1<html>
2<head>
3<title>mod_ssl: Introduction</title>
4
5<!--
6  Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
7
8  Redistribution and use in source and binary forms, with or without
9  modification, are permitted provided that the following conditions
10  are met:
11
12  1. Redistributions of source code must retain the above
13     copyright notice, this list of conditions and the following
14     disclaimer.
15
16  2. Redistributions in binary form must reproduce the above
17     copyright notice, this list of conditions and the following
18     disclaimer in the documentation and/or other materials
19     provided with the distribution.
20
21  3. All advertising materials mentioning features or use of this
22     software must display the following acknowledgment:
23     "This product includes software developed by
24      Ralf S. Engelschall <rse@engelschall.com> for use in the
25      mod_ssl project (http://www.modssl.org/)."
26
27  4. The name "mod_ssl" must not be used to endorse or promote
28     products derived from this software without prior written
29     permission.
30
31  5. Redistributions of any form whatsoever must retain the
32     following acknowledgment:
33     "This product includes software developed by
34      Ralf S. Engelschall <rse@engelschall.com> for use in the
35      mod_ssl project (http://www.modssl.org/)."
36
37  THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY
38  EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
39  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
40  PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL RALF S. ENGELSCHALL OR
41  HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
42  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
43  NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
44  LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
45  HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
46  STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
47  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
48  OF THE POSSIBILITY OF SUCH DAMAGE.
49-->
50<style type="text/css"><!--
51A:link {
52    text-decoration: none;
53    color: #6666cc;
54}
55A:active {
56    text-decoration: none;
57    color: #6666cc;
58}
59A:visited {
60    text-decoration: none;
61    color: #6666cc;
62}
63#sf {
64    font-family: arial,helvetica;
65    font-variant: normal;
66    font-style: normal;
67}
68H1 {
69    font-weight: bold;
70    font-size: 24pt;
71    line-height: 24pt;
72    font-family: arial,helvetica;
73    font-variant: normal;
74    font-style: normal;
75}
76H2 {
77    font-weight: bold;
78    font-size: 18pt;
79    line-height: 18pt;
80    font-family: arial,helvetica;
81    font-variant: normal;
82    font-style: normal;
83}
84H3 {
85    font-weight: bold;
86    font-size: 14pt;
87    line-height: 14pt;
88    font-family: arial,helvetica;
89    font-variant: normal;
90    font-style: normal;
91}
92H4 {
93    font-weight: bold;
94    font-size: 12pt;
95    line-height: 12pt;
96    font-family: arial,helvetica;
97    font-variant: normal;
98    font-style: normal;
99}
100#H {
101}
102#D {
103    background-color: #f0f0f0;
104}
105#faq {
106    font-weight: bold;
107    font-size: 16pt;
108    line-height: 16pt;
109    font-family: arial,helvetica;
110    font-variant: normal;
111    font-style: normal;
112}
113#howto {
114    font-weight: bold;
115    font-size: 16pt;
116    line-height: 16pt;
117    font-family: arial,helvetica;
118    font-variant: normal;
119    font-style: normal;
120}
121#term {
122    font-weight: bold;
123    font-size: 16pt;
124    line-height: 16pt;
125    font-family: arial,helvetica;
126    font-variant: normal;
127    font-style: normal;
128}
129--></style>
130<script type="text/javascript" language="JavaScript">
131<!-- Hiding the code
132function ro_imgNormal(imgName) {
133    if (document.images) {
134        document[imgName].src = eval(imgName + '_n.src');
135        self.status = '';
136    }
137}
138function ro_imgOver(imgName, descript) {
139    if (document.images) {
140        document[imgName].src = eval(imgName + '_o.src');
141        self.status = descript;
142    }
143}
144// done hiding -->
145</script>
146<script type="text/javascript" language="JavaScript">
147<!-- Hiding the code
148if (document.images) {
149    ro_img_prev_top_n = new Image();
150    ro_img_prev_top_n.src = 'ssl_template.navbut-prev-n.gif';
151    ro_img_prev_top_o = new Image();
152    ro_img_prev_top_o.src = 'ssl_template.navbut-prev-s.gif';
153}
154// done hiding -->
155</script>
156<script type="text/javascript" language="JavaScript">
157<!-- Hiding the code
158if (document.images) {
159    ro_img_prev_bot_n = new Image();
160    ro_img_prev_bot_n.src = 'ssl_template.navbut-prev-n.gif';
161    ro_img_prev_bot_o = new Image();
162    ro_img_prev_bot_o.src = 'ssl_template.navbut-prev-s.gif';
163}
164// done hiding -->
165</script>
166<script type="text/javascript" language="JavaScript">
167<!-- Hiding the code
168if (document.images) {
169    ro_img_next_top_n = new Image();
