Professional Documents
Culture Documents
Secure Connections
Secure Connections
Secure Connections
Liz Rice
@lizrice
Copyright @ 2018 Aqua Security Software Ltd. All Rights Reserved.
@lizrice 2
@lizrice 3
A guide to TLS connections
■ What the hell are all these .crt, .key, .csr and .pem files?
@lizrice 4
Hello, I’m Liz
@lizrice 5
Hello, I’m Liz
59.97.3.25:60401 27.193.43.2:8080
HELLO
GetCertificate
<Server certificate>
(or Certificate)
Verify certificate, then call
VerifyPeerCertificate HELLO DONE
TLS Handshake
FINISHED
FINISHED
Symmetric encryption with session key blah blah blah Symmetric encryption with session key
@lizrice 10
Keys and certificates
Public / private key encryption
<encrypted>
“hello” “hello”
@lizrice 12
Public / private key signatures
“hello” “hello”
+ +
“hello” signature
+
signature
=
signature
@lizrice 13
Sharing a public key
Hi, I’m Liz. Here’s
my public key.
Why should I
believe you?
CA
@lizrice 15
Subject Name
@lizrice 16
Creating keys & certificates
Trusted Certificate Authorities
@lizrice 18
CLI tools
■ openssl
■ See contents of certificate: openssl x509 -text
■ Doesn’t easily support SANs (Subject Alternative Names)
■ cfssl
■ Comprehensive toolkit
■ mkcert
■ Local development
■ Installs CA into your system & browsers
■ minica
■ Easy generation of key & certs
@lizrice 19
@lizrice 20
Mutually-authenticated TLS (mTLS)
Takeaways
To establish your identity
The other end needs to trust the Certificate Authority that signed
your certificate. This may require appending the CA’s certificate.
@lizrice 23
Setting up a secure connection
Server:
■ ListenAndServeTLS(cert, key)
■ or TLSConfig.Certificates
■ or TLSConfig.GetCertificate
Client:
■ tls.Dial
■ or make HTTP request to “https”
■ May need to add CA cert to TLSConfig.RootCAs
■ TLSConfig.InsecureSkipVerify
■ Don’t check server’s certificate
@lizrice 24
Mutually authenticated TLS
Server
■ TLSConfig.ClientAuth:
tls.RequireAndVerifyClientCert
■ May need to add CA cert in TLSConfig.ClientCAs
Client
■ TLSConfig.Certificates
■ or TLSConfig.GetClientCertificate
@lizrice 25
File extensions
Inconsistently used
■ Information type : .crt for certificate, .key for private key...
■ Or file format: .pem
PEM files are base64-encoded and tell you what they contain
■ openssl can tell you about the contents
@lizrice 26
Common error messages
■ Connection refused
■ Check you’re connecting to the right port
■ Remote error
■ It’s the other end that’s complaining
@lizrice 27
github.com/lizrice/secure-connections
@lizrice
Copyright @ 2018 Aqua Security Software Ltd. All Rights Reserved.
openssl
openssl.org
Welcome to OpenSSL!
OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security
(TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library.
@lizrice 30
OpenSSL for keys & certificates
@lizrice 31