Security Basics
SSL workings Dec 02 2003 05:18PM
trystano aol com (4 replies)
Re: SSL workings Dec 03 2003 12:43PM
Markus Müssig (mmuessig multamedio de)
I will try to explain it from an https/http corner:
HTTP servers are usually accessed on port 80. They do a
three-way handshake and transmit data unencrypted. You can sniff every
object requested from a URL specified through the browser and see every
packet as "plain" unencrypted data...

A project definition from httpd.conf for a standard and minimal
http site:
<VirtualHost *:80>
DocumentRoot /data/srv/www/projectfolder
ServerName test.server.de
ServerAdmin root@localhost
ErrorLog /var/log/apache/error.log
TransferLog /var/log/apache/access.log
</VirtualHost>

HTTPS servers are usually accessed on port 443. The Apache configuration of
such a web project is a little more sophisticated:

<VirtualHost *:443>
DocumentRoot /data/srv/www/projectfolder
ServerName test.server.de
ServerAdmin root@localhost
ErrorLog /var/log/apache/error.log
TransferLog /var/log/apache/access.log

# use SSL
SSLEngine on
# possible encryption algorithms
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# server certificate sent when a client connects at port 443
SSLCertificateFile /data/ssl/certPool/BitworxCA/certs/testserver.bitworx.de.crt
# private key for the server certificate
SSLCertificateKeyFile /data/ssl/certPool/BitworxCA/private/testserver.bitworx.de.key
SSLCACertificatePath /data/ssl/certPool/BitworxCA/ca/
# CA which signed the server certificate
SSLCACertificateFile /data/ssl/certPool/BitworxCA/ca/ca.pem
</VirtualHost>

As you see above, a server cert is sent to a client connecting to that
server:443.
The following occurs during initial connection handling:
Server sends a server cert with public key.
Client has to accept the cert (that's done automatically if the server cert is
signed by a well-known cert authority like Thawte, VeriSign...).
Now client and server negotiate a symmetric session key, using the
public/private keys from the cert for encrypting that phase.
After agreeing on a symmetric session key, traffic is encrypted with that
session key.

1. Three-way handshake
2. Client HELLO
3. Server HELLO
4. Server cert to client
5. Exchange keys
6. Exchange cipher specs
7. Negotiation of symmetric session key (until now: public/private key encryption)
8. Encrypted data by use of the session key

Hope that helps a little bit!

TO EVERYONE:
Please correct/add things you know/know better than me...

regards, Markus Muessig

On Tue, 2003-12-02 at 18:18, trystano (at) aol (dot) com [email concealed] wrote:
> Can someone please highlight exactly how SSL works. I know it encrypts data sent between a client and a server and uses authentication through use of certificates etc.
>
> But does it secure the socket/port out of which the data is being transferred? Does SSL send data through a different port than normal unprotected data transfers?
>
> Sorry if this sounds kind of beginner like :-s
>
> Cheers
>
> Tryst
--
----------------------------------------------------------------------
Markus Müssig MULTA MEDIO Informationssysteme AG
- Systemadministrator - Mergentheimer Str. 76a
97082 Wuerzburg
mailto:mmuessig (at) multamedio (dot) de [email concealed] Tel: +49 (0)931 79717-18
http://www.multamedio.de Fax: +49 (0)931 79717-30
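As an added illustration of steps 2 and 3 above (example code, not part of Markus's post), this Python script builds a TLS 1.2 ClientHello carrying the cipher suites the client offers plus the server name, parses it the way a server would, and then picks a suite from a server-side preference list, which is the role the SSLCipherSuite line plays. The suite IDs are real IANA values; the record bytes and preference lists are constructed for the example.

```python
import struct

# IANA cipher-suite IDs with their OpenSSL names; NULL-SHA is an "eNULL" suite (no encryption)
SUITES = {0xC02F: "ECDHE-RSA-AES128-GCM-SHA256", 0x002F: "AES128-SHA", 0x0002: "NULL-SHA"}

def build_client_hello(server_name, suites):
    """Construct a TLS 1.2 ClientHello record (step 2) with a server_name (SNI) extension."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name            # host_name type + name
    sni_ext = struct.pack("!HH", 0, len(sni_entry) + 2) + struct.pack("!H", len(sni_entry)) + sni_entry
    body = (b"\x03\x03" + bytes(32)                                       # version + 32-byte random (zeros, constructed)
            + b"\x00"                                                      # empty session id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                                  # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 0x16 = handshake

def parse_client_hello(rec):
    """Parse the record back; returns the client version, offered suites and SNI the server reads first."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    if struct.unpack("!H", rec[3:5])[0] != len(rec) - 5:
        raise ValueError("record length mismatch")
    body = rec[9:9 + int.from_bytes(rec[6:9], "big")]
    pos = 2 + 32                                                           # skip version and random
    pos += 1 + body[pos]                                                   # skip session id
    n = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]; pos += n
    pos += 1 + body[pos]                                                   # skip compression methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end, sni = pos + ext_len, None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        if etype == 0:                                                     # server_name: list len(2), type(1), name len(2), name
            nlen = struct.unpack("!H", body[pos + 3:pos + 5])[0]
            sni = body[pos + 5:pos + 5 + nlen].decode()
        pos += elen
    return {"version": body[:2], "suites": suites, "sni": sni}

def choose_cipher(offered, server_pref):
    """Server side of step 3: first suite in the server's preference order that the client also offered."""
    return next((s for s in server_pref if s in offered), None)

if __name__ == "__main__":
    rec = build_client_hello("test.server.de", [0xC02F, 0x002F, 0x0002])
    hello = parse_client_hello(rec)
    print("SNI:", hello["sni"], "offered:", [SUITES[s] for s in hello["suites"]])
    print("chosen:", SUITES.get(choose_cipher(hello["suites"], [0xC02F, 0x002F])))
```

A server preference list that omits NULL-SHA answers an eNULL-only client with no match, which is the decision the posted SSLCipherSuite hands to Apache.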

Re: SSL workings Dec 03 2003 05:29AM
Creed Erickson (creed mac com)
RE: SSL workings Dec 03 2003 12:23AM
dave kleiman (dave isecureu com)
RE: SSL workings Dec 02 2003 11:56PM
Joey Peloquin (jpelo1 jcpenney com)