170    ro_img_next_top_n.src = 'ssl_template.navbut-next-n.gif';
171    ro_img_next_top_o = new Image();
172    ro_img_next_top_o.src = 'ssl_template.navbut-next-s.gif';
173}
174// done hiding -->
175</script>
176<script type="text/javascript" language="JavaScript">
177<!-- Hiding the code
178if (document.images) {
179    ro_img_next_bot_n = new Image();
180    ro_img_next_bot_n.src = 'ssl_template.navbut-next-n.gif';
181    ro_img_next_bot_o = new Image();
182    ro_img_next_bot_o.src = 'ssl_template.navbut-next-s.gif';
183}
184// done hiding -->
185</script>
186</head>
187<body bgcolor="#ffffff" text="#000000" link="#333399" alink="#9999ff" vlink="#000066">
188<div align="center">
189<table width="600" cellspacing="0" cellpadding="0" border="0" summary="">
190<tr>
191  <td>
192      <img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="600" height="1" align="bottom" border="0"><br>
193      <table width="600" cellspacing="0" cellpadding="0" summary="">
194      <tr>
195        <td>
196        <table width="600" summary="">
197        <tr>
198            <td align="left" valign="bottom">
199            <font face="Arial,Helvetica" size="+2"><b>mod_ssl</b></font>
200            </td>
201            <td align="right">
202              <img src="ssl_template.head-chapter.gif" alt="Chapter" width="175" height="94"> <img src="ssl_template.head-num-2.gif" alt="2" width="74" height="89">
203            </td>
204        </tr>
205        </table>
206        </td>
207      </tr>
208      <tr>
209        <td><img src="ssl_template.imgdot-1x1-000000.gif" alt="" width="600" height="2" align="bottom" border="0"></td>
210      </tr>
211      <tr>
212        <td>
213           <table width="600" border="0" summary="">
214           <tr>
215            <td valign="top" align="left" width="250">
216<a href="ssl_overview.html" onmouseover="ro_imgOver('ro_img_prev_top', 'previous page'); return true" onmouseout="ro_imgNormal('ro_img_prev_top'); return true" onfocus="ro_imgOver('ro_img_prev_top', 'previous page'); return true" onblur="ro_imgNormal('ro_img_prev_top'); return true"><img name="ro_img_prev_top" src="ssl_template.navbut-prev-n.gif" alt="previous page" width="70" height="18" border="0"></a><br><font color="#000000">Overview</font>
217            </td>
218            <td valign="top" align="right" width="250">
219<a href="ssl_reference.html" onmouseover="ro_imgOver('ro_img_next_top', 'next page'); return true" onmouseout="ro_imgNormal('ro_img_next_top'); return true" onfocus="ro_imgOver('ro_img_next_top', 'next page'); return true" onblur="ro_imgNormal('ro_img_next_top'); return true"><img name="ro_img_next_top" src="ssl_template.navbut-next-n.gif" alt="next page" width="70" height="18" border="0"></a><br><font color="#000000">Reference</font>
220            </td>
221           </tr>
222           </table>
223         </td>
224      </tr>
225      <tr>
226        <td>
227          <br>
228          <img src="ssl_template.title-intro.gif" alt="Introduction" width="456" height="60">
229        </td>
230      </tr>
231      </table>
232<div align="right">
233<table cellspacing="0" cellpadding="0" width="400" summary="">
234<tr>
235<td>
236<em>
237``The nice thing about standards is that there are so many to choose from.
238And if you really don't like all the standards you just have to wait another
239year until the one arises you are looking for.''
240</em>
241</td>
242</tr>
243<tr>
244<td align="right">
245<font size="-1">
246A. Tanenbaum, ``Introduction to Computer Networks''
247</font>
248</td>
249</tr>
250</table>
251</div>
252<p>
253<table cellspacing="0" cellpadding="0" border="0" summary="">
254<tr valign="bottom">
255<td>
256<img src="ssl_intro.gfont000.gif" alt="A" width="37" height="35" border="0" align="left">
257s an introduction this chapter is aimed at readers who are familiar
258with the Web, HTTP, and Apache, but are not security experts. It is not
259intended to be a definitive guide to the SSL protocol, nor does it discuss
260specific techniques for managing certificates in an organization, or the
261important legal issues of patents and import and export restrictions. Rather,
262it is intended to provide a common background to mod_ssl users by pulling
263together various concepts, definitions, and examples as a starting point for
264further exploration.
265<p>
266The presented content is mainly derived, with permission by the author, from
267the article <a
268href="http://www.ultranet.com/~fhirsch/Papers/wwwj/index.html"><em>Introducing SSL
269and Certificates using SSLeay</em></a> from <a
270href="http://www.ultranet.com/~fhirsch/">Frederick J. Hirsch</a>, of The Open
271Group Research Institute, which was published in <a
272href="http://www.ora.com/catalog/wjsum97/"><em>Web Security: A Matter of
273Trust</em></a>, World Wide Web Journal, Volume 2, Issue 3, Summer 1997.
274Please send any postive feedback to <a
275href="mailto:fjh@alum.mit.edu">Frederick Hirsch</a> (the original
276article author) and all negative feedback to <a
277href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> (the mod_ssl
278author).
