Diffstat (limited to 'ssl.adoci')
-rw-r--r--  ssl.adoci  101
1 files changed, 0 insertions, 101 deletions
diff --git a/ssl.adoci b/ssl.adoci
deleted file mode 100644
index 87c9ef1..0000000
--- a/ssl.adoci
+++ /dev/null
@@ -1,101 +0,0 @@
-== SSL Practical, Week 9 ==
-
-The purpose of this practical is to provide a secure way to communicate with
-our website. We will use SSL over HTTP for this purpose.
-
-At this end of the practical, we should be able to avoid any attempt of
-intercepting or altering our communications with our website when using the
-SSL layer.
-
-=== Problem 1: Passing the certificate out of band ===
-
-Using HTTP in order to send our certificate seems to be a very bad idea.
-Indeed, if a user is tampering our connection at the time the certificate is
-sent, he will be able to send to replace our certificate with a rogue crafted
-one.
-
-Since the purpose of using SSL over HTTP is exactly to avoid this king of
-attack, it seems very important to use a secure channel to send our
-certificate.
-
-==== Resolution ====
-
-Instead of using HTTP to send our certificate, we will use a trusted channel.
-Since we use SSH to access our virtual machine, we will use it to retrieve the
-certificate as well.
-
- $ rsync csvm2c4e.kent.ac.uk:rootCA.crt .
- > rootCA.crt
- > 1,415 100% 1.35MB/s 0:00:00 (xfr#1, to-chk=0/1)
-
-Now we can add our 'rootCA.crt' file to the list of trusted CA of our web
-browser.
-
-Otherwise, we can use 'curl' directly:
-
-.trying to access the secure website without giving the CA certificate
-======
-
- $ curl https://csvm2c4e.kent.ac.uk
- > curl: (60) SSL certificate problem: self signed certificate
-
-======
-
-.trying to access the secure website using the CA certificate
-======
-
- $ curl https://csvm2c4e.kent.ac.uk --cacert rootCA.crt
- > <h1>It works!</h1
-
-======
-
-=== Problem 2: The certificate is only valid for Olivier Gayot ===
-
-When browsing our secure website with 'Firefox', it complains about the
-certificate being only valid for Olivier Gayot.
-
-It is actually the 'Common Name' field that 'openssl' was asking when signing
-our certificate with our private key.
-
-==== Resolution ====
-
-Although 'openssl' prompts:
-
- > Common Name (e.g. server FQDN or YOUR name) []:
-
-we actually need to enter our FQDN (Fully Qualified Domain Name) so that
-'Firefox' stops complaining. We can figure our what our FQDN is by issuing the
-following command on our virtual machine.
-
- $ hostname --fqdn
- > csvm2C4E.kent.ac.uk
-
-Then, by regenerating our certificate with 'csvm2C4E.kent.ac.uk' as 'Common
-Name', 'Firefox' feels better.
-
-=== Problem 3: Testing our security ===
-
-What we would like to know now is what would happen if someones is altering our
-connection and trying to redirect our traffic to a rogue web server.
-
-==== Resolution ====
-
-We will use the file '/etc/hosts' to override the IP address of our web server.
-By adding the following line inside, we force our resolver to assume that the
-IP address of 'csvm2c4e.kent.ac.uk' is '104.130.219.184' (which is in fact the
-IP address of 'httpd.apache.org').
-
- 104.130.219.184 csvm2c4e.kent.ac.uk
-
-We can check that our entry has been taken into account:
-
- $ resolveip csvm2c4e.kent.ac.uk
- > IP address of csvm2c4e.kent.ac.uk is 104.130.219.184
-
-So now, we try to access the website using our CA certificate:
-
- $ curl https://csvm2c4e.kent.ac.uk --cacert rootCA.crt
- > curl: (60) SSL certificate problem: unable to get local issuer certificate
-
-Our security layer seems to work!
-
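Review bot: this hunk removes the whole of ssl.adoci with nothing taking its place, so the only written record of how the CA was distributed out of band, why the Common Name had to be the FQDN, and how the /etc/hosts redirection test proved that curl with `--cacert rootCA.crt` rejects a server not signed by that CA is lost from the tree; if the notes are being moved or renamed (the `.adoci` extension reads like a slip for `.adoc`), a rename would keep the history attached, and if they are being dropped on purpose the reason belongs in the commit message. If the text does survive elsewhere, two fixes are worth carrying along: "We will use SSL over HTTP" describes HTTPS, which is HTTP carried over SSL/TLS, not the reverse, and "this king of attack" should read "this kind of attack".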