TLS handshake

Written on 12 February 2015, 09:59pm


The TLS handshake at the start of an HTTPS connection authenticates the server and agrees a shared secret between client and server. Depending on the cipher suite that secret is either sent encrypted under the server's RSA public key (RSA key exchange) or derived from a Diffie-Hellman exchange (DHE/ECDHE); either way, the symmetric keys that encrypt the rest of the HTTPS conversation are derived from it.
The outline of the handshake is:
– client/server hello: list the available cipher suites and pick one
– certificate exchange
– certificate validation
– key exchange
– finished

Here is the process explained in layman's words, for a cipher suite with RSA key exchange (which is what the steps below describe):

1. The client sends a Client Hello message to the server with some metadata (the highest TLS version it supports, the cipher suites and compression methods it offers) and a random value.
2. The server replies with a Server Hello message carrying the chosen version and cipher suite plus its own random value, followed by its public certificate (signed by a CA) and a Server Hello Done.
3. The client validates the certificate chain up to a CA it trusts and checks that the certificate matches the host name it connected to. It then generates a random premaster secret, encrypts it with the server's public key taken from the certificate and sends it in a Client Key Exchange message.
4. The server decrypts the premaster secret with its private key. Both sides now derive the same session keys from the premaster secret and the two random values; nothing else is exchanged to agree the key.
5. The client switches to the new keys (Change Cipher Spec) and sends a Finished message: a MAC over everything sent in the handshake so far, encrypted with the session keys. Only a server holding the private key could have recovered the premaster secret, so being able to verify this message is what proves the server's identity.
6. The server verifies the client's Finished message, switches to the new keys itself and sends its own Finished message back, which the client verifies in turn.
From now on the TLS session carries application data encrypted with the agreed session keys.
With a DHE/ECDHE cipher suite steps 3 and 4 exchange Diffie-Hellman public values instead (the server signs its value with the private key behind its certificate), so the premaster secret is never sent over the wire, not even encrypted; that is what gives those suites forward secrecy.

The same process – explained in full details.

Note: Only the TLS handshake itself travels before encryption is in place; everything HTTPS carries afterwards (request line, headers and payload) is encrypted with the keys agreed during the handshake. The handshake messages, including the server certificate, are visible on the wire in TLS 1.2, so anyone watching the connection learns which host and cipher suite were negotiated even though they cannot read the content.
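Steps 1 and 2 are the part of the exchange a passive observer can read, and they fix which key exchange the rest of the handshake will use. The following Python script is an added example, not code from the original post: it builds a ClientHello and a ServerHello on the TLS 1.2 wire format (constructed for the example; the host name example.com and the three cipher suites are illustrative), decodes them back out of the records, and checks that the server picked a suite the client actually offered.

```python
"""Decode the opening of a TLS 1.2 handshake: the ClientHello and the ServerHello
that answers it.  The messages are built here for the example (not captured
traffic); the host name and cipher-suite list are illustrative assumptions."""
import struct

HANDSHAKE = 22                   # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 1, 2
EXT_SERVER_NAME = 0              # the SNI extension

# IANA cipher-suite code points for the suites used in this example.
CIPHER_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   # ephemeral DH key exchange
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",         # RSA key transport
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}

def u16(b, i):
    return struct.unpack("!H", b[i:i + 2])[0]

def parse_record(data):
    """Split one TLS record off the front: (content type, version, body, rest)."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated TLS record")
    return ctype, (major, minor), body, data[5 + length:]

def parse_handshake(body):
    """Handshake header is a 1-byte type and a 3-byte length, then the message."""
    hlen = int.from_bytes(body[1:4], "big")
    payload = body[4:4 + hlen]
    if len(payload) != hlen:
        raise ValueError("truncated handshake message")
    return body[0], payload

def parse_client_hello(p):
    version = (p[0], p[1])
    i = 34                                   # 2-byte version + 32-byte client random
    i += 1 + p[i]                            # session_id (for resumption), skipped
    cs_len = u16(p, i)
    i += 2
    suites = [u16(p, i + j) for j in range(0, cs_len, 2)]
    i += cs_len
    comp_len = p[i]
    compression = list(p[i + 1:i + 1 + comp_len])
    i += 1 + comp_len
    sni = None
    if i < len(p):                           # the extensions block is optional
        end = i + 2 + u16(p, i)
        i += 2
        while i < end:
            etype, elen = struct.unpack("!HH", p[i:i + 4])
            edata = p[i + 4:i + 4 + elen]
            i += 4 + elen
            if etype == EXT_SERVER_NAME:
                # ServerNameList: 2-byte list length, 1-byte name type (0 = host_name),
                # 2-byte name length, then the name itself.
                sni = edata[5:5 + u16(edata, 3)].decode("ascii")
    return {"version": version, "cipher_suites": suites,
            "compression": compression, "sni": sni}

def parse_server_hello(p):
    version = (p[0], p[1])
    i = 34
    i += 1 + p[i]                            # session_id
    return {"version": version, "cipher_suite": u16(p, i), "compression": p[i + 2]}

def handshake_record(htype, body):
    msg = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", HANDSHAKE, 3, 1, len(msg)) + msg

def build_client_hello(host, suites):
    """Constructed ClientHello: TLS 1.2, all-zero random, empty session id, SNI."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                    # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    return handshake_record(CLIENT_HELLO, body)

def build_server_hello(suite):
    """Constructed ServerHello: TLS 1.2, chosen suite, null compression, no extensions."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return handshake_record(SERVER_HELLO, body)

def decode_hello_exchange(wire):
    """Walk the records on the wire; report what the client offered and the server chose."""
    out = {}
    while wire:
        ctype, _, body, wire = parse_record(wire)
        if ctype != HANDSHAKE:
            continue
        htype, payload = parse_handshake(body)
        if htype == CLIENT_HELLO:
            out["client"] = parse_client_hello(payload)
        elif htype == SERVER_HELLO:
            out["server"] = parse_server_hello(payload)
    if out["server"]["cipher_suite"] not in out["client"]["cipher_suites"]:
        raise ValueError("server selected a cipher suite the client did not offer")
    return out

if __name__ == "__main__":
    wire = build_client_hello("example.com", [0xC02F, 0x009C, 0x002F]) + build_server_hello(0xC02F)
    result = decode_hello_exchange(wire)
    print("client offered:", [CIPHER_NAMES[s] for s in result["client"]["cipher_suites"]],
          "for SNI", result["client"]["sni"])
    print("server chose:  ", CIPHER_NAMES[result["server"]["cipher_suite"]])
```

The parser is deliberately strict about lengths: a record or handshake header that claims more bytes than are present is rejected rather than read past, which is the first thing to get right in anything that looks at TLS on the wire. The final check in decode_hello_exchange is the rule a client must enforce at step 2: a server that "chooses" a suite that was never offered is either broken or trying to downgrade the connection.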

CFHTTP calling HTTPS urls

Written on 6 February 2015, 02:46pm


To call HTTPS URLs with the cfhttp tag, the JRE that ColdFusion runs on must trust the web server's certificate. If that certificate is issued by a CA that is not in the JRE's default truststore (an internal CA or a self-signed certificate), cfhttp fails with a handshake error until you import the certificate into the keystore of the JRE that ColdFusion uses.

Here is how to do that:
1. Load the HTTPS URL in your browser and export the certificate as a .cer file. If the server certificate is issued by an internal CA, export that CA's certificate from the chain instead of the server's own (leaf) certificate: trusting the leaf stops working as soon as it is renewed. Note the certificate's fingerprint as the browser shows it; you will compare it after the import.

2. Copy the .cer file on the CF server

3. Locate the path of ‘Java Home’ in CF Admin. It should be something like /usr/java/jre1.7.0_51, usually with a symlink to /usr/java/default.
The keystore location should be {Java Home}/lib/security/cacerts (for a JDK rather than a JRE it is {Java Home}/jre/lib/security/cacerts) and it’s password protected; the default password is changeit, which most installations never change.

4. Import the .cer file into the keystore. keytool prints the certificate's subject, issuer and fingerprints and asks ‘Trust this certificate? [no]:’; compare the fingerprint with the one you noted in the browser and only then answer yes:

#/usr/java/default/bin/keytool -import -keystore \
/usr/java/default/lib/security/cacerts -alias thomas \
-file thomas.cer -storepass changeit

5. Check that the certificate was installed (the fingerprint printed here must again match the one from the browser):

#/usr/java/default/bin/keytool -list -keystore \
/usr/java/default/lib/security/cacerts -storepass changeit -alias thomas
# thomas, Feb 6, 2015, trustedCertEntry, Certificate fingerprint (SHA1): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

6. Restart the ColdFusion server: the JVM reads the truststore once at startup, so a running instance does not see the new entry. Keep the .cer file, because a JRE upgrade ships a fresh cacerts and the import has to be repeated.
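Steps 4 and 5 are where a mistake is expensive: whatever goes into cacerts is trusted by every TLS connection the JVM makes, so the fingerprint comparison is the check to get right. The following Python script is an added example, not code from the original post: it computes the fingerprints of a PEM-encoded certificate in the colon-separated format keytool prints (so the value can be compared against the browser and against keytool -list), picks the issuing certificate out of a chain, runs the same keytool import as step 4 and then confirms the entry the way step 5 does. The PEM chain embedded in it is constructed for the example and is not a real certificate; the Java home, the alias thomas and the password changeit follow the post and are assumptions about your installation, and it assumes keytool -list -v prints a SHA256 fingerprint line (JDK 7 and later).

```python
"""Fingerprint a certificate file, import it into the JRE truststore that
ColdFusion uses and verify the entry.  The PEM chain below is constructed for
this example (not a real certificate); paths, alias and password are
assumptions matching the blog post."""
import base64
import hashlib
import subprocess
from pathlib import Path

# Constructed stand-in for a chain as `openssl s_client -showcerts` would print
# it: two "certificates" whose bodies are just base64("abc") and base64("abcd").
CONSTRUCTED_CHAIN = """\
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
YWJjZA==
-----END CERTIFICATE-----
"""


def pem_to_der(pem_text):
    """Return the DER bytes of every certificate in a PEM file or s_client dump."""
    blobs, buf, inside = [], [], False
    for line in pem_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            buf, inside = [], True
        elif line == "-----END CERTIFICATE-----":
            blobs.append(base64.b64decode("".join(buf)))
            inside = False
        elif inside:
            buf.append(line)
    return blobs


def fingerprint(der, algo="sha256"):
    """Colon-separated upper-case digest: the format keytool -list and browsers show."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def choose_cert_to_trust(blobs):
    """s_client lists the leaf first, then the intermediates the server sent.
    Trusting the last one (the issuer) survives renewal of the leaf certificate."""
    return blobs[-1]


def keytool_cmd(java_home, keystore, alias, cer_path, storepass, action):
    """argv for keytool; -trustcacerts and -noprompt make the import non-interactive,
    which is only acceptable because the fingerprint is checked before we get here."""
    keytool = str(Path(java_home) / "bin" / "keytool")
    base = [keytool, "-keystore", str(keystore), "-storepass", storepass, "-alias", alias]
    if action == "import":
        return base + ["-importcert", "-trustcacerts", "-noprompt", "-file", str(cer_path)]
    if action == "list":
        return base + ["-list", "-v"]
    raise ValueError(f"unknown keytool action {action!r}")


def import_and_verify(java_home, alias, cer_path, expected_fp, storepass="changeit"):
    """Import cer_path into {java_home}/lib/security/cacerts after checking that its
    SHA-256 fingerprint equals expected_fp (the value noted from the browser), then
    confirm keytool lists the entry with that fingerprint.  Runs keytool for real."""
    der = pem_to_der(Path(cer_path).read_text())[0]
    fp = fingerprint(der)
    if fp != expected_fp.upper():
        raise SystemExit(f"refusing to import {cer_path}: fingerprint {fp} != {expected_fp}")
    keystore = Path(java_home) / "lib" / "security" / "cacerts"   # JRE layout, as in the post
    subprocess.run(keytool_cmd(java_home, keystore, alias, cer_path, storepass, "import"),
                   check=True)
    listing = subprocess.run(keytool_cmd(java_home, keystore, alias, None, storepass, "list"),
                             check=True, capture_output=True, text=True).stdout
    return fp in listing      # assumption: keytool -list -v prints the SHA256 fingerprint


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 5:    # java_home alias file.cer expected_sha256_fingerprint
        java_home, alias, cer, expected = sys.argv[1:5]
        print("entry listed with expected fingerprint:",
              import_and_verify(java_home, alias, cer, expected))
    else:
        for n, der in enumerate(pem_to_der(CONSTRUCTED_CHAIN)):
            print(f"cert {n}: SHA1 {fingerprint(der, 'sha1')}")
            print(f"        SHA256 {fingerprint(der)}")
```

Run it with no arguments to see the fingerprints of the constructed chain; with four arguments it performs the import and, like step 5, reports whether keytool now lists the alias with the fingerprint you expected. The script refuses to import when the fingerprint does not match, which is the one place where a wrong "yes" would silently make the JVM trust a certificate somebody else put in front of the server.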

See also this and that.