• News
  • In-depth understanding of SSL protocol: from theory to practice

In-depth understanding of SSL protocol: from theory to practice

Preface

This is a technical article about the SSL protocol. It contains theoretical knowledge but also has a certain degree of practicality. The main content of the article shares the core concepts, working principles, common application scenarios of the SSL protocol, and the practical application of https. Application scenarios, and focus on sharing the specific working principles and how to implement https access to the website. Whether you are a beginner in information security technology or a professional, I believe this article can bring you some help or inspiration. If there are any mistakes, please point them out in the comment area so that we can grow and improve together.

What is SSL

SSL (Secure Sockets Layer) is a standard security technology used to protect information security on the Internet. It ensures the secure transmission of data between clients and servers by encrypting network connections. The SSL protocol uses asymmetric encryption and symmetric encryption technology to prevent data from being stolen or tampered with during transmission. SSL is mainly used to protect sensitive information on websites, such as personal information, credit card information, etc. In modern network communications, SSL has been replaced by its successor standard TLS (Transport Layer Security), but usually people still call it SSL.

How SSL works

Two key points are mentioned in the above conceptual description: first: SSL is a technical standard for protecting information security; second: SSL uses symmetric encryption technology and asymmetric encryption technology; specifically, the work of SSL The principle involves the following three key steps:

  1. Handshake phase: The client initiates a connection request with the server, and the server returns its SSL certificate. The client verifies the validity of the certificate and generates a pre-master key, which is then encrypted with the server's public key and sent to the server.
  2. Key negotiation phase: After the server receives the pre-master key sent by the client, it uses its own private key to decrypt it to obtain the pre-master key. Then both parties generate a session key (symmetric key) based on the pre-master key for encryption. communication data.
  3. Data transmission stage: The client and server use session keys to encrypt and decrypt communication data to ensure the confidentiality and integrity of the data during transmission.

Through the above steps, the SSL protocol realizes the encrypted transmission of data, preventing security threats such as man-in-the-middle attacks and eavesdropping, thereby ensuring the security of network communications.

Several questions about how SSL works

How does the client verify the validity of the SSL certificate returned by the server?

Usually the client specifically refers to the browser. The client browser verifies the validity of the SSL certificate returned by the server from the following aspects:

  1. Certificate chain verification

The client will first check whether the SSL certificate returned by the server is issued by a trusted certificate authority (CA), that is, verify whether the issuer of the certificate is in the client's trust list. This process, called certificate chain verification, ensures the trustworthiness of the server certificate.

  1. Certificate validity check

The client will verify the validity period of the certificate to ensure that the certificate has not expired. If the certificate has expired, the client will not trust it.

  1. hostname match

The client checks that the hostname in the certificate matches the hostname of the server the client is connecting to. This step prevents man-in-the-middle attacks against maliciously forged certificates.

  1. Certificate revocation checking

The client also checks whether the certificate authority has revoked the server certificate. This can be checked by querying the certificate authority's Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP).

  1. Optional additional verification

In some cases, the client may also perform other additional verifications, such as checking extended fields in the certificate, etc.

Through the verification in the above aspects, the client can ensure the validity and trustworthiness of the SSL certificate returned by the server, thereby establishing a secure communication connection. If certificate verification fails, the client will issue a warning or refuse the connection to protect the security of data communications.

What is a premaster key? What is the session key?

Pre-Master Secret:

The premaster key is a random value generated by the client during the initial phase of the SSL handshake and used to negotiate the key for the symmetric encryption algorithm used in subsequent communications. The client generates the pre-master key at the beginning of the handshake and sends it to the server. The pre-master key is not used directly to encrypt data, but is negotiated to generate the final session key.

Session Key:

The session key is a symmetric key generated by negotiation between the two parties based on the pre-master key and other information during the SSL handshake process, and is used to encrypt and decrypt communication data. The session key is only valid during the current session and is usually stored on the client and server side for encrypted data transmission. Once the session ends, the session key is usually discarded to ensure that a new session key is used for the next communication.

