Security SSL and TLS protocols (SSL TLS) - Yash-777/Axis1x_Soap GitHub Wiki


Digital Signatures

Once a cryptographic hash is created for a message, the hash is encrypted with the sender's private key. This encrypted hash is called a digital signature.

The SSL Process

Communication using SSL begins with an exchange of information between the client and the server. This exchange of information is called the SSL handshake.

The three main purposes of the SSL handshake are:

  • Negotiate the cipher suite
  • Authenticate identity (optional)
  • Establish information security by agreeing on encryption mechanisms

Secure Sockets Layer (SSL) is the most widely used protocol for implementing cryptography on the Web. SSL uses a combination of cryptographic processes to provide secure communication over a network.

SSL and TLS protocols wiki

| Protocol | Published | Status |
|----------|-----------|--------|
| SSL 1.0 | Unpublished | Unpublished |
| SSL 2.0 | 1995 | Deprecated in 2011 (RFC 6176) |
| SSL 3.0 | 1996 | Deprecated in 2015 (RFC 7568) |
| TLS 1.0 | 1999 | Deprecated in 2020 |
| TLS 1.1 | 2006 | Deprecated in 2020 |
| TLS 1.2 | 2008 | |
| TLS 1.3 | 2018 | |

TLS supports many different methods for exchanging keys, encrypting data, and authenticating message integrity. As a result, secure configuration of TLS involves many configurable parameters, and not every choice provides all of the privacy-related properties, such as key exchange, cipher security and data integrity.

TCP/IP Protocol Stack with SSL

| TCP/IP Layer | Protocol |
|--------------|----------|
| Application Layer | HTTP, NNTP, Telnet, FTP, etc. |
| Secure Sockets Layer | SSL |
| Transport Layer | TCP |
| Internet Layer | IP |

SSL/TLS Capabilities of Your Browser

Why Use SSL?
Transferring sensitive information over a network can be risky due to the following three issues:

  • You cannot always be sure that the entity with whom you are communicating is really who you think it is.
  • Network data can be intercepted, so it is possible that it can be read by an unauthorized third party, sometimes known as an attacker.
  • If an attacker can intercept the data, the attacker may be able to modify the data before sending it on to the receiver.

TLS 1.2: In this case the client and the server ask for each other's certificate, which is more secure.

Steps (image from Stack Exchange):

1. A client requests access to a trusted server
2. The server presents its certificate to the client
3. The client verifies the server’s certificate
4. If successful, the client sends its certificate to the server
5. The server verifies the client’s credentials
6. If successful, the server grants access to the protected resource requested by the client
7. A secure message channel is established

Checks From OS end for TLS:

[root@Yash001 ~]# openssl ciphers -v |grep TLS
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384

Checks from Java level: once TLSv1 is disabled, the output below should no longer show TLSv1, so make the change in java.security.

[root@Yash001 ~]# openssl s_client -connect 10.55.88.4:7775 -tls1

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
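
One way to script this check, as an added example that is not part of the original wiki page. When the server refuses the forced protocol, `s_client` can still print a `Protocol  : TLSv1` line, so the function (a hypothetical name) decides on the negotiated cipher instead; the rejected sample is constructed to show that case.

```shell
#!/bin/sh
# Added example: classify saved `openssl s_client` output as accepted or rejected.

# Constructed sample: server still accepts TLSv1 (mirrors the output shown above).
accepted_sample='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA'

# Constructed sample: handshake refused. The Protocol line only echoes the
# version that was requested; no cipher was negotiated.
rejected_sample='New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

# Reads s_client output on stdin.
# Prints "ACCEPTED <protocol> <cipher>" or "REJECTED".
classify_s_client() {
  awk '
    /^ *Protocol *:/ { proto = $NF }
    /^ *Cipher *:/   { cipher = $NF }
    END {
      if (cipher == "" || cipher == "0000" || cipher == "(NONE)")
        print "REJECTED"
      else
        print "ACCEPTED", proto, cipher
    }'
}

printf '%s\n' "$accepted_sample" | classify_s_client
printf '%s\n' "$rejected_sample" | classify_s_client
# Live use (HOST:PORT is a placeholder):
#   openssl s_client -connect HOST:PORT -tls1 </dev/null 2>/dev/null | classify_s_client
```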

Diagnosing TLS, SSL, and HTTPS

The following chart depicts the protocols and algorithms supported in each JDK version:

| | JDK 8 (March 2014 to present) | JDK 7 (July 2011 to present) | JDK 6 (2006 to end of public updates 2013) |
|---|---|---|---|
| TLS Protocols | TLSv1.2 (default), TLSv1.1, TLSv1, SSLv3 | TLSv1.2 (default), TLSv1.1 (default), TLSv1, SSLv3 | TLS v1.1 (JDK 6 update 111 and above), TLSv1 (default), SSLv3 |

Tomcat Server.xml

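<!-- Connector-level settings (port, threads, scheme) belong on <Connector> -->
<Connector port="7890" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
    <!-- protocols: only TLSv1.2 is enabled (alternative value: TLSv1.2,SSLv2Hello) -->
    <!-- certificateVerification="none" is the SSLHostConfig form of clientAuth="false" -->
    <SSLHostConfig sslProtocol="TLS" protocols="TLSv1.2" certificateVerification="none">
        <!-- certificateKeystorePassword is the SSLHostConfig form of keystorePass -->
        <Certificate certificateKeystoreFile="/tomcat/SSL/my-keystore"
                     certificateKeystorePassword="changeit" type="RSA" />
    </SSLHostConfig>
</Connector>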

Disable TLSv1 & TLSv1.1 in Java

At Java level change file content: /java/jdk1.8.0_151/jre/lib/security/java.security

From : 

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
    EC keySize < 224
To: 

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
    EC keySize < 224, TLSv1, TLSv1.1
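
To confirm the edit took effect, the property can be audited with a short script. This is an added example, not part of the original wiki page; the function names are hypothetical and the two samples are constructed from the "From" and "To" values above. It joins the `\` continuation line and matches entries exactly, because a plain `grep TLSv1` would also match `TLSv1.1` or `TLSv1.2`.

```shell
#!/bin/sh
# Added example: audit java.security text for disabled TLS protocol versions.

# Constructed samples mirroring the "From" and "To" values shown above.
before='jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
    EC keySize < 224'
after='jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
    EC keySize < 224, TLSv1, TLSv1.1'

# Print each jdk.tls.disabledAlgorithms entry on its own line (stdin: file text).
disabled_entries() {
  awk '
    buf == "" && /^[ \t]*#/ { next }                          # comment line
    { line = buf $0; buf = "" }
    line ~ /\\$/ { sub(/\\$/, "", line); buf = line; next }   # join continuation
    line ~ /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ {
      sub(/^[^=]*=/, "", line)
      n = split(line, parts, ",")
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
        if (parts[i] != "") print parts[i]
      }
    }'
}

# Succeed only if every protocol named in "$@" is an exact entry.
# grep -x -F avoids the substring trap: "TLSv1" must not match "TLSv1.1".
protocols_disabled() {
  entries=$(disabled_entries)
  for p in "$@"; do
    printf '%s\n' "$entries" | grep -qxF -- "$p" ||
      { echo "still enabled: $p"; return 1; }
  done
  echo "ok: $* disabled"
}

printf '%s\n' "$before" | protocols_disabled TLSv1 TLSv1.1 || true
printf '%s\n' "$after"  | protocols_disabled TLSv1 TLSv1.1
# Against the real file (path is a placeholder):
#   protocols_disabled TLSv1 TLSv1.1 < /path/to/java.security
```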

Encryption is one of the most important tools governments, companies, and individuals have to promote safety and security in the new digital age, keeping information safe from cybercriminals, hackers, and rogue states.

WhatsApp Security

Personal Messaging:
WhatsApp's end-to-end encryption is used when you message another person using WhatsApp Messenger. End-to-end encryption ensures only you and the person you're communicating with can read or listen to what is sent, and nobody in between, not even WhatsApp. This is because with end-to-end encryption, your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read them.
Messages that Stay with You: End-to-end encrypted messages are stored on your device and not WhatsApp servers after they are delivered.
