2
0

ossl-guide-tls-introduction.pod 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317
  1. =pod
  2. =head1 NAME
  3. ossl-guide-tls-introduction
  4. - OpenSSL Guide: An introduction to SSL/TLS in OpenSSL
  5. =head1 INTRODUCTION
  6. This page will provide an introduction to some basic SSL/TLS concepts and
  7. background and how it is used within OpenSSL. It assumes that you have a basic
  8. understanding of TCP/IP and sockets.
  9. =head1 WHAT IS TLS?
  10. TLS stands for Transport Layer Security. TLS allows applications to securely
  11. communicate with each other across a network such that the confidentiality of
  12. the information exchanged is protected (i.e. it prevents eavesdroppers from
  13. listening in to the communication). Additionally it protects the integrity of
  14. the information exchanged to prevent an attacker from changing it. Finally it
  15. provides authentication so that one or both parties can be sure that they are
  16. talking to who they think they are talking to and not some imposter.
  17. Sometimes TLS is referred to by its predecessor's name SSL (Secure Sockets
  18. Layer). OpenSSL dates from a time when the SSL name was still in common use and
  19. hence many of the functions and names used by OpenSSL contain the "SSL"
  20. abbreviation. Nonetheless OpenSSL contains a fully fledged TLS implementation.
  21. TLS is based on a client/server model. The application that initiates a
  22. communication is known as the client. The application that responds to a
  23. remotely initiated communication is the server. The term "endpoint" refers to
  24. either of the client or the server in a communication. The term "peer" refers to
  25. the endpoint at the other side of the communication that we are currently
  26. referring to. So if we are currently talking about the client then the peer
  27. would be the server.
  28. TLS is a standardised protocol and there are numerous different implementations
  29. of it. Due to the standards an OpenSSL client or server is able to communicate
  30. seamlessly with an application using some different implementation of TLS. TLS
  31. (and its predecessor SSL) have been around for a significant period of time and
  32. the protocol has undergone various changes over the years. Consequently there
  33. are different versions of the protocol available. TLS includes the ability to
  34. perform version negotiation so that the highest protocol version that the client
  35. and server share in common is used.
  36. TLS acts as a security layer over some lower level transport protocol. Typically
  37. the transport layer will be TCP.
  38. =head1 SSL AND TLS VERSIONS
  39. SSL was initially developed by Netscape Communications and its first publicly
  40. released version was SSLv2 in 1995. Note that SSLv1 was never publicly released.
  41. SSLv3 came along quickly afterwards in 1996. Subsequently development of the
  42. protocol moved to the IETF which released the first version of TLS (TLSv1.0) in
  43. 1999 as RFC2246. TLSv1.1 was released in 2006 as RFC4346 and TLSv1.2 came along
  44. in 2008 as RFC5246. The most recent version of the standard is TLSv1.3 which
  45. was released in 2018 as RFC8446.
  46. Today TLSv1.3 and TLSv1.2 are the most commonly deployed versions of the
  47. protocol. The IETF have formally deprecated TLSv1.1 and TLSv1.0, so anything
  48. below TLSv1.2 should be avoided since the older protocol versions are
  49. susceptible to security problems.
  50. OpenSSL does not support SSLv2 (it was removed in OpenSSL 1.1.0). Support for
  51. SSLv3 is available as a compile time option - but it is not built by default.
  52. Support for TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3 are all available by default
  53. in a standard build of OpenSSL. However special run-time configuration is
  54. required in order to make TLSv1.0 and TLSv1.1 work successfully.
  55. OpenSSL will always try to negotiate the highest protocol version that it has
  56. been configured to support. In most cases this will mean either TLSv1.3 or
  57. TLSv1.2 is chosen.
  58. =head1 CERTIFICATES
  59. In order for a client to establish a connection to a server it must authenticate
  60. the identify of that server, i.e. it needs to confirm that the server is really
  61. the server that it claims to be and not some imposter. In order to do this the
  62. server will send to the client a digital certificate (also commonly referred to
  63. as an X.509 certificate). The certificate contains various information about the
  64. server including its full DNS hostname. Also within the certificate is the
  65. server's public key. The server operator will have a private key which is
  66. linked to the public key and must not be published.
