First are the basic limitations of the SSL protocol itself. These are a consequence of the design of SSL and its intended application. The SSL protocol also inherits some weaknesses from the tools it uses, namely encryption and

SSL & TLS Essentials: Securing the Web, SSL Operation, pages 54-55

Step  Action
3     Server sends its public key certificate in Certificate message.
4     Server concludes its part of the negotiation with ServerHelloDone message.
5     Client sends session key information (encrypted with server's public key) in ClientKeyExchange message.
6     Client sends ChangeCipherSpec message to activate the negotiated options for all future messages it will send.
7     Client sends Finished message to let the server check the newly activated options.
8     Server sends ChangeCipherSpec message to activate the negotiated options for all future messages it will send.
9     Server sends Finished message to let the client check the newly activated options.

[Figure 3-5: Two SSL messages authenticate a server's identity. Message flow between Client and Server: ClientHello, ServerHello, Certificate, ServerHelloDone, ClientKeyExchange, ChangeCipherSpec, Finished, ChangeCipherSpec, Finished.]

3.5.1 Certificate

When authenticating its identity, the server sends a Certificate message instead of the ServerKeyExchange message section 3.3.3 described. The Certificate message simply contains a certificate chain that begins with the server's public key certificate and ends with the certificate authority's root certificate. The client has the responsibility to make sure it can trust the certificate it receives from the server. That responsibility includes verifying the certificate signatures, validity times, and revocation status. It also means ensuring that the certificate authority is one that the client trusts. Typically, clients make this determination by knowing the public key of trusted certificate authorities in advance, through some trusted means.
Netscape and Microsoft, for example, preload their browser software with public keys for well-known certificate authorities. Web servers that want to rely on this trust mechanism can only obtain their certificates (at least indirectly) from one of these well-known authorities. One additional detail in the certificate
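
The Certificate message described in section 3.5.1, as an added example that is not from the book: a Python parser that splits the handshake message into its certificate chain and checks every length field against the bytes actually received. It assumes the record-layer header has already been removed; the function names are this example's own and the sample certificates are constructed placeholder bytes, not real DER.

```python
# Added example; all names below are this example's own (hypothetical).
HANDSHAKE_CERTIFICATE = 11  # handshake message type of Certificate


def read_u24(buf, off):
    """Read a 3-byte big-endian length without reading past the buffer."""
    if off + 3 > len(buf):
        raise ValueError("truncated length field")
    return int.from_bytes(buf[off:off + 3], "big"), off + 3


def parse_certificate_message(msg):
    """Return the chain in wire order (server certificate first)."""
    if not msg or msg[0] != HANDSHAKE_CERTIFICATE:
        raise ValueError("not a Certificate message")
    body_len, off = read_u24(msg, 1)
    if body_len != len(msg) - off:
        raise ValueError("handshake length does not match message size")
    chain_len, off = read_u24(msg, off)
    if chain_len != len(msg) - off:
        raise ValueError("chain length does not match message body")
    chain = []
    while off < len(msg):
        cert_len, off = read_u24(msg, off)
        # A length that overruns the message must never be trusted.
        if cert_len == 0 or off + cert_len > len(msg):
            raise ValueError("certificate length out of bounds")
        chain.append(msg[off:off + cert_len])
        off += cert_len
    if not chain:
        raise ValueError("empty certificate chain")
    return chain


def build_certificate_message(certs):
    """Sample-data helper: frame opaque blobs as a Certificate message."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(entries).to_bytes(3, "big") + entries
    return bytes([HANDSHAKE_CERTIFICATE]) + len(body).to_bytes(3, "big") + body


# Constructed stand-ins for DER certificates (not real certificates).
SAMPLE_CHAIN = [b"SERVER-CERT", b"INTERMEDIATE-CA", b"ROOT-CA"]
SAMPLE_MSG = build_certificate_message(SAMPLE_CHAIN)

if __name__ == "__main__":
    for index, cert in enumerate(parse_certificate_message(SAMPLE_MSG)):
        print(index, len(cert), cert)
```

Splitting the chain is only the first step: the signature, validity-time, revocation and trusted-authority checks listed above still have to be run on each certificate it returns.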