279</td>
280<td>
281&nbsp;&nbsp;
282</td>
283<td>
284<div align="right">
285<table cellspacing="0" cellpadding="5" border="0" bgcolor="#ccccff" summary="">
286<tr>
287<td bgcolor="#333399">
288<font face="Arial,Helvetica" color="#ccccff">
289<b>Table Of Contents</b>
290</font>
291</td>
292</tr>
293<tr>
294<td>
295<font face="Arial,Helvetica" size="-1">
296&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC1"><strong>Cryptographic Techniques</strong></a><br>
297&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC2"><strong>Cryptographic Algorithms</strong></a><br>
298&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC3"><strong>Message Digests</strong></a><br>
299&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC4"><strong>Digital Signatures</strong></a><br>
300&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC5"><strong>Certificates</strong></a><br>
301&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC6"><strong>Certificate Contents</strong></a><br>
302&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC7"><strong>Certificate Authorities</strong></a><br>
303&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC8"><strong>Certificate Chains</strong></a><br>
304&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC9"><strong>Creating a Root-Level CA</strong></a><br>
305&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC10"><strong>Certificate Management</strong></a><br>
306&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC11"><strong>Secure Sockets Layer (SSL)</strong></a><br>
307&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC12"><strong>Session Establishment</strong></a><br>
308&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC13"><strong>Key Exchange Method</strong></a><br>
309&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC14"><strong>Cipher for Data Transfer</strong></a><br>
310&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC15"><strong>Digest Function</strong></a><br>
311&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC16"><strong>Handshake Sequence Protocol</strong></a><br>
312&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC17"><strong>Data Transfer</strong></a><br>
313&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC18"><strong>Securing HTTP Communication</strong></a><br>
314&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC19"><strong>References</strong></a><br>
315</font>
316</td>
317</tr>
318</table>
319</div>
320</td>
321</tr>
322</table>
323<h2><a name="ToC1">Cryptographic Techniques</a></h2>
324Understanding SSL requires an understanding of cryptographic algorithms,
325message digest functions (aka. one-way or hash functions), and digital
326signatures. These techniques are the subject of entire books (see for instance
327[<a href="#AC96">AC96</a>]) and provide the basis for privacy, integrity, and
328authentication.
329<h3><a name="ToC2">Cryptographic Algorithms</a></h3>
330Suppose Alice wants to send a message to her bank to transfer some money.
331Alice would like the message to be private, since it will include information
332such as her account number and transfer amount. One solution is to use a
333cryptographic algorithm, a technique that would transform her message into an
334encrypted form, unreadable except by those it is intended for. Once in this
335form, the message may only be interpreted through the use of a secret key.
336Without the key the message is useless: good cryptographic algorithms make it
337so difficult for intruders to decode the original text that it isn't worth
338their effort.
339<p>
340There are two categories of cryptographic algorithms:
341conventional and public key.
342<ul>
343<li><em>Conventional cryptography</em>, also known as symmetric
344cryptography, requires the sender and receiver to share a key: a secret
345piece of information that may be used to encrypt or decrypt a message.
346If this key is secret, then nobody other than the sender or receiver may
347read the message. If Alice and the bank know a secret key, then they
348may send each other private messages. The task of privately choosing a key
349before communicating, however, can be problematic.
350<p>
351<li><em>Public key cryptography</em>, also known as asymmetric cryptography,
352solves the key exchange problem by defining an algorithm which uses two keys,
353each of which may be used to encrypt a message. If one key is used to encrypt
354a message then the other must be used to decrypt it. This makes it possible
355to receive secure messages by simply publishing one key (the public key) and
356keeping the other secret (the private key).
357<p>
358Anyone may encrypt a message using the public key, but only the owner of the
359private key will be able to read it. In this way, Alice may send private
360messages to the owner of a key-pair (the bank), by encrypting it using their
361public key. Only the bank will be able to decrypt it.
362</ul>
363<h3><a name="ToC3">Message Digests</a></h3>
364Although Alice may encrypt her message to make it private, there is still a
365concern that someone might modify her original message or substitute
366it with a different one, in order to transfer the money to themselves, for
367instance. One way of guaranteeing the integrity of Alice's message is to
368create a concise summary of her message and send this to the bank as well.
369Upon receipt of the message, the bank creates its own summary and compares it
370with the one Alice sent. If they agree then the message was received intact.
371<p>
372A summary such as this is called a <em>message digest</em>, <em>one-way
373function</em> or <em>hash function</em>. Message digests are used to create
374short, fixed-length representations of longer, variable-length messages.
375Digest algorithms are designed to produce unique digests for different
376messages. Message digests are designed to make it too difficult to determine
377the message from the digest, and also impossible to find two different
378messages which create the same digest -- thus eliminating the possibility of
379substituting one message for another while maintaining the same digest.
380<p>
381Another challenge that Alice faces is finding a way to send the digest to the
382bank securely; when this is achieved, the integrity of the associated message
383is assured. One way to to this is to include the digest in a digital
384signature.
385<h3><a name="ToC4">Digital Signatures</a></h3>
386When Alice sends a message to the bank, the bank needs to ensure that the
387message is really from her, so an intruder does not request a transaction
388involving her account. A <em>digital signature</em>, created by Alice and
389included with the message, serves this purpose.
390<p>
391Digital signatures are created by encrypting a digest of the message,
392and other information (such as a sequence number) with the sender's
393private key. Though anyone may <em>decrypt</em> the signature using the public
394key, only the signer knows the private key. This means that only they may
395have signed it. Including the digest in the signature means the signature is
396only good for that message; it also ensures the integrity of the message since
397no one can change the digest and still sign it.
398<p>
399To guard against interception and reuse of the signature by an intruder at a
400later date, the signature contains a unique sequence number. This protects
401the bank from a fraudulent claim from Alice that she did not send the message
402-- only she could have signed it (non-repudiation).
403<h2><a name="ToC5">Certificates</a></h2>
404Although Alice could have sent a private message to the bank, signed it, and
405ensured the integrity of the message, she still needs to be sure that she is
406really communicating with the bank. This means that she needs to be sure that
407the public key she is using corresponds to the bank's private key. Similarly,
408the bank also needs to verify that the message signature really corresponds to
409Alice's signature.