In general, the pre-master key is used to securely negotiate the generation of the session key, and the session key is used for the actual data encryption and decryption process. In this way, the SSL protocol ensures that data transmission between communicating parties is encrypted and secure.

Characteristics of asymmetric encryption technology and symmetric encryption technology

Asymmetric encryption technology has the following main features:

  • Public and private keys

Asymmetric encryption uses a pair of keys, a public key and a private key. The public key is used to encrypt data and the private key is used to decrypt data. The public key can be made public for others to use, while the private key is kept secret.

  • Encryption and decryption

Data encrypted with the public key can only be decrypted with the corresponding private key, and data encrypted with the private key can only be decrypted with the corresponding public key. This feature ensures the security of data during transmission.

  • digital signature

Asymmetric encryption can also be used to generate and verify digital signatures. The sender can sign the message using his or her private key, and the recipient can verify the signature using the sender's public key, thus ensuring the integrity and authenticity of the message.

  • safety

The security of asymmetric encryption algorithms is based on mathematical problems, such as large number decomposition problems or elliptic curve discrete logarithm problems. Appropriate key length can improve the security of encryption algorithms.

  • key exchange

Asymmetric encryption is also used to securely exchange keys required for symmetric encryption algorithms, such as using asymmetric encryption to exchange symmetric keys during the TLS handshake.

  • efficiency

Asymmetric encryption algorithms are generally more computationally intensive than symmetric encryption algorithms and therefore may be less efficient when transmitting large amounts of data. Therefore, symmetric encryption and asymmetric encryption are often combined to achieve a balance of security and efficiency.

Symmetric encryption technology has the following characteristics:

  • Efficiency

Symmetric encryption algorithms are generally faster than asymmetric encryption algorithms because the same key is used in the encryption and decryption processes and no complex mathematical operations are required.

  • simplicity

Compared with asymmetric encryption algorithms, symmetric encryption algorithms are simpler to implement, require less calculation, and are suitable for encrypting large amounts of data.

  • Key management:

Symmetric encryption algorithms need to ensure the secure transmission and storage of keys, otherwise the keys may be stolen and result in data leakage. This poses key management challenges.

  • applicability

Symmetric encryption algorithms are suitable for most data encryption scenarios, such as data transmission, file encryption, etc. However, there are some limitations in key agreement and distribution, especially when transmitting data securely, other technologies may need to be combined to solve the key exchange problem.

  • symmetry

The keys used for encryption and decryption in symmetric encryption algorithms are the same, and this symmetry is also the source of its name. Therefore, both parties need to negotiate and share the same key before communicating.

Generally speaking, symmetric encryption technology has advantages in speed and efficiency, while asymmetric encryption technology has more advantages in key management and key exchange. Therefore, in many scenarios, the two technologies are used together to achieve The effect of learning from each other's strengths.

Is Md5 a type of asymmetric encryption technology?

The answer is no. MD5 and asymmetric encryption are two different encryption technologies. There are some connections between them, but there are also differences:

  • Function and use

MD5 (Message Digest Algorithm 5) is a hash algorithm mainly used to generate a digest of data to ensure data integrity and verify data consistency.

Asymmetric encryption algorithms (such as RSA, ECC, etc.) are an encryption algorithm that uses a pair of keys (public key and private key) to achieve encryption and decryption. It can also be used for digital signatures and key exchange functions.

  • Unidirectionality

MD5 is a one-way hash algorithm, that is, it can generate a digest from the data, but it cannot restore the original data from the digest.

The asymmetric encryption algorithm is two-way. You can use the public key to encrypt data and the private key to decrypt the data, or use the private key to sign the data and the public key to verify the signature.

  • safety

The MD5 algorithm has some security flaws, such as being susceptible to collision attacks, etc., and is not suitable for use in scenarios with high security requirements.

Asymmetric encryption algorithms are based on mathematical problems and are relatively safer and more reliable. They are often used in scenarios such as encrypted communications and digital signatures.

