Reader feedback is always very important, but especially so in this case, because this is a living book. In traditional publishing, often years pass before reader feedback goes back into the book, and then only if another edition actually sees the light of day (which often does not happen for technical books, because of the small market size). With this book, you'll see new content appear in a matter of days. Ultimately, what you send to me will affect how the book will evolve.
About Bulletproof SSL/TLS and PKI
Bulletproof SSL/TLS and PKI, the book that I'm working on at the moment, is the book I wish I had back when I was starting to get involved with SSL. I don't remember when I started using SSL, but I do remember that when I was writing my first book, Apache Security, I began to appreciate the complexities of cryptography. I even began to like it. Before that point I thought that SSL was simple, but then I realized how vast the world of crypto actually is.
In 2009 I began to work on SSL Labs, and for me, the world of cryptography began to unravel. Fast-forward a couple of years, and in 2013 I still feel like I'm only starting. Cryptography is a unique field in which the more you learn, the less you know.
In supporting the SSL Labs users over the years, I've realized that there's a lot of documentation on SSL/TLS and PKI but also that it suffers from two problems: (1) it's not documented in one place, so the little bits and pieces (e.g., RFCs) are difficult to find, and (2) it tends to be very detailed and low level. It took me years of work and study to begin to understand the entire ecosystem.
Bulletproof SSL/TLS and PKI aims to address the documentation gap, as a very practical book that first paints the whole picture and then proceeds to discuss the bits and pieces that you need in daily work, going as deep as needed to explain what you need to know.
About the Author
Ivan Ristić is a security researcher, engineer, and author, known especially for his contributions to the web application firewall field and development of ModSecurity, an open source web application firewall, and for his SSL/TLS and PKI research, tools, and guides published on the SSL Labs web site.
He is the author of two books, Apache Security and ModSecurity Handbook, which he publishes via Feisty Duck, his own platform for continuous writing and publishing. Ivan is an active participant in the security community, and you'll often find him speaking at security conferences such as Black Hat, RSA, OWASP AppSec, and others. He's currently Director of Application Security Research at Qualys.
OpenSSL Cookbook
OpenSSL is an open source project that consists of a cryptographic library and an SSL toolkit. From the project's web site:
The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.
OpenSSL is a de facto standard in this space and comes with a long history. The code initially began its life in 1995 under the name SSLeay, when it was developed by Eric A. Young and Tim J. Hudson. The OpenSSL project was born in the last days of 1998, when Eric and Tim stopped their work on SSLeay to work on a commercial SSL toolkit called BSAFE SSL-C at RSA Australia.
Today, OpenSSL is ubiquitous on the server side and in many client tools. Interestingly, browsers tend to use other libraries. The command-line tools provided by OpenSSL are most commonly used to manage keys and certificates.
OpenSSL is dual-licensed under OpenSSL and SSLeay licenses. Both are BSD-like, with an advertising clause. The license has been a source of contention for a very long time, because neither of the licenses is considered compatible with the GPL family of licenses. For that reason, you will often find that GPL-licensed programs favor GnuTLS.
Getting Started
If you're using one of the Unix platforms, getting started with OpenSSL is easy; you're virtually guaranteed to already have it on your system. The only problem that you might face is that you might not have the latest version. In this section, I assume that you're using a Unix platform, because that's the natural environment for OpenSSL.
Windows users tend to download binaries, which might complicate the situation slightly. In the simplest case, if you need OpenSSL only for its command-line utilities, the main OpenSSL web site links to Shining Light Productions for the Windows binaries. In all other situations, you need to ensure that you're not mixing binaries compiled under different versions of OpenSSL. Otherwise, you might experience crashes that are difficult to troubleshoot. The best approach is to use a single bundle of programs that includes everything that you need. For example, if you want to run Apache on Windows, you can get your binaries from the Apache Lounge.
Determine OpenSSL Version and Configuration
Before you do any work, you should know which OpenSSL version you'll be using. For example, here's what I get for version information with openssl version on Ubuntu 12.04 LTS, which is the system that I'll be using for the examples in this chapter:
$ openssl version
OpenSSL 1.0.1 14 Mar 2012
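The following shell functions are an added example, not part of the book: they parse a version line like the one above and compare it against a required minimum, including letter-suffixed patch releases such as 1.0.1f. The function names and the minimum versions in the demo are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example, not from the book: require a minimum OpenSSL release.

# Print the version token of one `openssl version` line, e.g.
# "OpenSSL 1.0.1 14 Mar 2012" -> "1.0.1". Fails for any other product name.
openssl_version_token() {
    printf '%s\n' "$1" | awk '
        $1 == "OpenSSL" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+/ { print $2; ok = 1 }
        END { exit !ok }'
}

# Turn "1.0.1f" into a sortable key: zero-padded numbers, then the letter
# suffix of a patch release. A "-fips" or "-beta1" tail is ignored.
version_key() {
    printf '%s\n' "$1" | awk '{
        sub(/-.*/, "")
        suffix = $0
        sub(/^[0-9.]+/, "", suffix)
        split(substr($0, 1, length($0) - length(suffix)), part, ".")
        printf "%05d%05d%05d%s\n", part[1], part[2], part[3], suffix
    }'
}

# openssl_at_least "<version line>" MINIMUM
# Returns 0 if new enough, 1 if too old, 2 if the line is not from OpenSSL.
openssl_at_least() {
    have=$(openssl_version_token "$1") || return 2
    LC_ALL=C awk -v h="$(version_key "$have")" -v n="$(version_key "$2")" \
        'BEGIN { exit !((h "") >= (n "")) }'
}

# Constructed demo using the version line shown above; in real use pass
# "$(openssl version)" as the first argument.
line='OpenSSL 1.0.1 14 Mar 2012'
for min in 1.0.0 1.0.1 1.0.1f; do
    if openssl_at_least "$line" "$min"; then
        echo "$line satisfies >= $min"
    else
        echo "$line is older than $min"
    fi
done
```

The return code 2 lets a calling script tell "too old" apart from "not OpenSSL at all", which matters on systems where the openssl command is provided by a different library.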