  67. Along with the certificate the server will also send to the client proof that it
  68. knows the private key associated with the public key in the certificate. It does
  69. this by digitally signing a message to the client using that private key. The
  70. client can verify the signature using the public key from the certificate. If
  71. the signature verifies successfully then the client knows that the server is in
  72. possession of the correct private key.
  73. The certificate that the server sends will also be signed by a Certificate
  74. Authority. The Certificate Authority (commonly known as a CA) is a third party
  75. organisation that is responsible for verifying the information in the server's
  76. certificate (including its DNS hostname). The CA should only sign the
  77. certificate if it has been able to confirm that the server operator does indeed
  78. have control of the server associated with its DNS hostname and that the server
  79. operator has control of the private key.
  80. In this way, if the client trusts the CA that has signed the server's
  81. certificate and it can verify that the server has the right private key then it
  82. can trust that the server truly does represent the DNS hostname given in the
  83. certificate. The client must also verify that the hostname given in the
  84. certificate matches the hostname that it originally sent the request to.
  85. Once all of these checks have been done the client has successfully verified the
  86. identify of the server. OpenSSL can perform all of these checks automatically
  87. but it must be provided with certain information in order to do so, i.e. the set
  88. of CAs that the client trusts as well as the DNS hostname for the server that
  89. this client is trying to connect to.
  90. Note that it is common for certificates to be built up into a chain. For example
  91. a server's certificate may be signed by a key owned by a an intermediate CA.
  92. That intermediate CA also has a certificate containing its public key which is
  93. in turn signed by a key owned by a root CA. The client may only trust the root
  94. CA, but if the server sends both its own certificate and the certificate for the
  95. intermediate CA then the client can still successfully verify the identity of
  96. the server. There is a chain of trust between the root CA and the server.
  97. By default it is only the client that authenticates the server using this
  98. method. However it is also possible to set things up such that the server
  99. additionally authenticates the client. This is known as "client authentication".
  100. In this approach the client will still authenticate the server in the same way,
  101. but the server will request a certificate from the client. The client sends the
  102. server its certificate and the server authenticates it in the same way that the
  103. client does.
  104. =head1 TRUSTED CERTIFICATE STORE
  105. The system described above only works if a chain of trust can be built between
  106. the set of CAs that the endpoint trusts and the certificate that the peer is
  107. using. The endpoint must therefore have a set of certificates for CAs that it
  108. trusts before any communication can take place. OpenSSL itself does not provide
  109. such a set of certificates. Therefore you will need to make sure you have them
  110. before you start if you are going to be verifying certificates (i.e. always if
  111. the endpoint is a client, and only if client authentication is in use for a
  112. server).
  113. Fortunately other organisations do maintain such a set of certificates. If you
  114. have obtained your copy of OpenSSL from an Operating System (OS) vendor (e.g. a
  115. Linux distribution) then normally the set of CA certificates will also be
  116. distributed with that copy.
  117. You can check this by running the OpenSSL command line application like this:
  118. openssl version -d
  119. This will display a value for B<OPENSSLDIR>. Look in the B<certs> sub directory
  120. of B<OPENSSLDIR> and check its contents. For example if B<OPENSSLDIR> is
  121. "/usr/local/ssl", then check the contents of the "/usr/local/ssl/certs"
  122. directory.
  123. You are expecting to see a list of files, typically with the suffix ".pem" or
  124. ".0". If they exist then you already have a suitable trusted certificate store.
  125. If you are running your version of OpenSSL on Windows then OpenSSL (from version
  126. 3.2 onwards) will use the default Windows set of trusted CAs.
