Overview of SSL
SSL is a protocol used to send traffic securely over the Internet. Traffic is encrypted using a key agreed between the server and client machines.
SSL provides several advantages:
•Server authentication
•Client authentication
•Encrypted data transfer
SSL can be used with almost any TCP/IP protocol, but is most commonly used to secure HTTP (Web) traffic, forming the HTTPS protocol.
Server Authentication
A server identifies itself for SSL communications using an “SSL certificate”. This certificate contains the name and location of the organization and its DNS name, and gives the client assurance that they are accessing the correct site.
An SSL certificate can be “self-signed” by the organization that owns it. However, without independent verification, the certificate is not automatically trusted by a client. To be trusted, the certificate must be signed by a recognized, independent Certificate Authority (CA) such as Symantec or Thawte. The organization sends a Certificate Signing Request (CSR) to the CA, which carries out thorough checks on the details in the certificate. Note that certificate authorities might charge for this service.
The CA might be responsible for checking that keys present in certificates it issues have been generated correctly and have sufficient cryptographic strength.
The client might try to find out whether the server certificate is revoked using the Online Certificate Status Protocol (OCSP). Using the TLS "status_request" extension, you can include this check inside the TLS handshake (known as “OCSP Stapling”), so that a separate connection from the client to an OCSP responder is not needed. To enable OCSP stapling, see Configuring OCSP.
What is OCSP?
OCSP is an Internet protocol used for obtaining the current validity of an SSL certificate at the point of use. It was created as an alternative to Certificate Revocation Lists (CRLs) (see CRLs in Client Authentication) to address some of the inherent shortcomings of that method, such as the limitation that updates must be frequently downloaded to keep the list current.
When users attempt to access a secure service, they send an HTTP request to an OCSP server (known as a Responder) for the certificate’s status information. This request is packaged in the form of an ASN.1 message, optionally signed with a certificate, and sent to the responder. In return, the responder sends back a response of "good," "revoked," or "unknown".
For further information on OCSP, see http://tools.ietf.org/html/rfc6960.
Client Authentication
In some cases, you might want to only allow certain approved people to access your service: for instance, a company Intranet or Extranet. To achieve this, you can require the client to provide an SSL certificate signed by a trusted certificate authority.
The Traffic Manager uses CRLs and OCSP to ensure the validity of these certificates.
CRLs in Client Authentication
Within the Traffic Manager your trusted certificate authorities are held in a catalog. Each certificate authority can distribute certificate revocation lists (CRLs), which are also held in this catalog. Certificates usually have a fixed validity period, such as 12 months, but sometimes a certificate is canceled before it expires. In this case the certificate authority adds it to a certificate revocation list, so that it will no longer be trusted.
OCSP in Client Authentication
You can use OCSP to check the current status of a client certificate. Unless the certificate is reported as being good, the SSL connection is terminated. To configure OCSP for your secure services, see Configuring OCSP.
Encrypted Data Transfer
After the server and the client are satisfied with each other's identity, they agree on an encryption key to use for data transfer. This is different from their identification keys for reasons of efficiency. Data is encrypted before transfer so that a third party cannot read it. In addition, SSL has reliability features that ensure that any disruption to the data stream is detected. These features give client and server confidence that their communication is private, and has not been corrupted.