Differences
This shows you the differences between two versions of the page.
|
scgc:laboratoare:08 [2018/05/05 22:03] nicolae.ivan [3. [20p] Remotely Inspecting a Certificate] |
scgc:laboratoare:08 [2021/10/13 17:25] (current) maria.mihailescu |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Laboratory 08. Security: PKI, X.509, SSL, TLS ====== | + | ====== Security: PKI, X.509, SSL, TLS ====== |
| TLS (Transport Layer Security) is a cryptographic protocol that provides communication security between a client and a server. Usually, the identity of the server is verified through a certificate. This certificate contains a public key, the identity of the server and a signature which verifies that the key belongs to the entity in the certificate. | TLS (Transport Layer Security) is a cryptographic protocol that provides communication security between a client and a server. Usually, the identity of the server is verified through a certificate. This certificate contains a public key, the identity of the server and a signature which verifies that the key belongs to the entity in the certificate. | ||
| Line 5: | Line 5: | ||
| A certificate is valid if it is signed by a Certificate Authority (CA). The CA is considered trustworthy by the communication client. The client has access to the certificate of the CA, with which the signature in the certificate belonging to the server can be verified and, consequently, the identity of the server can be verified. | A certificate is valid if it is signed by a Certificate Authority (CA). The CA is considered trustworthy by the communication client. The client has access to the certificate of the CA, with which the signature in the certificate belonging to the server can be verified and, consequently, the identity of the server can be verified. | ||
| - | For the following exercises, the resources can be found in the laboratory archive: | + | ===== Lab Setup ===== |
| - | <code> | + | * We will be using a virtual machine in the [[http://cloud.grid.pub.ro/|faculty's cloud]]. |
| - | $ wget --user=user-curs --ask-password http://repository.grid.pub.ro/cs/scgc/laboratoare/lab-08.zip | + | * When creating a virtual machine in the Launch Instance window: |
| - | $ unzip lab-08.zip | + | * Select **Boot from image** in **Instance Boot Source** section |
| + | * Select **SCGC Template** in **Image Name** section | ||
| + | * Select a flavor that is at least **m1.medium**. | ||
| + | * The username for connecting to the VM is ''student'' | ||
| + | * For the following exercises, the resources can be found in the laboratory archive: <code bash> | ||
| + | [student@scgc ~] $ cd | ||
| + | [student@scgc ~] $ wget --user=<username> --ask-password https://repository.grid.pub.ro/cs/scgc/laboratoare/lab-08.zip | ||
| + | [student@scgc ~] $ unzip lab-08.zip | ||
| </code> | </code> | ||
| + | |||
| ===== Tasks ====== | ===== Tasks ====== | ||
| - | ==== 1. [10p] Inspecting and Verifying a Certificate ==== | + | ==== 1. Inspecting and Verifying a Certificate ==== |
| Begin by inspecting the certificate found in the ''houdini.cs.pub.ro.crt-roedunet'' file. | Begin by inspecting the certificate found in the ''houdini.cs.pub.ro.crt-roedunet'' file. | ||
| Line 83: | Line 91: | ||
| Find the ''issuer'' for each of the certificates and use the appropriate certificate chain. | Find the ''issuer'' for each of the certificates and use the appropriate certificate chain. | ||
| </note> | </note> | ||
| - | ==== 2. [10p] Secure Connection to a Server ==== | + | ==== 2. Remotely Inspecting a Certificate ==== |
| - | In a separate terminal, setup ''tcpdump'' to listen for connections to ''google.com'' on ports 80 and 443. | + | Connect to ''aero.curs.pub.ro'' using a secure connection to obtain its certificate. |