  • combined use

In practical applications, MD5 digests are often used in conjunction with asymmetric encryption algorithms. For example, in digital signatures, an asymmetric encryption algorithm can be used to generate a digital signature, and then MD5 can be used to digest the signature to ensure the integrity and authenticity of the signature.

SSL application scenarios

There are many common application scenarios for the SSL protocol, such as the following. Of course, in addition to the following, there are many other scenarios, so I won’t go into details here.

  • Website encrypted communication: Protect data transmission on the website through the HTTPS protocol to ensure the security of communication between users and the website.
  • Email encryption: For example, use protocols such as SMTPS, IMAPS, and POP3S to protect the transmission process of emails and ensure the confidentiality of email content.
  • Virtual Private Network (VPN): Establish a secure remote access connection through SSL VPN technology so that remote users can safely access the company's internal network resources.
  • Remote management and access: For example, remote server management through SSH (Secure Shell), and access to the remote management interface through HTTPS.
  • Secure chat and instant messaging: Many instant messaging applications use SSL/TLS to encrypt communications between users to ensure the confidentiality of chat content.

General steps to implement https access

Among the application scenarios of the SSL protocol, one is to use the https protocol to implement encrypted communication on the website. Some friends may have questions. https and ssl are both protocols. Is there any difference or connection? It can be understood this way: HTTPS is actually a secure version of the HTTP protocol. It adds the encryption mechanism of the SSL/TLS protocol to HTTP and protects communication security by encrypting data at the transport layer.

Currently, most websites use HTTPS. If you want to implement HTTPS on your website, you usually need the following steps:

  1. Get an SSL certificate

Generally, there are only a few ways to obtain an SSL certificate. The following are some common ways:

  • Commercial Certificate Authority (CA): You can choose to purchase an SSL certificate issued by a commercial CA (such as Comodo, DigiCert, GlobalSign, Symantec, etc.). These certificates typically offer more features and guarantees and are suitable for a variety of enterprise-level needs.
  • Hosting service provider: If you use cloud hosting services (foreign such as AWS, Azure, Google Cloud, etc., domestic such as Alibaba Cloud, Tencent Cloud, etc.), these platforms usually provide integrated SSL certificate management services that can be easily obtained and configured SSL certificate.
  • Let's Encrypt: Let's Encrypt is a free certificate authority. Through their service, you can obtain free SSL certificates and support automated issuance and renewal.
  • Third-party certificate market: There are some third-party certificate markets (such as SSLs.com, Namecheap, etc.) that also provide various types of SSL certificate options. You can purchase and obtain certificates on these markets.
  • Self-signed certificate: If you are only using SSL encryption in an internal environment or for testing purposes, you can also generate a self-signed certificate for use. Be aware, however, that self-signed certificates may not be trusted on public networks.
  1. Install SSL certificate

Once you obtain your SSL certificate, you need to install it on your web server. This usually involves configuring the certificate file and key file to the corresponding location of the server software (such as Apache, Nginx, etc.). This will be done later using nginx as an example to install a self-signed certificate.

  1. Configure server

It is necessary to modify the configuration of the web server, enable the SSL/TLS protocol, and configure security parameters such as cipher suite and protocol version.

  1. Update website link

Change all links on the website to start with https:// and ensure that all resources on the website are accessed through encrypted connections.

  1. force redirect

To ensure that all access goes over HTTPS, it is common to force redirect HTTP access to HTTPS.

  1. Test and verify

Finally, testing and verification are required to ensure that the configuration of HTTPS takes effect and that the website displays a secure lock logo in the browser.

At this point, you can access the target website relatively safely.

How HTTPS works

I believe you already know the steps on how to implement HTTPS for ordinary websites. But do you understand how the whole process works? And look down. The working principle of HTTPS (Hypertext Transfer Protocol Secure) is mainly based on the SSL/TLS protocol. Its key steps include:

  1. handshake phase

The client initiates a connection request with the server, and the server returns its SSL certificate, which contains the public key and other information. The client verifies the validity of the certificate, generates a random symmetric key, encrypts it with the server's public key and sends it to the server.