410<p>
411If each party has a certificate which validates the other's identity, confirms
412the public key, and is signed by a trusted agency, then they both will be
413assured that they are communicating with whom they think they are. Such a
414trusted agency is called a <em>Certificate Authority</em>, and certificates are
415used for authentication.
416<h3><a name="ToC6">Certificate Contents</a></h3>
417A certificate associates a public key with the real identity of an individual,
418server, or other entity, known as the subject. As shown in <a
419href="#table1">Table 1</a>, information about the subject includes identifying
420information (the distinguished name), and the public key. It also includes
421the identification and signature of the Certificate Authority that issued the
422certificate, and the period of time during which the certificate is valid. It
423may have additional information (or extensions) as well as administrative
424information for the Certificate Authority's use, such as a serial number.
425<p>
426<div align="center">
427<a name="table1"></a>
428<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
429<caption align="bottom" id="sf">Table 1: Certificate Information</caption>
430<tr><td bgcolor="#cccccc">
431<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
432<tr><td valign="top" align="center" bgcolor="#ffffff">
433<table summary="">
434<tr valign="top"><td><b>Subject:</b></td>
435<td>Distinguished Name, Public Key</td></tr>
436<tr valign="top"><td><b>Issuer:</b></td>
437<td>Distinguished Name, Signature</td></tr>
438<tr><td><b>Period of Validity:</b></td>
439<td>Not Before Date, Not After Date</td></tr>
440<tr><td><b>Administrative Information:</b></td>
441<td>Version, Serial Number</td></TR>
442<tr><td><b>Extended Information:</b></td>
443<td>Basic Contraints, Netscape Flags, etc.</td></TR>
444</table>
445</td>
446</tr></table>
447</td></tr></table>
448</div>
449<p>
450A distinguished name is used to provide an identity in a specific context --
451for instance, an individual might have a personal certificate as well as one
452for their identity as an employee. Distinguished names are defined by the
453X.509 standard [<a href="#X509">X509</A>], which defines the fields, field
454names, and abbreviations used to refer to the fields
455(see <a href="#table2">Table 2</a>).
456<p>
457<div align="center">
458<a name="table2"></a>
459<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
460<caption align="bottom" id="sf">Table 2: Distinguished Name Information</caption>
461<tr><td bgcolor="#cccccc">
462<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
463<tr><td valign="top" align="center" bgcolor="#ffffff">
464<table summary="">
465<tr valign="top"><td><b>DN Field:</b></td><td><b>Abbrev.:</b></td><td><b>Description:</b></td>
466<td><b>Example:</b></td>
467</t>
468<tr valign="top"><td>Common Name</td><td>CN</td>
469<td>Name being certified</td><td>CN=Joe Average</td></tr>
470<tr valign="top"><td>Organization or Company</td><td>O</td>
471<td>Name is associated with this<br>organization</td><td>O=Snake Oil, Ltd.</td></tr>
472<tr valign="top"><td>Organizational Unit</td><td>OU</td>
473<td>Name is associated with this <br>organization unit, such as a department</td><td>OU=Research Institute</td></tr>
474<tr valign="top"><td>City/Locality</td><td>L</td>
475<td>Name is located in this City</td><td>L=Snake City</td></tr>
476<tr valign="top"><td>State/Province</td><td>ST</td>
477<td>Name is located in this State/Province</td><td>ST=Desert</td></tr>
478<tr valign="top"><td>Country</td><td>C</td>
479<td>Name is located in this Country (ISO code)</td><td>C=XZ</td></tr>
480</table>
481</td>
482</tr></table>
483</td></tr></table>
484</div>
485<p>
486A Certificate Authority may define a policy specifying which distinguished
487field names are optional, and which are required. It may also place
488requirements upon the field contents, as may users of certificates. As an
489example, a Netscape browser requires that the Common Name for a certificate
490representing a server has a name which matches a wildcard pattern for the
491domain name of that server, such as <code>*.snakeoil.com</code>.
492<p>
493The binary format of a certificate is defined using the ASN.1 notation [ <a
494href="#X208">X208</a>] [<a href="#PKCS">PKCS</a>]. This notation defines how to
495specify the contents, and encoding rules define how this information is
496translated into binary form. The binary encoding of the certificate is
497defined using Distinguished Encoding Rules (DER), which are based on the more
498general Basic Encoding Rules (BER). For those transmissions which cannot
499handle binary, the binary form may be translated into an ASCII form by using
500Base64 encoding [<a href="#MIME">MIME</a>]. This encoded version is called PEM
501encoded (the name comes from "Privacy Enhanced Mail"), when placed between
502begin and end delimiter lines as illustrated in <a href="#table3">Table 3</a>.
