Documente Academic
Documente Profesional
Documente Cultură
Certificate*
<-------- ServerHelloDone Phase 2:
Phase 3 ClientKeyExchange
CertificateVerify* ¾ Server authentication and key exchange
[ChangeCipherSpec]
Phase 4
Finished -------->
[ChangeCipherSpec] Phase 3:
<-------- Finished
Application Data <-------> Application Data ¾ Client authentication and key exchange
Record
Protocol
Fig. 1 - Message flow for a full handshake
Phase 4:
* Indicates optional or situation-dependent messages that are not
always sent. ¾ Finish
SSL HANDSHAKE
SSL HANDSHAKE: PHASE 2
PROTOCOL SERVER AUTHENTICATION & KEY EXCHANGE
Client Server
Phase 1
ClientHello --------> Certificate message
ServerHello
Certificate* ¾ server’s X.509v3 certificate followed by optional chain of
ServerKeyExchange* certificates
Phase 2 CertificateRequest*
<-------- ServerHelloDone ¾ required for RSA, Fixed DH, Ephemeral DH but not for
Certificate*
Phase 3 ClientKeyExchange Anonymous DH
CertificateVerify*
[ChangeCipherSpec] Server Key Exchange message
Finished -------->
Phase 4 [ChangeCipherSpec] ¾ not needed for RSA, Fixed DH
<-------- Finished
Application Data <-------> Application Data ¾ needed for Anonymous DH, Ephemeral DH
Record Fig. 1 - Message flow for a full handshake ¾ needed for RSA where server has signature-only key
Protocol • server sends temporary RSA public encryption key to client
* Indicates optional or situation-dependent messages that are not
always sent.
¾ ends phase 2, always required * Indicates optional or situation-dependent messages that are not
always sent.
Phase 4
Finished -------->
[ChangeCipherSpec] ¾ sentunder new algorithms and keys
<-------- Finished
Application Data <-------> Application Data ¾ content is hash of all previous messages
Record
Protocol
Fig. 1 - Message flow for a full handshake
and master secret
* Indicates optional or situation-dependent messages that are not
always sent.
close_notify(0),
2 byte alert messages unexpected_message(10),
bad_record_mac(20),
¾ 1 byte level
decryption_failed(21),
record_overflow(22),
decompression_failure(30),
• fatal or warning handshake_failure(40),
bad_certificate(42),
¾1 byte unsupported_certificate(43),
certificate_revoked(44),
certificate_expired(45),
• alert code certificate_unknown(46),
illegal_parameter(47),
unknown_ca(48),
access_denied(49),
decode_error(50),
decrypt_error(51),
export_restriction(60),
protocol_version(70),
insufficient_security(71),
internal_error(80),
user_canceled(90),
no_renegotiation(100),
© Ravi Sandhu 2000-2004 41 © Ravi Sandhu 2000-2004 42
SSL ALERT MESSAGES APPLICATIONS AND SSL
APPLICATION PORTS
OFFICIAL AND UNOFFICIAL