home » IT technologies » Two-way ssl connection with the payment system. Setting up payment systems. Key features of the above certifications

Two-way ssl connection with the payment system. Setting up payment systems. Key features of the above certifications

TLS and SSL have been mentioned more and more lately, the use of digital certificates is becoming more relevant, and even companies have appeared that are ready to provide digital certificates for free to anyone who wants to, in order to guarantee the encryption of traffic between visited sites and the client's browser. This is necessary, of course, for security, so that no one on the network can receive data that is transmitted from the client to the server and vice versa. How does it all work and how to use it? To understand this, one must, perhaps, start with theory, and then show in practice. So SSL and TLS.

What is SSL and what is TLS?

SSL - Secure Socket Layer, secure socket layer. TLS - Transport Layer Security, transport layer security. SSL is an earlier system, TLS came later and is based on the SSL 3.0 specification developed by Netscape Communications. Nevertheless, these protocols have one task - to provide secure data transmission between two computers on the Internet. This transfer is used for various sites, for e-mail, for messaging and much more. In principle, you can transfer any information in this way, more on that below.

Secure transmission is ensured by authentication and encryption of the transmitted information. In fact, these protocols, TLS and SSL, work the same, there are no fundamental differences. TLS can be said to be the successor to SSL, although they can be used concurrently, even on the same server. This support is necessary in order to work with both new clients (devices and browsers) and legacy clients that do not support TLS. The sequence of occurrence of these protocols looks like this:

SSL 1.0 - never published
SSL 2.0 - February 1995
SSL 3.0 - 1996
TLS 1.0 - January 1999
TLS 1.1 - April 2006
TLS 1.2 - August 2008

How SSL and TLS work

The principle of SSL and TLS, as I said, is the same. On top of the TCP / IP protocol, an encrypted channel is established, within which data is transmitted using the application protocol - HTTP, FTP, and so on. This is how it can be represented graphically:

The application protocol is wrapped in TLS / SSL, which in turn is wrapped in TCP / IP. In fact, the application protocol data is transmitted over TCP / IP, but it is encrypted. And only the machine that established the connections can decrypt the transmitted data. For everyone else who receives the transmitted packets, this information will be meaningless if they cannot decrypt it.

The connection is established in several stages:

1) The client establishes a connection with the server and requests a secure connection. This can be provided either by establishing a connection on a port that was originally designed to work with SSL / TLS, for example, 443, or by an additional request by the client to establish a secure connection after establishing a normal one.

2) When establishing a connection, the client provides a list of encryption algorithms that he "knows". The server compares the received list with the list of algorithms that the server "knows" and selects the most reliable algorithm, and then tells the client which algorithm to use

3) The server sends the client its digital certificate signed by the certification authority and the server's public key.

4) The client can contact the server of the trusted certification authority that signed the server certificate and check if the server certificate is valid. But it may not be involved. The operating system usually already has the root certificates of CAs installed, with which the signatures of the server certificates, for example, browsers, are verified.

5) A session key is generated for a secure connection. This is done as follows:
- The client generates a random digital sequence
- The client encrypts it with the server's public key and sends the result to the server
- The server decrypts the received sequence using the private key
Given that the encryption algorithm is asymmetric, only the server can decrypt the sequence. When using asymmetric encryption, two keys are used - private and public. The publicly sent message is encrypted, and the private one is decrypted. You cannot decrypt a message if you have a public key.

6) Thus, an encrypted connection is established. The data transmitted over it is encrypted and decrypted until the connection is terminated.

Root certificate

I mentioned the root certificate just above. This is a certificate of an authorization center, the signature of which confirms that the certificate that is signed is exactly the one that belongs to the corresponding service. The certificate itself usually contains a number of information fields, which contain information about the name of the server to which the certificate was issued and the validity period of this certificate. If the certificate has expired, it is invalidated.

Certificate Sign Request (CSR)

To obtain a signed server certificate, you need to generate a signature request (CSR, Certificate Sign Request) and send this request to an authorization center, which will return a signed certificate installed directly on the server, let's see how to do this in practice. First, an encryption key is generated, then a signature request, CSR file, is generated based on this key.

Client certificate

A client certificate can be generated for both device use and user use. Typically, such certificates are used in two-way verification, when the client verifies that the server is really who it claims to be, and the server does the same in response. This interaction is called two-way authentication or mutual authentication. Two-way authentication allows you to increase the level of security compared to one-way, and can also serve as a substitute for authentication using a username and password.

Certificate Generation Action Chain

Let's see in practice how the actions associated with generating certificates take place from the very beginning, and at the same time in practice.

The first thing to do is generate a root certificate. The root certificate is self-signed. And then other certificates will be signed with this certificate.

$ openssl genrsa -out root.key 2048 Generating RSA private key, 2048 bit long modulus .......... +++ ................... ........................ +++ e is 65537 (0x10001) $ openssl req -new -key root.key -out root.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ".", The field will be left blank. ----- Country Name (2 letter code): RU State or Province Name (full name): N / A Locality Name (eg, city): Saint-Petersburg Organization Name (eg, company): My Company Organizational Unit Name (eg, section): IT Service Common Name (eg server FQDN or YOUR name): My Company Root Certificate Email Address: [email protected] Please enter the following "extra" attributes to be sent with your certificate request A challenge password: An optional company name: My Company $ openssl x509 -req -days 3650 -in root.csr -signkey root.key -out root.pem Signature ok subject \u003d / C \u003d RU / ST \u003d N / A / L \u003d Saint-Petersburg / O \u003d My Company / OU \u003d IT Service / CN \u003d My Company Root Certificate / [email protected] Getting private key

Thus, we first generated a private key, then a signature request, and then with our key we signed our own request and received our own digital certificate issued for 10 years. You can omit the challenge password when generating the certificate.

The private key MUST be stored in a safe place, having it you can sign any certificate on your behalf. And the resulting root certificate can be used to identify that the certificate, for example, of the server, was signed by us, and not by someone else. This is exactly what authorization authorities do when they generate their own certificates. After creating the root certificate, you can start generating the server certificate.

