Overview

Create a certificate for a website, configure a web server to use HTTPS and study SSL by capturing packets.

Updates

New information/hints added since the original instructions:

• 2015-05-06 9am: If you have already submitted a CSR and received a PEM, and then try to submit a new CSR, it will be ignored. If you really want to submit a new CSR then create a file called "new-cert-please.txt" in your public_html/private directory (the contents of the file don't matter), which will trigger the old certificate to be ignored, and the new CSR will be processed. Note that your new CSR MUST be for a different domain. (You cannot get a new certificate for a domain that already has a certificate issued).
• 2015-05-06 9am: When you capture, make sure you start the capture BEFORE starting your browser (lynx) on the client. In that way you should capture the first full SSL handshake. Look for the full SSL handshake in the capture, i.e. at the start. Subsequent requests from your browser to server may use a shortened SSL handshake, and if you use that shortened handshake you cannot answer all the questions.
• 2015-05-06 9am: When you run the "openssl s_client ..." command, an error about self-signed certificate may be reported. This is not an error, but just a message from OpenSSL about the certificate chain. We expect the CA to have a self-signed certificate.

Tasks

1. Using virtnet, create a virtual network with client (browser), router and server
2. Setup a demo website on the server
3. Create a Certificate Signing Request and send to the Certificate Authority (CA)
4. Setup the web server to support HTTPS
5. Test the website and study SSL

Detailed instructions for most of the tasks are here. Note that the instructions refer to an ID - you should replace it with your actual student ID. You do not need to setup the CA - I will act as the CA. See below for how to get a certificate from the CA. The instructions refer to www.myuni.edu - you will use a different domain name.

Obtaining a Certificate

To obtain a certificate you need to first create a Certificate Signing Request. See the OpenSSL commands in the instructions - they can be run either on ICT server or on node3 in your virtual network. It is important to set the correct values in your CSR:

• Country Name: TH
• State or Province: Pathumthani
• Locality: Bangkadi
• Organisation: SIIT
• Unit: your name
• Common Name: your chosen domain
• Email Address: your email address
• A challenge password: (nothing, just press enter)
• Optionaly company: (nothing, just press enter)

The Common Name is important: it must exactly match the domain you will use for the website. Since your web site is in a virtual network, you may choose any domain you wish, as long as it is unique amongst all IT and CS students. (Since you don't know what other students choose, I suggest using your name in the domain, e.g. www.steve.com. Please do not use someone else's name).

To send to the CA, but the CSR file in your directory on ICT server. For example, if your ID is 5012345678:

/home/students/u5012345678/public_html/private/cert-myuni-5012345678.csr

After several minutes, the CA will copy your CSR and generate a certificate. If successful, the certificate will be created in the file:

/home/students/u5012345678/public_html/private/cert-myuni-5012345678.pem

If unsuccessful, then there will be an error message placed in:

/home/students/u5012345678/public_html/private/error-5012345678.txt

or a similar named file.

Once you have the certificate you can copy-and-paste the contents to a file on your nodes in the virtual network. This is easy as it is stored as a simple text file.

Configuring the Web Server for HTTPS

See the instructions for deploying the fake www.myuni.edu website. You should use this website, however you must change the domain. The instructions refer to www.myuni.edu - replace this with your chosen domain. You only need to make changes to the domain in the /etc/hosts file in all nodes and in the /etc/apache2/sites-available/default-ssl file on node3.

To setup HTTPS you will need the CA's certificate: download (right click and "Save link as", otherwise the certificate may be loaded into your browser)

Testing your Website

You must capture packets on the router (node2) and then using the browser (e.g. lynx) on node1, visit the website using HTTPS. You should "login" to the website (e.g. using "5000000000" and "student" as username and password). Copy the capture file to your host computer and view the captured packets in Wireshark. You can filter for ssl to see the HTTPS packets. Study how SSL works. Can you see the username/password sent by the browser?

Submission

Your Certificate Signing Request and Certificate will be automatically copied you when put them on the ICT server. You must also submit the following:

1. answers-ID.txt, based on this template, and including answers to the questions/values in the file. Some notes on the answers:
   • Replace the placeholders such as <integer> with the correct value.
   • Use the exact same format as the template; don't add any other lines.
   • Section on AlgorithmParameters is for CSS322 students only (ITS335 students did not study this, but may answer if they wish).
   • Section on Performance asks for SSLHandshakeResponseTime. That is the time from when the first SSL handshake message is sent until the last one is sent/received. HTTPResponseTime is the time from when the first HTTP message is sent until the last one is sent/received. Give your answer in milliseconds.
   • Section on SSLMessageExchange requires you to draw a message exchange diagram for the SSL messages. I have provided the first time messages in the template. You need to draw the remaining messages.
2. https-ID.cap, a tcpdump capture on the router of at least one HTTPS exchange (i.e. HTTP request and response plus all SSL messages). The capture file you submit should be the file that you used to obtain answers.