c-h-r-i-s-t-o-p-h asked:

What are the types of SSL certs?

What are the types of SSL certs and what are their functions / relationships? (i.e. intermediate certs, etc)
arnold

Trusted, ROOT
intermediate Root Signed and is thereby trusted
end user "reflects" the user/service. But the authenticity is based on the process the signing entity goes through to verify that the person applying for the certificate is who they say they are and represent what they say they represent.

I.e., a person presenting a State issued document is presumed to be who they say they are given it is a State issued document.  If a person presents a school ID, the school is somewhat similar to an intermediate, i.e. recognized by the State and thereby derives its credibility from the State.  If someone presents a school ID from a school you've never heard of, you will likely be more suspicious of whether the person is who they say they are.

As far as types, there are too many to enumerate, but can easily be found when searched.
Trusted, intermediate, subordinated.
Code, user, Web sites, etc.

The end result is the same: to convey that whoever presents is who/what/and comes from an entity represented in the certificate.
I agree with Mod_MarlEE, seems like a homework question.

TLS V1 standard: http://www.ietf.org/rfc/rfc2246.txt

Based on SSL V3. SSL was developed by Netscape; TLS is the RFC'ed public version of SSL.
c-h-r-i-s-t-o-p-h (ASKER)

Moderator - I'm troubleshooting an issue. Specifically, what would cause a server to fail to send a server hello in response to a client hello while using SSL but not TLSv1, SSLv2, or SSLv3...

All others - what are the relationships between the different types of certs? Do they interact together or do they serve different purposes?
Q: Do they interact together?
A: No

Q: do they serve different purposes?
A: No

All of the certs are used to identify the client and server in the communication.
It is similar in concept to using a "pass phrase" when a telephone call is made.
The Caller asks a question - the Recipient must respond correctly, then the Recipient asks a question, and the Caller must respond correctly.  That way, each side can have some level of trust that the "person" on the other end of the call is who they say they are...

Q: What's the difference between the different certs?
A: Consider the situation where multiple SSL certificate protocols are supported, each can have its own certificate.
HonorGod - If I understand you correctly, then each different SSL cert is responsible for a different protocol.

Therefore, is it safe to assume that if TLSv1.0, SSLv2, and SSLv3 function normally, but the server fails to send a "Server Hello" in response to the client's "Client Hello" via SSL... then the certs responsible for TLSv1.0, SSLv2, and SSLv3 might be installed correctly, while the cert responsible for SSL is not correctly installed?
Then what is the server?

What is the client?
Q: but the server fails to send a "Server Hello" in response to the client's "Client Hello" via SSL... then the certs responsible for TLSv1.0, SSLv2, and SSLv3 might be installed correctly, while the cert responsible for SSL is not correctly installed?

A: It is really hard to say exactly what is occurring without a trace.  Are we talking about an application program (as the client) sending the "Client Hello" message to the server?

As giltjr said, "what is the client"?  Is it an application, or a browser?
And what is the server?  Is it a web server, or an application, or an application server behind a web server?

If this is a troubleshooting issue, then you really should have one question.

Based on one of your responses in one of the other questions, there is not a whole lot you will be able to do.

Since you don't have the private key, you will not be able to run a sniffer program and truly see what is going on.

The server side has the key; they need to run the sniffer, and then using the private key they can decode the trace and see what is going on.
The server is a Citrix Access Gateway 2010. The client is Internet Explorer and/or Firefox running on end user laptops. The issue is reported via Internet Explorer more often than Firefox... this could be an inaccurate observation or browser settings related... more below.

The only consistency that I have found (via packet capture) is that each and every "failed" connection begins with a Client Hello sent over SSL. The server sends an ACK, but fails to send a Server Hello via SSL. 30 seconds pass. The client sends a Client Hello via SSLv2. The server then sends an ACK, followed by a Server Hello via SSLv3. Traffic then passes as normal. To the end user, the initial login page attempts to load for approximately 30 seconds... when the client attempts via SSLv2, the page instantly loads and their experience is normal.

The other scenario (where the user has a normal experience), the connection begins with a Client Hello sent over TLSv1.0. The server sends an ACK, followed by a Server Hello via TLSv1.0.

Communication is breaking down when the client attempts to negotiate via SSL. I am trying to understand why this might happen.

I disabled TLSv1.0 on my browsers and left SSLv3 enabled as an initial test. Thus far, I have not experienced any issues while doing so.


Why would this behavior occur? What can be done to further isolate the issue?
It is an internal server and I have access to any of the certs that are installed on it.
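
To isolate an issue like the one described in this thread, it helps to read the handshake format and offered version straight from the first bytes of each Client Hello in the capture. The Python sketch below is an added example, not part of the original thread; the function names are illustrative and the sample bytes are constructed, not taken from the asker's capture.

```python
import struct

# Wire version numbers and the protocol names they correspond to.
VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0",
            0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def name(v):
    return VERSIONS.get(v, "unknown(0x%04x)" % v)

def classify_client_hello(data):
    """Return (framing, record_version, offered_version), or None if the
    bytes do not start with a Client Hello in either framing."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 framing: 2-byte length with the high bit set, message
        # type 1 (CLIENT-HELLO), then the highest version offered.
        (ver,) = struct.unpack("!H", data[3:5])
        return ("sslv2-framed", None, name(ver))
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        # SSLv3/TLS record: type 22 (handshake), record version, length,
        # then handshake type 1, a 3-byte length and client_version.
        (rec_ver,) = struct.unpack("!H", data[1:3])
        (hello_ver,) = struct.unpack("!H", data[9:11])
        return ("tls-record", name(rec_ver), name(hello_ver))
    return None

def build_v2_hello(version):
    """Constructed sample: SSLv2-framed hello, one cipher spec, 16-byte challenge."""
    body = struct.pack("!BHHHH", 1, version, 3, 0, 16) + b"\x00\x00\x0a" + bytes(16)
    return struct.pack("!H", 0x8000 | len(body)) + body

def build_tls_hello(record_version, client_version):
    """Constructed sample: minimal SSLv3/TLS Client Hello without extensions."""
    body = (struct.pack("!H", client_version) + bytes(32)  # version, random
            + b"\x00"                                      # empty session id
            + b"\x00\x02\x00\x0a"                          # one cipher suite
            + b"\x01\x00")                                 # null compression
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + struct.pack("!HH", record_version, len(hs)) + hs

if __name__ == "__main__":
    for label, pkt in [("v2-framed, offers SSLv3", build_v2_hello(0x0300)),
                       ("TLS record, offers TLSv1.0", build_tls_hello(0x0301, 0x0301))]:
        print(label, "->", classify_client_hello(pkt))
```

An SSLv2-framed hello can still offer SSLv3 or TLSv1.0 as its highest version, so the framing and the offered version need to be read separately when comparing failed and successful connections.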
ASKER CERTIFIED SOLUTION
giltjr