple certificates in the file.
Although openssl does not provide direct support for printing information about each certificate in the chain, the following workaround can be used:
$ openssl crl2pkcs7 -nocrl -certfile terena-ca-chain.pem | openssl pkcs7 -print_certs -noout subject=/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2 issuer=/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority subject=/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root subject=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
Verify open-source.cs.pub.ro.crt-roedunet and security.cs.pub.ro.crt-roedunet using the two certificate chains present in the resources archive.
issuer for each of the certificates and use the appropriate certificate chain.
2. [10p] Secure Connection to a Server
In a separate terminal, setup tcpdump to listen for connections to google.com on ports 80 and 443.
sudo tcpdump -i eth0 -n -A host google.com and tcp port 80 or tcp port 443
eth0 with the appropriate network interface for your machine.
First, connect to google.com non-securely:
$ nc google.com 80 GET / HTTP/1.0 HTTP/1.0 200 OK ...
GET / HTTP/1.0 press Enter twice.
tcpdump capture.
To connect securely to google.com, use the following command:
$ openssl s_client -connect google.com:443 CONNECTED(00000003) depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA verify return:1 depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2 verify return:1 depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.google.com verify return:1 --- Certificate chain 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com i:/C=US/O=Google Inc/CN=Google Internet Authority G2 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2 i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority --- Server certificate -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2 --- ... --- GET / HTTP/1.0 HTTP/1.0 200 OK ...
tcpdump capture.
3. [20p] Remotely Inspecting a Certificate
4. [20p] Generating and Inspecting a Certificate
5. [20p] Unencrypted Client/Server Communication
6. [20p] Client/Server Communication over SSL/TLS
7. [BONUS 20p] Configuring HTTPS for a Web Server
