Subject
- #TLS
Around 2020, with the discontinuation of support for TLS 1.1,
it became necessary to check older servers.
Maintaining TLS 1.1 could cause errors when communicating between cloud services such as AWS and Azure, or
errors during external API communication, such as payments, or potential problems depending on the browser version.
Tomcat
- Versions 6.x and below appear not to support TLS 1.2. It needs to be changed to TLS 1.2 through Java 7 or higher JRE.
Nginx
- Version 1.1.13 appears to support TLS 1.2.
The Principle of TLS
Client Hello: The client sends a connection request to the server. (Includes supported TLS versions and cipher suites)
Server Hello: The server sends the TLS version, cipher suite, and SSL certificate to be used, proving its reliability.
Key Exchange and Session Key Generation: The client and server generate a shared session key through a key exchange algorithm.
Completion Message: The client and server send completion messages encrypted with their respective keys.
Data Transmission: Data is encrypted using the session key and exchanged.
Termination: After data transmission is complete, session termination messages are exchanged, and session key information is deleted.
What's the difference between TLS 1.2 and 1.1?
TLS is a security protocol at the transmission stage and is the basis of HTTPS. It provides authentication, integrity, and encryption.
It is said that 1.2 is superior to 1.1 in terms of security and performance.
- 1.1 uses md5 and sha-1 hash algorithms.
- 1.1 may be exposed to BEAST, Man-in-the-middle, and Cipher Suite attacks.
* BEAST: An attacker intercepts an HTTPS connection to inject malicious content.
* Man-in-the-middle: An attacker intercepts communication to steal data.
- 1.2 uses the sha-256 algorithm. (A stronger security algorithm)
- 1.2 supports GCM (Galois/Counter Mode) cipher suites, performing encryption and authentication simultaneously, thus making it faster.
Cipher Suite
All necessary encryption mechanisms for clients and servers to exchange data, consisting of four parts.
1. Key Exchange Algorithm
- A method for securely exchanging a shared secret key. ex) RSA, Diffie-Hellman
2. Authentication Algorithm
- Verifies the trustworthiness of the server through a certificate. ex) RSA, etc. public key
3. Symmetric Encryption Algorithm
- A method to encrypt data during a session, and the client and server decrypt it with the same session key. ex) AES
4. Message Authentication Code
- Data integrity verification. ex) HMAC-SHA256
Cipher suites are represented by combining the above four elements.
Comments0