SSL #
SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security), are protocols for establishing authenticated and encrypted links between networked computers.
Although the SSL protocol was deprecated with the release of TLS 1.0 in 1999, it is still common to refer to these related technologies as “SSL” or “SSL/TLS.”
TLS #
Transport Layer Security (TLS), the successor of the now-deprecated Secure Sockets Layer (SSL), is a cryptographic protocol.
- TLS paired with HTTP is called HTTPS.
- TLS runs as a separate layer that wraps connections.
- It supplies only the security for the connection and does not involve itself in the HTTP transaction.
- Because of this clean separation, TLS can secure not only HTTP but also other protocols such as SMTP.
The latest version of TLS is 1.2. Disable all versions of SSL, along with TLS version 1.0, because of known weaknesses. TLS 1.3 is under active development.
Client Certificate Authentication (CCA) #
How to configure it in popular web servers? #
Apache #
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /etc/apache2/ssl/client.crt
The default value of SSLVerifyClient, none, does not require CCA; therefore the server will not include a CertificateRequest message in the TLS handshake.
The value require enforces CCA, so the CertificateRequest message is included in the handshake. If the client does not provide a certificate in its Certificate message, or mod_ssl fails to verify the certificate provided, the TLS handshake is aborted and a fatal TLS alert is sent to the client.
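Whether a server actually enforces CCA is visible on the wire: its handshake flight either contains a CertificateRequest message (type 13) or it does not. The following is an added example, not code from the original page: a small parser that walks TLS record-layer framing, lists the handshake messages in the server's flight, flags a CertificateRequest, and reports whether the record version is one the text above says to disable (SSL 3.0, TLS 1.0). The sample flights are constructed placeholder bytes, not captures, and the parser assumes each handshake message fits inside a single record.

```python
import struct
HANDSHAKE_RECORD, CERTIFICATE_REQUEST = 0x16, 13
MSG_NAMES = {2: "ServerHello", 11: "Certificate", 13: "CertificateRequest", 14: "ServerHelloDone"}
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
DISABLE = {0x0300, 0x0301}  # SSL 3.0 and TLS 1.0: versions the text says to turn off

def parse_handshake_messages(data: bytes):
    """Walk TLS records; return (record-layer versions, handshake message types).
    Assumes each handshake message fits in one record (no cross-record fragmentation)."""
    versions, types, off = [], [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        off += 5 + length
        versions.append(version)
        if ctype != HANDSHAKE_RECORD:
            continue  # ChangeCipherSpec/alert records carry no handshake messages
        pos = 0
        while pos < len(body):
            if len(body) - pos < 4:
                raise ValueError("truncated handshake header")
            htype, hlen = body[pos], int.from_bytes(body[pos + 1:pos + 4], "big")
            pos += 4 + hlen
            if pos > len(body):
                raise ValueError("handshake message overruns record")
            types.append(htype)
    return versions, types

def summarize(data: bytes) -> dict:
    """Is CCA enforced (CertificateRequest present), and is a version to disable in use?"""
    versions, types = parse_handshake_messages(data)
    return {"versions": [VERSION_NAMES.get(v, hex(v)) for v in versions],
            "messages": [MSG_NAMES.get(t, str(t)) for t in types],
            "requests_client_cert": CERTIFICATE_REQUEST in types,
            "deprecated_versions": sorted({VERSION_NAMES[v] for v in versions if v in DISABLE})}

def build_record(version: int, *messages) -> bytes:
    """Constructed test data: one handshake record holding (type, payload) messages."""
    body = b"".join(bytes([t]) + len(p).to_bytes(3, "big") + p for t, p in messages)
    return struct.pack("!BHH", HANDSHAKE_RECORD, version, len(body)) + body

# Constructed server flights (not captures); payloads are placeholders, only type/length are read.
HELLO, CERT = b"\x03\x03" + b"\x00" * 34, b"\x00" * 8
NO_CCA_FLIGHT = build_record(0x0303, (2, HELLO), (11, CERT), (14, b""))
CCA_FLIGHT = build_record(0x0303, (2, HELLO), (11, CERT), (13, b"\x01\x01"), (14, b""))
LEGACY_FLIGHT = build_record(0x0301, (2, HELLO), (11, CERT), (14, b""))
```

Running summarize() over NO_CCA_FLIGHT reports no CertificateRequest, which is what a server left at SSLVerifyClient none (or ssl_verify_client off) produces; CCA_FLIGHT reports one.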
nginx #
http {
    server {
        server_name nginx;
        listen 443 ssl;
        # make sure those exist!
        ssl_certificate /etc/nginx/fullchain.pem;
        ssl_certificate_key /etc/nginx/privkey.pem;
        # client certificate
        ssl_client_certificate /etc/nginx/client_certs/ca.crt;
        # make verification optional, so we can display a 403 message to those
        # who fail authentication
        ssl_verify_client optional; # or `on` if you require a client certificate
        location / {
            # if the client-side certificate failed to authenticate, show a 403
            # message to the client
            if ($ssl_client_verify != SUCCESS) {
                return 403;
            }
            root /usr/share/nginx/html;
            index index.html;
        }
    }
}