(1) INTRODUCTION

It’s surprisingly difficult to search for good resources online to learn about the functioning and internals of SSL, and related areas.

My objective in writing this article are the following:

(a) Organize what I already know and understand for quicker reference later on.

(b) Organize access to good resources on the topic that I have come across, to save someone else the hassle.

Just as it is rather rude to directly try to peer into the contents of someone’s stomach before trying to befriend and exchange pleasantries first, in this article, I go over some functional aspects of SSL, before looking at the internals and some advanced topics. 🙂

(2) WHAT HAPPENS IN AN SSL HANDSHAKE?

I would recommend reading a StackExchange article on an introduction to SSL/TLS first. And then, after the understanding of overall flow is clear, head over to Section 7.3 of TLS RFC , and spend some solid quality time there.After that,a nice article about the first few seconds of a HTTPS connection. This article with wire-shark data-capture , walks through the stages of Client Hello, Server Hello,Certificate validation, RSA prime factorization logic, certificate signing chain of trust, generation of pre-master secret on the client, sharing it with the server, generation of the symmetric master key and it’s exchange with the client… and finally encrypting the traffic with an XOR-based algorithm like RC4. This article includes several references to code of ssl implementation, and goes more in-depth about what happens in different stages,like the merits hash functions used and their security .( eg MD5 vs HMAC MD5).

(3) USING OpenSSL COMMANDS TO LEARN/DEBUG.

The man page about openssl command line options was definitely daunting for me to start directly figuring out what to do.So,I would recommend using some of these resources first. More common scenarios like generation of certificates, verification of certificates,converting between certificate formats, debugging connections by a test ssl client or server would have been encountered by folks before. Some of the pertinent stuff which should come handy include:

(a) Categorized command use-cases

(b) Frequently used commands

(c) Debugging SSL Communication

(d) Certificate Signing Request, Self signed Certificates and more

(e) A consolidated list

(4) PROGRAMMING WITH OPENSSL LIBRARY

The documentation of OpenSSL isn’t the best, and it has had a lot of criticism going it’s way. And most people do not need to write code directly invoking openssl library function calls. However, HP’s tutorial on OpenSSL programming is a pretty good starting point. This presentation with example code by Shteryana Shopova is good resource as well. This presentation is more recent (2014), and the author even talks about HeartBleed citing actual code-snippet etc.

I shall write an article with code in another article.

(5) TOOLS OF NOTE :

Wireshark – A rather obvious one.

Charles Web Debugging Proxy : This is a pretty popular and powerful tool. For instance, someone using could uses Charles for debugging something an android app which makes HTTPS requests.

(6) SOME “NICHE/Advanced” TOPICS RELATED TO SSL AND PERFORMANCE

(6.a) SSL Termination :

To offset the computation intensive portion of SSL Handshake, SSL termination is sometimes adopted. So, for instance,when HTTPS connections hit the “reverse proxy”, or the “load balancer”, the reverse proxy can terminate SSL connection, and send HTTP request to the servers sitting behind it. Here’s a nice resource on the same which investigates and compares tools that do SSL Termination, and also speaks about the performance impact of hash functions.

(6.b) SSL acceleration

The wiki article even points to few companies who do SSL acceleration.This is usually done using a dedicated chip or GPU. On the opposite side of the spectrum,someone from Google in 2010 published an article saying that SSL is not computationally expensive anymore. Important to note that this point was for 1024 bit keys, and not 2048 bit keys.

(6.c) SSL Session Reuse

In this article about SSL session reuse, the author presents convincing arguments to chose session reuse as opposed to SSL termination. Read the comments section as well, for the discussions were good.

(6.d) SSL VPN ( Virtual Private Network) :

This article gives a pretty decent introduction about SSL VPN’s.

(7) SUMMARY

I hope that in the truest sense of “hub and spoke” architecture,the reader finds this article to be a decent hub to learn and understand about SSL and related topics better.