www.dedoimedo.com all rights reserved
• The server will then send back to the client its certificate and the public
encryption key. The certificate is a sort of an ID, telling the client important
information about the server. To make this information credible, the
certificate must be signed by a reputable Certificate Authority (CA), like EquiFax,
Thawte or others. The public key will be used by the client to generate its
own encryption hash should it choose to accept the server’s certificate.
• The client receives the certificate. In most browsers, the certificate is first
compared to an existing list of authorities. If the digital signature matches,
the certificate will be accepted. If no match is found for the certificate, the
browser might use the Online Certificate Status Protocol (OCSP) to connect
to CAs in real time in an attempt to verify the certificate. Generally, the use
of OCSP is not enabled by default in most browsers, in order to speed up the
authentication process. If still no match is found, the client will be issued a
warning by the browser, informing it that the certificate could not be verified.
The user now must decide whether he/she can take the risk and accept the
certificate. In addition to being self-signed (i.e. no CA signature), the typical
issues arising with certificate prompts include a mismatch between the site
you are trying to access and the one registered in the certificate, dubious
credentials or an expired certificate.
• Regardless of what may occur, if the client accepts the connection, it will send
back a hash encrypted with the server’s public key. This hash will be used
to encrypt all communication between the server and the client throughout
the session. Only the client will be able to decrypt the communications - or
rather, anyone who possesses the private key. But if the client side is fairly
secure and the server’s certificate is valid, the communication is safe.
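The certificate problems named in the second step above (self-signed, name mismatch, expired) can be checked in a few lines. This is an added example, not part of the original guide: it assumes certificates in the dictionary layout returned by Python's ssl.SSLSocket.getpeercert(), and the sample certificates and helper names are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample data in the dict layout of ssl.SSLSocket.getpeercert().
CA_SIGNED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example CA Root"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}
SELF_SIGNED = dict(CA_SIGNED, issuer=CA_SIGNED["subject"])
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc).timestamp()  # fixed clock for the demo

def cert_names(cert):
    """DNS names the certificate is registered for (SAN first, else CN)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a left-most '*' label standing in for exactly one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def certificate_issues(cert, host, now):
    """List the problems that would trigger a browser warning.

    Field checks only: the signature chain itself is not verified here.
    """
    issues = []
    if cert.get("issuer") == cert.get("subject"):  # heuristic: issued by itself
        issues.append("self-signed")
    if not any(name_matches(n, host) for n in cert_names(cert)):
        issues.append("name mismatch")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        issues.append("expired")
    return issues

if __name__ == "__main__":
    for label, cert, host in [("CA-signed", CA_SIGNED, "www.example.com"),
                              ("CA-signed", CA_SIGNED, "www.example.org"),
                              ("self-signed", SELF_SIGNED, "www.example.com")]:
        print(label, host, certificate_issues(cert, host, NOW) or "ok")
```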
5.2 Requirements
We have already mentioned that the client must support some sort of encryption
to be able to establish secure connections to a server. On the server end, the server
must also support the secure communication protocols. The Apache Web server
uses the mod_ssl module, which provides an interface to the OpenSSL library,
allowing the use of SSL and TLS.
By default, most distributions today ship with the OpenSSL library installed and
the Apache server compiled against the mod_ssl module. If your distro does not