All about SSL/TLS certificates

[tbazant]

Description

A new article that explains and shows what TLS is and how to implement it on SUSE hosts

Are there any relevant issues/feature requests?

• bsc#1194130
• jsc#DOCTEAM-480

Is this (based on) existing content?

no

[jirib]

My 2 cents:

• ssl vs tls (right in the beginning) - let's use only TLS later after clarification
• Goal -> plus manage the certs !
• Handshake -> TLS handshake (everywhere) - not sure but TLS 1.3 simplified the TLS handshake https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/#:~:text=The%20basic%20steps%20of%20a,cipher%20suites%20is%20vastly%20reduced. (not sure how DH params play role here)
• 1.1 should mention PFS https://en.wikipedia.org/wiki/Forward_secrecy (old days way to decrypt the captured communication while having the private key thus does not work...)
• DH params/key exchange might be good to mention
• 3 creating a private key - not sure if ECDSA key would be compat with all our SLES supported versions, it should be clear here
• 3.1 Tip - should read that some tools allow the passphrase to be provide via systemd unit... but probably not all, untested !

/usr/sbin/apache2-systemd-ask-pass:exec /usr/bin/systemd-ask-password "Enter SSL pass phrase for $1 ($2): "

• 7 - iiuc there are openssl and gnutls stores; 7.3 is gnutls
• 6 - not sure but java used to have its own trust store but on SLES it uses the system one
• there should be an example how to query if a cert is present in the trust store

# an example
$ awk -v cmd='openssl x509 -noout -subject -startdate -enddate' '/BEGIN/{close(cmd)}; { print | cmd }' \
    < /etc/ssl/ca-bundle.pem  2>/dev/null | grep -C 1 'DigiCert Global Root CA'
notAfter=Jan 15 12:00:00 2038 GMT
subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
notBefore=Nov 10 00:00:00 2006 GMT

• maybe a TLS client-server auth with certs? so only a special tls client could use a tls server ?
• 4.1 - maybe an example for alt_names with an IP ?
• a troubleshooting section - https://www.wireshark.org/docs/dfref/t/tls.html:

$ tshark -G protocols 2>/dev/null | grep -P '\bTLS\s+tls\b'
Transport Layer Security        TLS     tls

$  # tshark -i jbelka -f 'tcp port 443' -Y tls                                                                   ������������������������������������������������������������������������������������������������      
Running as user "root" and group "root". This could be dangerous.                                                       
Capturing on 'jbelka'                                                                                                   
 ** (tshark:11479) 11:16:09.323193 [Main MESSAGE] -- Capture started.                                                   
 ** (tshark:11479) 11:16:09.323315 [Main MESSAGE] -- File: "/tmp/wireshark_jbelkaVJHJM2.pcapng"                         
    4 0.000799229 192.168.252.100 → 192.168.252.1 TLSv1 583 Client Hello                                                
    6 0.003643118 192.168.252.1 → 192.168.252.100 TLSv1.3 2574 Server Hello, Change Cipher Spec, Application Data, App:2lication Data, Application Data, Application Data                                                                       
    8 0.004548144 192.168.252.100 → 192.168.252.1 TLSv1.3 146 Change Cipher Spec, Application Data                      
   10 0.004677386 192.168.252.100 → 192.168.252.1 TLSv1.3 356 Application Data                                          
   12 0.004762303 192.168.252.1 → 192.168.252.100 TLSv1.3 369 Application Data                                          
   14 0.004865502 192.168.252.1 → 192.168.252.100 TLSv1.3 369 Application Data                   
...

[dariavladykina]

Hi, please see some suggestions here. Thanks!

[lvicoun]

Hi Tomas,
great job! Just a few suggestion. I'd prefer to have two "procedures" in this article - one for install TLS on a trusted CA and one to install the certificate using a private CA. Even though the procedure is outlined in sec 2 I still had problems to follow the flow. I think with the modular approach it is easy to achieve.
Sec 7 System-wide CA certificate store stands there as a concept where I'd expect a procedural part - that is in sec 8. Probably using the concept as part of sec 8 not a standalone section here would work.

[lvicoun]

The image has SSL instead of TLS as used in the rest of the article.