503<p>
504<div align="center">
505<a name="table3"></a>
506<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
507<caption align="bottom" id="sf">Table 3: Example of a PEM-encoded certificate (snakeoil.crt)</caption>
508<tr><td bgcolor="#cccccc">
509<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
510<tr><td valign="top" align="center" bgcolor="#ffffff">
511<table cellspacing="0" cellpadding="0" summary=""><tr><td>
512<div class="code"><pre>
513-----BEGIN CERTIFICATE-----
514MIIC7jCCAlegAwIBAgIBATANBgkqhkiG9w0BAQQFADCBqTELMAkGA1UEBhMCWFkx
515FTATBgNVBAgTDFNuYWtlIERlc2VydDETMBEGA1UEBxMKU25ha2UgVG93bjEXMBUG
516A1UEChMOU25ha2UgT2lsLCBMdGQxHjAcBgNVBAsTFUNlcnRpZmljYXRlIEF1dGhv
517cml0eTEVMBMGA1UEAxMMU25ha2UgT2lsIENBMR4wHAYJKoZIhvcNAQkBFg9jYUBz
518bmFrZW9pbC5kb20wHhcNOTgxMDIxMDg1ODM2WhcNOTkxMDIxMDg1ODM2WjCBpzEL
519MAkGA1UEBhMCWFkxFTATBgNVBAgTDFNuYWtlIERlc2VydDETMBEGA1UEBxMKU25h
520a2UgVG93bjEXMBUGA1UEChMOU25ha2UgT2lsLCBMdGQxFzAVBgNVBAsTDldlYnNl
521cnZlciBUZWFtMRkwFwYDVQQDExB3d3cuc25ha2VvaWwuZG9tMR8wHQYJKoZIhvcN
522AQkBFhB3d3dAc25ha2VvaWwuZG9tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
523gQDH9Ge/s2zcH+da+rPTx/DPRp3xGjHZ4GG6pCmvADIEtBtKBFAcZ64n+Dy7Np8b
524vKR+yy5DGQiijsH1D/j8HlGE+q4TZ8OFk7BNBFazHxFbYI4OKMiCxdKzdif1yfaa
525lWoANFlAzlSdbxeGVHoT0K+gT5w3UxwZKv2DLbCTzLZyPwIDAQABoyYwJDAPBgNV
526HRMECDAGAQH/AgEAMBEGCWCGSAGG+EIBAQQEAwIAQDANBgkqhkiG9w0BAQQFAAOB
527gQAZUIHAL4D09oE6Lv2k56Gp38OBDuILvwLg1v1KL8mQR+KFjghCrtpqaztZqcDt
5282q2QoyulCgSzHbEGmi0EsdkPfg6mp0penssIFePYNI+/8u9HT4LuKMJX15hxBam7
529dUHzICxBVC1lnHyYGjDuAMhe396lYAn8bCld1/L4NMGBCQ==
530-----END CERTIFICATE-----</pre></div>
531</td></tr></table>
532</td>
533</tr></table>
534</td></tr></table>
535</div>
536<h3><a name="ToC7">Certificate Authorities</a></h3>
537By first verifying the information in a certificate request before granting
538the certificate, the Certificate Authority assures the identity of the private
539key owner of a key-pair. For instance, if Alice requests a personal
540certificate, the Certificate Authority must first make sure that Alice really
541is the person the certificate request claims.
542<h4><a name="ToC8">Certificate Chains</a></h4>
543A Certificate Authority may also issue a certificate for another Certificate
544Authority. When examining a certificate, Alice may need to examine the
545certificate of the issuer, for each parent Certificate Authority, until
546reaching one which she has confidence in. She may decide to trust only
547certificates with a limited chain of issuers, to reduce her risk of a "bad"
548certificate in the chain.
549<h4><a name="ToC9">Creating a Root-Level CA</a></h4>
550As noted earlier, each certificate requires an issuer to assert the validity
551of the identity of the certificate subject, up to the top-level Certificate
552Authority (CA). This presents a problem: Since this is who vouches for the
553certificate of the top-level authority, which has no issuer?
554In this unique case, the certificate is "self-signed", so the issuer of the
555certificate is the same as the subject. As a result, one must exercise extra
556care in trusting a self-signed certificate. The wide publication of a public
557key by the root authority reduces the risk in trusting this key -- it would be
558obvious if someone else publicized a key claiming to be the authority.
559Browsers are preconfigured to trust well-known certificate authorities.
560<p>
561A number of companies, such as <a href="http://www.thawte.com/">Thawte</a> and
562<a href="http://www.verisign.com/">VeriSign</a> have established themselves as
563Certificate Authorities. These companies provide the following services:
564<ul>
565<li>Verifying certificate requests
566<li>Processing certificate requests
567<li>Issuing and managing certificates
568</ul>
569<p>
570It is also possible to create your own Certificate Authority. Although risky
571in the Internet environment, it may be useful within an Intranet where the
572organization can easily verify the identities of individuals and servers.
573<h4><a name="ToC10">Certificate Management</a></h4>
574Establishing a Certificate Authority is a responsibility which requires a
575solid administrative, technical, and management framework.
576Certificate Authorities not only issue certificates, they also manage them --
577that is, they determine how long certificates are valid, they renew them, and
578they keep lists of certificates that have already been issued but are no
579longer valid (Certificate Revocation Lists, or CRLs).
580Say Alice is entitled to a certificate as an employee of a company. Say too,
581that the certificate needs to be revoked when Alice leaves the company. Since
582certificates are objects that get passed around, it is impossible to tell from
583the certificate alone that it has been revoked.
584When examining certificates for validity, therefore, it is necessary to
585contact the issuing Certificate Authority to check CRLs -- this is not usually
586an automated part of the process.
587<p>
588<div align="center"><B>Note:</B></div>
589If you use a Certificate Authority that is not configured into browsers by
590default, it is necessary to load the Certificate Authority certificate into
591the browser, enabling the browser to validate server certificates signed by
592that Certificate Authority. Doing so may be dangerous, since once loaded, the
593browser will accept all certificates signed by that Certificate Authority.
