Archive for the ‘SSL/TLS’ Category

How to export the SSL certificate from a Wireshark packet capture

April 10th, 2014 No comments

How to obtain the SSL certificate from a Wireshark packet capture: Read more…

Categories: SSL/TLS Tags:

Installing a Signed X.509 SSL Certificate into ASA via the CLI

March 11th, 2014 No comments

Having already generated the RSA key-pair on the ASA with “crypto key generate rsa mod 2048”) create a trustpoint for the VPN users, generated an SSL cetificate and CSR and have received the signed X.509 certificate and CA and intermediate SSL certificates, the certificate and CA certs will need to be installked onto the Cisco ASA.  This procedure describes the method using the CLI. Read more…

Categories: Network Design, SSL/TLS Tags:

OpenSSL Client Commands – Check the Contents of an SSL Certificate

March 7th, 2014 No comments

Here are a list of useful OpenSSL commands which might be useful to use in a Bash script:

Determine who issued the certificate:
$ echo | openssl s_client -connect 2>/dev/null | openssl x509 -noout -issuer
issuer= /C=US/O=Company Inc/ Read more…

Categories: SSL/TLS Tags: , ,

SSL/TLS Handshake and Record Data Protocol

March 3rd, 2014 No comments

When an TLS/SSL session (such as HTTPS (default port 443) is established an SSL handshake or exchange of messages occur between the client (initiating the connection) – and a server. (See this post for an explanation of SSL certificates and encoding).

The first set of messages are called the Handshake Protocol after which both client and server enter the Record (or Data) Protocol. The messages exchanged during the Handshake Protocol achieves the following: Read more…

Categories: Security, SSL/TLS Tags: ,

Understanding IPSec VPN

January 16th, 2014 No comments

IPSec involves many component technologies and encryption methods. Yet IPSec’s operation can be broken down into five main steps. The five steps are summarised as follows:

Step 1 Interesting traffic initiates the IPSec process—Traffic is deemed interesting when the IPSec security policy configured in the IPSec peers starts the IKE process.
Step 2 IKE phase one—IKE authenticates IPSec peers and negotiates IKE SAs during this phase, setting up a secure channel for negotiating IPSec SAs in phase two.
Step 3 IKE phase two—IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers.
Step 4 Data transfer—Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database.
Step 5 IPSec tunnel termination—IPSec SAs terminate through deletion or by timing out.

A crypto map—is a Cisco IOS software configuration entity that performs two primary functions. First, it selects data flows that need security processing. Second, it defines the policy for these flows and the crypto peer that traffic needs to go to. A crypto map is applied to an interface. The concept of a crypto map was introduced in classic crypto but was expanded for IPsec.  This aide-memoir pulls together items from to provide a useful recipe and refresher. Read more…

Categories: CISCO, Security, SSL/TLS Tags: