
I have a Flask application (client) from which I need to send some data to a server (another Flask application as of now) and get some corresponding data. I need to use REST because the server can be anything later (the current Flask app is a dummy server for testing). I need to have an SSL connection between client and server. I see that SSL works in several steps:

  1. Client requests for an encrypted connection.
  2. Server responds with an SSL Certificate which will have a public key.
  3. Client verifies the SSL Certificate
  4. Client creates a private key
  5. Client encrypts the private key with the public key and sends it to the server.
  6. Server decrypts it and gets the private key.
  7. Thus an encrypted connection is established between client and server. Further exchange of data between client and server happens by encrypting the data with the private key.

This is what I am trying to achieve. Please correct me if I got the SSL concept wrong.

I have seen the below implementation and it works perfectly for me.

The client side uses requests.get() with verify=<path to server SSL certificate>. I have generated an SSL certificate for the server using openssl as follows.

openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365

But I don't think all the above 7 steps are being covered here. What is the actual way of implementing SSL? Any help would be appreciated.

Vipin Nagar
  • What exactly do you think is missing? Also, that list of steps is incorrect for TLS with forward security. – Ry- Mar 05 '18 at 06:07
  • In the above method of implementation, the client verifies the server's certificate for every REST call but I don't want to do this. I want to create an encrypted connection between client and server and then the further exchange of data should be encrypted. So, I think the initial creation of the encrypted connection between client and server is missing. Also, the private key generation from the client side is missing. I want to implement SSL and I think TLS is different from SSL. Correct me if I am wrong. – Vipin Nagar Mar 05 '18 at 07:14
  • TLS is the successor to SSL and is often referred to as “SSL”. You shouldn’t be using actual SSL (v2 and v3) because it’s insecure. As for keeping the connection open and reusing it – you do that with HTTP keep-alive. See https://stackoverflow.com/questions/25239650/python-requests-speed-up-using-keep-alive. *Secret* key generation isn’t missing either, it’s just abstracted far away from you, as it should be. You don’t need to know all the implementation details or refer to them in your program to use HTTPS. – Ry- Mar 05 '18 at 07:39
  • @EJP: Nobody mentioned session resumption. I linked to an answer explaining how to use HTTP keep-alive with the requests library. (What was mentioned – by me – was “keeping a connection open”, which session resumption is not, although it might be what the OP wants.) – Ry- Mar 05 '18 at 09:38

1 Answer

> 1. Client requests for an encrypted connection.

Correct.

> 2. Server responds with an SSL Certificate which will have a public key.

Correct.

> 3. Client verifies the SSL Certificate

Correct.

> 4. Client creates a private key

Incorrect. It is already far too late for this to occur.

> 5. Client encrypts the private key with the public key and sends it to the server.

Incorrect. There is no such step. See RFC 2246 and successors.

> 6. Server decrypts it and gets the private key.

Incorrect, ditto.

> 7. Thus an encrypted connection is established between client and server.

Incorrect, ditto.

> Further exchange of data between client and server happens by encrypting the data with the private key.

Incorrect, ditto. TLS works by (1) establishing trust via the server certificate and PKI; (2) optionally establishing trust via the client certificate; and (3) establishing a symmetric session key via a process of key negotiation, in which the actual session key is never transmitted.

> This is what I am trying to achieve.

No it isn't. You are trying to establish a TLS connection. What it does is really very little concern of yours.

> Please correct me if I got the SSL concept wrong.

You got it totally wrong.

> I have generated SSL certificate for server using openssl as follows.

No you haven't. You have created a Certificate Signing Request (CSR). This is useless until you get it signed by a Certificate Authority (CA). It isn't an SSL certificate.

> In the above method of implementation, client verifies the server's certificate for every REST call but I don't want to do this. I want to create an encrypted connection between client and server and then the further exchange of data should be encrypted. So, I think the initial creation of encrypted connection between client and server is missing. Also, the private key generation from client side is missing. I want to implement SSL and I think TLS is different from SSL. Correct me if I am wrong.

You are wrong. TLS supports session resumption, which allows for abbreviated handshakes, which eliminates the certificate exchange steps. The 'private key generation from client side' step is missing because it doesn't necessarily exist. You're guessing.

user207421
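
An added example (not code from the question, the comments or the answer): a standard-library demonstration that certificate verification happens once per TLS connection, so keeping the connection open lets several REST calls share one handshake, and that a client not given cert.pem refuses the server. It assumes the `openssl` CLI (1.1.1 or later, for `-addext`) is on PATH; `Handler`, `run_demo`, the subject, the IP SAN, and the shortened key size and lifetime are choices made for this demo.

```python
import http.client, http.server, os, ssl, subprocess, tempfile, threading

def make_self_signed(directory):
    # The question's openssl command, plus a subject and an IP SAN (both assumed here).
    cert, key = os.path.join(directory, "cert.pem"), os.path.join(directory, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-out", cert,
                    "-keyout", key, "-days", "1", "-subj", "/CN=demo",
                    "-addext", "subjectAltName=IP:127.0.0.1"], check=True, capture_output=True)
    return cert, key

class Handler(http.server.BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"      # lets the client keep the connection open
    peers = []                         # client source port seen by each request
    def do_GET(self):
        Handler.peers.append(self.client_address[1])
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

def run_demo(calls=3):
    Handler.peers.clear()
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed(tmp)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(cert, key)
        httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Handler)
        httpd.socket = server_ctx.wrap_socket(httpd.socket, server_side=True)
        threading.Thread(target=httpd.serve_forever, daemon=True).start()
        # Trust only this certificate: the stdlib analogue of requests' verify=cert.pem.
        pinned = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + hostname check
        pinned.load_verify_locations(cert)
        conn = http.client.HTTPSConnection(*httpd.server_address, context=pinned)
        for _ in range(calls):                              # one handshake, many calls
            conn.request("GET", "/")
            conn.getresponse().read()
        version = conn.sock.version()
        conn.close()
        # A client that was not given cert.pem must refuse the same server.
        stranger = http.client.HTTPSConnection(*httpd.server_address,
                                               context=ssl.create_default_context())
        try:
            stranger.request("GET", "/")
            rejected = False
        except ssl.SSLCertVerificationError:
            rejected = True
        httpd.shutdown()
        httpd.server_close()
    return len(set(Handler.peers)), version, rejected
```

`run_demo()` returns the number of distinct client connections the server saw, the negotiated protocol version, and whether the unpinned client rejected the certificate; with `requests`, a `requests.Session()` gives the same connection reuse.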