?? ssl-talk-faq.txt
字號:
From: Christopher Allen <ChristopherA@consensus.com>
Subject: [SSL-Talk List FAQ] Secure Sockets Layer Discussion List FAQ v1.0.1
Date: Wed Sep 18 12:00:00 PDT 1996
Followup-To: poster
Approved: news-answers-request@MIT.EDU
Organization: Consensus Development Corporation, Berkeley, CA, US <http://www.consensus.com/>
Newsgroups: alt.security,comp.security.misc,comp.protocols,sci.crypt,comp.infosystems.www.misc,alt.answers,comp.answers,news.answers,sci.answers
Distribution: world
Lines: 1281
X-Last-Updated: 1996/09/18
Summary: This document is a summary of FAQ (Frequently Asked
Questions) found on the SSL-Talk discussion list regarding technical
implemenation issues of the Secure Sockets Layer protocol, a
transport level security protocol used for securing web servers and
clients (such as Netscape Navigator) and other internet
applications.
Content-type: text/x-usenet-FAQ;
version=1.0.1;
title="[SSL-Talk List FAQ] Secure Sockets Layer Discussion List FAQ v1.0.1"
Archive-name: computer-security/ssl-talk-faq
Posting-Frequency: monthly
Last-modified: Wed Sep 18 12:00:00 PDT 1996
Version: 1.0.1 (text) Wed Sep 18 12:00:00 PDT 1996
URL: http://www.consensus.com/security/ssl-talk-faq.html
Copyright-Notice: (c) Copyright 1996 by Consensus Development Corporation -- All Rights Reserved
SSL-Talk FAQ
Secure Sockets Layer Discussion List FAQ v1.0.1
Wed Sep 18 12:00:00 PDT 1996
FAQ Maintained by:
Christopher Allen <Christopher@consensus.com>
Consensus Development Corporation
<http://www.consensus.com/>
The latest edition of this FAQ can always be found at:
<http://www.consensus.com/security/ssl-talk-faq.html>
<http://www.consensus.com/security/ssl-talk-faq.txt>
<ftp://ftp.consensus.com/pub/security/ssl-talk-faq.txt>
(c) 1996 Consensus Development Corporation - All Rights Reserved
All information contained in this work is provided "as is." All
warranties, expressed, implied or statutory, concerning the accuracy
of the information of the suitability for any particular use are
hereby specifically disclaimed. While every effort has been taken to
ensure the accuracy of the information contained in this work,
the authors assume(s) no responsibility for errors or omissions, or
for damages resulting from the use of the information contained
herein.
This work may be copied in any printed or electronic form for
non-commercial, personal, or educational purposes if the work is not
modified in any way, that the copyright notice, the notices of any
other author included in this work, and this copyright agreement
appear on all copies.
Consensus Development Corporation also grants permission to
distribute this work in electronic form over computer networks for
other purposes, provided that, in addition to the terms and
restrictions set forth above, Consensus Development Corporation
and/or other cited authors are notified and that no fees are charged
for access to the information in excess of normal online charges
that are required for such distribution.
This work may also be mentioned, cited, referred to or described
(but not copied or distributed, except as authorized above) in
printed publications, on-line services, other electronic
communications media, and otherwise, provided that Consensus
Development Corporation and any other cited author recieves
appropriate attribution.
Comments about, suggestions about or corrections to this document
are welcomed. If you would like to ask us to change this document
in some way, the method we appreciate most is for you to actually
make the desired modifications to a copy of the posting, and then to
send us the modified document, or a context diff between the posted
version and your modified version (if you do the latter, make sure
to include in your mail the "Version:" line from the posted
version). Submitting changes in this way makes dealing with them
easier for us and helps to avoid misunderstandings about what you
are suggesting.
Many people have in the past provided feedback and corrections; we
thank them for their input.
In particular, many thanks to:
Tim Dierks <TimD@consensus.com>
Charles Neerdaels <chuckn@netscape.com>
Eric Greenberg <ericg@netscape.com>
Tom Weinstein <tomw@netscape.com>
Jonathan Zamick <JonathanZ@consensus.com>
Remaining ambiguities, errors, and difficult-to-read passages are
not their fault. :)
------------------------------
CONTENTS
1) THE SSL-TALK LIST
2) GENERAL SSL QUESTIONS
3) USING PROXIES, GATEWAYS AND FIREWALLS WITH SSL
4) SSL PROTOCOL QUESTIONS
5) CERTIFICATE RELATED QUESTIONS
6) SSL IMPLEMENTATION QUESTIONS
6.1) NETSCAPE QUESTIONS
6.2) MICROSOFT QUESTIONS
7) SSL TOOLKIT QUESTIONS
7.1) SSLREF QUESTIONS
7.2) SSL PLUS QUESTIONS
7.3) SSLEAY QUESTIONS
------------------------------
1) THE SSL-TALK LIST
This section contains information about the SSL-Talk list.
1.1) What is the SSL-Talk List?
The SSL-Talk List is an email list intended for discussion of the
technical points of the SSL protocol and its implementation.
1.2) What is SSL?
SSL is the Secure Sockets Layer protocol. Version 2.0 originated by
Netscape Development Corporation, and version 3.0 was designed with
public review and input from industry, and is defined at
<http://home.netscape.com/eng/ssl3/index.html>
1.3) How do I subscribe to SSL-Talk?
Send mail to the email address <ssl-talk-request@netscape.com>
with the *subject* being the single word SUBSCRIBE. You need not
put any text in the body of your message.
Please do not send requests to the SSL-Talk list.
1.4) Once I am subscribed, how to I send mail to SSL-Talk?
Any mail addressed to <ssl-talk@netscape.com> will be sent to *all*
members of the SSL-Talk mailing list.
