Clarification Needed on SSL/TLS Certificate Verification Process

precious

Well-known member
Apr 22, 2024
Hello everyone,

I hope you’re all doing well! I wanted to share a recent teaching experience related to SSL/TLS certificate verification and seek your insights on a particular point of confusion that came up in class.

During a session on secure communications, I had my students test the SSL/TLS configuration of a web server using OpenSSL. We used the following command to retrieve and display the certificate details:

openssl s_client -connect 192.168.100.30:443 -showcerts

This command successfully connected to the server and displayed the server’s certificate chain. However, one student asked about the process of verifying whether the certificate is valid and trusted, particularly regarding the role of Certificate Authorities (CAs).

To clarify, I explained that the verification process involves checking several factors, including:
  1. Whether the certificate is signed by a trusted CA.
  2. The certificate’s expiration date.
  3. The certificate's revocation status, often checked through OCSP (Online Certificate Status Protocol).

However, I realized I could provide more depth on how to perform these checks effectively. For example, we can check the certificate expiration date using:

openssl x509 -in certificate.crt -noout -dates

I’d love to hear your suggestions on the following:
  1. How can I effectively demonstrate the entire SSL/TLS verification process in class, including checking the certificate’s revocation status?
  2. Are there any additional tools or techniques you recommend for teaching about certificate verification and the role of CAs in ensuring secure communications?

Thank you for your insights!
 
You’re absolutely right, @Gregory Childers. While SSL was deprecated in 2015, it’s still commonly referenced due to legacy systems, brand recognition, and its interchangeability with TLS in everyday usage. Since TLS evolved from SSL, many continue to use "SSL" as a blanket term, even though TLS is the correct and more secure protocol.
 
SSL they say because people are familiar with that term, but I agree we should just call it TLS 1.3 on everything instead of saying it is SSL when it is not. I inform my classes about those kinds of things.

For Precious, maybe we could link up and go through some commands some time or something. I would like to show more using the command prompt to verify those kinds of things.
 
  • Like
Reactions: Tess Sluijter
I tell my classes that SSL was deprecated in June 2015, but they may still find references to it.
 
  • Like
Reactions: Fanuel and Eugene
Thanks for the suggestion @Eugene! I think creating a step-by-step guide or even recording a video on using the command prompt for OpenSSL and TLS certificate verification would be a great way to help everyone learn more effectively. It would cover verifying certificates, checking protocol versions, and ensuring secure connections. We could collaborate on this, or you/I can put together a draft and we can refine it together. Let me know what you think!
 
  • Like
Reactions: Eugene

I think it could be a great idea. I was looking for a particular video I watched so I could share it, but I will have to hunt for it.
 
  • Like
Reactions: precious
That sounds great, @Eugene! If you find the video, definitely share it with me—I'd love to check it out for reference. In the meantime, I can start drafting the step-by-step guide and include some examples for using OpenSSL in the command prompt to verify certificates and protocols. Once I have a draft, we can go over it together and refine it. We can also brainstorm on how best to format the guide or video for everyone. Looking forward to collaborating on this.
 

Sounds good to me. :cool:
 
  • Love
Reactions: precious
I'd suggest taking a look at some of the larger CAs' OCSP capabilities and responders.

See this excellent tech note on OCSP from Microsoft.
 
  • Love
Reactions: precious
It's a shame I made it as work-for-hire for a past client, because I once made a 3h workshop about understanding and troubleshooting TLS. It included everything you're asking for and more.

But... since it was work-for-hire, the IP lies with the customer. I'd have to completely recreate it, which I just don't have time for.
 
  • Love
Reactions: precious
Ooh, I understand the situation. If you have any key points or topics you think would be valuable to include, I can start drafting something based on that. Your insights would be greatly appreciated.
 
How can I effectively demonstrate the entire SSL/TLS verification process in class, including checking the certificate’s revocation status?

Are there any additional tools or techniques you recommend for teaching about certificate verification and the role of CAs in ensuring secure communications?
Definitely look into using Wireshark. In my workshop, I've used it to demonstrate both the TLS 1.2 and TLS 1.3 handshakes.

It's also a fun tool to perform debugging on intentionally broken TLS setups. That's what I've done for that workshop: create containerized mini applications which intentionally have a broken TLS implementation for the students to debug.
 
  • Like
Reactions: precious
Thank you so much for your suggestion! Wireshark looks like a great tool for demonstrating the process behind the TLS handshakes. I also find it entertaining to think about employing containerized mini applications for debugging purposes; that seems like a great way to practice. I will incorporate it.
 
  • Like
Reactions: Tess Sluijter