This file contains short notes about the SSL assignment worked out by Pavel Strachota. -------- GENERAL: -------- The information about establishing a new CA has been taken from the book: Network Security with OpenSSL, chapter 3.3. Additional information taken from the OpenSSL documentation and the associated HOWTOs. See the supplied scripts for more detail about their purpose and function. ------------------------------------------------------------------------ THE Digithell Test Certification Authority - the Digithell_CA directory: ------------------------------------------------------------------------ Generating a root CA certificate: --------------------------------- 1) genkeyp 2) genreqp 3) ssignreqp (all with appropriate parameters - this all has already been done so that it it conforms to the settings in the configuration file SSL_config) 4) place the certificate and the private key to the folders specified in SSL_config Generating a user certificate: ------------------------------ 1) genkeyp (possibly with no args - see the script for more info) 2) genreqp ( -- " -- ) 3) signreq 4) take the resulting certificate from CA_storage/newcerts (the highest serial number) NOTE: When generating a certificate request, the server address (in text format), that is, the server name, is often used as a COMMON NAME (CN). For x509v3, it is recommended to use the dNSName field of the subjectAltName extension. -------------------------------- sslclient and sslserver features -------------------------------- - protocol selection - port selection - cipher suite selection - exclusion of SSL version 2 - host name verification - alternate host name specification - brief help -------------------------------- Handling sslclient and sslserver -------------------------------- 1) run sslserver on host 1 2) run sslclient on host 2, specify address of host 1 3) type anything on the client console, it will appear on the server console. The server will change the text case and will send it back. 4) type .[ENTER] to make the server shut down connection type ..[ENTER] to make the server shut down itself sslclient: To turn on host name verification, use the -h option. ------------------------ The applications' issues ------------------------ - SSLv2 does not work with certificates that include x509 version 3 extensions - how to reasonably incorporate CRL without diving into x509 suite stuff ? - sslclient: currently the certificates don't contain the x509v3 dNSName extension, and thus the host name can be compared to the CN (commonName) only. Since the server CN is EchoServer, you have to use an alternate host name to successfully test this function: sslclient localhost -h -n echoserver - to successfully connect, sslclient and sslserver must use a compatible set of ciphers (the --use-ciphers option). Moreover, the ciphers have to be compatible with the certificates and with the applications themselves, e.g the DH (Diffie-Hellman) ciphers are not supported (sslclient/sslserver don't use ephemeral keying and thus only support RSA private keys)