Differences
This shows you the differences between two versions of the page.
|
scgc:laboratoare:08 [2020/04/13 16:47] maria.mihailescu |
scgc:laboratoare:08 [2021/10/13 17:25] (current) maria.mihailescu |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Laboratory 08. Security: PKI, X.509, SSL, TLS ====== | + | ====== Security: PKI, X.509, SSL, TLS ====== |
| TLS (Transport Layer Security) is a cryptographic protocol that provides communication security between a client and a server. Usually, the identity of the server is verified through a certificate. This certificate contains a public key, the identity of the server and a signature which verifies that the key belongs to the entity in the certificate. | TLS (Transport Layer Security) is a cryptographic protocol that provides communication security between a client and a server. Usually, the identity of the server is verified through a certificate. This certificate contains a public key, the identity of the server and a signature which verifies that the key belongs to the entity in the certificate. | ||
| Line 6: | Line 6: | ||
| ===== Lab Setup ===== | ===== Lab Setup ===== | ||
| - | * We will be using a virtual machine in the [[http://cloud.curs.pub.ro/|faculty's cloud]]. | + | * We will be using a virtual machine in the [[http://cloud.grid.pub.ro/|faculty's cloud]]. |
| - | * When creating a virtual machine follow the steps in this [[https://cloud.curs.pub.ro/about/tutorial-for-students/|tutorial]]. | + | |
| * When creating a virtual machine in the Launch Instance window: | * When creating a virtual machine in the Launch Instance window: | ||
| * Select **Boot from image** in **Instance Boot Source** section | * Select **Boot from image** in **Instance Boot Source** section | ||
| Line 21: | Line 20: | ||
| ===== Tasks ====== | ===== Tasks ====== | ||
| - | ==== 1. [20p] Inspecting and Verifying a Certificate ==== | + | ==== 1. Inspecting and Verifying a Certificate ==== |
| Begin by inspecting the certificate found in the ''houdini.cs.pub.ro.crt-roedunet'' file. | Begin by inspecting the certificate found in the ''houdini.cs.pub.ro.crt-roedunet'' file. | ||
| Line 92: | Line 91: | ||
| Find the ''issuer'' for each of the certificates and use the appropriate certificate chain. | Find the ''issuer'' for each of the certificates and use the appropriate certificate chain. | ||
| </note> | </note> | ||
| - | ==== 2. [20p] Remotely Inspecting a Certificate ==== | + | ==== 2. Remotely Inspecting a Certificate ==== |
| Connect to ''aero.curs.pub.ro'' using a secure connection to obtain its certificate. | Connect to ''aero.curs.pub.ro'' using a secure connection to obtain its certificate. | ||
| <code> | <code> | ||
| $ echo | openssl s_client -connect aero.curs.pub.ro:443 | $ echo | openssl s_client -connect aero.curs.pub.ro:443 | ||
| - | CONNECTED(00000005) | + | CONNECTED(00000003) |
| - | depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA | + | depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority |
| verify return:1 | verify return:1 | ||