  1. key agreement phase

After the server receives the encrypted symmetric key sent by the client, it uses its own private key to decrypt it to obtain the symmetric key. Then both parties generate a session key based on the symmetric key to encrypt communication data.

  1. Data transfer stage

The session key is used between the client and the server to symmetrically encrypt and decrypt the communication data, ensuring the confidentiality and integrity of the data during transmission.

Through the above steps, HTTPS achieves encrypted transmission of data, thus ensuring the security of data during transmission. In addition, HTTPS also uses digital certificates to verify the identity of the server, prevent man-in-the-middle attacks, and ensure the security and reliability of communication between the client and server.

Configure SSL certificate in Nginx to achieve https access to the website

Configuring an SSL certificate in Nginx enables client HTTPS access. The configuration process is not complicated, but the premise is that you must have a certificate.

1. Obtain an SSL certificate:

As mentioned above, you can obtain an SSL certificate from a trusted Certificate Authority (CA) or by using a free certificate service such as Let's Encrypt. It should be noted that self-signed certificates are best used only on the intranet. Self-signed certificates may not be trusted on the Internet.

2. Configure SSL certificate

In the Nginx configuration, specify the location of the SSL certificate, private key, and other related configurations. The following is an example of a key configuration in nginx.conf:

server {
        listen       443 ssl;
        server_name  192.168.35.106;
        root         /usr/share/nginx/html;
        ssl_certificate /etc/nginx/ssl/cert.crt;
        ssl_certificate_key /etc/nginx/ssl/key.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
        ssl_prefer_server_ciphers on;
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;


        error_page 404 /404.html;
        location = /404.html {
        }


        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
   server {
        listen 80;
      server_name 192.168.35.106;
    return 301 https://$host$request_uri;
   }
上面的配置示例内容中,需要重点关注几个地方:
  • 1.
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.


  • ssl_certificate: Specify the path to the SSL certificate file, here is /etc/nginx/ssl/cert.crt. The certificate file contains the public key, certificate chain and other necessary information.
  • ssl_certificate_key: Specify the private key file path of the SSL certificate, here is /etc/nginx/ssl/key.pem. The private key is used to decrypt the encrypted data sent by the client.
  • ssl_protocols TLSv1.2 TLSv1.3;: Specifies the SSL/TLS protocol version supported by Nginx. The TLS 1.2 and TLS 1.3 versions are configured here.
  • ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';: Set the priority of cipher suites. Two cipher suites are specified here, namely ECDHE-ECDSA-AES256-GCM-SHA384 and ECDHE-RSA-AES256-GCM-SHA384.
  • ssl_prefer_server_ciphers on;: Enable server-side cipher suite priority settings, which means that the server will preferentially select the cipher suites it supports to negotiate encryption methods with the client.
  • listen 443 ssl;: When using the HTTPS protocol, port 443 is usually used to provide encrypted website access, so you need to ensure that 443 can pass the firewall and enable SSL encryption.
  • listen 80; in the second server: The function of this configuration is to redirect all requests to the server through HTTP (port 80) to HTTPS (port 443) to ensure that website access is through an encrypted secure connection;
  • return 301 https://$host$request_uri;: This is the redirect instruction. When an HTTP request is received, an HTTP 301 permanent redirect response will be returned, redirecting the request to the same request URL, but using the HTTPS protocol. Where $host represents the host name of the original request, and $request_uri represents the URI of the original request.

3. Restart Nginx

After completing the SSL configuration, you need to reload or restart Nginx for the changes to take effect. You can use the command nginx -s reload or systemctl restart nginx to reload the configuration.

nginx -s reload
 systemctl restart nginx
  • 1.
  • 2.

4. Verification

Use a browser to access your website, and change the original http access to https access. If it can be accessed through HTTPS and the secure connection logo is displayed in the browser address bar, it means the configuration has been successful.

write at the end

Thank you very much for your patience in reading my article. I hope my sharing will be helpful to you. Of course, if you think this article is helpful to you, you might as well click the like button to let more people see this high-quality technology sharing. At the same time, don’t forget to bookmark this article for easy reference in the future.