594<h2><a name="ToC11">Secure Sockets Layer (SSL)</a></h2>
595The Secure Sockets Layer protocol is a protocol layer which may be placed
596between a reliable connection-oriented network layer protocol (e.g. TCP/IP)
597and the application protocol layer (e.g. HTTP). SSL provides for secure
598communication between client and server by allowing mutual authentication, the
599use of digital signatures for integrity, and encryption for privacy.
600<p>
601The protocol is designed to support a range of choices for specific algorithms
602used for cryptography, digests, and signatures. This allows algorithm
603selection for specific servers to be made based on legal, export or other
604concerns, and also enables the protocol to take advantage of new algorithms.
605Choices are negotiated between client and server at the start of establishing
606a protocol session.
607<p>
608<div align="center">
609<a name="table4"></a>
610<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
611<caption align="bottom" id="sf">Table 4: Versions of the SSL protocol</caption>
612<tr><td bgcolor="#cccccc">
613<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
614<tr><td valign="top" align="center" bgcolor="#ffffff">
615<table summary="">
616<tr valign="top">
617<td><b>Version:</b></td>
618<td><b>Source:</b></td>
619<td><b>Description:</b></td>
620<td><b>Browser Support:</b></td>
621</tr>
622<tr valign="top">
623<td>SSL v2.0</td>
624<td>Vendor Standard (from Netscape Corp.) [<a href="#SSL2">SSL2</a>]</td>
625<td>First SSL protocol for which implementations exists</td>
626<td>- NS Navigator 1.x/2.x<br>
627    - MS IE 3.x<br>
628    - Lynx/2.8+OpenSSL
629</td>
630</tr>
631<tr valign="top">
632<td>SSL v3.0</td>
633<td>Expired Internet Draft (from Netscape Corp.) [<a href="#SSL3">SSL3</a>]</td>
634<td>Revisions to prevent specific security attacks, add non-RSA ciphers, and support for certificate chains</td>
635<td>- NS Navigator 2.x/3.x/4.x<br>
636    - MS IE 3.x/4.x<br>
637    - Lynx/2.8+OpenSSL
638</td>
639</tr>
640<tr valign="top">
641<td>TLS v1.0</td>
642<td>Proposed Internet Standard (from IETF) [<a href="#TLS1">TLS1</a>]</td>
643<td>Revision of SSL 3.0 to update the MAC layer to HMAC, add block padding for
644    block ciphers, message order standardization and more alert messages.
645</td>
646<td>- Lynx/2.8+OpenSSL</td>
647</table>
648</td>
649</tr></table>
650</td></tr></table>
651</div>
652<p>
653There are a number of versions of the SSL protocol, as shown in <a
654href="#table4">Table 4</a>. As noted there, one of the benefits in SSL 3.0 is
655that it adds support of certificate chain loading. This feature allows a
656server to pass a server certificate along with issuer certificates to the
657browser. Chain loading also permits the browser to validate the server
658certificate, even if Certificate Authority certificates are not installed for
659the intermediate issuers, since they are included in the certificate chain.
660SSL 3.0 is the basis for the Transport Layer Security [<A
661HREF="#TLS1">TLS</A>] protocol standard, currently in development by the
662Internet Engineering Task Force (IETF).
663<h3><a name="ToC12">Session Establishment</a></h3>
664The SSL session is established by following a <I>handshake sequence</I>
665between client and server, as shown in <a href="#figure1">Figure 1</a>. This
666sequence may vary, depending on whether the server is configured to provide a
667server certificate or request a client certificate. Though cases exist where
668additional handshake steps are required for management of cipher information,
669this article summarizes one common scenario: see the SSL specification for the
670full range of possibilities.
671<p>
672<div align="center"><b>Note</b></div>
673Once an SSL session has been established it may be reused, thus avoiding the
674performance penalty of repeating the many steps needed to start a session.
675For this the server assigns each SSL session a unique session identifier which
676is cached in the server and which the client can use on forthcoming
677connections to reduce the handshake (until the session identifer expires in
678the cache of the server).
679<p>
680<div align="center">
681<a name="figure1"></a>
682<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
683<caption align="bottom" id="sf">Figure 1: Simplified SSL Handshake Sequence</caption>
684<tr><td bgcolor="#cccccc">
685<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
686<tr><td valign="top" align="center" bgcolor="#ffffff">
687<img src="ssl_intro_fig1.gif" alt="" width="423" height="327">
688</td>
689</tr></table>
690</td></tr></table>
691</div>
692<p>
693The elements of the handshake sequence, as used by the client and server, are
694listed below:
695<ol>
696<li>Negotiate the Cipher Suite to be used during data transfer
697<li>Establish and share a session key between client and server
698<li>Optionally authenticate the server to the client
699<li>Optionally authenticate the client to the server
700</ol>
701<p>
702The first step, Cipher Suite Negotiation, allows the client and server to
703choose a Cipher Suite supportable by both of them. The SSL3.0 protocol
704specification defines 31 Cipher Suites. A Cipher Suite is defined by the
705following components:
706<ul>
707<li>Key Exchange Method
708<li>Cipher for Data Transfer
709<li>Message Digest for creating the Message Authentication Code (MAC)
710</ul>
711These three elements are described in the sections that follow.