| <code> | <code> | ||
| - | sudo tcpdump -i eth0 -n -A host google.com and tcp port 80 or tcp port 443 | + | $ echo | openssl s_client -connect aero.curs.pub.ro:443 |
| + | CONNECTED(00000003) | ||
| + | depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority | ||
| + | verify return:1 | ||
| + | depth=1 C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4 | ||
| + | verify return:1 | ||
| + | depth=0 C = RO, postalCode = 060042, L = Bucure\C8\99ti, street = Sectorul 6, street = "Independentei Street, No.313", O = Universitatea Politehnica din Bucure\C8\99ti, OU = NCIT Cluster, CN = *.curs.pub.ro | ||
| + | verify return:1 | ||
| + | --- | ||
| + | Certificate chain | ||
| + | 0 s:C = RO, postalCode = 060042, L = Bucure\C8\99ti, street = Sectorul 6, street = "Independentei Street, No.313", O = Universitatea Politehnica din Bucure\C8\99ti, OU = NCIT Cluster, CN = *.curs.pub.ro | ||
| + | i:C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4 | ||
| + | 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services | ||
| + | i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services | ||
| + | 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority | ||
| + | i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services | ||
| + | 3 s:C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4 | ||
| + | i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority | ||
| + | ... | ||
| </code> | </code> | ||
| - | <note important> | ||
| - | Replace ''eth0'' with the appropriate network interface for your machine. | ||
| - | </note> | ||
| - | First, connect to ''google.com'' non-securely: | + | The received certificate appears to be for ''*.curs.pub.ro''. This is a wildcard certificate that is available for all subdomains of ''curs.pub.ro''. Such certificates can be used when all subdomains are secured by the same server (web server or load balancer). Let's inspect the certificate: |
| <code> | <code> | ||
| - | $ nc google.com 80 | + | $ echo | openssl s_client -connect aero.curs.pub.ro:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -text |
| - | GET / HTTP/1.0 | + | Certificate: |
| + | Data: | ||
| + | Version: 3 (0x2) | ||
| + | Serial Number: | ||
| + | 3c:e8:ca:7b:24:34:0e:23:33:d2:ec:4d:3e:de:d0:03 | ||
| + | Signature Algorithm: sha384WithRSAEncryption | ||
| + | Issuer: C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4 | ||
| + | Validity | ||
| + | Not Before: Jul 8 00:00:00 2020 GMT | ||
| + | Not After : Jul 8 23:59:59 2021 GMT | ||
| + | Subject: C = RO, postalCode = 060042, L = Bucure\C8\99ti, street = Sectorul 6, street = "Independentei Street, No.313", O = Universitatea Politehnica din Bucure\C8\99ti, OU = NCIT Cluster, CN = *.curs.pub.ro | ||
| + | Subject Public Key Info: | ||
| + | Public Key Algorithm: rsaEncryption | ||
| + | RSA Public-Key: (4096 bit) | ||
| + | Modulus: | ||
| + | 00:ce:7b:17:7b:8f:c3:be:00:b5:a4:7f:28:db:53: | ||
| + | db:a2:27:c2:62:6d:a4:75:7b:10:b7:81:3e:1d:5c: | ||
| + | 6d:48:18:77:3f:f8:d6:5e:93:e8:50:fd:16:fb:a2: | ||
| + | 79:ae:4b:12:39:22:df:28:9c:b7:82:b2:89:9c:7e: | ||
| + | 09:7a:43:b5:51:10:77:a3:c2:ec:bd:03:f6:b1:40: | ||
| + | f2:c1:82:ca:3b:53:fa:3a:5a:61:20:25:10:03:d6: | ||
| + | cc:eb:67:da:0a:3a:5b:f5:95:5e:15:5d:7e:b8:9d: | ||
| + | e5:9e:d5:0e:5b:4d:77:7b:eb:4f:e7:e6:ad:d4:7c: | ||
| + | 20:dc:82:cc:d0:cf:63:5d:b3:8b:41:e4:3a:4e:70: | ||
| + | f6:18:75:a4:90:1a:b3:18:ad:b2:51:53:92:9f:bf: | ||
| + | ed:c1:c3:8e:ea:e0:8e:ef:68:fa:36:d2:c9:ed:8d: | ||
| + | 34:24:4b:d5:9d:18:ab:42:c3:0d:38:71:1b:ea:a9: | ||
| + | ca:28:ff:cf:f5:9d:e1:cd:53:69:7a:c8:f2:82:af: | ||