| - | depth=1 C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL High Assurance CA 3 | + | depth=1 C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4 |
| verify return:1 | verify return:1 | ||
| - | depth=0 businessCategory = Government Entity, jurisdictionC = RO, serialNumber = Government Entity, C = RO, L = Bucure\C8\99ti, O = Universitatea POLITEHNICA din Bucuresti, OU = NCIT Cluster, CN = acs.curs.pub.ro | + | depth=0 C = RO, postalCode = 060042, L = Bucure\C8\99ti, street = Sectorul 6, street = "Independentei Street, No.313", O = Universitatea Politehnica din Bucure\C8\99ti, OU = NCIT Cluster, CN = *.curs.pub.ro |
| verify return:1 | verify return:1 | ||
| --- | --- | ||
| Certificate chain | Certificate chain | ||
| - | 0 s:businessCategory = Government Entity, jurisdictionC = RO, serialNumber = Government Entity, C = RO, L = Bucure\C8\99ti, O = Universitatea POLITEHNICA din Bucuresti, OU = NCIT Cluster, CN = acs.curs.pub.ro | + | 0 s:C = RO, postalCode = 060042, L = Bucure\C8\99ti, street = Sectorul 6, street = "Independentei Street, No.313", O = Universitatea Politehnica din Bucure\C8\99ti, OU = NCIT Cluster, CN = *.curs.pub.ro |
| - | i:C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL High Assurance CA 3 | + | i:C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4 |
| - | 1 s:C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL High Assurance CA 3 | + | 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services |
| - | i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA | + | i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services |
| + | 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority | ||
| + | i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services | ||
| + | 3 s:C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4 | ||
| + | i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority | ||
| ... | ... | ||
| </code> | </code> | ||
| - | The received certificate appears to be for ''acs.curs.pub.ro''. This is because both servers have same certificate (issued to acs.curs.pub.ro) and ''aero.cs.pub.ro'' is a subject alternative name (SAN) for the domain. Let's inspect the certificate: | + | The received certificate appears to be for ''*.curs.pub.ro''. This is a wildcard certificate that is available for all subdomains of ''curs.pub.ro''. Such certificates can be used when all subdomains are secured by the same server (web server or load balancer). Let's inspect the certificate: |
| <code> | <code> | ||
| Line 121: | Line 124: | ||
| Version: 3 (0x2) | Version: 3 (0x2) | ||
| Serial Number: | Serial Number: | ||
| - | 0d:34:0a:2f:41:fa:35:0e:5b:29:85:4c:1e:c1:51:23 | + | 3c:e8:ca:7b:24:34:0e:23:33:d2:ec:4d:3e:de:d0:03 |
| - | Signature Algorithm: sha256WithRSAEncryption | + | Signature Algorithm: sha384WithRSAEncryption |
| - | Issuer: C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL High Assurance CA 3 | + | Issuer: C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4 |
| Validity | Validity | ||
| - | Not Before: Sep 17 00:00:00 2019 GMT | + | Not Before: Jul 8 00:00:00 2020 GMT |
