Secure Sockets Layer

The Secure Sockets Layer (SSL) is a protocol created by Netscape Communications Corporation for authentication and encryption over TCP/IP networks. SSL is, for the most part, invisible to the end user. The web browser may notify the user that they are about to enter a secure web page, and perhaps show a visual cue for as long as SSL is active. The HTTPS prefix on the URL (https://www.goahead.com) indicates that the SSL protocol will be used.

WebServer 2.1 provides a code patch file (websSSL.c) that implements SSL via a toolkit provided by RSA Security called RSA BSAFE SSL-C. This product is required to enable SSL on WebServer 2.1 and can be acquired directly from RSA Security. Refer to Incorporating RSA Security for additional information.

SSL uses two layers: the SSL Message Layer and the SSL Record Layer. The Message Layer constructs and sends user data, handshake messages, alert messages, and change cipher specification messages. Its primary task is to set up the mutual understanding required by both client and server for the SSL Record Layer, which is responsible for sending SSL data records.

The sequence of events for a Secure Sockets Layer handshake is as follows:

    1. Client sends a ClientHello message (a part of the HTTPS request).
    2. Server sends a ServerHello message.
    3. Server sends its certificate.
    4. Server sends ServerKeyExchange message.
    5. Server sends CertificateRequest message.
    6. Client sends its certificate.
    7. Client sends a ClientKeyExchange.
    8. Client sends a CertificateVerify.
    9. Client and server both send ChangeCipherSpec messages.
    10. Client and server both send Finished messages.
    11. Application data can now flow via SSL Record Layer.

SSL Record Layer

The SSL Record Layer sends blocks of data called "records" between client and server. The maximum number of bytes that a block can contain is 16,383.

Each record layer message contains the following:

  • Content type
  • Protocol version number
  • Length
  • Data payload (optionally compressed and encrypted)

The SSL protocol begins with the compression method CompressionMethod.null and the cipher suite SSL_NULL_WITH_NULL_NULL, that is, no compression and no encryption. Both can change during an SSL session once the ChangeCipherSpec messages have been exchanged.
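As an added example (not code from GoAhead WebServer or the websSSL.c patch), the following Python walks a stream of record layer messages, checks each header against the fields and size limit described above and, for handshake records still sent in the clear, labels the message type from the handshake sequence listed earlier. The byte stream it parses is constructed inline.

```python
import struct

# Record-layer content types and the handshake message types from the
# sequence above (SSL 3.0 / TLS wire codes).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 13: "certificate_request",
                   15: "certificate_verify", 16: "client_key_exchange",
                   20: "finished"}
MAX_RECORD_LEN = 16383  # maximum record size as stated on this page

def parse_records(data):
    """Return one dict per record in a byte stream of SSL records.

    The 5-byte header is content type, major/minor version and a 16-bit
    big-endian payload length. Malformed input raises ValueError.
    """
    records, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        if ctype not in CONTENT_TYPES:
            raise ValueError("unknown content type %d" % ctype)
        if length > MAX_RECORD_LEN:
            raise ValueError("record length %d exceeds maximum" % length)
        body = data[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        rec = {"type": CONTENT_TYPES[ctype], "version": (major, minor), "length": length}
        # The handshake type byte is readable only while the payload is sent in
        # the clear, i.e. under SSL_NULL_WITH_NULL_NULL before ChangeCipherSpec.
        if ctype == 22 and length >= 4:
            rec["handshake"] = HANDSHAKE_TYPES.get(body[0], "unknown(%d)" % body[0])
        records.append(rec)
        offset += 5 + length
    return records

def make_record(ctype, payload, version=(3, 0)):
    """Build one record with the 5-byte header (used for the constructed sample)."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(payload)) + payload

# Constructed sample stream: ClientHello handshake record (type byte, 3-byte
# length, stub body), ChangeCipherSpec, then one application-data record.
HELLO_BODY = b"\x03\x00" + b"\x00" * 32
SAMPLE = (make_record(22, b"\x01" + len(HELLO_BODY).to_bytes(3, "big") + HELLO_BODY)
          + make_record(20, b"\x01")
          + make_record(23, b"GET / HTTP/1.0\r\n\r\n"))
```

Feeding `SAMPLE` to `parse_records` yields three records in the order handshake (client_hello), change_cipher_spec, application_data; an oversized or truncated record is rejected rather than partially consumed.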