Skip to main content

SSL Certs, Keys and Trusts

Recently faced some weird issues with ssl, while building a new infrastructure. So this will be a post on SSL basics which actually is sufficient to fix even crazy error  like "SSLHandshakeException". For guys wondering what is that, I too have no idea abt it. Its computer way of saying, go and read basics  before bugging me.
Browser based Handshakes(One way cert validation):
Say I open gmail.com, browser sends a request to gmail.com, gmail.com will give me a certificate that will have hostname(gmail),  validity of certificate,  public key of gmail.com and a hash to make sure data is not tampered. Browser uses the public key to encrypt data to gmail which can be decrypted only with gmail's private key. Similarly gmail sends data encrypted with its private key which can be decrypted with its public key which the browser has.
SSL Session:
 But everybody will have gmail's public key. What if any culprit decrypts data from gmail and reads it? So at the start of https connection a session is established, meaning once the server sends a cert, the client  creates its own key(mostly symmetric ones Read DSA,RSA) which is valid for this session. The client then sends this key encrypted with the public key of the server thereby preventing man in the middle
Fake Server:
Say you request for gmail.com, if the DNS server is infected by a malware, it will redirect to some fake server, the fake server will be able to produce a cert impersonating as gmail.com and keys. This will lead to loss of passwords or confidential info. To avoid this, a trusted third party called CA(Certificate Authority) comes into picture. There are lot of commercial CAs like verisign. The browser will have public keys of trusted CA. Gmail's cert will be signed with the private key of one of the trusted CAs. So if I request gmail.com, gmail will send its cert signed with CA's private key. Now you open cert with CA's public key and then find gmail's public key. Its like double protection and the quality of protection depends on the reliability of CA. So that if you visit certain https site which dont use trusted CAs to sign their certificate, the browser would warn you.
Fake Client:
This case is not typically handled in our day to day activities. Whenever you visit gmail.com, you are authenticated as a valid client by application logics like passwords/cookies, not by ssl layer.
But there might be a case like I run a set of clients who periodically gets configuration(set of tasks) from a server. In such a case, the clients will also get their cert signed by CA, once the server is authenticated , the client sends its cert with the public key of server, the server decrypts with its private key, then with CA's public key and then validates client.

Confused?? The diagram below should put things in place

Comments

Popular posts from this blog

The FB outage

 This outage has caused considerable noise everywhere. It was quite discomforting for me because during the whole conversation nobody bothered to understand the gravity of the issue. I don't expect end users to understand the issue. But this is going to be a blogpost for all of those in the tech field, Such an event can happen how much ever chaos engineering, best of the tech jargon we implement in the stack To all my Site Reliability Engineer friends, Site Up is our first priority. I myself said many a times outage is news and SREs should prevent outage. But I'm afraid this is leading to a cult in the industry who despises outages and takes no learnings from it. I don't know what has happened in Facebook. I can explain a scenario which may or may not be right but that can definitely show the gravity of the issue. Let's draw a probable Facebook architecture Disclaimer I don't work at Facebook. So this might not be how facebook routes traffic. This is based on my exp

How we have systematically improved the roads our packets travel to help data imports and exports flourish

This blog post is an account of how we have toiled over the years to improve the throughput of our interDC tunnels. I joined this company around 2012. We were scaling aggressively then. We quickly expanded to 4 DCs with a mixture of AWS and colocation. Our primary DC is connected to all these new DCs via IPSEC tunnels established from SRX. The SRX model we had, had an IPSEC throughput of 350Mbps. Around December 2015 we saturated the SRX. Buying SRX was an option on the table. Buying one with 2Gbps throughput would have cut the story short. The tech team didn't see it happening. I don't have an answer to the question, "Is it worth spending time in solving a problem if a solution is already available out of box?" This project helped us in improving our critical thinking and in experiencing the theoretical network fundamentals on live traffic, but also caused us quite a bit of fatigue due to management overhead. Cutting short the philosophy, lets jump to the story.

More on Memory

 A post almost after 2 years!!! One common question I get asked is, "what is the reference I follow for troubleshooting an issue at hand". I would not be able to give an answer to the question directly as most of the times, I won't have even a single reference material handy. It's not a self boasting article. It's an article describing how knowledge we gather at random places help during an issue. Let's dissect a memory usage issue in Linux I faced recently and see how the triage shaped up. One of our processes was getting repeated ENOMEM when it was trying to call malloc for some reason despite the box had plenty of unused RAM. Lets see how the triage went through I didn't understand in my Operating systems course what a virtual memory is. I did convincing myself that virtual memory is physical memory + swap(in a way correct but not completely) I attended an interview in 2013, where the Director of the division asked me when you do malloc do you get physi