Unit 9: Web Techniques
Upon successful completion of all steps, the server is considered authenticated. If all
parameters are matched and the server's certificate is correctly verified, the client sends the
server one or more messages. Next is the client_key_exchange message, which must be
sent to deliver the keys. The content of this message depends on the negotiated method of
key exchange. Moreover, at the server's request, the client's certificate is sent along with a
message enabling verification of that certificate. This procedure ends Phase 3 of the negotiation.
Phase 4 confirms the messages received so far and verifies whether the pending data
is correct. The client sends a change_cipher_spec message (in accordance with the pending
SSL ChangeCipherSpec), and then moves the pending set of algorithm parameters and
keys into the current set. The client then sends the finished message, which is the first
message protected with the just-negotiated algorithms, keys and secrets; it confirms that
the negotiated parameters and data are correct. The server responds to the client with
the same message sequence. If the finished message is correctly read by either party, this
confirms that the transmitted data, the negotiated algorithms and the session key are correct.
This indicates that the handshake has been completed and that it is possible to send
application data between the server and the client via SSL. At this point the TCP session
between the client and the server is closed; however, a session state is maintained, allowing
communication to resume within the session using the retained parameters.
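To make the Phase 4 check concrete, here is an added example (not from this textbook) showing how the finished message's verify_data is derived in TLS 1.2 (RFC 5246), the successor of SSL: both sides compute it from the master secret and a hash of every handshake message exchanged, so a handshake message altered in transit makes the two values differ. The randoms, pre-master secret and transcript are constructed sample values.

```python
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data-expansion function (RFC 5246, section 5)."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()           # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # Once client_key_exchange has delivered the pre-master secret, both sides
    # derive the same 48-byte master secret from it and the two hello randoms.
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def finished_verify_data(master: bytes, label: bytes, transcript: bytes) -> bytes:
    # verify_data = PRF(master_secret, finished_label, Hash(handshake_messages))[0:12]
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


def demo(tamper: bool = False) -> tuple:
    """Return (client's verify_data, server's expected value, match?)."""
    # Constructed values; a real handshake uses fresh randoms and a
    # pre-master secret carried in client_key_exchange.
    client_random = bytes(range(32))
    server_random = bytes(range(32, 64))
    pre_master = b"\x03\x03" + b"\x11" * 46  # 48-byte RSA-style pre-master secret
    master = master_secret(pre_master, client_random, server_random)
    transcript = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"
    client_vd = finished_verify_data(master, b"client finished", transcript)
    # The server recomputes verify_data over the transcript it recorded; if a
    # message was modified on the wire, its view differs and the check fails.
    seen = transcript.replace(b"ServerHello|", b"ServerHello*|") if tamper else transcript
    expected = finished_verify_data(master, b"client finished", seen)
    return client_vd, expected, hmac.compare_digest(client_vd, expected)
```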
It is worth noting that Phases 2 and 3 are used by both parties to verify the authenticity
of the server's certificate, and possibly the client's certificate, during the handshake. If
the server cannot be successfully authenticated by the client on the basis of the delivered
certificate, the handshake terminates and the client generates an error message. The same
occurs at the server if the authenticity of the client's certificate cannot be confirmed.
At first glance this process seems somewhat complicated; however, it takes place at
each connection to the server of an SSL-enabled service, for example when requesting
the address of a site beginning with HTTPS://.
Questions:
1. What are the different protocols used in SSL?
2. Explain all the phases of the negotiation process in SSL.
Self Assessment
True or False:
5. A server cannot send one or more cookies to a browser in the headers of a response.
(a) True (b) False
6. By default, the session ID is stored in a cookie called PHPSESSID.
(a) True (b) False
7. Any state that should persist between user visits, such as a unique user ID, can be stored
in a cookie.
(a) True (b) False
Fill in the blanks:
8. ....................... software is a string that identifies the server.
9. The ....................... header contains details about the transaction between the client and server.
10. HTTP is the network protocol used to ....................... web content over the internet.
11. ....................... handles packaging information for delivery.
LOVELY PROFESSIONAL UNIVERSITY 229