Viewing information about a certificate

The contents of the certificate can be viewed like this:

$ openssl x509 -noout -issuer -enddate -in root.pem issuer \u003d / C \u003d RU / ST \u003d N / A / L \u003d Saint-Petersburg / O \u003d My Company / OU \u003d IT Service / CN \u003d My Company Root Certificate / [email protected] notAfter \u003d Jan 22 11:49:41 2025 GMT

We see who issued this certificate and when it expires.

Server certificate

To sign the certificate for the server, we need to do the following:

1) Generate key
2) Generate a Signature Request
3) Send CSR file to the authorization center or sign it yourself

The server certificate can include the certificate chain that signed the server certificate, but it can also be stored in a separate file. In principle, everything looks about the same as when generating the root certificate

$ openssl genrsa -out server.key 2048 Generating RSA private key, 2048 bit long modulus ................................ .................................................. . +++ .......................... +++ e is 65537 (0x10001) $ openssl req -new -key server.key - out server.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ".", The field will be left blank. ----- Country Name (2 letter code): RU State or Province Name (full name): N / A Locality Name (eg, city): Saint-Petersburg Organization Name (eg, company): My Company Organizational Unit Name (eg, section): IT Service Common Name (eg server FQDN or YOUR name): www.mycompany.com Email Address: [email protected] Please enter the following "extra" attributes to be sent with your certificate request A challenge password: An optional company name: $ openssl x509 -req -in server.csr -CA root.pem -CAkey root.key -CAcreateserial -out server. pem -days 365 Signature ok subject \u003d / C \u003d RU / ST \u003d N / A / L \u003d Saint-Petersburg / O \u003d My Company / OU \u003d IT Service / CN \u003d www.mycompany.com / [email protected] Getting CA Private Key $ openssl x509 -noout -issuer -subject -enddate -in server.pem issuer \u003d / C \u003d RU / ST \u003d N / A / L \u003d Saint-Petersburg / O \u003d My Company / OU \u003d IT Service / CN \u003d My Company Root Certificate / [email protected] subject \u003d / C \u003d RU / ST \u003d N / A / L \u003d Saint-Petersburg / O \u003d My Company / OU \u003d IT Service / CN \u003d www.mycompany.com / [email protected] notAfter \u003d Jan 25 12:22:32 2016 GMT

Thus, the server certificate is signed and we will know which organization issued this certificate. After signing, the ready-made certificate can be used for its intended purpose, for example, installed on a web server.

Installing an SSL / TLS certificate on a server with nginx

To install an SSL / TLS certificate on the nginx web server, you need to follow a few simple steps:

1) Copy the .key and .pem files to the server. In different operating systems, certificates and keys can be stored in different directories. In Debian, for example, this is / etc / ssl / certs for certificates and / etc / ssl / private for keys. On CentOS, these are / etc / pki / tls / certs and / etc / pki / tls / private

2) Register the necessary settings in the configuration file for the host. This is how it should look roughly (this is just an example):

Server (listen 443; server_name www.mycompany.com; root html; index index.html index.htm; ssl on; ssl_certificate server.pem; ssl_certificate_key server.key; ssl_session_timeout 5m; # SSLv3 not recommended !!! # It's here for example only ssl_protocols SSLv3 TLSv1; ssl_ciphers ALL:! ADH:! EXPORT56: RC4 + RSA: + HIGH: + MEDIUM: + LOW: + SSLv3: + EXP; ssl_prefer_server_ciphers on; location / (try_files $ uri $ uri / \u003d 404; ))

3) Restart nginx

4) Go to the server port 443 with your browser - https://www.mycompany.com and check its performance.

Installing SSL / TLS Certificate on a Server with Apache

Installing an SSL / TLS certificate on Apache looks similar.

1) Copy the key and certificate files to the server in the appropriate directories

2) Enable the ssl module for Apache with the "a2enmod ssl" command, if it is not already enabled

3) Create a virtual host that will listen on port 443. The config will look something like this:

ServerAdmin [email protected] DocumentRoot / var / www Options FollowSymLinks AllowOverride None Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow, deny allow from all ScriptAlias \u200b\u200b/ cgi-bin / / usr / lib / cgi-bin / AllowOverride None Options + ExecCGI -MultiViews + SymLinksIfOwnerMatch Order allow, deny Allow from all ErrorLog $ (APACHE_LOG_DIR) /error.log LogLevel warn CustomLog $ (APACHE_LOG_DIR) /ssl_access.log combined SSLEngine on SSLCertificateFile /etc/ssl/certs/server.pem SSLCertificateKeyFile /etc/ssl/private/server add directive containing a list # of all certificates that signed the server certificate #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt SSLOptions + StdEnvVars SSLOptions + StdEnvVars BrowserMatch "MSIE" \\ nokeepalive ssl-unclean-shutdown \\ downgrade-1.0 force-response-1.0 BrowserMatch "MSIE" ssl-unclean-shutdown

That said, there is one more thing to do. Find in the httpd.conf, or apache2.conf, or ports.conf file, depending on the system, the following config section:

Listen 443

If there is no such condition, it must be added to the config. And one more thing: You need to add a line

NameVirtualHost *: 443

This line can be found in httpd.conf, apache2.conf or ports.conf

4) Restart Apache web server

Creating a client certificate

The client certificate is generated in much the same way as the server certificate.