712<h3><a name="ToC13">Key Exchange Method</a></h3>
713The key exchange method defines how the shared secret symmetric cryptography
714key used for application data transfer will be agreed upon by client and
715server. SSL 2.0 uses RSA key exchange only, while SSL 3.0 supports a choice of
716key exchange algorithms including the RSA key exchange when certificates are
717used, and Diffie-Hellman key exchange for exchanging keys without certificates
718and without prior communication between client and server.
719<p>
720One variable in the choice of key exchange methods is digital signatures --
721whether or not to use them, and if so, what kind of signatures to use.
722Signing with a private key provides assurance against a
723man-in-the-middle-attack during the information exchange used in generating
724the shared key [<a href="#AC96">AC96</a>, p516].
725<h3><a name="ToC14">Cipher for Data Transfer</a></h3>
726SSL uses the conventional cryptography algorithm (symmetric cryptography)
727described earlier for encrypting messages in a session. There are nine
728choices, including the choice to perform no encryption:
729<ul>
730<li>No encryption
731<li>Stream Ciphers
732    <ul>
733    <li>RC4 with 40-bit keys
734    <li>RC4 with 128-bit keys
735    </ul>
736<li>CBC Block Ciphers
737    <ul>
738    <li>RC2 with 40 bit key
739    <li>DES with 40 bit key
740    <li>DES with 56 bit key
741    <li>Triple-DES with 168 bit key
742    <li>Idea (128 bit key)
743    <li>Fortezza (96 bit key)
744    </ul>
745</ul>
746Here "CBC" refers to Cipher Block Chaining, which means that a portion of the
747previously encrypted cipher text is used in the encryption of the current
748block. "DES" refers to the Data Encryption Standard [<a href="#AC96">AC96</a>,
749ch12], which has a number of variants (including DES40 and 3DES_EDE). "Idea"
750is one of the best and cryptographically strongest available algorithms, and
751"RC2" is a proprietary algorithm from RSA DSI [<a href="#AC96">AC96</a>,
752ch13].
753<h3><a name="ToC15">Digest Function</a></h3>
754The choice of digest function determines how a digest is created from a record
755unit. SSL supports the following:
756<ul>
757<li>No digest (Null choice)
758<li>MD5, a 128-bit hash
759<li>Secure Hash Algorithm (SHA-1), a 160-bit hash
760</ul>
761The message digest is used to create a Message Authentication Code (MAC) which
762is encrypted with the message to provide integrity and to prevent against
763replay attacks.
764<h3><a name="ToC16">Handshake Sequence Protocol</a></h3>
765The handshake sequence uses three protocols:
766<ul>
767<li>The <em>SSL Handshake Protocol</em>
768    for performing the client and server SSL session establishment.
769<li>The <em>SSL Change Cipher Spec Protocol</em> for actually establishing agreement
770    on the Cipher Suite for the session.
771<li>The <em>SSL Alert Protocol</em> for
772    conveying SSL error messages between client and server.
773</ul>
774These protocols, as well as application protocol data, are encapsulated in the
775<em>SSL Record Protocol</em>, as shown in <a href="#figure2">Figure 2</a>. An
776encapsulated protocol is transferred as data by the lower layer protocol,
777which does not examine the data. The encapsulated protocol has no knowledge of
778the underlying protocol.
779<p>
780<div align="center">
781<a name="figure2"></a>
782<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
783<caption align="bottom" id="sf">Figure 2: SSL Protocol Stack</caption>
784<tr><td bgcolor="#cccccc">
785<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
786<tr><td valign="top" align="center" bgcolor="#ffffff">
787<img src="ssl_intro_fig2.gif" alt="" width="428" height="217">
788</td>
789</tr></table>
790</td></tr></table>
791</div>
792<p>
793The encapsulation of SSL control protocols by the record protocol means that
794if an active session is renegotiated the control protocols will be transmitted
795securely. If there were no session before, then the Null cipher suite is
796used, which means there is no encryption and messages have no integrity
797digests until the session has been established.
798<h3><a name="ToC17">Data Transfer</a></h3>
799The SSL Record Protocol, shown in <a href="#figure3">Figure 3</a>, is used to
800transfer application and SSL Control data between the client and server,
801possibly fragmenting this data into smaller units, or combining multiple
802higher level protocol data messages into single units. It may compress, attach
803digest signatures, and encrypt these units before transmitting them using the
804underlying reliable transport protocol (Note: currently all major SSL
805implementations lack support for compression).
806<p>
807<div align="center">
808<a name="figure3"></a>
809<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
810<caption align="bottom" id="sf">Figure 3: SSL Record Protocol</caption>
811<tr><td bgcolor="#cccccc">
812<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
813<tr><td valign="top" align="center" bgcolor="#ffffff">
814<img src="ssl_intro_fig3.gif" alt="" width="423" height="323">
815</td>
816</tr></table>
817</td></tr></table>
818</div>
819<h3><a name="ToC18">Securing HTTP Communication</a></h3>
820One common use of SSL is to secure Web HTTP communication between a browser
821and a webserver. This case does not preclude the use of non-secured HTTP. The
822secure version is mainly plain HTTP over SSL (named HTTPS), but with one major
823difference: it uses the URL scheme <code>https</code> rather than
824<code>http</code> and a different server port (by default 443). This mainly
825is what mod_ssl provides to you for the Apache webserver...