1.5) How do I unsubscribe from SSL-Talk?
To remove your name from the ssl-talk list send mail to the address
<ssl-talk-request@netscape.com> with the *subject* being the single
word UNSUBSCRIBE. You need not put any text in the body of your
message.
Please do not send requests to the SSL-Talk list.
1.6) I've tried unsubscribing several times from SSL-Talk but it doesn't
seem to work -- what can I do?
The most common problem is that you are attempting to unsubscribe
using an email address different than that with which you subscribed
Check with your mail administrator and make sure that you don't have
an alias or ".forward" file sending mail to you from another
address.
Another common problem is that the subdomain of your mailer has
changed, for example, "mail.consensus.com" has been renamed
"server.consensus.com".
In either case, sending mail with the "From:" line matching the
account you subscribed with should unsubscribe you from the list.
If this still doesn't work, send mail to <sslref@netscape.com>
describing your problems unsubscribing, what email addresses you
think you may have subscribed with, and if you think you may have a
different mail address subscribed.
Please don't send mail to the general SSL-Talk list to unsubscribe;
it will only frustrate you and the rest of the recipients.
1.7) Where is SSL-Talk archived?
There is a hypertext archive of the list at
<http://coho.stanford.edu/~hassan/hymail/ssl/current/>
In some cases we have found that this archive occasionally is
missing some messages -- if you know of any alternative archive
sites, please let us know.
We are not aware of any text archives of the list.
------------------------------
2) GENERAL SSL QUESTIONS
This section contains general information on SSL and the SSL
protocol.
2.1) What is the current version of the SSL protocol?
The previous version of SSL, version 2.0 is documented at
<http://home.netscape.com/newsref/std/SSL_old.html>
The current version is 3.0, as documented at
<http://home.netscape.com/eng/ssl3/index.html>
Errata to the SSL 3.0 Specification is periodically posted on
the SSL discussion list, and is available at
<http://home.netscape.com/eng/ssl3/ssl-errata.html>
2.2) Where can I get a "management overview" of SSL and web security?
There is a brief overview and FAQ on Netscape security called
"On Internet Security", available at
<http://home.netscape.com/info/security-doc.html>
There is a brief introduction on how Netscape uses public key
cryptography in the SSL protocol called "Using Public Key
Cryptography" at
<http://home.netscape.com/newsref/ref/rsa.html>
An overview on certificates and VeriSign's Digital IDs is at
<http://digitalid.verisign.com/crp_intr.htm>.
2.3) Where can I get a more in-depth look at SSL and web security?
The online version of the technical specifications for the SSL 3.0
protocol is at
<http://home.netscape.com/eng/ssl3/ssl-toc.html>
A PostScript version is also available at
<http://home.netscape.com/eng/ssl3/index.html>
A FAQ for SSLeay, a freeware implementation of the SSL 2.0 protocol
is available at
<http://www.psy.uq.oz.au/~ftp/Crypto/>
A rather broad list of public key related documents, with a focus on
certificates and standards can be found at
<http://www.zoo.net/~marcnarc/PKI/References.htm>
2.4) What software supports SSL 2.0 and SSL 3.0?
WebCompare offers a list of security features supported by over 100
different servers and clients at
<http://webcompare.iworld.com/compare/security.shtml>
Currently it is not very accurate. If you know of changes please
contact David Strom <david@strom.com>.
2.5) I'm confused by all the different laws that different countries
have on export and import of cryptographic applications. Is there
one place I can go to find out?
There is an impressive "International Law Crypto Survey" of
cryptographic laws and regulations throughout the world at
<http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm>
RSA Data Security, Inc. offers an Acrobat version of their
"Frequently Asked Questions: Export" at
<http://www.rsa.com/PUBS/exp_faq.pdf>
Other information on US export issues can be found at
the Electronic Frontier Foundation's web site at
<http://www.eff.org/>
------------------------------
3) USING PROXIES, GATEWAYS AND FIREWALLS WITH SSL
This section contains information on how the SSL protocol interacts
with proxy servers, security gateways, and firewalls.
3.1) What exactly is the meaning of "proxy" mentioned in the
Netscape Navigator "Network Preferences" menus?
A proxy server is a computer program that resides on your firewall
and acts as a conduit between your computer and the broader
Internet. In addition to acting as network guardian and logging
traffic, a proxy server can also provide an enterprise cache for
files as well as replication and site-filtering services.
Any application which needs to communicate through a proxy has to
negotiate with the proxy first before continuing through the
firewall. Netscape Navigator works with many different types of
proxies (such as the CERN proxy server and their own Netscape Proxy
Server) and gateways that use the SOCKS protocol.
One problem with SSL-based traffic is that it does not work with
caching and replication with proxy servers. For a proxy server to
support SSL it must either support SOCKS, or use a special SSL
Tunneling protocol. The Netscape Proxy Server supports both
SOCKS and the SSL Tunnneling protocol.
3.2) How does SSL work through (application level) firewalls,
gateways and proxy servers?
SSL was specifically designed for security between client and
server and to avoid any kind of 3-way man-in-the-middle attack.
Thus SSL cannot be proxied through traditional application level
firewalls (such as the CERN proxy server) as SSL considers these
proxy servers as such a middle-man.
The simplest solution to this is to use a packet filtering firewall.
You set it up to open up a reserved and trusted port for the
SSL+HTTP or SSL+NNTP services (443 or 563 respectively) allowing all
traffic on those ports to be passed through unrestricted. The risk
?? 快捷鍵說明
復制代碼
Ctrl + C
搜索代碼
Ctrl + F
全屏模式
F11
切換主題
Ctrl + Shift + D
顯示快捷鍵
?
增大字號
Ctrl + =
減小字號
Ctrl + -