$ openssl genrsa -out client.key 2048 Generating RSA private key, 2048 bit long modulus ........................ +++ ..... ............................................. +++ e is 65537 (0x10001) $ openssl req -new -key client.key -out client.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ".", The field will be left blank. ----- Country Name (2 letter code): RU State or Province Name (full name): Saint-Petersburg Locality Name (eg, city): ^ C [email protected]: ~ / Temp / certs / CA $ openssl req -new -key client.key -out client.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ".", The field will be left blank. ----- Country Name (2 letter code): RU State or Province Name (full name): N / A Locality Name (eg, city): Saint-Petrersburg Organization Name (eg, company): My Company Organizational Unit Name (eg, section): Engineering Common Name (eg server FQDN or YOUR name): Ivan Ivanov Email Address: [email protected] Please enter the following "extra" attributes to be sent with your certificate request A challenge password: An optional company name: $ openssl x509 -req -in client.csr -CA root.pem -CAkey root.key -CAcreateserial -out client. pem -days 365 Signature ok subject \u003d / C \u003d RU / ST \u003d N / A / L \u003d Saint-Petrersburg / O \u003d My Company / OU \u003d Engineering / CN \u003d Ivan Ivanov / [email protected] Getting CA Private Key $ openssl x509 -noout -issuer -subject -enddate -in client.pem issuer \u003d / C \u003d RU / ST \u003d N / A / L \u003d Saint-Petersburg / O \u003d My Company / OU \u003d IT Service / CN \u003d My Company Root Certificate / [email protected] subject \u003d / C \u003d RU / ST \u003d N / A / L \u003d Saint-Petrersburg / O \u003d My Company / OU \u003d Engineering / CN \u003d Ivan Ivanov / [email protected] notAfter \u003d Jan 25 13:17:15 2016 GMT

If you need a client certificate in PKCS12 format, create it:

$ openssl pkcs12 -export -in client.pem -inkey client.key -certfile root.pem -out iivanov.p12 Enter Export Password: Verifying - Enter Export Password:

Now you can use the client certificate to work with our server.

Configuring nginx to use client certificates

Most often, as I said, one-way authentication is used, usually only the server certificate is verified. Let's see how to get the nginx web server to validate the client certificate. You need to add options for working with client certificates in the server section:

# Root certificate (s) that signed the client ssl_client_certificate /etc/nginx/certs/clientroot.pem; # Possible options: on | off | optional | optional_no_ca ssl_verify_client optional; # The depth of verification of the chain of certificates that signed the client ssl_verify_depth 2;

After that, you need to restart the settings or the entire server and you can check the work.

Configuring Apache to Use Client Certificates

Apache is also configured by adding additional options to the virtual host section:

# Directory containing root certificates for client verification SSLCARevocationPath /etc/apache2/ssl.crl/ # or file containing SSLCARevocationFile certificates /etc/apache2/ssl.crl/ca-bundle.crl # Client verification option. Possible options: # none, optional, require and optional_no_ca SSLVerifyClient require # The depth of the signature chain view. Default 1 SSLVerifyDepth 2

As you can see, the options are approximately the same as for nginx, since the verification process is organized in a uniform manner.

"Wiretapping" certificate information using openssl

To test the server's interaction with client certificates, you can test whether the connection is established using TLS / SSL.

On the server side, start listening on the port using openssl:

Openssl s_server -accept 443 -cert server.pem -key server.key -state

On the client side, we refer to the server, for example, with culr:

Curl -k https://127.0.0.1:443

In the console from the server side, you can observe the process of information exchange between the server and the client.

You can also use the -verify [check depth] and -Verify [check depth] options. The lower-case option asks the client for a certificate but is not required to provide it. Capitalized - if no certificate is provided, an error will occur. Let's start listening from the server side like this:

Openssl s_server -accept 443 -cert server.pem -key server.key -state -Verify 3

From the server side, the error looks like this:

140203927217808: error: 140890C7: SSL routines: SSL3_GET_CLIENT_CERTIFICATE: peer did not return a certificate: s3_srvr.c: 3287:

From the client side like this:

Curl: (35) error: 14094410: SSL routines: SSL3_READ_BYTES: sslv3 alert handshake failure

Add a certificate and a domain name from the client side (you can enter the hostname for the address 127.0.0.1 into the / etc / hosts file for verification):

Curl https://www.mycompany.com:443 --cacert root.pem --cert client.pem --key client.key

Now the connection will be successful and you can install the server certificate on the web server, give the client certificate to the client, and work with them.

Safety

When using SSL / TLS, one of the main methods is the MITM (Man In The Middle) method. This method relies on the use of a server certificate and key on some node that will listen to traffic and decrypt the information exchanged between the server and the client. To organize listening, you can use, for example, the sslsniff program. Therefore, it is usually advisable to store the root certificate and key on a machine that is not connected to the network, for signing, bring requests for signature on a flash drive, sign and also take away. And, of course, make backups.

In general terms, this is how digital certificates and the TLS and SSL protocols are used. If you have any questions / additions, write in the comments.

This entry was posted in a heading with tags,.

: 29 comments

cl-service.com
The client generates the CSR itself when ordering a certificate, where the client also decides to save the private key, we do not need a private key to issue a certificate and the client does not transfer it to us in any way. Naturally, if this happens on a regular virtual one, then administrators with root access to the server have access to the keys that are stored there.
Well-wisher.
The topic of boobs is not disclosed, because the described PKI technology has nothing to do with the topic title. If only for prichiya links to rfc resulted.
P.S. There was such an anecdote about a dog and a flea.
Well-wisher.
In no case did I want to offend you. I was looking for information about the difference between SSl and TLS in practice and your link in Google was the first. Was interested in the title of the topic. Everything's cool, keep it up!
DrAibolit
Thank you for the helpful explanations about digital certification. I'm new to this \u003d)
I hope to clarify the next question.
Since the topic of fraud is very developed in the Internet industry, I would like to learn how to determine the "lousiness" of the sites I independently visit (especially where there are coughs and payments, investments, etc.) and based on this, determine the degree of my trust (I often have to register, leave personal information, make purchases, transactions, investments). If I understood correctly, the presence of this certification allows us to make such an assessment. On the other hand, getting it is not a problem and even for free.
How or with which program can you determine the presence of a digital certificate for a particular site? and preferably its category, which is assigned when a special agency issues SSL DV (the certificate is issued with verification of only the domain), SSL OV (with verification of the organization), EV (with extended verification of the legal entity). Fraudulent websites will most likely not use the last certification option ..
I would be glad if you tell me more ways to determine the reliability of sites))
1. mnorin Post author
  I have not yet met any specific program for these purposes, but I can give a couple of tips on this matter.
  You can use, for example, Chromium or Google Chrome. Take, for example, the site https://www.thawte.com/ - a company that actually deals with digital certificates.
  The address bar will contain the name of the company and a green lock. This means that the organization is verified, this is at least an SSL OV.
  If you click on the lock, and in the drop-down box "Details", and then "View Certificate", you can see information about the certificate. For Thawte, the certificate is signed with the following certificate: "thawte Extended Validation SHA256 SSL CA", and the certificate for click.alfabank.ru is also signed by Thawte, but with a different certificate. This is "thawte EV SSL CA - G3", that is, they also passed Extended Validation.
  Something like this.
Ruslan
Section "How SSL and TLS work", "The client generates a random digital sequence."