  127. If you have built your version of OpenSSL from source, or obtained it from some
  128. other location and it does not have a set of trusted CA certificates then you
  129. will have to obtain them yourself. One such source is the Curl project. See the
  130. page L<https://curl.se/docs/caextract.html> where you can download trusted
  131. certificates in a single file. Rename the file to "cert.pem" and store it
  132. directly in B<OPENSSLDIR>. For example if B<OPENSSLDIR> is "/usr/local/ssl",
  133. then save it as "/usr/local/ssl/cert.pem".
  134. You can also use environment variables to override the default location that
  135. OpenSSL will look for its trusted certificate store. Set the B<SSL_CERT_PATH>
  136. environment variable to give the directory where OpenSSL should looks for its
  137. certificates or the B<SSL_CERT_FILE> environment variable to give the name of
  138. a single file containing all of the certificates. See L<openssl-env(7)> for
  139. further details about OpenSSL environment variables. For example you could use
  140. this capability to have multiple versions of OpenSSL all installed on the same
  141. system using different values for B<OPENSSLDIR> but all using the same
  142. trusted certificate store.
  143. You can test that your trusted certificate store is setup correctly by using it
  144. via the OpenSSL command line. Use the following command to connect to a TLS
  145. server:
  146. openssl s_client www.openssl.org:443
  147. Once the command has connected type the letter "Q" followed by "<enter>" to exit
  148. the session. This will print a lot of information on the screen about the
  149. connection. Look for a block of text like this:
  150. SSL handshake has read 4584 bytes and written 403 bytes
  151. Verification: OK
  152. Hopefully if everything has worked then the "Verification" line will say "OK".
  153. If its not working as expected then you might see output like this instead:
  154. SSL handshake has read 4584 bytes and written 403 bytes
  155. Verification error: unable to get local issuer certificate
  156. The "unable to get local issuer certificate" error means that OpenSSL has been
  157. unable to find a trusted CA for the chain of certificates provided by the server
  158. in its trusted certificate store. Check your trusted certificate store
  159. configuration again.
  160. Note that s_client is a testing tool and will still allow you to connect to the
  161. TLS server regardless of the verification error. Most applications should not do
  162. this and should abort the connection in the event of a verification error.
  163. =head1 IMPORTANT OBJECTS FOR AN OPENSSL TLS APPLICATION
  164. A TLS connection is represented by the B<SSL> object in an OpenSSL based
  165. application. Once a connection with a remote peer has been established an
  166. endpoint can "write" data to the B<SSL> object to send data to the peer, or
  167. "read" data from it to receive data from the server.
  168. A new B<SSL> object is created from an B<SSL_CTX> object. Think of an B<SSL_CTX>
  169. as a "factory" for creating B<SSL> objects. You can create a single B<SSL_CTX>
  170. object and then create multiple connections (i.e. B<SSL> objects) from it.
  171. Typically you can set up common configuration options on the B<SSL_CTX> so that
  172. all the B<SSL> object created from it inherit the same configuration options.
  173. Note that internally to OpenSSL various items that are shared between multiple
  174. B<SSL> objects are cached in the B<SSL_CTX> for performance reasons. Therefore
  175. it is considered best practice to create one B<SSL_CTX> for use by multiple
  176. B<SSL> objects instead of having one B<SSL_CTX> for each B<SSL> object that you
  177. create.
  178. Each B<SSL> object is also associated with two B<BIO> objects. A B<BIO> object
  179. is used for sending or receiving data from the underlying transport layer. For
  180. example you might create a B<BIO> to represent a TCP socket. The B<SSL> object
  181. uses one B<BIO> for reading data and one B<BIO> for writing data. In most cases
  182. you would use the same B<BIO> for each direction but there could be some
  183. circumstances where you want them to be different.
  184. It is up to the application programmer to create the B<BIO> objects that are
  185. needed and supply them to the B<SSL> object. See
  186. L<ossl-guide-tls-client-block(7)> for further information.
  187. Finally, an endpoint can establish a "session" with its peer. The session holds
  188. various TLS parameters about the connection between the client and the server.
