Again, these don't add up to a fantastic customer experience, but work well enough to demonstrate server-side SSL.

You can run this and either connect to it with the sample HTTP client developed in the section “Implementing an HTTP client” or connect with any standard web browser. This implements RFC-standard HTTP, albeit a microscopically small subset of it.
Roadmap for the Rest of This topic
SSL was originally specified by Netscape, when it became clear that e-commerce required secure communication capability. The first release of SSL was SSLv2 (v1 was never released). After its release, SSLv2 was found to have significant flaws, which will be examined in greater detail in Chapter 6. Netscape later released and then turned over SSLv3 to the IETF, which promptly renamed it TLS 1.0 and published the first official specification in RFC 2246. In 2006, TLS 1.1 was specified in RFC 4346 and in 2008, TLS 1.2 was released and is specified in RFC 5246.
The rest of this topic is dedicated to describing every aspect of what SSL does and how it does it. In short, SSL encrypts the traffic that the higher-level protocol generates so that it can't be intercepted by an eavesdropper. It also authenticates the connection so that, in theory, both sides can be assured that they are indeed communicating with who they think they're communicating with.
SSL support is now standard in every web browser and web server, open- or closed-source. Although SSL was originally invented for secure HTTP, it's been retrofitted, to varying degrees of success, to work with other protocols. In theory, SSL is completely specified at the network layer, and any protocol can just layer invisibly on top of it. However, things aren't always so nice and neat, and there are some drawbacks to using SSL with protocols other than HTTP. Indeed, there are drawbacks even to using it with HTTP. I guess you can say that nothing is perfect. You come back to the details of HTTPS, and how it differs from HTTP, in Chapter 6 after you've examined the underlying SSL protocol.
Additionally, there are several open-source implementations of the SSL protocol itself. By far the most popular is Eric A. Young's openssl. The ubiquitous Apache server, for example, relies on the openssl library to provide SSL support. A more recent implementation is GnuTLS. Whereas openssl 0.9.8e (the most recent version as of this writing) implements SSLv2, SSLv3 and TLS 1.0, GnuTLS implements TLS 1.0, 1.1 and 1.2. Therefore it's called TLS rather than SSL because it doesn't technically implement SSL at all. Also, Sun's Java environment has SSL support