I was sure that the client generates the session private and, accordingly, the public keys (which you, obviously, called "number sequence"). The public key is transmitted to the server and the server encrypts the packets towards the client with the client's session public key.

Please clarify.
Newbie
The article is very useful! There are even practical examples \u003d) Only I did not understand one thing - what is the difference between a root certificate and a server one? or is it the same thing?
Vitaly
Hello.
The hoster offered a service - SSL for virtual servers. We took advantage of it. It turned out that for the third level, i.e. http://www.site.ru certificate is invalid, only for site.ru. Moreover, visitors are stubbornly thrown at the https protocol, it does not matter if they visit site.ru or http://www.site.ru. Of course, in the second case, the browser starts to swear heart-rendingly, and the visitor does not get to the site.
And for those who did get to the site, the site began to look crooked, part of the menu disappeared, some of the images in the search results were no longer displayed by some components.

"RBS BS-Client. Private Client" v.2.5

Configuring access channels. TLS / SSL protocols

Version 2.5.0.0

1. Abstract

This document contains information that is current at the time of its preparation. does not guarantee that this document will be free of errors. reserves the right to make changes to the document without prior notice.

This document is intended for system administrators.

The document contains information on working in the system with TLS / SSL protocols designed to solve traditional problems of ensuring the protection of client / server information interaction.

1. Annotation. 2

2. Principles of operation of the TLS / SSL protocols. 4

3. Secure Socket Layer (SSL). 6

3.1. Creating an SSL Certificate Request 7

3.2. SSL Certificate Installation 14

3.3. Setting up SSL on the website. 17

4. Transport Layer Security (TLS). eighteen

4.1. Two-Way SSL (TLS) Configuration Workflow 18

4.2. Generating a certificate and private keys for the Web server. 19

4.3. Server certificate installation (performed on the web server computer) 22

4.4. Assigning a certificate to a website. 31

4.5. Configuring two-way SSL on a website. 35

4.6. Configuring BSI - RTS Bond for Two-Way SSL 36

4.7. Generation of the client's certificate and secret keys. 38

4.8. Installing the client certificate (performed on the client computer) 39

2. How the TLS / SSL protocols work

To establish a connection between the Client and the Bank, the “Private Client” system provides for two channels with the necessary information security tools:

SSL - Secure Socket Layer

TLS - Transport Layer Security

TLS / SSL protocols are designed to solve traditional problems of ensuring the protection of information interaction, which in a client / server environment are interpreted as follows:

· The user, connecting to the server, must be sure that he is not exchanging information with a fake server, but with the one he needs (otherwise, this can lead to funny, if not sad, consequences). Many applications also require the server to be able to reliably identify the client without being limited to password protection;

· After establishing a connection between the server and the client, the entire information flow between them must be protected from unauthorized access;

· When exchanging information, the parties must be sure that there is no accidental or deliberate distortion during its transfer.

TLS / SSL protocols solve these problems as follows:

· The identity of the partners can be ascertained using asymmetric cryptography (eg RSA, GOST (using CryptoPro TLS), etc.). This authentication can be made optional, but it is required for at least one of the partners.

· The connection is confidential. Symmetric cryptography is used to encrypt data (e.g. DES, RC4, GOST (when using CryptoPro TLS), etc.). The encryption keys are generated independently for each connection and are based on a secret obtained using another protocol (such as the TLS conversation protocol).

· The connection is reliable. The message transmission procedure includes an integrity check using a MAC computation. Hash functions are used to calculate\u003e MAC (e.g. SHA, MD5, etc.).

These protocols assume that the transport protocol is a connection-oriented protocol (for example, TCP) and consist of two layers. The first layer includes an application protocol and three so-called handshake protocols: the Handshake Protocol, the Change Cipher Spec Protocol, and the Alert Protocol. The second layer is the so-called. Record Protocol.

Handshake protocols are responsible for establishing or resuming secure sessions.

The record protocol performs the following functions:

· Splits data received from the application layer into blocks and collects incoming blocks for transmission to the application layer.

· Compresses outgoing data and decompresses incoming data.

· Attaches a MAC or hash to outgoing blocks of data and uses the attached MAC to verify the integrity of the incoming.

· Encrypts outgoing and decrypts incoming data blocks.

Symmetric cryptography is used to encrypt the transmitted data, that is, one and the same key can both encrypt and decrypt encrypted data.

On each side there is a set of two keys (the same for both sides), used to encrypt the received / transmitted data, and a set of two keys, used to generate the MAC (HMAC).

During transmission, data is divided into blocks, MAC (or HMAC in the case of TLS) is calculated for each block, the resulting value is added to the transmitted block, then each block is encrypted with a session key and transmitted to the receiving side.

Upon receipt, the block is decrypted, the MAC is calculated from it (or HMAC in the case of TLS), the resulting value is compared with the value transmitted with the block (data integrity check).

When using the CryptoPro TLS software, it becomes possible to use cryptographic encryption algorithms in accordance with GOST, key exchange using the Diffie-Hellman algorithm and hashing in accordance with GOST R 34.11-94.

The standard implementation of the SSL / TLS protocols for Windows is capable of working correctly only with the RSA algorithm.

TLS features

TLS is based on the SSL 3.0 protocol specification published by Netscape. The differences between this protocol and SSL 3.0 are subtle, but they are enough to make TLS 1.0 and SSL 3.0 incompatible (although TLS 1.0 has a mechanism by which applications can support SSL 3.0).