  189. The session details can then be reused in a subsequent connection attempt to
  190. speed up the process of connecting. This is known as "resumption". Sessions are
  191. represented in OpenSSL by the B<SSL_SESSION> object. In TLSv1.2 there is always
  192. exactly one session per connection. In TLSv1.3 there can be any number per
  193. connection including none.
  194. =head1 PHASES OF A TLS CONNECTION
  195. A TLS connection starts with an initial "set up" phase. The endpoint creates the
  196. B<SSL_CTX> (if one has not already been created) and configures it.
  197. A client then creates an B<SSL> object to represent the new TLS connection. Any
  198. connection specific configuration parameters are then applied and the underlying
  199. socket is created and associated with the B<SSL> via B<BIO> objects.
  200. A server will create a socket for listening for incoming connection attempts
  201. from clients. Once a connection attempt is made the server will create an B<SSL>
  202. object in the same way as for a client and associate it with a B<BIO> for the
  203. newly created incoming socket.
  204. After set up is complete the TLS "handshake" phase begins. A TLS handshake
  205. consists of the client and server exchanging a series of TLS handshake messages
  206. to establish the connection. The client starts by sending a "ClientHello"
  207. handshake message and the server responds with a "ServerHello". The handshake is
  208. complete once an endpoint has sent its last message (known as the "Finished"
  209. message) and received a Finished message from its peer. Note that this might
  210. occur at slightly different times for each peer. For example in TLSv1.3 the
  211. server always sends its Finished message before the client. The client later
  212. responds with its Finished message. At this point the client has completed the
  213. handshake because it has both sent and received a Finished message. The server
  214. has sent its Finished message but the Finished message from the client may still
  215. be in-flight, so the server is still in the handshake phase. It is even possible
  216. that the server will fail to complete the handshake (if it considers there is
  217. some problem with the messages sent from the client), even though the client may
  218. have already progressed to sending application data. In TLSv1.2 this can happen
  219. the other way around, i.e. the server finishes first and the client finishes
  220. second.
  221. Once the handshake is complete the application data transfer phase begins.
  222. Strictly speaking there are some situations where the client can start sending
  223. application data even earlier (using the TLSv1.3 "early data" capability) - but
  224. we're going to skip over that for this basic introduction.
  225. During application data transfer the client and server can read and write data
  226. to the connection freely. The details of this are typically left to some higher
  227. level application protocol (for example HTTP). Not all information exchanged
  228. during this phase is application data. Some protocol level messages may still
  229. be exchanged - so it is not necessarily the case that, just because the
  230. underlying socket is "readable", that application data will be available to read.
  231. When the connection is no longer required then it should be shutdown. A shutdown
  232. may be initiated by either the client or the server via a message known as a
  233. "close_notify" alert. The client or server that receives a close_notify may
  234. respond with one and then the connection is fully closed and application data
  235. can no longer be sent or received.
  236. Once shutdown is complete a TLS application must clean up by freeing the SSL
  237. object.
  238. =head1 FURTHER READING
  239. See L<ossl-guide-tls-client-block(7)> to see an example of applying these
  240. concepts in order to write a simple TLS client based on a blocking socket.
  241. See L<ossl-guide-quic-introduction(7)> for an introduction to QUIC in OpenSSL.
  242. =head1 SEE ALSO
  243. L<ossl-guide-introduction(7)>, L<ossl-guide-libraries-introduction(7)>,
  244. L<ossl-guide-libssl-introduction(7)>, L<ossl-guide-tls-client-block(7)>,
  245. L<ossl-guide-quic-introduction(7)>
  246. =head1 COPYRIGHT
  247. Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
  248. Licensed under the Apache License 2.0 (the "License"). You may not use
  249. this file except in compliance with the License. You can obtain a copy
  250. in the file LICENSE in the source distribution or at
  251. L<https://www.openssl.org/source/license.html>.
  252. =cut