ANU College of Engineering and Computer Science
School of Computer Science
Computer Networks
Experimenting with SSL

This week's exercise is designed to introduce you to the Secure Sockets Layer (SSL), used by various TCP-based services such as HTTPS and SSH to provide end-to-end security.

SSL Certificates

Most computers with a web browser will have a set of SSL root certificates issued by Certificate Authorities (CAs) that the web browser can trust when opening a secure connection to a web site using the HTTPS protocol. Find where these certificates are stored on your computer and determine how many there are.

Using the openssl(1SSL) command, examine a couple of these certificates. What information can you glean from them? (Hint: use openssl x509 -text -in cert.pem; see the manpage for more options, and also look at sites like http://www.madboa.com/geek/openssl/#cert-exam.)

Which countr(y|ies) are the root certificates issued in? Can you write a little shell script to examine all the certificates and produce a list of all the countries that have issuing authorities trusted by your operating system/web browser? Is Australia (AU) in the list?

Your web browser will "trust" all web sites with an SSL certificate which is currently valid and signed by _any_ one of these root CAs, or by a secondary certification authority trusted by any one of these CAs. That is, it will not warn you if the site you are visiting is not really the site you wanted to visit, as long as that site can produce a certificate signed by one of these root CAs. Several recent, relatively high-profile incidents of this type have occurred, including one in January 2010 between the Chinese government and Google Inc. (search the web for more details, if you are interested).

SSL programming

Start off by downloading openssl-examples-20020110.tar.gz somewhere in your home directory area and then uncompress and untar it:

    tar xzf openssl-examples-20020110.tar.gz

Look at the README and RUNNING files, compile the code and then test it out.
Modify sclient to print out details of the certificate that is sent back when connecting to the https server on port 443 of cs.anu.edu.au. In particular, print out the issuer and country of issue of that certificate. Use tcpdump, or ethereal, to actually examine the packets going to and from the server.

If you are keen, you should now write your own SSL-enabled echo server (look at modifying the wserver2 program) and try connecting to it with the sclient program.

More information about SSL and the version installed in our labs can be found here. Also, a good introduction/tutorial on programming for SSL can be found here (pt 1) and here (pt 2) (both PDF files).
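The following POSIX shell script is an added example for this lab; it is not code from the handout or from the openssl-examples package. It covers both the certificate-store survey asked for in the SSL Certificates section (count the roots, list the distinct issuing countries, check whether AU is among them) and the issuer/country extraction the sclient task asks for, using the openssl(1) command line rather than the C API. It assumes openssl is installed; the directory /etc/ssl/certs is a placeholder for wherever your operating system or browser keeps its roots, and the script file name ssl_roots.sh is likewise a placeholder. Only server_issuer needs network access.

```sh
#!/bin/sh
# Added example for this lab, not code from the handout or from the
# openssl-examples package. Assumes the openssl(1) command line tool is
# installed. The CA directory below is a placeholder: Debian-style systems
# keep their roots in /etc/ssl/certs, other systems and browsers elsewhere.

# country_of FILE FIELD
#   FIELD is "subject" or "issuer". Prints the C= attribute of that name,
#   or nothing if the certificate carries no country (or FILE is not a cert).
#   sep_multiline puts one RDN per line, so "C=AU" is easy to pick out
#   without mistaking "CN=..." for it.
country_of() {
    openssl x509 -noout -"$2" -nameopt sep_multiline -in "$1" 2>/dev/null |
        sed -n 's/^[[:space:]]*C[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# count_certs DIR: how many *.pem / *.crt files in DIR openssl can parse.
count_certs() {
    n=0
    for f in "$1"/*.pem "$1"/*.crt; do
        [ -f "$f" ] || continue
        openssl x509 -noout -in "$f" >/dev/null 2>&1 && n=$((n + 1))
    done
    echo "$n"
}

# issuing_countries DIR: one line per distinct country code among the
# certificates in DIR, sorted. Root CAs are self-signed, so their subject
# and issuer countries coincide; the subject is used here.
issuing_countries() {
    for f in "$1"/*.pem "$1"/*.crt; do
        [ -f "$f" ] || continue
        c=$(country_of "$f" subject)
        [ -n "$c" ] && printf '%s\n' "$c"
    done | sort -u
}

# has_country DIR CODE: succeeds if CODE (e.g. AU) is in that list.
has_country() {
    issuing_countries "$1" | grep -qx "$2"
}

# server_issuer HOST PORT: fetch the server's certificate over TLS, as the
# sclient exercise does, and print its issuer DN and issuer country.
# Needs network access, so the offline test does not call it.
server_issuer() {
    tmp=$(mktemp)
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$tmp" 2>/dev/null
    openssl x509 -noout -issuer -nameopt sep_multiline -in "$tmp"
    echo "issuer country: $(country_of "$tmp" issuer)"
    rm -f "$tmp"
}

# Usage: sh ssl_roots.sh --run [CA_DIR]
if [ "${1:-}" = "--run" ]; then
    dir=${2:-/etc/ssl/certs}
    echo "parsable certificates in $dir: $(count_certs "$dir")"
    echo "countries with a trusted root CA:"
    issuing_countries "$dir"
    if has_country "$dir" AU; then echo "AU is in the list"; else echo "AU is not in the list"; fi
    server_issuer cs.anu.edu.au 443
fi
```

The `s_client | x509` pipeline in server_issuer is the command-line equivalent of what the modified sclient should do in C: after the handshake, SSL_get_peer_certificate() returns the X509 the server presented, X509_get_issuer_name() gives its issuer, and X509_NAME_get_text_by_NID() with NID_countryName pulls out the country. Files that openssl cannot parse (a stray private key, a bundle in the wrong encoding) are simply not counted, which is worth knowing when your count does not match what the browser reports.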
Please direct all enquiries to: bob@cs.anu.edu.au
Page authorised by: Head of School, SoCS
The Australian National University, CRICOS Provider Number 00120C