826<h2><a name="ToC19">References</a></h2>
827<ul>
828<p>
829<li><a name="AC96"></a>
830[AC96] Bruce Schneier, <em>Applied Cryptography</em>, 2nd Edition, Wiley,
831       1996. See <a href="http://www.counterpane.com/">http://www.counterpane.com/</a> for
832       various other materials by Bruce Schneier.
833<p>
834<li><a name="X208"></a>
835[X208] ITU-T Recommendation X.208, <em>Specification of Abstract Syntax Notation
836       One (ASN.1)</em>, 1988. See for instance <a
837       href="ftp://ftp.neda.com/pub/itu/x.series/x208.ps">
838       ftp://ftp.neda.com/pub/itu/x.series/x208.ps</a>.
839<p>
840<li><a name="X509"></a>
841[X509] ITU-T Recommendation X.509, <em>The Directory - Authentication
842       Framework</em>, 1988. See for instance <a
843       href="ftp://ftp.bull.com/pub/OSIdirectory/ITUnov96/X.509/97x509final.doc">
844       ftp://ftp.bull.com/pub/OSIdirectory/ITUnov96/X.509/97x509final.doc</a>.
845<p>
846<li><a name="PKCS"></a>
847[PKCS] Kaliski, Burton S., Jr., <em>An Overview of the PKCS Standards</em>, An RSA
848     Laboratories Technical Note, revised November 1, 1993.
849     See <a href="http://www.rsa.com/rsalabs/pubs/PKCS/">
850     http://www.rsa.com/rsalabs/pubs/PKCS/</a>.
851<p>
852<li><a name="MIME"></a>
853[MIME] N. Freed, N. Borenstein, <em>Multipurpose Internet Mail Extensions
854       (MIME) Part One: Format of Internet Message Bodies</em>, RFC2045.
855       See for instance <a href="ftp://ftp.isi.edu/in-notes/rfc2045.txt">
856       ftp://ftp.isi.edu/in-notes/rfc2045.txt</a>.
857<p>
858<li><a name="SSL2"></a>
859[SSL2] Kipp E.B. Hickman, <em>The SSL Protocol</em>, 1995.
860       See <a href="http://www.netscape.com/eng/security/SSL_2.html">
861       http://www.netscape.com/eng/security/SSL_2.html</a>.
862<p>
863<li><a name="SSL3"></a>
864[SSL3] Alan O. Freier, Philip Karlton, Paul C. Kocher, <em>The SSL Protocol
865       Version 3.0</em>, 1996. See <a
866       href="http://www.netscape.com/eng/ssl3/draft302.txt">
867       http://www.netscape.com/eng/ssl3/draft302.txt</a>.
868<p>
869<li><a name="TLS1"></a>
870[TLS1] Tim Dierks, Christopher Allen, <em>The TLS Protocol Version 1.0</em>,
871       1997. See <a
872       href="ftp://ftp.ietf.org/internet-drafts/draft-ietf-tls-protocol-06.txt">
873       ftp://ftp.ietf.org/internet-drafts/draft-ietf-tls-protocol-06.txt</a>.
874</ul>
875      <p>
876      <br>
877      <table summary="">
878      <tr>
879        <td>
880           <table width="600" border="0" summary="">
881           <tr>
882            <td valign="top" align="left" width="250">
883<a href="ssl_overview.html" onmouseover="ro_imgOver('ro_img_prev_bot', 'previous page'); return true" onmouseout="ro_imgNormal('ro_img_prev_bot'); return true" onfocus="ro_imgOver('ro_img_prev_bot', 'previous page'); return true" onblur="ro_imgNormal('ro_img_prev_bot'); return true"><img name="ro_img_prev_bot" src="ssl_template.navbut-prev-n.gif" alt="previous page" width="70" height="18" border="0"></a><br><font color="#000000">Overview</font>
884            </td>
885            <td valign="top" align="right" width="250">
886<a href="ssl_reference.html" onmouseover="ro_imgOver('ro_img_next_bot', 'next page'); return true" onmouseout="ro_imgNormal('ro_img_next_bot'); return true" onfocus="ro_imgOver('ro_img_next_bot', 'next page'); return true" onblur="ro_imgNormal('ro_img_next_bot'); return true"><img name="ro_img_next_bot" src="ssl_template.navbut-next-n.gif" alt="next page" width="70" height="18" border="0"></a><br><font color="#000000">Reference</font>
887            </td>
888           </tr>
889           </table>
890         </td>
891      </tr>
892      <tr>
893        <td><img src="ssl_template.imgdot-1x1-000000.gif" alt="" width="600" height="2" align="bottom" border="0"></td>
894      </tr>
895      <tr>
896        <td><table width="598" summary="">
897        <tr>
898        <td align="left"><font face="Arial,Helvetica">
899        <a href="http://www.modssl.org/">mod_ssl</a> 2.8, User Manual<br>
900        The Apache Interface to OpenSSL
901        </font>
902        </td>
903        <td align="right"><font face="Arial,Helvetica">
904        Copyright &copy; 1998-2001
905        <a href="http://www.engelschall.com/">Ralf S. Engelschall</a><br>
906        All Rights Reserved<br>
907        </font>
908        </td>
909        </tr>
910        </table>
911        </td>
912      </tr>
913      </table>
914  </td>
915</tr>
916</table>
917</div>
918</body>
919</html>
920