TLS
TLS supersedes SSL. It is used to encrypt communication between two parties, often over the transport layer (e.g. TCP). OpenSSL is a common implementation of both SSL and TLS used on Linux platforms.
1 Certificate Authorities
The OpenSSL configuration files live in /etc/ssl, notably /etc/ssl/certs, which holds a list of trusted certificates for the platform.
PEM is a format in which X.509 certificates (see below) are encoded.
When establishing an SSL/TLS connection, OpenSSL and other software may first look in the /etc/ssl/certs directory for individual certificate files that match the server's certificate. If a matching certificate is found, it can be used to verify the server's identity. If no matching certificate is found, the software may then fall back to using the /etc/ssl/certs/ca-certificates.crt bundle to establish trust.
See also: https://manpages.ubuntu.com/manpages/xenial/man8/update-ca-certificates.8.html.
2 Digital Certificates
Communication starts with the client and server agreeing to use a certain cipher suite. The server will then provide its Digital Certificate:
    import ssl
    # https://github.com/mcepl/M2Crypto
    import M2Crypto

    # Fetch the server's certificate in PEM form. Without ca_certs,
    # get_server_certificate() does not validate the certificate.
    certificate = ssl.get_server_certificate(('www.gnu.org', 443))
    x509 = M2Crypto.X509.load_cert_string(certificate)
    x509.get_issuer().as_text()  # "C=US, O=Let's Encrypt, CN=R3"
    x509.get_subject().as_text()  # "CN=wildebeest1p.gnu.org"
Note that X.509 is the format used in TLS/SSL certificates. In the above snippet we obtain information about the certificate of 'www.gnu.org'. There are two principals associated with a certificate: the issuer and the subject.
First of all we obtain information about the issuer:
C=US tells us that the issuer is located in the US.
O=Let's Encrypt is the organisation distributing the certificate (Let's Encrypt).
CN=R3 tells us that R3 is an intermediate certificate (CN stands for "Common Name"). We will need to follow the certificate chain to fully verify this certificate:

    $ openssl s_client -showcerts -servername www.gnu.org -connect www.gnu.org:443 </dev/null
    CONNECTED(00000003)
    depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = R3
    verify return:1
    depth=0 CN = wildebeest1p.gnu.org
    verify return:1
    # More output omitted
Next we obtain information about the subject:
CN=wildebeest1p.gnu.org is the entity to whom the certificate is assigned.
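An added example (not part of the original notes): a small Python parser for the depth/verify lines of the s_client output above, which reports whether the chain verified cleanly down to the leaf. It also covers a case the page's output does not show: s_client prints "verify return:1" even after a "verify error" line unless it is run with -verify_return_error. The second sample and all helper names are constructed for illustration.

```python
import re

# Verify lines copied from the s_client output shown on this page.
PAGE_OUTPUT = """\
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = wildebeest1p.gnu.org
verify return:1
"""

# Constructed sample: s_client still prints "verify return:1" after an error
# unless it is run with -verify_return_error.
UNTRUSTED_OUTPUT = """\
depth=0 CN = internal.example.test
verify error:num=20:unable to get local issuer certificate
verify return:1
"""

def parse_dn(text):
    """Turn "C = US, O = Let's Encrypt, CN = R3" into a dict of attributes."""
    # Split only on ", " that starts a new "KEY = " so commas in values survive.
    parts = re.split(r", (?=[A-Za-z0-9.]+ = )", text)
    return dict(part.split(" = ", 1) for part in parts)

def parse_chain(output):
    """Return one entry per certificate, in the order s_client printed them."""
    chain = []
    for line in output.splitlines():
        if m := re.match(r"depth=(\d+) (.+)", line):
            chain.append({"depth": int(m[1]), "subject": parse_dn(m[2]),
                          "errors": [], "returned": None})
        elif chain and (m := re.match(r"verify error:num=(\d+):(.+)", line)):
            chain[-1]["errors"].append((int(m[1]), m[2]))
        elif chain and (m := re.match(r"verify return:(\d+)", line)):
            chain[-1]["returned"] = int(m[1])
    return chain

def chain_trusted(chain):
    """True only if every certificate down to the leaf (depth 0) verified cleanly."""
    depths = [entry["depth"] for entry in chain]
    complete = bool(depths) and depths == list(range(depths[0], -1, -1))
    return complete and all(e["returned"] == 1 and not e["errors"] for e in chain)

if __name__ == "__main__":
    for sample in (PAGE_OUTPUT, UNTRUSTED_OUTPUT):
        chain = parse_chain(sample)
        print([e["subject"].get("CN") for e in chain], "trusted:", chain_trusted(chain))
```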