Top 20 Secure Sockets Layer (SSL) Interview Questions and Answers


The secure sockets layer (SSL) protocol is essential for securing sensitive data transmitted over the internet. SSL encrypts connections between a client and server to protect against eavesdropping and tampering. With the growth of e-commerce and increasing cyber threats, SSL knowledge is a must-have for IT professionals. This article provides answers to common SSL interview questions to help you demonstrate your expertise.

SSL Interview Questions and Answers

Q1. What is SSL/TLS?

SSL (secure sockets layer) and its successor TLS (transport layer security) are cryptographic protocols that provide communication security over networks. They use asymmetric encryption to authenticate the communicating parties, symmetric encryption to ensure privacy, and message authentication codes to ensure integrity of data.

Q2. What are the main purposes of SSL/TLS?

The primary purposes of SSL/TLS are:

  • Privacy – Encrypting data to prevent eavesdropping
  • Authentication – Verifying identities of communicating parties
  • Integrity – Detecting any changes or tampering with data
  • Non-repudiation – Preventing denial of data receipt

Q3. What are the types of SSL certificates?

The main types of SSL certificates are:

  • Domain validation (DV) – Validates domain ownership only
  • Organization validation (OV) – Validates domain and organization
  • Extended validation (EV) – Highest level of validation for organizations

There are also single-domain, wildcard, and multi-domain certificates.

Q4. What is the history of SSL?

SSL was developed by Netscape in 1994 for the HTTPS protocol. Version 1.0 was never released, and SSL 2.0 had security flaws, so SSL 3.0 was released in 1996. In 1999, the IETF took over development and renamed it to TLS 1.0. The current version is TLS 1.3, released in 2018.

Q5. Who invented SSL?

SSL was invented by Dr. Taher Elgamal, a cryptographer who worked with Netscape Communications. Along with Phil Karlton and Dr. Alan Freier, he authored the original SSL paper that laid the foundation for SSL protocol development at Netscape in 1994.

Q6. What are some key differences between SSL vs TLS?

Some key differences between SSL and TLS are:

  • TLS has more protocol versions – SSL has SSLv2 and SSLv3 vs TLS with TLSv1.0, TLSv1.1 etc.
  • TLS supports more encryption algorithms and key lengths for better security.
  • TLS has improved vulnerability and attack mitigations compared to SSL.
  • TLS handshake is slightly different than SSL handshake.

Q7. What is the current version of SSL/TLS?

The current version is TLS 1.3, which was finalized in 2018. It has features like reduced handshake time, improved security, and support for new use cases like Internet of Things (IoT). TLS 1.2 is still widely used and supported.

Q8. How does an SSL certificate get validated?

SSL certificate validation involves the following steps:

  • The browser sends certificate details to the issuing certificate authority (CA)
  • The CA validates whether it issued the certificate
  • The CA checks if the certificate is in its revocation list
  • The CA verifies the domain, organization, validity period, key usage etc.
  • The browser displays warnings if any issues are found

Q9. Will an SSL certificate work for a subdomain?

  • A single-domain SSL certificate will only work for the exact domain it is issued for, not subdomains.
  • A wildcard SSL certificate will work for the configured domain and all its subdomains.
  • A multi-domain SSL certificate can contain several domains and their subdomains if configured.

Q10. What are the types of SSL/TLS handshakes?

SSL/TLS handshakes can be:

  • Full – Performs full certificate exchange and encryption algorithm negotiation.
  • Abbreviated – Uses previous session’s handshake data and skips steps for faster connection.
  • Resumption – Resumes earlier TLS session with new symmetric keys but same parameters.

Q11. Explain the SSL handshake process briefly.

The SSL handshake involves the below steps:

  1. Client sends “ClientHello” message with supported SSL options.
  2. Server responds with “ServerHello” confirming SSL options.
  3. Server sends its certificate and requests client certificate.
  4. Client verifies server certificate validity and sends its certificate.
  5. Client generates pre-master secret key and encrypts with server’s public key.
  6. Server decrypts to obtain pre-master key used to generate session keys.
  7. Client and server exchange ChangeCipherSpec messages to indicate use of session keys.
  8. Client and server send Finished messages to confirm handshake completion.

Q12. How does SSL provide authentication?

SSL uses public key certificates and digital signatures to authenticate servers and optionally clients. The keys act as proof of identity. Certificate authorities validate and sign certificates to prevent forged identities. The client verifies the server’s certificate signature against CA certificates.

Q13. What encryption algorithms are supported in SSL/TLS?

Commonly used symmetric encryption algorithms in SSL/TLS include AES, RC4, 3DES, DES, AES-GCM. Asymmetric algorithms include RSA, DSA, ECDSA. Hashing algorithms include MD5, SHA1, SHA256, SHA384. Older and weaker algorithms are being phased out.

Q14. What is Session Resumption in SSL and what are its benefits?

Session resumption allows clients and servers to reuse previously established session parameters like crypto keys to set up new connections more quickly. Benefits include:

  • Reduced latency – Avoiding time-consuming handshakes
  • Lower server load – Reusing costly cryptographic operations
  • Better user experience – Faster page loads for clients

Q15. How can you troubleshoot SSL/TLS related issues?

Common troubleshooting techniques include:

  • Reviewing server and application logs for SSL errors
  • Capturing packet traces to analyze SSL handshake failures
  • Checking certificate validity, expiration dates and verification paths
  • Testing with SSL validation tools like ssllabs.com
  • Trying TLS fallback to isolate protocol specific issues

Q16. What is SSL termination?

SSL termination or SSL offloading refers to decrypting HTTPS traffic at a front-end proxy before passing unencrypted HTTP traffic to web servers. This avoids encrypt/decrypt overheads on the server. Load balancers or reverse proxies usually handle SSL termination.

Q17. What are some best practices for SSL security?

Some SSL security best practices include:

  • Use the latest TLS version and updated cipher suites
  • Disable outdated protocols like SSLv2/SSLv3 if not needed
  • Use certificate pinning between client and server
  • Enforce strong keys and signatures (SHA-2, RSA 2048-bit+)
  • Establish short certificate validity periods
  • Automate certificate issuance and renewal

Q18. How can you inspect SSL encrypted traffic?

To inspect encrypted SSL traffic, you can use man-in-the-middle tools like forward proxies that decrypt, inspect, and re-encrypt the traffic. Other options include:

  • Configuring the application for SSL offloading
  • Using network TAPs or port mirrors to get copies of traffic
  • Leveraging SSL decryption features on next-gen firewalls
  • Installing certificates in endpoints to locally decrypt traffic

Q19. What is Public Key Pinning in HTTPS connections?

Public key pinning allows web browsers to associate a specific server certificate or public key with a host to prevent man-in-the-middle attacks. The browser will reject connections if the certificate or key changes.

Q20. How can DNS benefit SSL security?

Validating DNS configuration helps strengthen SSL security in several ways:

  • Using CAA records to specify authorized CAs for issuing certificates
  • Enforcing DNSSEC to authenticate DNS responses and prevent spoofing
  • Redirecting HTTP to HTTPS using secure HTTP redirection
  • Allowing only TLS connections using TLS domain records

This covers the most common SSL/TLS related questions for interviews. Candidates should focus on learning the SSL handshake, encryption, certificates, vulnerabilities, and troubleshooting. Hands-on experience with OpenSSL helps build practical skills as well. Having a good grasp of these SSL concepts is key to standing out in cybersecurity interviews.


DevOps / Sys Admin Q & A #11 : SSH & SSL(TLS)

Prelude

To get the most out of this post, we need to know about two important ideas: public key cryptography and signatures.

  • Public key cryptography: Bob’s private key is the only way to decrypt a message that was encrypted with his public key. => Bob can use his private key to decrypt a message from a faraway server that was encrypted with his public key.
  • Signature: With Alice’s public key, anyone can check that a message signature is really from Alice (made with her private key) and not from someone else. => Our browser can confirm that the SSL certificate sent by Alice’s server, which was issued by the CA, really comes from her server. This is because the server sends both its certs and public key when a page request comes in. Anyone who knows Alice’s public key can confirm that a signature could only have been made by someone who knows her private key.

Introduction – Asymmetric (Public) key

One effective way of securing SSH access to a remote server is to use a public/private key pair. This means that we put a public key on the server and a private key on our local workstation. This lets both sides trust each other and send commands and output back and forth. In short, SSH allows remote login and other network services to operate securely over an unsecured network.

Picture source : ref #4 – An unpredictable (typically large and random) number is used to begin generation of an acceptable pair of keys suitable for use by an asymmetric key algorithm.

There is a type of encryption called symmetrical (shared key) encryption where one key can be used to both encrypt and decrypt messages sent and received by the other party. So, anyone who holds the key can encrypt and decrypt messages to anyone else holding the key.

The server listens on a designated port (22) for connections. Its job is to negotiate the secure connection, make sure the other party is who they say they are, and start the right environment if the credentials are accepted.

The client starts the initial TCP handshake with the server, negotiates the secure connection, checks that the server’s identity matches what was previously recorded, and gives the server credentials to prove its identity.

SSH Workflow

The SSH connection between the client and the server is established in three stages:

  • Verification of the server by the client.
  • Making a session key to protect the messages sent between the server and the client.
  • Client authentication.

Let’s look into the three stages one by one.

  • The client checks out the server: the client starts an SSH connection, and the server listens on SSH’s default port 22. At this stage, the server identity is verified. When a client connects to a server for the first time, the server asks the client to manually verify the server:

        $ ssh -i bogotobogo.pem ubuntu@3.236.66.255
        The authenticity of host '3.236.66.255 (3.236.66.255)' can't be established.
        ECDSA key fingerprint is SHA256:kPVPFoAzH927+HMenDk81UFRMPNY2/KAYYvVFN/dTi8.
        Are you sure you want to continue connecting (yes/no)? yes
        Warning: Permanently added '3.236.66.255' (ECDSA) to the list of known hosts.
        Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-1023-aws x86_64)
        ...
        ubuntu@ip-172-31-94-245:~$
        ubuntu@ip-172-31-94-245:~$ cat ~/.ssh/authorized_keys
        ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCXQumwl...

    Once the server has been verified, it is added to the ~/.ssh/known_hosts file on the client side. After that, when the client connects to the server, the information is checked against what is stored in the ~/.ssh/known_hosts file:

        $ cat ~/.ssh/known_hosts
        ...
        100.26.243.180 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOLSFx0UX5sWlpXaf/4VBxyWYaiovjbJq2nscrBIUngJjz3gwtummz1X01Yjn6DIJEm+Ak+I4yEn3sJHhVGV5eg=
        ...

    If we take out the server line from the ~/.ssh/known_hosts file, we need to repeat step 1.
  • Making a session key to encrypt the messages sent between the server and the client: Once the server has been verified, both sides agree on a session key, which is a shared symmetric key generated by the Diffie-Hellman algorithm. This session key will be used to protect the whole session.

    Figure: Diffie–Hellman key exchange
  • Client authentication: After setting up symmetric encryption, the next step is to authenticate the client. In simple terms, the steps are:

      • Use ssh-keygen to make a key pair.
      • Give the server the public key with the ssh-copy-id utility. The private key stays with the user. The server stores the public key in ~/.ssh/authorized_keys.

    The client can’t connect if the server doesn’t have the public key. For example:

        $ ssh -i bogotobogo.pem ubuntu@3.236.66.255
        ubuntu@3.236.66.255: Permission denied (publickey).

    After that, whenever the server needs to verify, it will ask the client to show that it has the private key that matches the public key. The server comes up with a random number, encrypts it with the public key, and sends the encrypted message to the client. The client then proves it has the private key. How? If the client has the right private key, it can decrypt the message and get the server’s random number. The client takes the shared session key and the random number it got and computes the MD5 hash of this value. The client sends this MD5 hash back to the server in response to the encrypted number message. To compute the MD5 value on its own, the server uses the shared session key and the original number it sent to the client. The server checks its own answer against the one the client sent. If these two values match, the client is authenticated.

Here is a sample ssh session with the verbose option:

        ~/.ssh $ ssh -v -i bogotobogo.pem ubuntu@3.236.66.255
        OpenSSH_7.6p1, LibreSSL 2.6.2
        debug1: Reading configuration data /etc/ssh/ssh_config
        debug1: /etc/ssh/ssh_config line 48: Applying options for *
        debug1: Connecting to 3.236.66.255 port 22.
        debug1: Connection established.
        debug1: key_load_public: No such file or directory
        debug1: identity file bogotobogo.pem type -1
        debug1: key_load_public: No such file or directory
        debug1: identity file bogotobogo.pem-cert type -1
        debug1: Local version string SSH-2.0-OpenSSH_7.6
        debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
        debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH* compat 0x04000000
        debug1: Authenticating to 3.236.66.255:22 as 'ubuntu'
        debug1: SSH2_MSG_KEXINIT sent
        debug1: SSH2_MSG_KEXINIT received
        debug1: kex: algorithm: curve25519-sha256
        debug1: kex: host key algorithm: ecdsa-sha2-nistp256
        debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
        debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
        debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
        debug1: Server host key: ecdsa-sha2-nistp256 SHA256:kPVPFoAzH927+HMenDk81UFRMPNY2/KAYYvVFN/dTi8
        debug1: Host '3.236.66.255' is known and matches the ECDSA host key.
        debug1: Found key in /Users/kihyuckhong/.ssh/known_hosts:15
        debug1: rekey after 134217728 blocks
        debug1: SSH2_MSG_NEWKEYS sent
        debug1: expecting SSH2_MSG_NEWKEYS
        debug1: SSH2_MSG_NEWKEYS received
        debug1: rekey after 134217728 blocks
        debug1: SSH2_MSG_EXT_INFO received
        debug1: kex_input_ext_info: server-sig-algs=
        debug1: SSH2_MSG_SERVICE_ACCEPT received
        debug1: Authentications that can continue: publickey
        debug1: Next authentication method: publickey
        debug1: Trying private key: bogotobogo.pem
        debug1: Authentication succeeded (publickey).
        Authenticated to 3.236.66.255 ([3.236.66.255]:22).
        debug1: channel 0: new [client-session]
        debug1: Requesting no-more-sessions@openssh.com
        debug1: Entering interactive session.
        debug1: pledge: network
        debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
        debug1: Sending environment.
        debug1: Sending env LANG = en_US.UTF-8
        Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-1023-aws x86_64)
        ...
        ubuntu@ip-172-31-94-245:~$
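
The known_hosts check from the first stage can be reproduced offline. The following Python code is an added example, not part of the original article: it parses the known_hosts line quoted above, confirms that the key blob carries the declared key type, and computes the SHA256 fingerprint in the form ssh prints, so it can be compared with a fingerprint obtained out of band. It handles plain (unhashed) entries only, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct

# The known_hosts entry quoted in the article: host, key type, base64 key blob.
KNOWN_HOSTS_LINE = (
    "100.26.243.180 ecdsa-sha2-nistp256 "
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOLSFx0UX5sWlpXaf/4VBxy"
    "WYaiovjbJq2nscrBIUngJjz3gwtummz1X01Yjn6DIJEm+Ak+I4yEn3sJHhVGV5eg="
)


def key_blob_fields(blob):
    """Split an SSH public key blob into its length-prefixed fields.

    Each field is a 4-byte big-endian length followed by that many bytes.
    Raises ValueError if a field runs past the end of the blob.
    """
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated data field")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def parse_known_hosts_line(line):
    """Return (hosts, key_type, key_blob) for a plain known_hosts entry."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected: hosts key-type base64-key")
    hosts, key_type = parts[0].split(","), parts[1]
    blob = base64.b64decode(parts[2], validate=True)
    # The blob repeats the key type as its first field. A mismatch means the
    # line was edited or damaged, so refuse to use it.
    if key_blob_fields(blob)[0] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    return hosts, key_type, blob


def sha256_fingerprint(blob):
    """Fingerprint as ssh displays it: SHA256:<base64 digest without padding>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_matches(line, host, expected_fingerprint):
    """True only if host is listed on the line and the fingerprint matches."""
    hosts, _, blob = parse_known_hosts_line(line)
    if host not in hosts:
        return False
    return hmac.compare_digest(sha256_fingerprint(blob), expected_fingerprint)


if __name__ == "__main__":
    hosts, key_type, blob = parse_known_hosts_line(KNOWN_HOSTS_LINE)
    print(hosts, key_type, sha256_fingerprint(blob))
    print([len(f) for f in key_blob_fields(blob)])  # type, curve, EC point
```

Comparing the printed fingerprint with one read from the server console (or published by the administrator) is what turns the first-connection "yes" prompt into an actual verification.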
How SSL works

Secure Socket Layer (SSL) is also known as Transport Layer Security (TLS).

The following protocols are most commonly used:

  • SSL 1.0 (not published)
  • SSL 2.0 (1995)
  • SSL 3.0 (1996), broken by POODLE (Nov 2014)
  • TLS 1.0 (SSL 3.1) (1999), a small change to SSLv3 that was made weaker by BEAST (2011) and Lucky 13 (2013).
  • TLS 1.1 (SSL 3.2) (2006), small change; Lucky 13 (2013) and RC4 (2013, 2015) made it less strong.
  • TLS 1.2 (SSL 3.3) (2008), better hashes and AEAD mode; only AEAD mode ciphers are safe.
  • TLS 1.3 (2018), optimized version of TLS 1.2. Two round trips are needed with TLS 1.2, but only one round trip is needed with TLS 1.3. No more RSA key exchange; Diffie-Hellman is used instead.

Just by watching the following video (ref. #5), we can get a high-level idea of how SSL (Secure Socket Layer) works.

No one video is complete and the following three may help us to understand SSL.

The ref. #7 is a relatively thorough document regarding the SSL handshake!

SSL-Handshake

Key concepts:

  • Any message that is encrypted with Bob’s public key can only be decrypted with Bob’s private key. This means that Bob can use his private key to decrypt a message from a remote server as long as the message was encrypted with his public key.
  • Digital cert with signature: Anyone with Alice’s public key can confirm that a message signature is from Alice (made with her private key) and not someone else. This means that our browser can confirm that the SSL certificate sent by Alice’s server was issued by the CA and is actually from her server. This is because when a client requests a page, the server sends the client both its certificates and public key.

Why digital certificate?

After setting up a TCP/IP link between the client and the server, the client will send the requests to the destination IP on port 443 (the default TLS/SSL port). The control is now transferred to the SSL Protocol in the application layer.

Keep in mind that even though the client has the IP

Basically, 3 keys are used to set up the SSL connection: the public, private, and session keys.

It takes a lot of processing power to encrypt and decrypt with a private and public key, so they are only used during the SSL Handshake to make a symmetric session key. After the secure connection is made, the symmetric session key is used to encrypt all transmitted data.

The SSL transaction has two phases:

  • SSL Handshake (the key exchange)
  • SSL data transfer

Pic. credit : SSL Handshake and HTTPS Bindings on IIS

Here are the steps of SSL/TLS handshake:

  • The client makes and sends a TLS packet called CLIENT HELLO. It has the SSL/TLS Protocol version, a list of Cipher Suites (for encryption), and a string of random bytes called “client random.”
  • The server replies to the client with SERVER HELLO, which includes the SSL/TLS Protocol version, one of the cipher suites from the client’s list (whichever is the safest), the server’s certificate (with its public key), and “server random,” which is another random string of bytes that the server creates.
  • The Client uses the SERVER HELLO to perform SERVER AUTHENTICATION.
  • The client uses the server’s data to create a session pre-master secret. It then encrypts this secret with the server’s public key, which can be found in the server’s certificate, and sends the encrypted pre-master secret to the server. (asymmetric key).
  • The server decrypts the pre-master secret with its private key. It then creates a master secret by going through a series of steps that the client also goes through, starting with the same pre-master secret. The master secret is used by both the client and the server to create session keys. These are symmetric keys that are used to encrypt and decrypt information sent over SSL and to check that the information is still valid (that is, to see if it has changed between when it was sent and when it was received over SSL).
  • The CLIENT After that, it sends a separate, encrypted message saying that its part of the handshake is over. The SSL Handshake is done.
  • From now on, the Client sends the encrypted HTTP Request packet to the Server. The symmetric key is used by the server to decrypt the request. It then makes a response, encrypts it, and sends it to the client. This continues normally for the entire session of secure communication.

To sum up, the server sends its public key, and the client and server agree on a secret that they can both use to encrypt the message. That’s why all the messages sent between the visitor and the server are encrypted with a symmetric key, which means that both sides have access to it.
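
The derivation in the handshake steps above, written out for TLS 1.2 as an added example (not code from the original article): both sides feed the same pre-master secret, client random and server random into the PRF defined in RFC 5246 and arrive at the same master secret and session keys. The RSA encryption of the pre-master secret is left out, the sample values are constructed, and the key sizes assume an AES-256-GCM cipher suite.

```python
import hashlib
import hmac


def p_sha256(secret, seed, length):
    """P_hash from RFC 5246 section 5, built on HMAC-SHA256.

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
    """
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def derive_master_secret(pre_master, client_random, server_random):
    """48-byte master secret; both randoms are mixed in, client first."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def derive_session_keys(master, client_random, server_random, key_len=32, iv_len=4):
    """Expand the master secret into per-direction keys and implicit IVs.

    The seed order flips here: server random first, then client random.
    AEAD suites such as AES-256-GCM need no separate MAC keys.
    """
    block = prf(master, b"key expansion", server_random + client_random,
                2 * (key_len + iv_len))
    layout = [("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_iv", iv_len), ("server_write_iv", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def handshake_side(pre_master, client_random, server_random):
    """What each endpoint computes once it holds the three inputs."""
    master = derive_master_secret(pre_master, client_random, server_random)
    return master, derive_session_keys(master, client_random, server_random)


# Constructed sample values (a real handshake uses fresh random bytes).
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
# Pre-master secret: 2-byte protocol version (3.3 = TLS 1.2) + 46 bytes.
PRE_MASTER = b"\x03\x03" + bytes(range(100, 146))

if __name__ == "__main__":
    client_master, client_keys = handshake_side(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    server_master, server_keys = handshake_side(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    print("master secrets agree:", client_master == server_master)
    print("session keys agree:  ", client_keys == server_keys)
    # An observer sees both randoms in the clear but not the pre-master
    # secret, so a guessed pre-master secret yields unrelated keys.
    guess_master, _ = handshake_side(bytes(48), CLIENT_RANDOM, SERVER_RANDOM)
    print("guess matches:       ", guess_master == client_master)
```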

Essentially, the first term is the Key Exchange, an algorithm that the two parties use to exchange keys. In this case, it’s based on the Diffie-Hellman algorithm, specifically, Elliptic-Curve Diffie–Hellman (ECDHE).

The second term is what type of key is in our Certificate. Every Public Key Infrastructure (PKI) certificate has a public key of a certain type. In this case it’s RSA.

The third piece is our Transport Cipher, the encryption algorithm used to encrypt all the data. There are many factors that affect this, but the safest cipher is AES with Galois/Counter Mode (AES‑GCM). This is a pretty cheap and solid cipher to use.

The last one is Integrity with Secure Hash Algorithms (SHA) with one of SHA-2 family. The SHA384 produces the 384 bit digest of a message. A hash goes with each message to make sure it hasn’t been changed. If the message is encrypted and has integrity, we can move on.

Digital Signature

Digital signatures, like handwritten signatures, are unique to each signer. Digital signature uses Public Key Infrastructure (PKI).

A digital signature on a document is usually just a hash of the document that has been encrypted with the private key of the person giving the signature. If the signer’s public key can be used to decrypt this signature, then we know that this signer made it since they are the only one who can see the private key.

When someone electronically signs a document with their private key, a mathematical algorithm computes a hash of the document and encrypts that hash. The resulting encrypted data is the digital signature. The signature is also marked with the time that the document was signed. If the document changes after signing, the digital signature is invalidated.

Picture from What are digital signatures?

Here is a sample case:

  • Alice clicks “sign” on a file.
  • Alice’s computer calculates the hash (the message is fed to a well-known mathematical function that turns it into a hash).
  • To make the digital signature, Alice’s private key is used to encrypt the hash.
  • Alice sends the original message and its digital signature to Bob.
  • Bob receives the signed message. This document has been marked as signed, so his app knows what to do to make sure it is real.
  • Bob’s computer decrypts the Digital Signature using Alice’s Public Key.
  • Bob’s computer also calculates the hash of the original message.
  • Bob’s computer checks the hash it made from the message it received against the hash it got from Alice’s signature after it was decrypted.
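
The sample case above as an added Python example (not from the original article). It uses textbook RSA without padding and constructed keys built from well-known Mersenne primes, so it shows the hash, sign and verify flow only; real signatures use a padding scheme such as PSS and randomly generated keys.

```python
import hashlib

E = 65537  # public exponent shared by both constructed keys


def make_key(p, q):
    """Build a toy RSA key (n, d) from two primes. Illustration only."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return n, d


# Constructed keys: products of known Mersenne primes, NOT secure.
ALICE_N, ALICE_D = make_key(2**127 - 1, 2**521 - 1)
MALLORY_N, MALLORY_D = make_key(2**107 - 1, 2**607 - 1)


def message_hash(message):
    """Steps 2 and 7: turn the message into a fixed-size hash (as an integer)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, d, n):
    """Step 3: 'encrypt' the hash with the signer's private key."""
    return pow(message_hash(message), d, n)


def verify(message, signature, n, e=E):
    """Steps 6 to 8: recover the hash with the public key and compare."""
    if not 0 <= signature < n:
        return False
    recovered = pow(signature, e, n)          # step 6: decrypt the signature
    return recovered == message_hash(message)  # steps 7 and 8: hash and compare


if __name__ == "__main__":
    document = b"Pay Bob 100 USD"
    signature = sign(document, ALICE_D, ALICE_N)

    # Bob checks the untouched document against Alice's public key.
    print("original verifies:   ", verify(document, signature, ALICE_N))
    # Any change to the document after signing invalidates the signature.
    print("tampered verifies:   ", verify(b"Pay Bob 900 USD", signature, ALICE_N))
    # A signature made with someone else's private key does not verify
    # under Alice's public key.
    forged = sign(document, MALLORY_D, MALLORY_N)
    print("forged verifies:     ", verify(document, forged, ALICE_N))
```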
CSR?

Steps to Request and Install SSL Certificate:

  • Generate a CSR and key pair locally on our server. The key pair has a public key and a private key. The public key is embedded in the CSR (*.csr):

        $ openssl req -new -newkey rsa:2048 -nodes -keyout bogo-privatekey.key -out bogo.csr
        Generating a 2048 bit RSA private key
        ...+++
        ...+++
        writing new private key to 'bogo-privatekey.key'
        ...
        $ ls
        bogo-privatekey.key  bogo.csr
        $ cat bogo-privatekey.key
        -----BEGIN PRIVATE KEY-----
        MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDU5OXoQLIjCKIM
        ...
        tggWYqo+TH2fRTop5XSwUnLozDxvhmxUdlhBTDK4IYVV6XXRl8tWxwUgf4z7AerK
        pH4X+Yh23ug9/gRAFG5npgk=
        -----END PRIVATE KEY-----
        $ cat bogo.csr
        -----BEGIN CERTIFICATE REQUEST-----
        MIICzDCCAbQCAQAwgYYxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTERMA8GA1UE
        ...

    The following OpenSSL command will easily decode the CSR on our server:

        $ openssl req -in bogo.csr -noout -text
        Certificate Request:
            Data:
                Version: 0 (0x0)
                Subject: C=US, ST=CA, L=San Jose, O=bogotobogo, CN=www.bogotobogo.com/emailAddress=kihyuck.hong@gmail.com
                Subject Public Key Info:
                    Public Key Algorithm: rsaEncryption
                        Public-Key: (2048 bit)
                        Modulus:
                            00:d4:e4:e5:e8:40:b2:23:08:a2:0c:21:3e:ee:ba:
                            a0:17:af:a1:7c:10:51:4a:41:c0:c1:0d:84:1a:0b:
                            ...
                            8a:a9:34:cf:46:ff:2d:40:8a:69:f3:41:e5:cc:9c:
                            6c:78:f1:92:30:83:44:f7:c8:b7:4c:4e:73:00:c3:
                            b7:d3
                Attributes:
                    a0:00
            Signature Algorithm: sha256WithRSAEncryption
                 49:06:2f:38:67:87:a8:c3:23:96:92:a1:49:9c:65:8b:02:82:
                 8f:f7:9a:1f:63:ac:b1:64:17:ae:1b:55:33:8e:7a:32:78:92:
                 10e:69:3e:1a:51:3f:8d:a5:37:e3:fd:7f:e1:c7:d6:e1:a4:1f:
                 a3:a3:8f:61:70:9f:a7:e1:b5:c4:46:18:20:1e:3c:8c:43:59:
                 64:40:b5:88

  • Send the CSR and public key to a CA. They will check our legal identity and see if we own the domain name we put in our application. Our organization is checked by the Certificate Authority to see if it is registered at the address given in the CSR and to see if the domain exists.
  • After being checked, the company gets a copy of their SSL certificate with their business information and the public key. The organization can now install the certificate on their server.
  • The certificate from one CA is linked to a “trusted root” certificate from another CA. Root certificates are built into every browser and linked to certificates that were issued specifically for each user to make an HTTPS connection.

Certificate chains (Building Trusts, SSL chain of Trusts) – Root Cert, Intermediate Certificate, Server Certificate

A certificate chain is a logical list of certificates that includes an SSL Certificate and Certificate Authority (CA) Certificates. It lets the receiver check that the sender and all of the CAs are reliable. The SSL certificate starts the chain or path, and each certificate in the chain is signed by the entity that is named in the next certificate in the chain.

An Intermediate Certificate is any certificate that comes after the Root Certificate but before the SSL Certificate. The Intermediate Certificate is the signer/issuer of the SSL Certificate. The Root CA Certificate is the signer/issuer of the Intermediate Certificate. If the Intermediate Certificate is not installed on the server where the SSL certificate is installed, some browsers, mobile devices, apps, and other clients may be prevented from trusting the SSL certificate. For the SSL certificate to work with all clients, the Intermediate Certificate needs to be put in place.

The picture below shows a certification path that starts with the certificate owner and ends with the Root CA. This is where the chain of trust starts:

Picture from How certificate chains work

List of Certificate Authorities (CA):

Rank  Issuer             Usage    Market share
1     IdenTrust          38.0%    51.2%
2     DigiCert           14.6%    19.7%
3     Sectigo            13.1%    17.7%
4     GoDaddy            5.1%     6.9%
5     GlobalSign         2.2%     3.0%
6     Certum             0.4%     0.7%
7     Actalis            0.2%     0.3%
8     Entrust            0.2%     0.3%
9     Secom              0.1%     0.3%
10    Let's Encrypt      0.1%     0.2%
11    Trustwave          0.1%     0.1%
12    WISeKey Group      < 0.1%   0.1%
13    StartCom           < 0.1%   0.1%
14    Network Solutions  < 0.1%   0.1%

The chain terminates with a Root CA Certificate. The Root CA Certificate is always signed by the CA itself. The signatures of all certificates in the chain must be verified up to the Root CA Certificate.

We can see the Root CA Certificate was self-signed:

Here is a sample of a cert list on a Mac:

Getting a Free Certificate – Option 1

Let’s Encrypt is a non-profit CA that issues certificates completely free of charge. Moreover, they use the Automatic Certificate Management Environment (ACME) protocol, which automates the identity verification and certificate issuing process.

We can get a certificate from Let’s Encrypt via the Certbot ACME client.

Getting a Free Certificate – Option 2

Let’s start with https://www.startcomca.com/

Retrieve the certificate (1lnx.com.pem).

Get a complete CA bundle in a zip file by clicking the item under SSL/TLS:

Unzip will give us the following certs for several servers:

We’ll use 1_1lnx.com_bundle.crt which is for Nginx. It is a bundle file that contains root and intermediate certificates.

nginx with SSL/TLS

To see how we use NGINX with SSL, please visit DevOps / Sys admin Q & A #26 : NGINX SSL, Caching, and Session.

TLS

It’s not easy to decide whether the TLS handshake should happen with a proxy (termination/offloading) or the real backend server (passthrough). Each has pros and cons.

When proxy SSL passthrough is set up, the load balancer does not need to have an SSL certificate installed. Because they handle the SSL connection instead of the load balancer, SSL certificates are put on the backend server.

From the server’s perspective, SSL passthrough is more costly because it uses more CPU for encryption. Proxy SSL passthrough doesn’t inspect traffic or intercept SSL sessions on network devices before they reach the server; it only forwards encrypted data. SSL passthrough is better suited for smaller deployments.

SSL passthrough passes HTTPS traffic to a backend server without decrypting the traffic on the load balancer. The data is sent fully encrypted, and the Proxy only sees the socket (ip/port, layer 4) and doesn’t do anything on layer 7.

SSL termination (or offloading), decrypts all HTTPS traffic on the load balancer. Layer 7 actions are carried out and the data proceeds to the backend server as plain HTTP traffic. SSL offloading allows data to be inspected as it passes between the load balancer and server. It also reduces CPU demand on an application server by decrypting data in advance. But attacks can happen with SSL offloading because the data goes from the load balancer to the application server over HTTP without being encrypted.

Checking connections with openssl

My domain, sub.mydomain.com, is running a syslog server behind an AWS NLB. A TLS cert from DigiCert CA is installed on the LB via ACM and TLS terminates there. Then regular TCP communications are set up between the NLB and backend server. The server is listening on port 6514.

openssl comes with a client tool that we can use to connect to a secure server. The tool is like telnet or nc in that it handles the encryption part but gives us full control over the next layer.

The first few lines of the output will show information about the server certificate. The next section will list all the certificates that the server sent in the order that they were received. For each certificate, the first line will show the subject and the second line will show the issuer information.

The next item in the output is the server certificate.

References

SSL Certificates and TLS Handshake | Computer. Networking Tutorial | DevOps/SRE Interview Questions

FAQ

What is SSL Secure Socket Layer used for?

Secure Sockets Layer (SSL) is a standard technology for securing an internet connection by encrypting data sent between a website and a browser (or between two servers). It prevents hackers from seeing or stealing any information transferred, including personal or financial data.

What is an SSL certificate for interview questions?

SSL, which stands for Secure Socket Layer, is a common security technology that makes online communication safe. It ensures that when you visit a website, the information exchanged between your browser and the website’s server, such as credit card details or login information, is encrypted and secure.

What is the difference between Secure Sockets Layer SSL and TLS?

SSL supports older algorithms with known security vulnerabilities. TLS uses advanced encryption algorithms. An SSL handshake is complex and slow. A TLS handshake has fewer steps and a faster connection.

What is the difference between SSL connection and SSL session?

Difference between connection and session is that connection is a live communication channel, and session is a set of negotiated cryptography parameters.

What are Secure Sockets Layer (SSL) interview questions & answers?

Explore our comprehensive guide on Secure Sockets Layer (SSL) interview questions and answers. Gain insights into key concepts and prepare effectively for your next interview in the field of cybersecurity. Secure Sockets Layer (SSL) is a standard security technology that’s integral to the safe transmission of data over the internet.

What questions are asked in an SSL interview?

SSL, short for Secure Socket Layer, is solely responsible for protecting data during transfer from source to destination. Here is a list of SSL interview questions and answers generally asked in an interview. Q1. What are SSL/TLS certificates? Q2. Explain how SSL/TLS works. Q3. What is asymmetric and symmetric encryption? Q4.

What is Secure Sockets Layer (SSL)?

Secure Sockets Layer (SSL) is a standard security technology that’s integral to the safe transmission of data over the internet. It establishes an encrypted link between a web server and a browser, ensuring that all data passed between them remains private and secure.

What are the most common SSL handshake interview questions?

Here are 20 commonly asked SSL Handshake interview questions and answers to prepare you for your interview: 1. Can you explain what a SSL Handshake is? A SSL handshake is the process that occurs when two devices first establish a secure connection.