| + | 48:72:e9:96:db:16:00:7a:c0:fc:7a:7b:01:eb:d4: | ||
| + | 66:9a:6c:4c:66:7d:de:f7:bc:9d:43:90:c0:03:4a: | ||
| + | a6:42:98:e0:cc:44:58:85:00:6b:f2:76:cd:59:dc: | ||
| + | df:d0:83:88:eb:28:5c:c9:3a:1b:b2:0d:61:27:1f: | ||
| + | ed:a9:63:0e:4a:f7:3e:25:b3:ab:30:92:15:b6:b2: | ||
| + | 89:53:50:48:b2:77:39:6a:43:42:47:0d:d2:b6:c7: | ||
| + | 27:40:f9:77:1b:55:44:7e:67:81:5e:cf:7e:8e:65: | ||
| + | 1c:a4:0b:05:b6:ff:0a:91:70:79:40:f9:be:e8:17: | ||
| + | 74:81:3a:c1:f2:be:51:2e:3a:0b:d2:a9:55:1c:37: | ||
| + | 3b:2b:76:eb:2c:7b:64:fc:e7:0f:6c:c4:28:f7:7c: | ||
| + | 2c:d0:61:31:a8:f6:db:fd:89:08:c6:9d:c5:98:ec: | ||
| + | cd:55:4b:e9:7b:3c:95:45:68:ca:fe:f0:45:75:2f: | ||
| + | 6b:65:53:c2:44:b0:44:16:af:e8:d2:5b:d5:e0:1d: | ||
| + | 57:45:6f:43:02:80:62:0d:d8:5a:75:ac:fd:ae:a0: | ||
| + | 6b:b0:52:7c:00:cf:65:57:2e:ce:0a:8d:ec:24:68: | ||
| + | 75:ce:62:92:0b:bf:b1:02:65:b9:6f:fe:a9:fa:77: | ||
| + | 24:7f:5a:2b:7d:aa:bb:42:50:8e:d4:91:f0:94:3d: | ||
| + | 3c:42:47:64:c7:92:c7:4f:ce:0b:43:01:f6:92:c2: | ||
| + | 4e:d0:2c:9b:ee:9f:b0:6b:d2:14:84:54:0c:ad:53: | ||
| + | 74:01:0e:b4:2b:63:95:cc:51:1e:44:ce:ef:9c:c0: | ||
| + | 9d:a7:98:41:1a:c4:3b:97:75:f5:eb:84:00:22:8e: | ||
| + | b9:66:37 | ||
| + | Exponent: 65537 (0x10001) | ||
| + | X509v3 extensions: | ||
| + | X509v3 Authority Key Identifier: | ||
| + | keyid:6F:1D:35:49:10:6C:32:FA:59:A0:9E:BC:8A:E8:1F:95:BE:71:7A:0C | ||
| + | |||
| + | X509v3 Subject Key Identifier: | ||
| + | F9:09:37:51:7C:1D:EC:62:7A:9E:F9:4C:23:98:9E:FB:14:3F:52:D9 | ||
| + | X509v3 Key Usage: critical | ||
| + | Digital Signature, Key Encipherment | ||
| + | X509v3 Basic Constraints: critical | ||
| + | CA:FALSE | ||
| + | X509v3 Extended Key Usage: | ||
| + | TLS Web Server Authentication, TLS Web Client Authentication | ||
| + | X509v3 Certificate Policies: | ||
| + | Policy: 1.3.6.1.4.1.6449.1.2.2.79 | ||
| + | CPS: https://sectigo.com/CPS | ||
| + | Policy: 2.23.140.1.2.2 | ||
| + | |||
| + | X509v3 CRL Distribution Points: | ||
| + | |||
| + | Full Name: | ||
| + | URI:http://GEANT.crl.sectigo.com/GEANTOVRSACA4.crl | ||
| + | |||
| + | Authority Information Access: | ||
| + | CA Issuers - URI:http://GEANT.crt.sectigo.com/GEANTOVRSACA4.crt | ||
| + | OCSP - URI:http://GEANT.ocsp.sectigo.com | ||
| - | HTTP/1.0 200 OK | + | X509v3 Subject Alternative Name: |
| + | DNS:*.curs.pub.ro, DNS:curs.pub.ro | ||
| ... | ... | ||
| </code> | </code> | ||
| + | |||
| + | As we can see, all the Subject Alternative Names (SAN) can be found under in the certificate, under ''DNS'' entries. | ||
| + | |||
| <note tip> | <note tip> | ||
| - | After typing ''GET / HTTP/1.0'' press ''Enter'' twice. | + | Within a browser, inspect the certificate for ''aero.curs.pub.ro'' and find the field that specifies the Subject Alternative Names for the certificate. To avoid automatic redirecting to ''curs.upb.ro'', go to ''aero.curs.pub.ro/2019''. |
| </note> | </note> | ||
| + | ==== 3. Generating and Inspecting a Certificate ==== | ||
| - | <note important> | + | The steps required when generating a certificate are as follows: |
| - | Notice that the HTTP request and response are visible in plaintext in the ''tcpdump'' capture. | + | * generate a private key |
| - | </note> | + | * generate a certificate signing request (CSR) with the key and identification data |
| + | * send the CSR to a CA in order to have it signed | ||
| - | To connect securely to ''google.com'', use the following command: | + | We will generate a CSR for ''server.scgc''. |
| + | First, generate a private key: | ||
| <code> | <code> | ||
| - | $ openssl s_client -connect google.com:443 | + | $ openssl genrsa -out server.scgc.key 2048 |
| - | CONNECTED(00000003) | + | Generating RSA private key, 2048 bit long modulus |
| - | depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA | + | ...............................................+++ |
| - | verify return:1 | + | .....................................................................................+++ |
| - | depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2 | + | e is 65537 (0x10001) |
| - | verify return:1 | + | </code> |
| - | depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.google.com | + | |
| - | verify return:1 | + | Then, generate the signing request: |
| - | --- | + | <code> |
| - | Certificate chain | + | $ openssl req -new -key server.scgc.key -out server.scgc.csr |
| - | 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com | + | |
| - | i:/C=US/O=Google Inc/CN=Google Internet Authority G2 | + | |
| - | 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2 | + | |
| - | i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA | + | |
| - | 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA | + | |
| - | i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority | + | |
| - | --- | + | |
| - | Server certificate | + | |
| - | -----BEGIN CERTIFICATE----- | + | |
| ... | ... | ||
| - | -----END CERTIFICATE----- | + | </code> |
| - | subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com | + | |
| - | issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2 | + | <note tip> |
| - | --- | + | Supply the following information in the request: |
| + | * ''Organization Name'': ''SCGC'' | ||
| + | * ''Organizational Unit'': ''Development'' | ||
| + | * ''Common Name'': ''server.scgc'' | ||
| + | The other fields can be completed as desired. | ||
| + | </note> | ||
| + | |||
| + | Usually, at this point, the request would be sent to a trusted CA in order to be signed. | ||
| + | Instead, we will sign the certificate using the ''scgc-ca.crt'' certificate from the resource archive. | ||
| + | |||
| + | <code> | ||
| + | $ openssl ca -config scgc-ca.cnf -policy signing_policy -extensions signing_req -in server.scgc.csr -out server.scgc.crt | ||
| + | Using configuration from scgc-ca.cnf | ||
| + | Check that the request matches the signature | ||
| + | Signature ok | ||
| ... | ... | ||
| - | --- | + | Sign the certificate? [y/n]:y |
| - | GET / HTTP/1.0 | + | |
| - | HTTP/1.0 200 OK | + | |
| - | ... | + | 1 out of 1 certificate requests certified, commit? [y/n]y |
| + | Write out database with 1 new entries | ||
| + | Data Base Updated | ||
| </code> | </code> | ||
| + | |||
| + | <note tip> | ||
| + | Inspect the ''scgc-ca.cnf'' file, in particular the ''signing_policy'' section. | ||
| + | |||
| + | A more complex openssl configuration file can be found at ''/etc/ssl/openssl.cnf''. | ||
| + | </note> | ||
| + | |||
| + | Verify that the signed certificate matches the generated key. | ||
| + | <code> | ||
| + | $ openssl x509 -in server.scgc.crt -noout -modulus | md5sum | ||
| + | d80db122c02c6ef6eabb3b4cbd8b8f40 - | ||
| + | $ openssl rsa -in server.scgc.key -noout -modulus | md5sum | ||
| + | d80db122c02c6ef6eabb3b4cbd8b8f40 - | ||
| + | </code> | ||
| + | |||
| + | Furthermore, verify the certificate using the ''scgc-ca.crt'' certificate. | ||
| + | <code> | ||
| + | $ openssl verify -CAfile scgc-ca/scgc-ca.crt server.scgc.crt | ||
| + | server.scgc.crt: OK | ||
| + | </code> | ||
| + | |||
| + | <note warning> | ||
| + | Currently, the ''scgc-ca.crt'' certificate is expired, so the last command will fail. If you want to solve this issue, you can regenerate the CA certificate by running the following commands (and resign the newly created CSR): | ||
| + | <code bash> | ||
| + | $ openssl req -new -key scgc-ca/scgc-ca.key -out scgc-ca/scgc-ca.csr | ||
