Tls,ssl,https with Python

Background knowledge to know:

• Terminology HTTPS,SSL,TLS
• The relationship between long connections and short connections
• Understanding CA Certificates
• Basic process

I. Terminology literacy 1. What is SSL?

SSL (Secure Sockets Layer, secured sockets), because the original HTTP protocol used on the Internet is clear, there are many drawbacks-such as the transmission of content will be peeping (sniffing) and tampering. The invention of the SSL protocol is to solve these problems.

2. So what is TLS?

By the year 1999, SSL has become a de facto standard on the Internet because of its wide application. The IETF standardized SSL in that year. The name after normalization is changed to TLS (the abbreviation for "Transport Layer Security"), and Chinese is called the "Transport Layer secure Protocol".

Many of the related articles refer to these two terms (SSL/TLS) because they can be regarded as different stages of the same thing.

3. So what is HTTPS?

HTTPS = http + SSL/TLS, that is, HTTP over SSL or HTTP over TLS. This is the origin of the following add S

Relative to http:

• HTTP and HTTPS use a completely different connection, the same port, the former is 80, the latter is 443.
• The HTTP connection is simple and stateless; The HTTPS protocol is a network protocol built by the SSL+HTTP protocol for encrypted transmission and authentication, which is more secure than the HTTP protocol.

Two. Long Connection vs Short connection

HTTP connection usage for TCP is divided into:

• Short connection
• Long connection (also known as "persistent connection", or "keep-alive" or "persistent Connection")

In the case of a short connection, for each HTML resource, a TCP connection is initiated for each external resource separately. Conversely, if it is a "long connection", the browser initiates a TCP connection to crawl the page. However, after crawling the page, the TCP connection does not close immediately, but is temporarily maintained (so-called "keep-alive"). Then the browser analyzes the HTML source code, found that there are a lot of external resources, using the TCP connection just now to crawl the external resources of this page.

Attention:

• In the HTTP 1.0 version, "Default" uses "Short Connection" (at that time the web was born, the Web page is relatively simple, "short connection" problem is not big)
• In HTTP 1.1, "Default" takes the form of "keep-alive".

Three. Design of HTTPS

HTTPS is designed to be compatible with HTTP

• HTTPS or TCP-based transmission
• Using a new protocol alone, wrapping up the HTTP protocol (so-called "http over SSL" is actually a layer of SSL encapsulation outside of the original HTTP data.) HTTP protocol of the original GET, POST and other mechanisms, basically intact)

With regard to the performance of HTTPS, in order to ensure performance, SSL designers should consider at least the following points:

• How do I choose a cryptographic algorithm ("symmetric" or "asymmetric")?
• How to take into account the "short connection" TCP method used by HTTP?

Four. Simple Operation process

The basic idea of the SSL/TLS protocol is to use public key cryptography, that is, the client requests the public key to the server, then encrypts the information with the public key, and the server receives the ciphertext and decrypts it with its private key.

Problem:

• How do I ensure the public key is not tampered with? WORKAROUND: Place the public key in a digital certificate. As long as the certificate is trustworthy, the public key is trustworthy.
• Public key encryption calculation is too large, how to reduce the elapsed time? WORKAROUND: Every session, the client and server generate a "conversation key" (Session key), which is used to encrypt the information. Because the "conversation key" is symmetric encryption, the operation is very fast, and the server public key is used only to encrypt the "conversation key" itself, which reduces the time spent on cryptographic operations.

Therefore, the basic process of the SSL/TLS protocol is this:

• The client requests and validates the public key from the server side.
• Both parties negotiate to generate a "conversation key".
• Both parties use the "conversation key" to encrypt the communication.

As solution:

Five. Detailed Operation process

As shown:

Note that all communication in the "handshake phase" is clear

1. Client making a request (ClientHello)

C provides information to S as follows:

• Supported protocol versions, such as TLS version 1.0.
• A random number generated by a client that is later used to generate a "conversation key".
• Supported encryption methods, such as RSA public key cryptography.
• The supported compression methods.

2. Server Response (Severhello)

After the server receives the client request, it sends a response to the client, called Severhello. The server's response contains the following content.

• Confirm the version of the encrypted communication protocol used, such as the TLS 1.0 version. If the browser does not match the version supported by the server, the server turns off encrypted communication.
• A random number generated by a server that is later used to generate a "conversation key".
• Confirm the encryption method used, such as RSA public key cryptography.
• Server certificate.

In addition to the above information, if the server needs to confirm the identity of the client, it will include a request to provide the client with a "client certificate".

3. Client response

After the client receives the server response, the server certificate is first validated. If the certificate is not issued by a trusted authority, or if the domain name in the certificate is inconsistent with the actual domain name, or if the certificate has expired, a warning is displayed to the visitor to choose whether or not to continue communicating.

If there is no problem with the certificate, the client will remove the server's public key from the certificate. Then, send the following three messages to the server.

• A random number. This random number is encrypted with the server public key to prevent eavesdropping.
• The code changes the notification, indicating that subsequent information will be sent using both mutually agreed encryption methods and keys.
• The client handshake end notification indicates that the client's handshake phase has ended. This is also the hash value of all the content that was sent earlier, and is used for server verification.

There are now a total of 3 random numbers, the third is called "Pre-master key", with it, the client and the server will have three random numbers, and then the two sides using the previously agreed encryption method, each generation of the session using the same "session key."

4. Final response from the server

After the server receives the third random number of the client Pre-master key, the session key used to generate the session is computed. Then, the following message is sent to the client at the end.

• The code changes the notification, indicating that subsequent information will be sent using both mutually agreed encryption methods and keys.
• The server handshake end notification indicates that the server's handshake phase has ended. This is also the hash value of all the content that was sent before, which is used for client verification.

At this point, the entire handshake phase is all over. Next, the client and the server into encrypted communication, it is completely using the normal HTTP protocol, but with "session key" encryption content.

Six. Disadvantages of HTTPS

The incomplete summary is as follows:

• Encryption of the data determines that it is slower than HTTP
• The HTTPS protocol requires a certificate to be applied to the CA.

Seven. Python Operation SSL

Create a certificate first

openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout key.pem

Instance code in: Ssl_demo

Eight. Reference:

• Talk about HTTPS and SSL/TLS protocols
• Diagram HTTPS
• Overview of the operating mechanism of SSL/TLS protocol

Tls,ssl,https with Python (RPM)