| - | Not After : Sep 21 12:00:00 2020 GMT | + | Not After : Jul 8 23:59:59 2021 GMT |
| - | Subject: businessCategory = Government Entity, jurisdictionC = RO, serialNumber = Government Entity, C = RO, L = Bucure\C8\99ti, O = Universitatea POLITEHNICA din Bucuresti, OU = NCIT Cluster, CN = acs.curs.pub.ro | + | Subject: C = RO, postalCode = 060042, L = Bucure\C8\99ti, street = Sectorul 6, street = "Independentei Street, No.313", O = Universitatea Politehnica din Bucure\C8\99ti, OU = NCIT Cluster, CN = *.curs.pub.ro |
| Subject Public Key Info: | Subject Public Key Info: | ||
| Public Key Algorithm: rsaEncryption | Public Key Algorithm: rsaEncryption | ||
| - | RSA Public-Key: (2048 bit) | + | RSA Public-Key: (4096 bit) |
| Modulus: | Modulus: | ||
| - | 00:bd:8f:eb:51:6d:52:af:25:30:c7:d2:92:34:a7: | + | 00:ce:7b:17:7b:8f:c3:be:00:b5:a4:7f:28:db:53: |
| - | 7e:8f:b5:44:9c:4f:2c:0c:71:33:72:83:e9:53:cc: | + | db:a2:27:c2:62:6d:a4:75:7b:10:b7:81:3e:1d:5c: |
| - | 7e:e3:9b:e2:81:95:48:a2:bd:9e:0c:de:d1:e0:56: | + | 6d:48:18:77:3f:f8:d6:5e:93:e8:50:fd:16:fb:a2: |
| - | 9f:f5:54:ea:70:9e:be:32:13:8e:6f:59:0b:57:45: | + | 79:ae:4b:12:39:22:df:28:9c:b7:82:b2:89:9c:7e: |
| - | c5:ca:f8:4b:5a:66:da:89:48:f2:fb:32:2c:0d:75: | + | 09:7a:43:b5:51:10:77:a3:c2:ec:bd:03:f6:b1:40: |
| - | 76:e1:e7:8b:57:2b:01:61:1c:a8:71:42:a5:6b:35: | + | f2:c1:82:ca:3b:53:fa:3a:5a:61:20:25:10:03:d6: |
| - | 7f:3e:a5:5b:dd:8d:85:8a:bf:ba:f2:0a:db:ed:eb: | + | cc:eb:67:da:0a:3a:5b:f5:95:5e:15:5d:7e:b8:9d: |
| - | c8:2a:9c:af:4b:2b:c2:28:80:3b:38:47:f3:64:80: | + | e5:9e:d5:0e:5b:4d:77:7b:eb:4f:e7:e6:ad:d4:7c: |
| - | 7f:7d:75:8c:9c:34:d2:63:ef:cd:d9:37:88:57:e0: | + | 20:dc:82:cc:d0:cf:63:5d:b3:8b:41:e4:3a:4e:70: |
| - | 49:54:df:fc:11:e1:e7:80:3b:74:95:f2:71:05:0d: | + | f6:18:75:a4:90:1a:b3:18:ad:b2:51:53:92:9f:bf: |
| - | 13:6a:fa:ba:eb:43:62:f9:dd:80:b7:f1:ee:36:5d: | + | ed:c1:c3:8e:ea:e0:8e:ef:68:fa:36:d2:c9:ed:8d: |
| - | 8e:9e:f6:7e:5a:cb:da:a0:ad:2b:17:ce:36:70:a1: | + | 34:24:4b:d5:9d:18:ab:42:c3:0d:38:71:1b:ea:a9: |
| - | 24:92:e3:60:f4:c5:a4:8d:da:53:e7:42:0a:e0:9d: | + | ca:28:ff:cf:f5:9d:e1:cd:53:69:7a:c8:f2:82:af: |
| - | 4b:64:8e:86:37:31:fe:53:b8:23:4b:71:75:48:c6: | + | 48:72:e9:96:db:16:00:7a:c0:fc:7a:7b:01:eb:d4: |
| - | af:97:fe:e5:26:05:54:5c:6b:b6:40:f2:98:8c:13: | + | 66:9a:6c:4c:66:7d:de:f7:bc:9d:43:90:c0:03:4a: |
| - | 05:b4:43:b7:aa:c6:76:06:85:fb:71:73:29:37:2d: | + | a6:42:98:e0:cc:44:58:85:00:6b:f2:76:cd:59:dc: |
| - | 00:12:b3:63:5d:13:f1:4a:06:06:c0:6b:e6:d1:01: | + | df:d0:83:88:eb:28:5c:c9:3a:1b:b2:0d:61:27:1f: |
| - | 8d:f5 | + | ed:a9:63:0e:4a:f7:3e:25:b3:ab:30:92:15:b6:b2: |
| + | 89:53:50:48:b2:77:39:6a:43:42:47:0d:d2:b6:c7: | ||
| + | 27:40:f9:77:1b:55:44:7e:67:81:5e:cf:7e:8e:65: | ||
| + | 1c:a4:0b:05:b6:ff:0a:91:70:79:40:f9:be:e8:17: | ||
| + | 74:81:3a:c1:f2:be:51:2e:3a:0b:d2:a9:55:1c:37: | ||
| + | 3b:2b:76:eb:2c:7b:64:fc:e7:0f:6c:c4:28:f7:7c: | ||
| + | 2c:d0:61:31:a8:f6:db:fd:89:08:c6:9d:c5:98:ec: | ||
| + | cd:55:4b:e9:7b:3c:95:45:68:ca:fe:f0:45:75:2f: | ||
| + | 6b:65:53:c2:44:b0:44:16:af:e8:d2:5b:d5:e0:1d: | ||
| + | 57:45:6f:43:02:80:62:0d:d8:5a:75:ac:fd:ae:a0: | ||