Improvements in TLS over SSL:

· In TLS, the Message Authentication Code (MAC) algorithm used in SSL to compute the message hash has been replaced by the more robust HMAC (keyed-Hashing for Message Authentication Code) algorithm.

TLS is standardized in RFC 2246

Added several alarm messages

· TLS allows the use of certificates issued by a subordinate (non-root) CA.

· TLS specifies padding block values \u200b\u200bthat are used with block encryption algorithms.

Fortezza algorithms are not included in the TLS RFC because they are not open to the public (this is an Internet Engineering Task Force (IETF) policy)

· Subtle differences in different message fields.

Pros and cons of using SSL

Pros:

Does not require installation of additional software on the client's computer.

Less use of system resources because traffic is protected using less resource-intensive symmetric cryptographic algorithms.

Minuses:

There is an exchange of key information between the parties.

Pros and cons of using TLS

Pros:

More secure algorithms are used to encrypt traffic, sign packets and exchange key information than in the case of SSL.

Minuses:

This option can only be used when using CryptoPro CSP / TLS cryptography.

It is necessary to install additional software at the client's workplace (CryptoPro).

3. Secure Socket Layer (SSL)

Secure Socket Layer (SSL) is a security protocol that was developed in 1996 by Netscape and provides a secure connection between a client's web browser and a web server. SSL is an integrated part of most web browsers and web servers and uses RSA encryption. SSL provides secure data transmission using two main components:

· Authentication;

· Encryption.

To make a secure connection using the SSL protocol, a digital SSL certificate must be installed on the web server. A digital SSL certificate is a file that uniquely identifies the server to which the connection is made. A digital certificate is sometimes referred to as a digital passport or digital ID.

SSL certificate contains the following details:

· The domain to which the certificate was issued;

· The owner of the certificate;

· Configuring a WWW server and creating a new website for the Internet client to work over two-way SSL (TLS).

· Configuring the BSI module.

· Configuring the RTS module.

· Generation of keys and certificate request for Web server.

· Generation of a client certificate.

· Installing certificates on appropriate computers.

· Assigning the installed certificate to the Web server.

· Setting up two-way SSL (TLS) on the website.

4.2. Generating Web Server Certificate and Secret Keys

Generation of keys and a request for a Web server certificate can be performed using standard RBS tools.

To do this, select the Security -\u003e Crypto protection -\u003e Manual certificate generation menu item.

ð A dialog opens Generating a certificate request and private key(Fig. 4-1).

Figure: 4-1 Generating a Certificate Request and Private Key

https://pandia.ru/text/78/460/images/image023_1.jpg "width \u003d" 411 "height \u003d" 466 src \u003d "\u003e

Figure: 4-3 CryptoPro CSP Properties Dialog Box

Go to the bookmark "Service" and click on the button « Install Personal Certificate " .

"Private certificate installation wizard"(Figure 4‑4).

Figure: 4-4 Dialog Box « Private certificate installation wizard "

· Click on the Next button.

Installing the certificate (Figure 4-5).

Figure: 4-5 Certificate Installation Dialog Box

· Select the required certificate file and click on the "Next" button.

ð The following window for installing the certificate will open (Fig. 4‑6).

Figure: 4-6 Certificate Installation Dialog Box

· Click on the Next button.

ð This will open the following dialog box for installing the certificate (Fig. 4-7).

Figure: 4-7 Certificate Installation Dialog Box

· When choosing a key container, select "Computer", then select the required container. Click on the Next button.

ð This will open the following dialog box for installing the certificate (Fig. 4‑8).

Figure: 4-8 Certificate Installation Dialog Box

· Click on the "Browse" button.

ð This opens a dialog box « SelectCertificateStore "(Fig. 4-9).

https://pandia.ru/text/78/460/images/image030.jpg "width \u003d" 502 "height \u003d" 385 src \u003d "\u003e

Figure: 4-10 Certificate Installation Dialog Box

· Click on the "Finish" button.

ð Thus, the server certificate will be included in the personal directory of the local computer with a bunch of secret keys installed at the OS level.

To install the certificate, you can use the items in the main Windows menu « Start - \u003e Run " .

ð A window will open. « Run "(Fig. 4-11).

Microsoft "href \u003d" / text / category / microsoft / "rel \u003d" bookmark "\u003e Microsoft ManagementConsole ".

· Select the mmc main menu item "Console -\u003e New" or press the "Ctrl + N" keys.

ð This opens a dialog box « Console Root "(Fig. 4-12).

https://pandia.ru/text/78/460/images/image033_0.jpg "width \u003d" 415 "height \u003d" 309 src \u003d "\u003e

Figure: 4-13 Add / Remove Snap-in Dialog Box

· Click on the "Add" button.

ð This opens a dialog box « AddStandaloneSnap-in "(Fig. 4-14).

https://pandia.ru/text/78/460/images/image035_0.jpg "width \u003d" 523 "height \u003d" 195 src \u003d "\u003e

Figure: 4-15 Certificates Snap-in Dialog Box

· Check the box "Computer account" and click on the "Next" button.

ð A dialog box appears on the screen. « SelectComputer "(Fig. 4-16).

https://pandia.ru/text/78/460/images/image037.jpg "width \u003d" 415 "height \u003d" 292 src \u003d "\u003e

Figure: 4-17 Add / Remove Snap-in Dialog Box

· Click on the "Ok" button.

ð A window will open. Console Root(Figure 4-18), which contains a list of certificates LocalComputer.

https://pandia.ru/text/78/460/images/image039.jpg "width \u003d" 474 "height \u003d" 345 src \u003d "\u003e

ð This will open the settings wizard « CertificateimportWizard ".

· Click on the Next button.

ð This opens the following dialog box « CertificateimportWizard "(Fig. 4-20).

Figure: 4-20 Dialog Box "Certificate import Wizard»

· Specify the path to the certificate file of the Authorization Center and click the "Next" button.

ð This opens the following dialog box « CertificateimportWizard ".

· Check the box "Automatically determine the location of the certificate or place it in the specified directory" and click on the "Next" button.

