Recent changes

This is an old revision of the document!

Laboratory 08. Security: PKI, X.509, SSL, TLS

TLS (Transport Layer Security) is a cryptographic protocol that provides communication security between a client and a server. Usually, the identity of the server is verified through a certificate. This certificate contains a public key, the identity of the server and a signature which verifies that the key belongs to the entity in the certificate.

A certificate is valid if it is signed by a Certificate Authority (CA). The CA is considered trustworthy by the communication client. The client has access to the certificate of the CA, with which the signature in the certificate belonging to the server can be verified and, consequently, the identity of the server can be verified.

For the following exercises, the resources can be found in the laboratory archive: 

$ wget --user=user-curs --ask-password http://repository.grid.pub.ro/cs/scgc/laboratoare/lab-08.zip
$ unzip lab-08.zip

Tasks

1. [20p] Inspecting and Verifying a Certificate

Begin by inspecting the certificate found in the houdini.cs.pub.ro.crt-roedunet file. 

$ openssl x509 -in houdini.cs.pub.ro.crt-roedunet -noout -text

In the output you can find information about:

  • the issuer
  • the validity
    • start date
    • end date
  • the public key
    • algorithm
    • modulus
    • exponent
  • certificate extensions
  • signature

Specific information regarding the certificate can be printed by replacing the -text argument with the one or more of the following: 

$ openssl x509 -in houdini.cs.pub.ro.crt-roedunet -noout -pubkey
$ openssl x509 -in houdini.cs.pub.ro.crt-roedunet -noout -startdate
$ openssl x509 -in houdini.cs.pub.ro.crt-roedunet -noout -enddate
$ openssl x509 -in houdini.cs.pub.ro.crt-roedunet -noout -dates
$ openssl x509 -in houdini.cs.pub.ro.crt-roedunet -noout -issuer
$ openssl x509 -in houdini.cs.pub.ro.crt-roedunet -noout -subject
$ openssl x509 -in houdini.cs.pub.ro.crt-roedunet -noout -modulus

To verify the certificate using a certificate chain, use the following command: 

$ openssl verify -CAfile terena-ca-chain.pem houdini.cs.pub.ro.crt-roedunet
houdini.cs.pub.ro.crt-roedunet: OU = Domain Control Validated, CN = houdini.cs.pub.ro
error 10 at 0 depth lookup:certificate has expired
OK

The certificate is expired, but has otherwise been verified.

Check the information in certificate chain: 

$ cat terena-ca-chain.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Notice there are multiple certificates in the file. Although openssl does not provide direct support for printing information about each certificate in the chain, the following workaround can be used: 

$ openssl crl2pkcs7 -nocrl -certfile terena-ca-chain.pem | openssl pkcs7 -print_certs -noout
subject=/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
issuer=/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority

subject=/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

subject=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

Verify open-source.cs.pub.ro.crt-roedunet and security.cs.pub.ro.crt-roedunet using the two certificate chains present in the resources archive.

Find the issuer for each of the certificates and use the appropriate certificate chain.

2. [20p] Remotely Inspecting a Certificate

Connect to open-source.cs.pub.ro using a secure connection to obtain its certificate. 

$ echo | openssl s_client -connect open-source.cs.pub.ro:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Assured ID Root CA
verify return:1
depth=1 C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL CA 3
verify return:1
depth=0 C = RO, L = Bucharest, O = Universitatea POLITEHNICA din Bucuresti, OU = Computer Science and Engineering Department, CN = koala.cs.pub.ro
verify return:1
---
Certificate chain
 0 s:/C=RO/L=Bucharest/O=Universitatea POLITEHNICA din Bucuresti/OU=Computer Science and Engineering Department/CN=koala.cs.pub.ro
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
...

The received certificate appears to be for koala.cs.pub.ro. This is because the server is using virtual hosting. We can specify which server we are trying to connect to in the following way: 

$ echo | openssl s_client -connect open-source.cs.pub.ro:443 -servername open-source.cs.pub.ro
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL High Assurance CA 3
verify return:1
depth=0 businessCategory = Government Entity, jurisdictionC = RO, serialNumber = Government Entity, street = Splaiul Independentei 313, postalCode = 060042, C = RO, L = Bucharest, O = Universitatea POLITEHNICA din Bucuresti, OU = Automatic Control and Computers Faculty, CN = open-source.cs.pub.ro
verify return:1
---
Certificate chain
 0 s:/businessCategory=Government Entity/jurisdictionC=RO/serialNumber=Government Entity/street=Splaiul Independentei 313/postalCode=060042/C=RO/L=Bucharest/O=Universitatea POLITEHNICA din Bucuresti/OU=Automatic Control and Computers Faculty/CN=open-source.cs.pub.ro
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL High Assurance CA 3
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL High Assurance CA 3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
...
---
DONE

Now, we can redirect the actual certificate information to the openssl utility to inspect the certificate: 

$ echo | openssl s_client -connect open-source.cs.pub.ro:443 -servername open-source.cs.pub.ro 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            07:a6:ee:d5:f5:2d:f2:f9:63:35:24:0f:39:e3:25:17
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=NL, ST=Noord-Holland, L=Amsterdam, O=TERENA, CN=TERENA SSL High Assurance CA 3
        Validity
            Not Before: Jun  3 00:00:00 2017 GMT
            Not After : Aug  7 12:00:00 2018 GMT
        Subject: businessCategory=Government Entity/jurisdictionC=RO/serialNumber=Government Entity/street=Splaiul Independentei 313/postalCode=060042, C=RO, L=Bucharest, O=Universitatea POLITEHNICA din Bucuresti, OU=Automatic Control and Computers Faculty, CN=open-source.cs.pub.ro
...

Repeat the process for systems.cs.pub.ro

3. [20p] Generating and Inspecting a Certificate

4. [20p] Unencrypted Client/Server Communication

5. [20p] Client/Server Communication over SSL/TLS

6. [BONUS 20p] Configuring HTTPS for a Web Server

Resources

Laboratories

Table of Contents

scgc/laboratoare/08.1525547205.txt.gz ยท Last modified: 2018/05/05 22:06 by nicolae.ivan
Old revisions
Media ManagerBack to top
CC Attribution-Share Alike 3.0 Unported
www.chimeric.de Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0