| + | 6b:b0:52:7c:00:cf:65:57:2e:ce:0a:8d:ec:24:68: | ||
| + | 75:ce:62:92:0b:bf:b1:02:65:b9:6f:fe:a9:fa:77: | ||
| + | 24:7f:5a:2b:7d:aa:bb:42:50:8e:d4:91:f0:94:3d: | ||
| + | 3c:42:47:64:c7:92:c7:4f:ce:0b:43:01:f6:92:c2: | ||
| + | 4e:d0:2c:9b:ee:9f:b0:6b:d2:14:84:54:0c:ad:53: | ||
| + | 74:01:0e:b4:2b:63:95:cc:51:1e:44:ce:ef:9c:c0: | ||
| + | 9d:a7:98:41:1a:c4:3b:97:75:f5:eb:84:00:22:8e: | ||
| + | b9:66:37 | ||
| Exponent: 65537 (0x10001) | Exponent: 65537 (0x10001) | ||
| X509v3 extensions: | X509v3 extensions: | ||
| - | X509v3 Authority Key Identifier: | + | X509v3 Authority Key Identifier: |
| - | keyid:C2:B8:85:D7:E1:B9:13:BD:D1:48:BC:FD:5E:DC:7D:90:42:7A:8A:A9 | + | keyid:6F:1D:35:49:10:6C:32:FA:59:A0:9E:BC:8A:E8:1F:95:BE:71:7A:0C |
| - | X509v3 Subject Key Identifier: | + | X509v3 Subject Key Identifier: |
| - | 84:AD:71:69:54:FA:D1:44:BC:74:1A:9F:C8:93:25:D7:A3:62:80:9D | + | F9:09:37:51:7C:1D:EC:62:7A:9E:F9:4C:23:98:9E:FB:14:3F:52:D9 |
| - | X509v3 Subject Alternative Name: | + | X509v3 Key Usage: critical |
| - | DNS:acs.curs.pub.ro, DNS:aero.curs.pub.ro, DNS:aracis.curs.pub.ro, DNS:chim.curs.pub.ro, DNS:cs.curs.pub.ro, DNS:dmkm.curs.pub.ro, DNS:dppd.curs.pub.ro, DNS:electro.curs.pub.ro, DNS:electronica.curs.pub.ro, DNS:energ.curs.pub.ro, DNS:faima.curs.pub.ro, DNS:fils.curs.pub.ro, DNS:fim.curs.pub.ro, DNS:fsa.curs.pub.ro, DNS:hub.curs.pub.ro, DNS:imst.curs.pub.ro, DNS:isb.curs.pub.ro, DNS:mecanica.curs.pub.ro, DNS:nt.curs.pub.ro, DNS:posdru62485.curs.pub.ro, DNS:postdoc.curs.pub.ro, DNS:sas.curs.pub.ro, DNS:sim.curs.pub.ro, DNS:tet.curs.pub.ro, DNS:transporturi.curs.pub.ro, DNS:www.curs.pub.ro, DNS:fiir.curs.pub.ro | + | Digital Signature, Key Encipherment |
| - | ... | + | X509v3 Basic Constraints: critical |
| - | </code> | + | CA:FALSE |
| + | X509v3 Extended Key Usage: | ||
| + | TLS Web Server Authentication, TLS Web Client Authentication | ||
| + | X509v3 Certificate Policies: | ||
| + | Policy: 1.3.6.1.4.1.6449.1.2.2.79 | ||
| + | CPS: https://sectigo.com/CPS | ||
| + | Policy: 2.23.140.1.2.2 | ||
| - | As we can see, all the Subject Alternative Names (SAN) can be found under in the certificate, under ''DNS'' entries. | + | X509v3 CRL Distribution Points: |
| - | <note tip> | + | Full Name: |
| - | Within a browser, inspect the certificate for ''aero.curs.pub.ro'' and find the field that specifies the Subject Alternative Names for the certificate. | + | URI:http://GEANT.crl.sectigo.com/GEANTOVRSACA4.crl |
| - | </note> | + | |
| - | <hidden> | + | Authority Information Access: |
| - | Connect to ''open-source.cs.pub.ro'' using a secure connection to obtain its certificate. | + | CA Issuers - URI:http://GEANT.crt.sectigo.com/GEANTOVRSACA4.crt |
| - | <code> | + | OCSP - URI:http://GEANT.ocsp.sectigo.com |
| - | $ echo | openssl s_client -connect open-source.cs.pub.ro:443 | + | |
| - | CONNECTED(00000003) | + | |
| - | depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Assured ID Root CA | + | |
| - | verify return:1 | + | |
| - | depth=1 C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL CA 3 | + | |