ð This opens the following dialog box « CertificateimportWizard ".

· To complete the procedure and close the settings wizard window, click the "Finish" button.

On closing Microsoft Management Console ( MMC) click the button « Yes " to save your settings.

4.4. Assigning a Certificate to a Web Site

To set up two-way SSL:

· Launch Internet Services Manager ("Start -\u003e Settings -\u003e Control Panel -\u003e Administrative Tools -\u003e Internet Services Manager").

· In the window that appears on the left, open the tree "Internet Information Services".

ð A branch will appear in the tree *<сетевое имя Вашего компьютера>.

· In the list of sites, select the site for which you want to configure two-way SSL and open the "Properties".

Attention!

Only additional site configuration is described here so that it correctly supports the operation of a channel with a two-way SSL security type. Only the parameters listed below are subject to additional configuration. All other parameters remain unchanged.

· Go to the “Directory Security” tab (Fig. 4-21).

https://pandia.ru/text/78/460/images/image003_23.jpg "width \u003d" 503 "height \u003d" 386 src \u003d "\u003e

· Click on the Next button.

ð This opens a dialog box « IISCertificateWizard "(Fig. 4‑22).

https://pandia.ru/text/78/460/images/image043.jpg "width \u003d" 503 "height \u003d" 248 src \u003d "\u003e

Figure: 4-23 Dialog Box "IIS Certificate Wizard"

· Select the installed certificate from the list and click on the "Next" button.

ð This opens the following dialog box « IISCertificateWizard "(Fig. 4-24).

Figure: 4-24 Dialog Box "IIS Certificate Wizard"

· Click on the Next button.

ð This opens the following dialog box « IISCertificateWizard "(Fig. 4-25).

DIV_ADBLOCK427 "\u003e

Attention!

The site must be created and configured according to the document "System Installation and Configuration Guide".

This section only describes additional configuration of the site so that it correctly supports the operation of a channel with a two-way SSL security type. Only the parameters listed below are subject to additional configuration. All other parameters remain unchanged.

· Go to the "Directory Security" tab.

· In the "Secure Communication" section, click on the "Edit" button.

In the opened dialog box, check the following boxes:

▼ Require Secure Channel

▼ Require Client Certificates.

4.6. Configuring BSI - RTS Bond for Two-Way SSL

The utility is used to configure BSISET. EXE ... The settings are made as follows:

· Start the bsiset utility. exe (the utility is located in the "% BSSRoot% \\ EXE" directory).

ð This opens a dialog box « Choose BSI. DLLlocation» .

· Specify the path to the bsi file in the "Library" field. dll. If the BSI module settings were made earlier, then the path can be selected from the list below. To select a path to bsi. dll manually use the button.

· Click on the "Edit" button.

ð This will open the “ BSIConfiguration ".

For the type of client channel protection used - two-sided SSL ( TLS) need to tweak the configuration RTS .

· It is necessary to create a new configuration for RTS. To create a new setting in the right part of the window on the Configs tab, click the New button.

ð This will create a new configuration named NewItemwhich you can rename.

ð To copy the default configuration, run the bsiset utility. exe. Click on the Edit button. Select the required configuration and click on the "New Copy" button.

· Place the cursor on the "NewItem" line and enter the name of the setting in the "ConfigID" field.

· Then, with the cursor positioned over the name of the new setting, click on the "Configuration" button.

ð The settings window appears on the screen « BSISet ".

· Open the "Options" section and go to the "Authentification" tab.

· You must configure the client authentication type. To do this, check the box “Identify by client certificate (TLS)”.

To configure RTS parameters, find the server icon in the system tray, right-click on it:

ð The context menu is activated.

· Select the "Settings ..." command from the context menu

ð This opens a dialog box "Settings".

· Open the "Options" section and go to the "Client identification" tab (Fig. 4-26).

https://pandia.ru/text/78/460/images/image049_0.jpg "width \u003d" 510 "height \u003d" 368 "\u003e

Figure: 4-27 Generating a Certificate Request and Private Key for a Client

Enter the name of the subscriber, select the type of crypto library - Ms Crypto Api 2.0 and click Next.

ð The following window for entering the certificate parameters will appear on the screen.

When generating a client certificate, specify the following parameter values \u200b\u200bin this window:

Scope of the certificate 1.3.6.1.5.5.7.3.2;

Scope of the private key DigitalSignature; NonRepudiation; KeyEncipherment; DataEncipherment. Types.

4.8. Installing the client certificate (performed on the client computer)

To install the client certificate, use the CryptoPro control panel (Fig. 4-28).

Use the main Windows menu items Start -\u003e Setting -\u003e Control Panel -\u003e CryptoPro CSP.

Figure: 4-28 Starting CryptoPro CSP Setup

A window will open Properties: CryptoPro CSP.

Open the page Service and press the button Install Personal Certificate.

A window will open Private certificate installation wizard.

Press the button Next.

Select the required certificate file and click the button Next..

· The following window will open to install the certificate.

Press the button Next.

The following window will open to install the certificate.

Figure: 4-29 Selecting Certificate Installation Options

When choosing a key container, specify “ User”, Then select the required container. Click the button Next(Fig. 4‑29).

· The following window will open to install the certificate.

Press the button Browse.

A window will open Select Certificate Store.

Provide a reference personal to install the certificate and click Ok.

Then in the window for installing the certificate, click Next.

· The following window will open with the settings for installing the certificate.

Press the button Finish.

Thus, the server certificate will be stored in the personal store of the current user.

We have released a new book, “Content Marketing on Social Media: How to Get Into the Heads of Subscribers and Fall in Love with Your Brand”.

The world is obsessed with internet security. If you are in trend and correspond exclusively in Telegram, then read about how to establish a secure connection on the site. It will come in handy in any case, and if you are an online store, then you cannot do without it at all. Along the way, let's talk about certificates: what they are and what they are for.

What is HTTPS

It is a secure connection protocol. It encrypts the information exchanged between the server and the user's browser - this helps to protect data about passwords, credit card numbers and email addresses. The use of HTTPS is powerful and makes it a little more attractive in the eyes of search engines - Google ranks secure sites higher than non-secure sites. To enable HTTPS on your site, you first need to install an SSL certificate on the server.

