Secure Sockets Layer (SSL) Fundamentals

Course

July 3rd, 2019


Justin Mitchell

Security Training Architect II in Content

Length

02:13:04

Difficulty

Beginner

Course Details

The backbone of securing network communications through encryption is Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS). SSL and TLS are the standards widely used today to secure many communication types: websites, email, and many others. This course is designed to give you a high-level understanding of how to implement and maintain an environment that supports SSL and TLS.

Interactive Diagram: https://interactive.linuxacademy.com/diagrams/SecureSocketLayerFundamentals.html

Syllabus

Course Introduction

Getting Started

Course Introduction

00:06:23

Lesson Description:

Welcome to our SSL Fundamentals course! Have you ever visited a secure website and wondered what it is that makes it secure? That's the exact topic we intend to tackle with this course! SSL — or, more appropriately, TLS (Transport Layer Security) — is how we secure those communications. We're excited that you're here! With all of that being said, let's get started! Make sure to give this video a thumbs up below and mark it complete when you're ready to move on to the first lesson.

About the Training Architect

00:00:28

Lesson Description:

Hello! I'm Justin Mitchell, the author of this course. In this video, you'll learn a little bit about me. As you progress through the course, if I can assist you in any way, please don't hesitate to reach out. You can reach me a few different ways:

On LinkedIn
Via email at justin.mitchell@linuxacademy.com
Join the Linux Academy Community Slack, and follow the #security channel

SSL Fundamentals

Getting Started

Introduction to Cryptography

00:12:00

Lesson Description:

To understand SSL, it's vitally important to understand what cryptography is and why we use it in our computing environments. This lesson covers a high-level understanding of some of the key concepts associated with cryptography.

Introduction to Asymmetric Encryption

00:07:20

Lesson Description:

Now that we have a good understanding of what cryptography is and what it's used for, let's dive into asymmetric encryption. In this lesson, we'll establish how asymmetric encryption is used to mitigate the key issue with symmetric encryption: key distribution.

Introduction to Public Key Infrastructure (PKI)

00:10:26

Lesson Description:

Asymmetric encryption uses two keys: one to encrypt and the other to decrypt. This is especially prevalent in a public key infrastructure, or PKI. In this lesson, we'll take a look at how PKI works.

Using Encryption to Protect Network Communications

Secure Protocols Overview

00:08:42

Lesson Description:

To get a better understanding of SSL, it's first important to understand how we use the different protocols to facilitate communications. Let's dive in and look at some of the protocols, as well as discuss the methodology around how SSL secures those protocols.

The Use of Hybrid Encryption in SSL

00:04:37

Lesson Description:

As we discussed in Section 1, both symmetric and asymmetric encryption come with their own respective drawbacks. Thus, we use hybrid encryption to mitigate these issues. In this lesson, let's take a look at how hybrid encryption is used in our everyday work to ensure secure transmissions of data.

How a Public Key Exchange (PKE) Works

00:08:00

Lesson Description:

Now that we understand what hybrid encryption is and how it works, let's take a look at how we can then use it to encrypt data in transit between a web server and a client. In this lesson, we'll learn how a web server shares its public key with a client to enable secure communications. This is often referred to as the TLS handshake.

How (and Why) TLS Superseded SSL

00:10:02

Lesson Description:

The terms SSL and TLS are often used interchangeably in today's computing environment. However, there are some key differences between the two. In this lesson, we'll cover those differences, as well as some of the history involved that led us to use TLS today.

Real-World Use Cases

Requesting and Setting Up a Web Server Certificate

00:10:13

Lesson Description:

We'll start our real-world use cases off with one of the more common uses for SSL: setting up a web server certificate. For this lesson, we're using an Ubuntu 16.04 box with Nginx installed, but the same would work on CentOS 7. If you want to follow along, here's what we accomplish below:

Install Nginx:

    sudo apt-get install nginx

Or (if on CentOS):

    sudo yum install nginx

Create the public and private key pair:

    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/test.key -out /etc/nginx/ssl/test.crt

Modify the Nginx configuration file to redirect all HTTP traffic to HTTPS, listen on port 443, and add the certificates:

    sudo nano /etc/nginx/sites-enabled/default

Under where you find HTTP traffic, or listening on port 80, add the line:

    return 301 https://$server_name$request_uri;

If lines already exist for listening on port 443, simply uncomment them — otherwise, add them. Then add lines under that to make Nginx use your newly created certificates:

    server {
        listen 443 ssl;
        ssl_certificate /etc/nginx/ssl/test.crt;
        ssl_certificate_key /etc/nginx/ssl/test.key;
    }

Setting Up a Private Docker Registry Using SSL

00:15:25

Lesson Description:

As part of our practical, real-world use cases, let's look at setting up a private Docker registry using SSL. In this example, we're going to use a CentOS 7 machine with Docker installed. Here are the steps we're going to take:

Update the system and install Docker Engine:

    yum update
    curl -fsSL https://get.docker.com/ | sh
    systemctl start docker

Add the server IP to the OpenSSL config file before creating the certs:

    vim /etc/pki/tls/openssl.cnf

Add the line:

    subjectAltName=IP:serverIPaddress

Then, create the certificates:

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /certs/test.key -out /certs/test.crt

Create the Docker registry:

    docker run -d -p 5000:5000 --restart=always --name registry -v /certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/test.crt -e REGISTRY_HTTP_TLS_KEY=/certs/test.key registry:2

Add the certificates to Docker's trusted certs, and then reload Docker:

    mkdir -p /etc/docker/certs.d/<serverIP>:5000
    cd /certs
    cp /certs/test* /etc/docker/certs.d/<serverIP>:5000/
    cd /etc/docker/certs.d/<serverIP>:5000/
    mv test.crt ca.crt
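The key pair step is the same in the web server lesson and the registry lesson above. The script below is an added example, not part of the course: it generates the self-signed pair as the lessons do but puts the subjectAltName into the certificate with -addext (OpenSSL 1.1.1 or later) instead of editing openssl.cnf, then runs the checks worth doing before the files go into nginx or /etc/docker/certs.d. The hostname, the 192.0.2.10 address and the directories are constructed stand-ins.

```shell
set -u

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"   # stand-in for /etc/nginx/ssl or /certs
HOST="registry.example.test"           # constructed DNS name
IP="192.0.2.10"                        # constructed server IP (documentation range)
CRT="$CERT_DIR/test.crt"; KEY="$CERT_DIR/test.key"

# Same request as the lessons, plus a subject (no prompts) and the SAN inline.
make_cert() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST,IP:$IP" \
        -keyout "$KEY" -out "$CRT" 2>/dev/null
}

# nginx refuses to start when ssl_certificate and ssl_certificate_key do not
# belong together: compare the public key carried by each file.
key_matches_cert() {
    [ "$(openssl x509 -in "$CRT" -noout -pubkey | openssl dgst -sha256)" = \
      "$(openssl pkey -in "$KEY" -pubout | openssl dgst -sha256)" ]
}

# Docker and browsers match the SAN, not the CN: both names must be listed.
san_covers_names() {
    san=$(openssl x509 -in "$CRT" -noout -text | grep -A1 'Subject Alternative Name')
    echo "$san" | grep -q "DNS:$HOST" && echo "$san" | grep -q "IP Address:$IP"
}

# Fail if the cert expires within 30 days (2592000 s); a fresh -days 365 passes.
not_expiring_soon() { openssl x509 -in "$CRT" -noout -checkend 2592000 >/dev/null; }

# The registry lesson installs the cert as <serverIP>:5000/ca.crt; confirm the
# cert validates against itself as that trust anchor before restarting Docker.
install_as_ca() {
    dir="${DOCKER_CERT_ROOT:-$CERT_DIR/certs.d}/$IP:5000"  # stand-in for /etc/docker/certs.d
    mkdir -p "$dir" && cp "$CRT" "$dir/ca.crt" &&
        openssl verify -CAfile "$dir/ca.crt" "$CRT" >/dev/null 2>&1
}

# Run everything; stops at the first failing check and returns non-zero.
run_checks() {
    make_cert && key_matches_cert && san_covers_names && not_expiring_soon && install_as_ca
}

run_checks && echo "certificate in $CERT_DIR passed all checks"
```

Set CERT_DIR to the real directory to check a pair you already deployed; the script never overwrites an existing file unless make_cert is called.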

Encrypting File System (EFS) Overview

00:04:46

Lesson Description:

EFS is a built-in Microsoft Windows utility that allows us to encrypt data stored within Windows OS. EFS provides another method in which we can demonstrate how hybrid encryption works. In this lesson, we'll take a look at how EFS works, as well as walk through a demonstration of how to encrypt a folder with EFS. To mimic the lesson, on a Windows server, just right-click on a file or folder, and select Properties > Advanced > Encrypt.

Setting Up OpenLDAP to Use SSL/TLS

00:15:51

Lesson Description:

OpenLDAP is an open-source tool that provides LDAP (Lightweight Directory Access Protocol) services. Traditionally, secure LDAP connections used the LDAPS (LDAP-Secure) protocol that communicates via port 636. However, this approach has been deprecated and replaced with a STARTTLS function that rides over the LDAP port 389. For this example, we're using a CentOS 7 machine with OpenLDAP installed. If you want to follow along, here are the steps to accomplish:

First, update your system, configure your hostname, and then install OpenLDAP:

    sudo yum update
    vim /etc/hosts

Update 127.0.0.1 to your new hostname — it should be formatted as IP, FQDN, short server name. For instance:

    127.0.0.1 ldapsrv.local ldapsrv

Then, install OpenLDAP:

    sudo yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel

Go ahead and start and enable the slapd service, and then reset the slap password. Make sure to copy the generated password hash for use later.

    systemctl start slapd.service
    systemctl enable slapd.service
    slappasswd

Configure the OpenLDAP configuration to use the domain name established when you changed the hostname and the username/password combination you just changed with slappasswd:

    cd /etc/openldap/slapd.d
    vim init.ldif

Then, paste the following, modifying dc=____ to your domain name. So, for instance, if you changed the hostname to ldapsrv.local, then dc=local. But if you changed it to ldapsrv.local.com, then line 4 should read olcSuffix: dc=local, dc=com. Then, on the last line, make sure to copy and paste your newly generated password hash, or else authentication will fail when trying to commit changes to the configuration.

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcSuffix
    olcSuffix: dc=local

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcRootDN
    olcRootDN: cn=ldap,dc=local

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcRootPW
    olcRootPW: {SSHA}AmuhKv7p8YuN/JYHV0ph1kFOQRkQhpYm/

Commit those changes:

    ldapmodify -Y EXTERNAL -H ldapi:/// -f init.ldif

Generate your key pair, and give the ldap user ownership of the location where you store them:

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/openldap/certs/ldaptest.key -out /etc/openldap/certs/ldaptest.crt
    chown -R ldap:ldap /etc/openldap/certs/

Create an ldif file that modifies the OpenLDAP config to use the certs we just created:

    vim certs.ldif

Copy the below changes to the ldif file (of course substituting the appropriate directory and file names into lines 4 and 9):

    dn: cn=config
    changetype: modify
    replace: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/openldap/certs/ldaptest.key

    dn: cn=config
    changetype: modify
    replace: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/openldap/certs/ldaptest.crt

Commit those changes to the configuration:

    ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif

Note: You can test the configuration at any time by running:

    slaptest -u

You can always check your current configuration by opening the cn=config.ldif file:

    vim cn=config.ldif
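The script below is an added example, not part of the course. It derives the olcSuffix from the hostname exactly as the lesson describes (ldapsrv.local gives dc=local, ldapsrv.local.com gives dc=local,dc=com), writes init.ldif with the root DN and password hash, and lints any LDIF so that every "replace:" is followed by a value line for the same attribute, which is a common reason ldapmodify rejects a hand-edited file. The hostnames, root DN and the {SSHA} placeholder hash are constructed.

```shell
set -u

# ldapsrv.local -> dc=local ; ldapsrv.local.com -> dc=local,dc=com
suffix_from_fqdn() {
    domain="${1#*.}"                      # strip the short host name label
    [ "$domain" != "$1" ] || return 1     # no domain part at all
    printf '%s\n' "$domain" |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i; print "" }'
}

# $1 suffix, $2 root DN, $3 hash from slappasswd. Records are blank-line separated.
gen_init_ldif() {
    cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $1

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: $2

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: $3
EOF
}

# Reject "replace: X" records whose value line names a different attribute.
check_ldif() {
    awk 'tolower($1) == "replace:" { want = $2; next }
         want != "" && $0 != "" && $0 != "-" {
             split($1, attr, ":")
             if (attr[1] != want) { print FILENAME ": replace: " want " is followed by " attr[1]; bad = 1 }
             want = "" }
         END { exit bad }' "$1"
}

# Demo: build the file for a constructed host and lint it before ldapmodify.
WORK="$(mktemp -d)"
SUFFIX="$(suffix_from_fqdn ldapsrv.local.com)"
gen_init_ldif "$SUFFIX" "cn=ldap,$SUFFIX" '{SSHA}placeholderHashFromSlappasswd' > "$WORK/init.ldif"
check_ldif "$WORK/init.ldif" && echo "init.ldif ok: olcSuffix: $SUFFIX"
```

Run check_ldif on certs.ldif as well; it catches the same class of mismatch there before the second ldapmodify.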

Conclusion

Wrapping Up

The DMV Model of Acquiring a Certificate

00:11:21

Lesson Description:

Acquiring an SSL certificate is much like visiting your local Department of Motor Vehicles (DMV) to obtain your driver's license or a license plate for your vehicle. This lesson is designed to show the similarities between the two to help you correlate acquiring this certificate with something you have most likely done before.

What's Next?

00:07:15

Lesson Description:

Now that you've completed the SSL Fundamentals course, let's take a look at some of the other Linux Academy offerings that may be of interest to you.