| + | $ openssl x509 -req -in scgc-ca/scgc-ca.csr -signkey scgc-ca/scgc-ca.key -out scgc-ca/scgc-ca.crt | ||
| + | </code> | ||
| + | |||
| + | </note> | ||
| + | ==== 4. Unencrypted Client/Server Communication ==== | ||
| <note important> | <note important> | ||
| - | The two things to notice are that the server has sent its certificate upon connecting and the HTTP request and response are no longer visible in the ''tcpdump'' capture. | + | First, in a separate terminal, start a ''tcpdump'' session to dump traffic on the loopback interface. |
| + | We will also use this for the next exercise. | ||
| </note> | </note> | ||
| - | ==== 3. [20p] Remotely Inspecting a Certificate ==== | ||
| - | Connect to ''open-source.cs.pub.ro'' using a secure connection to obtain its certificate. | ||
| <code> | <code> | ||
| - | $ echo | openssl s_client -connect open-source.cs.pub.ro:443 | + | $ sudo tcpdump -A -i lo port 12345 |
| + | </code> | ||
| + | |||
| + | Now, start a simple server listening on the port ''tcpdump'' is monitoring. | ||
| + | <code> | ||
| + | $ nc -l 12345 | ||
| + | </code> | ||
| + | |||
| + | To connect to the server, run the following in another terminal. | ||
| + | <code> | ||
| + | $ nc localhost 12345 | ||
| + | </code> | ||
| + | |||
| + | <note tip> | ||
| + | Notice that any text typed into the client shows in the server and vice-versa. | ||
| + | Also, the messages can be seen in plaintext in the ''tcpdump'' log. | ||
| + | </note> | ||
| + | ==== 5. Client/Server Communication over SSL/TLS ==== | ||
| + | |||
| + | Use ''openssl s_server'' to start a server listening on the same port as the previous exercise. Use the ''server.scgc'' certificate previously generated. | ||
| + | |||
| + | <code> | ||
| + | $ openssl s_server -key server.scgc.key -cert server.scgc.crt -accept 12345 | ||
| + | Using default temp DH parameters | ||
| + | ACCEPT | ||
| + | </code> | ||
| + | |||
| + | Connect to the server using ''openssl s_client''. | ||
| + | <code> | ||
| + | $ openssl s_client -connect localhost:12345 | ||
| CONNECTED(00000003) | CONNECTED(00000003) | ||
| - | depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Assured ID Root CA | + | depth=0 C = RO, ST = Bucharest, L = Bucharest, O = SCGC, OU = Development, CN = server.scgc |
| + | verify error:num=20:unable to get local issuer certificate | ||
| verify return:1 | verify return:1 | ||
| - | depth=1 C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL CA 3 | + | depth=0 C = RO, ST = Bucharest, L = Bucharest, O = SCGC, OU = Development, CN = server.scgc |
| - | verify return:1 | + | verify error:num=21:unable to verify the first certificate |
| - | depth=0 C = RO, L = Bucharest, O = Universitatea POLITEHNICA din Bucuresti, OU = Computer Science and Engineering Department, CN = koala.cs.pub.ro | + | |
| verify return:1 | verify return:1 | ||
| --- | --- | ||
| Certificate chain | Certificate chain | ||
| - | 0 s:/C=RO/L=Bucharest/O=Universitatea POLITEHNICA din Bucuresti/OU=Computer Science and Engineering Department/CN=koala.cs.pub.ro | + | 0 s:/C=RO/ST=Bucharest/L=Bucharest/O=SCGC/OU=Development/CN=server.scgc |
| - | i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3 | + | i:/C=RO/O=SCGC/OU=Development/CN=SCGC CA |
| - | 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3 | + | --- |
| - | i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA | + | |
| ... | ... | ||
| + | Verify return code: 21 (unable to verify the first certificate) | ||
| </code> | </code> | ||
| - | The received certificate appears to be for ''koala.cs.pub.ro''. This is because the server is using virtual hosting. We can specify which server we are trying to connect to in the following way: | + | The validation of the server certificate has failed. |