What is an SSL certificate for?

It generates a unique digital signature on the site, which helps to secure the connection. Without an SSL certificate, you won't be able to get HTTPS, no matter how hard you try. It contains:

site domain;
full legal name of the owner company;
the physical address of the company;
validity period of the certificate;
sSL developer details.

You will also need a certificate to connect to any payment system, for example, Yandex.Money. The logic is simple - no one will allow you to risk other people's money.

How to choose an SSL certificate

They are divided into two types, depending on the degree of protection and.

Domain Validation SSL

The easiest option. It will work after you verify domain ownership. This can be done in three ways:

Via E-mail. You will receive an email with verification instructions. Either mail from the Whois domain, or admin or webmaster mailboxes is selected as the sending address.

Through a DNS entry. If you have an email server configured, create a custom DNS record. The system will use it to confirm that you are really the owner of the site. The method is automated and is suitable for those who have their Whois mail hidden in their settings.

Through a hash file. Place the special .txt file on your server so that the certification authority can determine its presence.

Such verification is suitable if you have a personal blog or a small offline business, because it does not allow you to protect subdomains and conduct financial transactions. Plus, to confirm the purity of the domain and your thoughts, you do not need to do anything complicated, and the finished certificate is done quickly.

Business Validation

This type of SSL certificate is more reliable because you confirm that the company is connected to the site. To do this, you need to send several documents to the verification center and take a call to the corporate number. Business Validation certificates are divided into 3 types:

Extended Validation SSL. These are extended validation certificates. They are needed by everyone who works with a large amount of money: banks, large online stores, financial companies, payment systems.

Wildcard SSL. Such a certificate protects both the site itself and its subdomains. Moreover, there can be any number of them, and they can be located on different servers. Required if you use subdomains with different regional binding or different projects.

SAN SSl. The main advantage of this type of certificate is the support for alternate domain names, both external and internal.

CodeSigning SSL. Validates the code and software products from the site. Suitable for developers of any applications.

Can I install a free SSL certificate on my site?

Yes. Most of these products are paid, but there are also options for which you do not have to pay money. These are domain-validated basic certificates. They will not allow you to attach an online cash register to the resource, but they will be able to protect the connection between the user and the server. Such SSL is suitable for small informational websites or offline businesses. An example is the StartSSL base certificate.

Install SSL Certificate

First you need to generate a CSR request for a certificate. It contains all the information about the domain owner and the public key. Most SSL providers allow you to do this during the certificate ordering process, but you can also generate a request on the web server side.

When generating a CSR key, you need to specify:

Server name: "site.com" or "* .site.com" if you receive a WIldcard certificate. An asterisk means any number of any characters before point.
Country code: RU, UA, KZ and so on.
Region, for example, Saratov Region.
City.
The full name of the organization or the name of the site owner.

The CSR request is sent to the verification center. As a result, you receive an SSL certificate and a file with a private key, which cannot be lost and made public.

After that, you need to install the certificate on the web server. Let's consider the cases with Apache and nginx.

Apache

To do this, you need to upload all certificates to the server: both basic and intermediate. First of all, you need the latter in the / usr / local / ssl / crt directory (used by default, in your case it may be different). All certificates will be stored in it.

After that download the main certificate, open it in any text editor and completely copy the content along with the lines "BEGIN" and "END".

In the / ssl / crt / directory, create a vashsite.crt file and paste the contents of the certificate into it.

Move the private key file to the / usr / local / ssl / private / directory

In your VirtualHost file add the lines:

SSLEngine on

SSLCertificateKeyFile /usr/local/ssl/private/private.key

SSLCertificateFile /usr/local/ssl/crt/vashsite.crt

SSLCertificateChainFile /usr/local/ssl/crt/intermediate.crt

You need to specify valid paths to files. Save changes and restart the server.

nginx

Here the process for installing an SSL certificate is slightly different. First, you need to combine the root, intermediate and SSL certificates into one. To do this, create a vashsite.crt file and paste the contents of the certificates there along with the "BEGIN" and "END" lines (order: SSL, intermediate, root). There should be no blank lines.

You need to do almost the same with the private key - create a vashsite.key file and transfer the contents of the key downloaded from the vendor's website.

Place both files (vashsite.crt and vashsite.key) in the / etc / ssl / directory (it is used by default, but may differ).

In the configuration file, edit VirtualHost. Add:

server (
listen 443;
ssl on;

ssl_certificate /etc/ssl/vashsite.crt;
ssl_certificate_key /etc/ssl/vashsite.key;
server_name vashsite.com;

If the directory with the certificate and key is different from the default, change it.

Now save your changes and restart nginx.

How to get a working HTTPS connection

After installing SSL certificates, the site will be available at two addresses: http://vashsite.com and https://vashsite.com. You only need to leave the last one. To do this, set up a robots.txt file and make a 301 redirect from the old site.

In "robots" you need to update the host. Example: Host: https://vashsite.com. To set up a redirect, add the following lines to the .htacsess file:

RewriteCond% (SERVER_PORT)! ^ 443 $

RewriteRule ^ (. *) $ Https://vashsite.com/$1.

Now it remains to inform the search engines about the changes. In the "Webmaster" of "Yandex" add a page with https and specify it as the main one for the old site.

Outcome

We figured out what https is, how to install it on your website, and how to configure everything correctly. This protocol has already become a connection standard and over time all live sites will switch to it. This process is encouraged by search engines - having an established secure HTTPS connection protocol has become one of the ranking factors. Therefore, if you want to get to the top, you will have to install it.

Pleasant news of November 2016 for our dear customers and site users. Our online store does not stand still, regularly updating not only the range of product offers, but also expanding the functionality of the site, its safety for users and its significance in the global Internet system. So, on September 26, 2016, the online store site received an SSL certificate with extended verification, and from November 1, 2016, after testing and improving the algorithms of work, we connected payment systems to the site!

Now let's take a closer look at the need for these actions and what advantages do our precious clients get from this?

