Several months ago, I wrote a project whose main purpose is to manage certificates, establish secure connections over HTTPS, and perform a list of verifications on certificates downloaded from a backend server. To achieve the goal, I reviewed a lot of OpenSSL source code (BTW, I recently realized that a great product might consist of a bunch of messy source code, which, however, doesn’t undermine its greatness), read a lot of wiki pages and Stack Overflow pages, and finally got the job done. Summarizing the knowledge acquired during the process should make it easier for future use, I suppose, in case I forget, which I definitely will.
1. SSL/TLS: SSL stands for “Secure Sockets Layer”, while TLS stands for “Transport Layer Security”. There is definitely historical drama between these two, as we can see from their names. TLS is the successor of SSL; TLS 1.0 is also known as SSL 3.1. When browsers handshake with servers over HTTPS, the server returns the number 0x0301 (3.1), which indicates a version 3.1 record and shows that TLS 1.0 is essentially SSL 3.1. Anyway, there were 3 versions of SSL (1.0, 2.0, 3.0), while there are 3 versions of TLS (1.1, 1.2, 1.3). SSL was created by the great, now-gone company Netscape (that is one of the reasons I still stick with the browser FF). You can find more info about this here: https://en.wikipedia.org/wiki/Transport_Layer_Security
2. X509, or X.509, is a standard that specifies a lot of things in PKI and PMI, the most well-known of which might be the certificate. There is a lot of knowledge associated with the X.509 system, such as CRLs and private key/public key algorithms. We, who want to introduce SSL to our system and benefit from it, don’t care about those very much, but knowing the basic meaning of these technical terms will help you understand the usage.
3. Certificate: a file, which can be in several different formats such as PEM, P7B, or P12, containing info that certifies the holder is who it claims to be. On top of that, if a web site’s certificate is trusted, we can say the web site is trusted.
4. Verification: in HTTPS, based on #3, verifying a web site’s identity is equivalent to verifying its certificate. Usually we get a certificate chain, which is like an array of certificates, let’s say c1->c2->c3. Typically the root c1 is a self-signed certificate (though not always); it signs c2, c2 signs c3, and c3 shows that the web site is itself. So how can I trust c3? I check the signatures along c1->c2->c3 to make sure the root certificate c1 signs c2 and c2 signs c3. Then, if I trust c1, I trust c3, and I can say I trust the web site.
In Firefox, if the intermediate certificate c2 is trusted, the certificate chain you see in the browser will be c2->c3. OpenSSL, however, builds the longest chain it can and then checks whether the root certificate is trusted. So if you use Firefox to export the certificate chain, there is a possibility that the chain you get isn’t the whole chain.
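The difference described above can be reproduced with the `openssl` command line. This is an added example, not code from the original project: it builds a throwaway c1->c2->c3 chain (all subject names are constructed) and verifies c3 against three trust configurations. It assumes an OpenSSL 1.1.0 or later CLI is installed.

```shell
#!/bin/sh
# Added example with constructed names: build c1 -> c2 -> c3, then compare trust stores.
set -e
cd "$(mktemp -d)"

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# make_cert NAME CN EXTFILE [ISSUER]: hypothetical helper, self-signed when ISSUER is omitted.
make_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=$2" -out "$1.csr" 2>/dev/null
    if [ -n "${4:-}" ]; then
        openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" \
            -CAcreateserial -extfile "$3" -days 30 -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -signkey "$1.key" \
            -extfile "$3" -days 30 -out "$1.pem" 2>/dev/null
    fi
}

make_cert c1 "Demo Root c1" ca.ext
make_cert c2 "Demo Intermediate c2" ca.ext c1
make_cert c3 "www.example.test" leaf.ext c2

# check MODE: prints "ok" or "fail" for verifying the leaf c3.
check() {
    case "$1" in
        full)    set -- -CAfile c1.pem -untrusted c2.pem ;;  # whole chain, root c1 trusted
        no_root) set -- -CAfile c2.pem ;;                    # exported chain, c1 missing
        partial) set -- -partial_chain -CAfile c2.pem ;;     # accept c2 as the trust anchor
        *)       echo fail; return 0 ;;
    esac
    if openssl verify "$@" c3.pem >/dev/null 2>&1; then echo ok; else echo fail; fi
}

for mode in full no_root partial; do
    echo "$mode: $(check "$mode")"
done
```

The `no_root` case fails even though c2's signature on c3 is valid, because OpenSSL keeps looking for c2's issuer; `-partial_chain` makes it stop at the trusted intermediate, which is how the c2->c3 chain shown in Firefox behaves.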
In Java, we usually use a class that implements X509TrustManager to use SSL.