| - | verify return:1 | + | |
| - | depth=0 C = RO, L = Bucharest, O = Universitatea POLITEHNICA din Bucuresti, OU = Computer Science and Engineering Department, CN = koala.cs.pub.ro | + | |
| - | verify return:1 | + | |
| - | --- | + | |
| - | Certificate chain | + | |
| - | 0 s:/C=RO/L=Bucharest/O=Universitatea POLITEHNICA din Bucuresti/OU=Computer Science and Engineering Department/CN=koala.cs.pub.ro | + | |
| - | i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3 | + | |
| - | 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3 | + | |
| - | i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA | + | |
| - | ... | + | |
| - | </code> | + | |
| - | The received certificate appears to be for ''koala.cs.pub.ro''. This is because the server is using virtual hosting. We can specify which server we are trying to connect to in the following way: | + | X509v3 Subject Alternative Name: |
| - | <code> | + | DNS:*.curs.pub.ro, DNS:curs.pub.ro |
| - | $ echo | openssl s_client -connect open-source.cs.pub.ro:443 -servername open-source.cs.pub.ro | + | |
| - | CONNECTED(00000003) | + | |
| - | depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA | + | |
| - | verify return:1 | + | |
| - | depth=1 C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL High Assurance CA 3 | + | |
| - | verify return:1 | + | |
| - | depth=0 businessCategory = Government Entity, jurisdictionC = RO, serialNumber = Government Entity, street = Splaiul Independentei 313, postalCode = 060042, C = RO, L = Bucharest, O = Universitatea POLITEHNICA din Bucuresti, OU = Automatic Control and Computers Faculty, CN = open-source.cs.pub.ro | + | |
| - | verify return:1 | + | |
| - | --- | + | |
| - | Certificate chain | + | |
| - | 0 s:/businessCategory=Government Entity/jurisdictionC=RO/serialNumber=Government Entity/street=Splaiul Independentei 313/postalCode=060042/C=RO/L=Bucharest/O=Universitatea POLITEHNICA din Bucuresti/OU=Automatic Control and Computers Faculty/CN=open-source.cs.pub.ro | + | |
| - | i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL High Assurance CA 3 | + | |
| - | 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL High Assurance CA 3 | + | |
| - | i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA | + | |
| - | --- | + | |
| - | Server certificate | + | |
| - | -----BEGIN CERTIFICATE----- | + | |
| ... | ... | ||
| - | -----END CERTIFICATE----- | ||
| - | ... | ||
| - | --- | ||
| - | DONE | ||
| </code> | </code> | ||
| - | Now, we can redirect the actual certificate information to the ''openssl'' utility to inspect the certificate: | + | As we can see, all the Subject Alternative Names (SAN) can be found under in the certificate, under ''DNS'' entries. |
| - | <code> | + | |
| - | $ echo | openssl s_client -connect open-source.cs.pub.ro:443 -servername open-source.cs.pub.ro 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -text | + | |
| - | Certificate: | + | |
| - | Data: | + | |
| - | Version: 3 (0x2) | + | |
| - | Serial Number: | + | |
| - | 07:a6:ee:d5:f5:2d:f2:f9:63:35:24:0f:39:e3:25:17 | + | |
| - | Signature Algorithm: sha512WithRSAEncryption | + | |