The main visual advantage that every client can notice is the ability to pay ONLINE with a bank card for any order from our online store and take it to a convenient address. As for the internal, hidden dignity of site updates - an SSL certificate is a special way to encrypt a site between the global Internet, a browser and a site user, in other words, this is that the site is now protected from the possibility of an attack and the seizure of your payment (and even contact) information by third parties. To obtain an SSL certificate, our site had to go through a check on the real existence of the organization, confirm the receipt and bind the certificate to the domain, and integrate the new secure site system into the site familiar to everyone. From now on, users of our site can be completely confident in the safety of using our convenient and modern site, make purchases and not be afraid of leaking their data to third parties.

By the way, we also do not stand still in expanding the possibilities of receiving our orders, and in the fall of 2016 we began to offer our customers the opportunity to receive orders by new delivery methods - the CDEK courier service and through inPost parcel terminals. Both services are present in many large cities of Russia, the cost of their services is very democratic, and the speed of work sometimes amazes even fans of expensive and high-quality courier services! We advise you to try new delivery methods, this will save you time and money, and will give you a pleasant experience of receiving the goods.

Our online store site is a modern, dynamically developing company, offering our customers the most modern and safe ways to pay and receive our orders. Stay tuned for the updates that are coming to be grandiose and global, both in expanding the range, and in providing more opportunities for our precious customers !!

Payment systems setup

Setting up payment systems largely depends on how the operator of the payment system provides communication with its terminals. As a rule, if city payment terminals are used, then a secure SSL connection is used and you need to enable and configure a WEB server for communication with SSL terminals as shown below. If websites on the Internet are used to make payments, then how often in such cases is it necessary to configure the http server for Carbon Billing. Before setting up Carbon Billing, be sure to check with your payment system operator for what kind of communication protocol it provides a connection to its payment terminals.
SSL WEB-server for payments has several parameters, the values \u200b\u200bof which are described below.

Enable SSL WEB server for payments - If the payment system operator works with payment terminals via SSL, then you need to enable exactly the SSL WEB-server.
IP address for HTTPS connection - address for connecting terminals or sites of payment systems for making a payment to a client in the Carbon Billing database.
Port for connection via HTTPS - port 1443 is used by default. If there is a need to change this port, specify ports higher than 1024 if possible.
Allowed Client Addresses for SSL WEB Server
Domain for server SSL certificate - indicate here your public domain or separately registered for the payment server on Carbon Billing domain. This option is optional and allows you to access the SSL-WEB-server by domain name instead of IP-address.
Require and Verify Client Certificate - Must be noted if you are setting up the cashier's web interface. If you are setting up work with a payment system, then check the need to check the client certificate with the payment system operator.
Create client certificate - A client certificate will be created, which will need to be provided to the payment system operator. The certificate with the .pfx suffix will be available on the server in the / var / lib / usrcert directory and will have a file name equal to the CN name you specified when creating the certificate. You can download the certificate file from the server using the winscp program.

In the case of setting up an HTTP WEB server for payments.

Enable HTTP server for payments - If the operator of the payment system works with payment terminals via an open http connection, then turn on the HTTP server.
IP address for HTTP connection - Web server address for connecting terminals or payment servers to it.
HTTP port - port 1444 is used by default. If it is necessary to change this port, specify ports higher than 1024 if possible.
Allowed client addresses for HTTP server - if not specified, then access will be open to everyone.

If you use the services of the payment system operators listed below on this tab, then enable the corresponding menu items. In the future, these flags will set the specific system settings required for each operator you use. If your carrier is not one of the listed below, then do not include any of them.

When setting up the Robokassa payment system, do not forget to specify the secret password required to establish a connection between the terminal and the server.

Severity of the subjectAltName parameter of ssl-certificates

When generating ssl certificates for a server, for example, for an https payment server, the subjectAltName extension is used. Historically, by default, this extension is marked as critical in the certificate, which can lead to problems when integrating billing with some payment systems.

The subjectAltName is not specified when generating client certificates.

The criticality of the parameter is canceled by the option in the local console "Server configuration - Additional settings - Settings for developers - Do not make SSL AltName parameter critical".

After enabling this option, all newly generated server certificates will be generated with the non-critical subjectAltName extension. The old certificate for the https payment server will have to be manually regenerated as follows:

1. Remount the section containing the config into rw (for this, the remote assistance mode must be enabled):

Mount -o rw, remount / mnt / bk_disc /

2. Open the /etc/ics/ics.conf file with the editor and comment out the line with MHTTPD_F_CERT.

3. Restart the https payment server:

/etc/init.d/mhttpd_F restart

Changing the certificate at the https payment server does not in any way affect the previously generated client certificates for cashiers or payment systems.

Configuring payment acceptance via http without encryption

If you need to accept payments from payment systems using the unprotected http protocol, you must make the following settings:

1) Turn on the http server to receive payments.

2) Specify the IP address on which the receiving of requests should work. This address must belong to one of the Carbon Billing interfaces:

Then specify the port on which the server will accept requests.

3) Make a list of IP addresses from which requests will be accepted. This is a very important step since http does not imply authorization of the payment system through a certificate:

By default, the protocols of the payment system Robokassa and Unikassa can work with HTTP. If it is necessary, for example, to accept requests for http via the OSMP protocol, then you must do the following:

1) Load the server in ud mode. helper and ssh as root.

2) Run the following commands:

Mount -o rw, remount / mnt / ro_disc chattr -i -R / var / www / fiscal / htdocs / http / cp / var /www/fiscal/htdocs/osmp.php / var / www / fiscal / htdocs / http / osmp.php chown mhttpd_F: mhttpd_F / var /www/fiscal/htdocs/http/osmp.php

You need to edit the line in the script:

Mcedit / var /www/fiscal/htdocs/http/osmp.php line: include "../include/class_page.php"; replace with: include "../../include/class_page.php";

Save the file and exit the editor.

After a soft restart, the module for accepting payments via the OSMP protocol will be available at http://1.1.1.1:1444/osmp.php from the IP address 2.2.2.2.