Hands-on OpenSSL Programming

Hands-on OpenSSL Programming
November 13, 2000
Speaker: David Molnar, Harvard; Kevin Fu, MIT
Scribe: TBD

OpenSSL is an open-source software package which implements general-purpose cryptography and the Secure Sockets Layer (SSL). Learn how to use this tool.

What does that little padlock in your Web browser really mean? How does one set up a secure Web server? How does one implement client and server authentication? What about SSL for non-Web software? We will try to remove the mystique behind such questions.

Participants can passively watch our presentation, or compile along with us. We have several snippets of code:


  1. Getting started with OpenSSL.
    1. Install OpenSSL 0.9.6
        get openssl
        $ ./config --prefix=/usr/local
        $ make
        $ make test
        $ make install
    2. Connect to our server, type a string.
      	openssl s_client -connect snafu.fooworld.org:443 
      	GET / HTTP/1.0
  2. Certificate generation
    1. Demo certs.
      1. Sample X509 self-signed server certificate
      2. Sample X509 server certificate issued by Verisign
    2. Generate a key pair:
      	openssl genrsa -out server-key.pem 1024
    3. Generate certificate request:
      	openssl req -new -key server-key.pem -out server-req.pem
    4. Generate a self-signed cert and key at the same time:
       openssl req -x509 -newkey rsa:1024 -keyout server-key.pem -out server-req.pem
    5. Generate CA key pair. Trickier.
  3. Authentication
    1. Server authentication. Most common in SSL. Clients will require servers to prove who they claim to be.
    2. Client authentication. Clients can prove identity to a server. Available in SSL, but less common. Used at MIT. Most sites use passwords instead of client certificates.
  4. Non-Web SSL Applications
    1. Use our demo code. Compile client.
    2. Modify client to set client certificate.
    3. SSL Analyzer. Decrypt SSL traffic on the fly.
      1. Start the SSL dump program.
            ./ssldump -Ad -k /home/key.pem -p foobar -i eth0 host snafu-beta.mit.edu
      2. Start an SSL client to dump. Note, ssldump requires Kx=RSA.
        	openssl s_client -connect snafu-beta.mit.edu:443 -cipher DES-CBC3-SHA  
    4. SSL on the Web
      1. Apache
        untar apache, openssl, modssl
        install openssl
        cd mod_ssl-2.7.1-1.3.14
        ./configure --with-apache=../apache_1.3.14 \
         --with-ssl=../openssl-0.9.6 \
        cd ../apache_1.3.14/
        make certificate
        	[fill in values]
        make install
        load httpd.conf to see SSL stuff
        ./bin/apachectl startssl
        [enter cert password]
  5. Problems related to SSL
    1. Flawed implementation of SSL. E.g., bad random numbers
    2. Demonstrate bug in certificate management of Netscape <= 4.73
      1. Set DNS server to This simulates DNS spoofing. Might need to reboot.
      2. Visit https://snafu.mit.edu/ and click away the warnings
      3. Visit https://www5.etrade.com/etrade.html
      4. Enter the form data. Submit. It's harmless.
      5. technical explanation
    3. Caching on bad parameters. E.g., IP address instead of hostname. Remembering authentication based on certificate, not the hostname.
    4. CA could accidentally certify an inappropriate site. For instance.
    5. Root CA compromised (Sun cert)
    6. What CAs do you trust? Do you know all your CAs?
    7. SSL proxying. Server authentication does not imply content authentication.
    8. Misleading certificate management

Links to software


Brought to you by the MIT LCS Applied Security Reading Group