| - | Issuer: C=NL, ST=Noord-Holland, L=Amsterdam, O=TERENA, CN=TERENA SSL High Assurance CA 3 | + | |
| - | Validity | + | |
| - | Not Before: Jun 3 00:00:00 2017 GMT | + | |
| - | Not After : Aug 7 12:00:00 2018 GMT | + | |
| - | Subject: businessCategory=Government Entity/jurisdictionC=RO/serialNumber=Government Entity/street=Splaiul Independentei 313/postalCode=060042, C=RO, L=Bucharest, O=Universitatea POLITEHNICA din Bucuresti, OU=Automatic Control and Computers Faculty, CN=open-source.cs.pub.ro | + | |
| - | ... | + | |
| - | </code> | + | |
| - | </hidden> | + | <note tip> |
| - | + | Within a browser, inspect the certificate for ''aero.curs.pub.ro'' and find the field that specifies the Subject Alternative Names for the certificate. To avoid automatic redirecting to ''curs.upb.ro'', go to ''aero.curs.pub.ro/2019''. | |
| - | + | </note> | |
| - | ==== 3. [20p] Generating and Inspecting a Certificate ==== | + | ==== 3. Generating and Inspecting a Certificate ==== |
| The steps required when generating a certificate are as follows: | The steps required when generating a certificate are as follows: | ||
| Line 292: | Line 265: | ||
| $ openssl x509 -in server.scgc.crt -noout -modulus | md5sum | $ openssl x509 -in server.scgc.crt -noout -modulus | md5sum | ||
| d80db122c02c6ef6eabb3b4cbd8b8f40 - | d80db122c02c6ef6eabb3b4cbd8b8f40 - | ||
| - | osboxes@osboxes:~/lab08/lab-10$ openssl rsa -in server.scgc.key -noout -modulus | md5sum | + | $ openssl rsa -in server.scgc.key -noout -modulus | md5sum |
| d80db122c02c6ef6eabb3b4cbd8b8f40 - | d80db122c02c6ef6eabb3b4cbd8b8f40 - | ||
| </code> | </code> | ||
| Line 301: | Line 274: | ||
| server.scgc.crt: OK | server.scgc.crt: OK | ||
| </code> | </code> | ||
| - | ==== 4. [15p] Unencrypted Client/Server Communication ==== | + | |
| + | <note warning> | ||
| + | Currently, the ''scgc-ca.crt'' certificate is expired, so the last command will fail. If you want to solve this issue, you can regenerate the CA certificate by running the following commands (and resign the newly created CSR): | ||
| + | <code bash> | ||
| + | $ openssl req -new -key scgc-ca/scgc-ca.key -out scgc-ca/scgc-ca.csr | ||
| + | $ openssl x509 -req -in scgc-ca/scgc-ca.csr -signkey scgc-ca/scgc-ca.key -out scgc-ca/scgc-ca.crt | ||
| + | </code> | ||
| + | |||
| + | </note> | ||
| + | ==== 4. Unencrypted Client/Server Communication ==== | ||
| <note important> | <note important> | ||
| Line 326: | Line 308: | ||
| Also, the messages can be seen in plaintext in the ''tcpdump'' log. | Also, the messages can be seen in plaintext in the ''tcpdump'' log. | ||
| </note> | </note> | ||
| - | ==== 5. [25p] Client/Server Communication over SSL/TLS ==== | + | ==== 5. Client/Server Communication over SSL/TLS ==== |
| Use ''openssl s_server'' to start a server listening on the same port as the previous exercise. Use the ''server.scgc'' certificate previously generated. | Use ''openssl s_server'' to start a server listening on the same port as the previous exercise. Use the ''server.scgc'' certificate previously generated. | ||
