SSL

From BC$ MobileTV Wiki

Secure Sockets Layer (commonly abbreviated SSL) is a security mechanism for transmitting data electronically. It is most commonly coupled with the HTTP protocol, resulting in a more secure transport known as HTTPS.


Specifications

[1]


Certificates

In cryptography, a public key certificate (also known as a digital certificate or identity certificate) is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about its owner's identity, and the digital signature of an entity that has verified that the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.

In a typical public-key infrastructure (PKI) scheme, the signer is a certificate authority (CA), usually a company that charges customers to issue certificates for them. In a web of trust scheme, the signer is either the key's owner (a self-signed certificate) or other users ("endorsements") whom the person examining the certificate might know and trust.

[23][24][25][26][27][28][29] [30]


CSR

In Public Key Infrastructure (PKI) systems, a Certificate Signing Request (also CSR or certification request) is a message sent from an applicant to a Certificate Authority in order to apply for a digital identity certificate. Before creating a CSR, the applicant first generates a key pair, keeping the private key secret. The CSR contains information identifying the applicant (such as a distinguished name in the case of an X.509 certificate) which must be signed using the applicant's private key. The CSR also contains the public key chosen by the applicant. The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority, and the certificate authority may contact the applicant for further information.
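The applicant and CA steps described above, as an added example (not from the original page) using the Python `cryptography` package. The host name `portal.example.test` and all helper names are assumptions for illustration; the last helper shows that a request altered after signing no longer verifies.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

HOST = "portal.example.test"  # constructed name, not from the page

def spki_der(public_key):
    """Canonical encoding of a public key, used to compare two keys."""
    return public_key.public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)

def make_csr(hostname=HOST):
    """Applicant side: generate the key pair first, then build and sign the CSR."""
    key = ec.generate_private_key(ec.SECP256R1())  # private key never leaves the applicant
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .sign(key, hashes.SHA256())  # signature made with the applicant's private key
    )
    return key, csr.public_bytes(serialization.Encoding.PEM)

def ca_review(csr_pem):
    """CA side: read the identifying data and check the request's self-signature."""
    csr = x509.load_pem_x509_csr(csr_pem)
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return {
        "subject_cn": cn,
        "signature_ok": csr.is_signature_valid,  # proves possession of the private key
        "spki": spki_der(csr.public_key()),      # public key the applicant chose
    }

def alter_subject(csr_pem, old, new):
    """Simulate a request changed after signing (same-length name swap, no re-sign)."""
    if len(old) != len(new):
        raise ValueError("old and new must have equal length to keep the DER valid")
    der = x509.load_pem_x509_csr(csr_pem).public_bytes(serialization.Encoding.DER)
    altered = x509.load_der_x509_csr(der.replace(old.encode(), new.encode()))
    return altered.public_bytes(serialization.Encoding.PEM)

if __name__ == "__main__":
    key, pem = make_csr()
    print(ca_review(pem)["signature_ok"])
    print(ca_review(alter_subject(pem, "portal", "portbl"))["signature_ok"])
```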


CA

Certificate Authority (CA).


Tools

SNI

Server Name Indication (SNI) is an additional part of the SSL/TLS specification in which the client must indicate the hostname it intends to connect to before initiating the handshake process or sending or receiving any messages.

[33] [34] [35] [36] [37] [38] [39]
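To see where the hostname ends up, the added example below (not from the original page) uses only the Python standard library to produce a client's first handshake bytes in memory and parse the `server_name` extension out of them. The host name and function names are assumptions; the parser handles a ClientHello that fits in one TLS record.

```python
import ssl
import struct

def capture_client_hello(hostname):
    """Return the first bytes a TLS client would send when told to reach `hostname`."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()  # in-memory transport, no socket
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is queued and the client awaits a reply
    return outgoing.read()

def extract_sni(record):
    """Parse one TLS record holding a ClientHello; return the SNI host name or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[9:5 + rec_len]  # skip record header (5) and handshake header (4)
    try:
        pos = 2 + 32                                         # legacy_version + random
        pos += 1 + body[pos]                                 # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + body[pos]                                 # compression_methods
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= min(ext_end, len(body)):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        # Extension type 0 is server_name; entry type 0 is host_name.
        if ext_type == 0 and len(data) >= 5 and data[2] == 0:
            name_len = int.from_bytes(data[3:5], "big")
            return data[5:5 + name_len].decode("ascii")
        pos += 4 + ext_len
    return None  # no server_name extension present

if __name__ == "__main__":
    hello = capture_client_hello("portal.example.test")  # constructed host name
    print(len(hello), "bytes queued; SNI =", extract_sni(hello))
```

The name is read from bytes produced before any reply arrives, so it is not protected by the keys the handshake later establishes. When the client is given an IP address instead of a name, no `server_name` extension is sent.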


OpenSSL

[40]

MashSSL


Google Tink

  • Google Tink: https://github.com/google/tink (multi-language, cross-platform library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse)

[41] [42] [43]




Resources


Tutorials


External Links

[46] [47] [48] [49] [50] [51] [52] [53] [54]


References

  1. Certification Authority Authorization (CAA) now mandated by CA/Browser Forum: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
  2. What is an SSL Certificate?: http://www.globalsign.com/en/ssl-information-center/what-is-an-ssl-certificate/
  3. What are certificates?: http://www.youtube.com/watch?v=LRMBZhdFjDI
  4. What Are Certificates?: http://technet.microsoft.com/en-us/library/cc758348(v=ws.10).aspx
  5. What is SSL and what are Certificates?: http://tldp.org/HOWTO/SSL-Certificates-HOWTO/x64.html
  6. Public key pinning update to Chrome and all Google web properties (04 May 2011): https://www.imperialviolet.org/2011/05/04/pinning.html
  7. Where can I find all SSL CA certificates?: http://security.stackexchange.com/questions/42946/where-can-i-find-all-ssl-ca-certificates
  8. Firefox certs: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/
  9. Chrome certs: https://support.google.com/chrome/a/answer/6080885?hl=en (NOTE: it uses the default certificates included with the OS)
  10. Opera certs: https://certs.opera.com/ (installs the most used CAs while installing the application, you can find the rest in the Opera online root repository as linked)
  11. iOS & Mac Safari certs: https://support.apple.com/kb/ht5012
  12. Creating Self-Signed SSL Certificates for Apache on Linux: http://www.linux.com/learn/creating-self-signed-ssl-certificates-apache-linux
  13. Apache Tomcat 9 -- SSL/TLS Configuration HOW-TO: http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
  14. Tomcat Server/Client Self-Signed SSL Certificate: http://stackoverflow.com/questions/1180397/tomcat-server-client-self-signed-ssl-certificate
  15. Self-Signed Cert configuration for Tomcat: http://www.trialdatasolutions.com/tds/howto/selfsignedcertificate.jsp
  16. Create a Self-Signed Server Certificate in IIS 7: https://technet.microsoft.com/en-us/library/cc753127(v=ws.10).aspx
  17. How to -- Create Temporary Certificates for Use During Development: https://msdn.microsoft.com/en-us/library/ms733813(v=vs.110).aspx
  18. How to -- Create Your Own Test Certificate: https://msdn.microsoft.com/en-us/library/ff699202.aspx
  19. Create and export a self-signed certificate: https://technet.microsoft.com/en-us/library/ff710475(v=ws.10).aspx
  20. When to Use a "Java Keytool" Self-Signed Certificate: http://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-using-java-keytool.html
  21. The most common Java "keytool" Keystore commands: https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
  22. Creating a Keystore File and Keystore Password for HTTPS Connections: https://docs.oracle.com/cd/E19636-01/819-1655/fapsf/index.html
  23. Converting a Java Keystore (.jks) into PEM Format: https://www.baeldung.com/java-keystore-convert-to-pem-format
  24. How to self-sign certificates: http://docs.splunk.com/Documentation/Splunk/6.5.1/Security/Howtoself-signcertificates
  25. Signed vs. Self-signed Certificates: http://webdesign.about.com/od/ssl/a/signed_v_selfsi.htm
  26. 'keytool' is not recognized as an internal or external command: https://stackoverflow.com/questions/43720147/keytool-is-not-recognized-as-an-internal-or-external-command
  27. Keytool is not recognized as an internal or external command: https://stackoverflow.com/questions/19431788/keytool-is-not-recognized-as-an-internal-or-external-command
  28. Oracle/Sun guide to generating a Keystore, Certificate Signing Request & Certificate: https://docs.oracle.com/cd/E19636-01/819-1655/fapsf/index.html
  29. keytool - Key and Certificate Management Tool: https://docs.oracle.com/javase/1.5.0/docs/tooldocs/solaris/keytool.html
  30. Let’s Encrypt SSL Security Errors starting Sep 30, 2021 - your connection is not private: https://medium.com/@BraunDoug/lets-encrypt-ssl-security-errors-starting-on-sep-30-2021-your-connection-is-not-private-417ca007fe07 (fix could be as simple as removing expired “initial root cert” of LetsEncrypt then restart servers)
  31. CSR creation using OpenSSL in Apache: https://www.digicert.com/csr-creation-apache.htm
  32. When to use Let's Encrypt's webroot and standalone authorization: https://advancedweb.hu/2018/06/05/letsencrypt_webroot_vs_standalone/
  33. Java SSL handshake with Server Name Identification (SNI): https://javabreaks.blogspot.com/2015/12/java-ssl-handshake-with-server-name.html
  34. Use cURL with SNI (Server Name Indication): https://stackoverflow.com/questions/12941703/use-curl-with-sni-server-name-indication
  35. PHP server-side SNI support: https://stackoverflow.com/questions/20865301/php-server-side-sni-support
  36. If You Can Read This, You're SNIing: https://www.mnot.net/blog/2014/05/09/if_you_can_read_this_youre_sniing
  37. F5 LoadBalancers -- SNI Routing with BIG-IP: https://devcentral.f5.com/s/articles/sni-routing-with-big-ip-31348
  38. C# (CSharp) System.Data.SqlClient.SNI SNIHandle Examples: https://csharp.hotexamples.com/examples/System.Data.SqlClient.SNI/SNIHandle/-/php-snihandle-class-examples.html
  39. How to implement Server Name Indication (SNI): https://stackoverflow.com/questions/5113333/how-to-implement-server-name-indication-sni
  40. How to determine if OpenSSL and mod_ssl are installed on Apache2: https://stackoverflow.com/questions/1367545/how-to-determine-if-openssl-and-mod-ssl-are-installed-on-apache2
  41. Cryptography With Google Tink: https://medium.com/coinmonks/cryptography-with-google-tink-33a70d71918d
  42. Google Tink Example – Google Cryptography: https://www.javainterviewpoint.com/google-tink-example/
  43. Guide to Google Tink: https://www.baeldung.com/google-tink
  44. Invoking the Secure Protocol RestService from OSGI Client (AEM is in http protocol) not working: https://forums.adobe.com/thread/2328160
  45. How to fix javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException -- No subject alternative names present: http://www.littlebigextra.com/how-to-fix-javax-net-ssl-sslhandshakeexception-java-security-cert-certificateexception-no-subject-alternative-names-present/
  46. Everything (basic thing) You Need To Know About SSL Certificates: https://get-mobdro.com/everything-you-need-to-know-about-ssl-certificates/
  47. Everything You Need to Know about SSL Certificates: https://brilliantinfo.net/ssl-certificates/
  48. Everything You Need to Know About SSL/TSL Certificates: https://business.blogthinkbig.com/everything-you-need-know-about-ssl-tsl-certificates/
  49. SSL certificate limitations: https://www.hostpapa.com/knowledgebase/ssl-certificate-limitations/
  50. Google I/O 2014 - HTTPS Everywhere: https://www.youtube.com/watch?v=cBhZ6S0PFCY
  51. Everything You Wanted to Know about SSL Certificates: https://luxsci.com/blog/everything-you-wanted-to-know-about-ssl-certificates.html
  52. Everything you should know about certificates and PKI but are too afraid to ask: https://smallstep.com/blog/everything-pki/
  53. Important Things to Know before Installing an SSL Certificate: https://www.hostgator.com/help/article/important-things-you-should-know-before-installing-an-ssl-certificate
  54. SSL Certificate Explained -- EV, OV & DV explained - Everything You Need To Know About SSL: https://truehost.com.ng/ssl-certificate-explained/

See Also

HTTPS | TLS | Security | DNS