| + | |||
| + | Attempt the connection again, this time specifying the CA certificate. | ||
| <code> | <code> | ||
| - | $ echo | openssl s_client -connect open-source.cs.pub.ro:443 -servername open-source.cs.pub.ro | + | $ openssl s_client -CAfile scgc-ca/scgc-ca.crt -connect localhost:12345 |
| CONNECTED(00000003) | CONNECTED(00000003) | ||
| - | depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA | + | depth=1 C = RO, O = SCGC, OU = Development, CN = SCGC CA |
| verify return:1 | verify return:1 | ||
| - | depth=1 C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL High Assurance CA 3 | + | depth=0 C = RO, ST = Bucharest, L = Bucharest, O = SCGC, OU = Development, CN = server.scgc |
| - | verify return:1 | + | |
| - | depth=0 businessCategory = Government Entity, jurisdictionC = RO, serialNumber = Government Entity, street = Splaiul Independentei 313, postalCode = 060042, C = RO, L = Bucharest, O = Universitatea POLITEHNICA din Bucuresti, OU = Automatic Control and Computers Faculty, CN = open-source.cs.pub.ro | + | |
| verify return:1 | verify return:1 | ||
| --- | --- | ||
| Certificate chain | Certificate chain | ||
| - | 0 s:/businessCategory=Government Entity/jurisdictionC=RO/serialNumber=Government Entity/street=Splaiul Independentei 313/postalCode=060042/C=RO/L=Bucharest/O=Universitatea POLITEHNICA din Bucuresti/OU=Automatic Control and Computers Faculty/CN=open-source.cs.pub.ro | + | 0 s:/C=RO/ST=Bucharest/L=Bucharest/O=SCGC/OU=Development/CN=server.scgc |
| - | i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL High Assurance CA 3 | + | i:/C=RO/O=SCGC/OU=Development/CN=SCGC CA |
| - | 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL High Assurance CA 3 | + | |
| - | i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA | + | |
| --- | --- | ||
| - | Server certificate | ||
| - | -----BEGIN CERTIFICATE----- | ||
| - | ... | ||
| - | -----END CERTIFICATE----- | ||
| - | ... | ||
| - | --- | ||
| - | DONE | ||
| - | </code> | ||
| - | |||
| - | Now, we can redirect the actual certificate information to the ''openssl'' utility to inspect the certificate: | ||
| - | <code> | ||
| - | $ echo | openssl s_client -connect open-source.cs.pub.ro:443 -servername open-source.cs.pub.ro 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -text | ||
| - | Certificate: | ||
| - | Data: | ||
| - | Version: 3 (0x2) | ||
| - | Serial Number: | ||
| - | 07:a6:ee:d5:f5:2d:f2:f9:63:35:24:0f:39:e3:25:17 | ||
| - | Signature Algorithm: sha512WithRSAEncryption | ||
| - | Issuer: C=NL, ST=Noord-Holland, L=Amsterdam, O=TERENA, CN=TERENA SSL High Assurance CA 3 | ||
| - | Validity | ||
| - | Not Before: Jun 3 00:00:00 2017 GMT | ||
| - | Not After : Aug 7 12:00:00 2018 GMT | ||
| - | Subject: businessCategory=Government Entity/jurisdictionC=RO/serialNumber=Government Entity/street=Splaiul Independentei 313/postalCode=060042, C=RO, L=Bucharest, O=Universitatea POLITEHNICA din Bucuresti, OU=Automatic Control and Computers Faculty, CN=open-source.cs.pub.ro | ||
| ... | ... | ||
| + | Verify return code: 0 (ok) | ||
| </code> | </code> | ||
| <note tip> | <note tip> | ||
| - | Repeat the process for ''systems.cs.pub.ro'' | + | The connection has been successfully established. Verify that messages exchanged between server and client are no longer displayed in the ''tcpdump'' log. |
| </note> | </note> | ||
| - | ==== 4. [20p] Generating and Inspecting a Certificate ==== | ||
| - | ==== 5. [20p] Unencrypted Client/Server Communication ==== | ||
| - | ==== 6. [20p] Client/Server Communication over SSL/TLS ==== | ||
| - | ==== 7. [BONUS 20p] Configuring HTTPS for a Web Server ==== | ||
