Skip to main content

SSL Certs, Keys and Trusts

Recently faced some weird issues with ssl, while building a new infrastructure. So this will be a post on SSL basics which actually is sufficient to fix even crazy error  like "SSLHandshakeException". For guys wondering what is that, I too have no idea abt it. Its computer way of saying, go and read basics  before bugging me.
Browser based Handshakes(One way cert validation):
Say I open gmail.com, browser sends a request to gmail.com, gmail.com will give me a certificate that will have hostname(gmail),  validity of certificate,  public key of gmail.com and a hash to make sure data is not tampered. Browser uses the public key to encrypt data to gmail which can be decrypted only with gmail's private key. Similarly gmail sends data encrypted with its private key which can be decrypted with its public key which the browser has.
SSL Session:
 But everybody will have gmail's public key. What if any culprit decrypts data from gmail and reads it? So at the start of https connection a session is established, meaning once the server sends a cert, the client  creates its own key(mostly symmetric ones Read DSA,RSA) which is valid for this session. The client then sends this key encrypted with the public key of the server thereby preventing man in the middle
Fake Server:
Say you request for gmail.com, if the DNS server is infected by a malware, it will redirect to some fake server, the fake server will be able to produce a cert impersonating as gmail.com and keys. This will lead to loss of passwords or confidential info. To avoid this, a trusted third party called CA(Certificate Authority) comes into picture. There are lot of commercial CAs like verisign. The browser will have public keys of trusted CA. Gmail's cert will be signed with the private key of one of the trusted CAs. So if I request gmail.com, gmail will send its cert signed with CA's private key. Now you open cert with CA's public key and then find gmail's public key. Its like double protection and the quality of protection depends on the reliability of CA. So that if you visit certain https site which dont use trusted CAs to sign their certificate, the browser would warn you.
Fake Client:
This case is not typically handled in our day to day activities. Whenever you visit gmail.com, you are authenticated as a valid client by application logics like passwords/cookies, not by ssl layer.
But there might be a case like I run a set of clients who periodically gets configuration(set of tasks) from a server. In such a case, the clients will also get their cert signed by CA, once the server is authenticated , the client sends its cert with the public key of server, the server decrypts with its private key, then with CA's public key and then validates client.

Confused?? The diagram below should put things in place

Comments

Popular posts from this blog

Lessons from Memory

Started debugging an issue where Linux started calling OOM reaper despite tons of memory is used as Linux cached pages. My assumption was if there is a memory pressure, cache should shrink and leave way for the application to use. This is the documented and expected behavior. OOM reaper is called when few number of times page allocation has failed consequently. If for example mysql wants to grow its buffer and it asks for a page allocation and if the page allocation fails repeatedly, kernel invokes oom reaper. OOM reaper won't move out pages, it sleeps for some time and sees if kswapd or a program has freed up caches/application pages. If not it will start doing the dirty job of killing applications and freeing up memory. In our mysql setup, mysql is the application using most of the Used Memory, so no other application can free up memory for mysql to use. Cached pages are stored as 2 lists in Linux kernel viz active and inactive.
More details here
https://www.kernel.org/doc/gorman…

Walking down the Memory Lane!!!

This post is going to be an account of  few trouble-shootings I did recently to combat various I/O sluggishness.
Slow system during problems with backup
We have a NFS mount where we push backups of our database daily. Due to some update to the NFS infra, we started seeing throughput of NFS server drastically affected. During this time we saw general sluggishness in the system during backups. Even ssh logins appeared slower. Some boxes had to be rebooted due to this sluggishness as they were too slow to operate on them. First question we wanted to answer, does NFS keep writing if the server is slow? The slow server applied back pressure by sending small advertised window(TCP) to clients. So clients can't push huge writes if server is affected. Client writes to its page cache. The data from page cache is pushed to server when there is a memory pressure or file close is called. If server is slow, client can easily reach upto dirty_background_ratio set for page cache in sysctl. This di…

The server, me and the conversation

We were moving a project from AWS to our co-located DC. We have setup KVMs scheduled by Cloudstack for each of the component in the architecture. The KVMs used local storage. The VMs are provisioned with more than required resources because we have the opinion that in our DC scaling during peak load and then downscaling doesn't offer much benefits financially as we are anyways paying for the hardware in advance and its also powered on. Its going to be idle if not used. Now we found something interesting our latency in co-located DC was 2 times more than in AWS. The time for first byte at our load balancer in aws was 60ms average and at our DC was 112ms. We started our debugging mission, Mission Conquer-AWS. All the servers are newer Dell hardwares. So the initially intuition was virtualisation is causing the issue.

Conversation with the Hypervisor We started with CPU optimisation, we started using the host-passthrough mode of CPU in libvirt so VMs dont see QEMU emulated CPUs, the…