Article Directory
Foreword
Performance status prior to the state of mind, habits prior to determination, focus first on preferences.
rfc2818
Official documents address https://www.rfc-editor.org/rfc/pdfrfc/rfc2818.txt.pdf
https:
The current practice is that by TLS layer over HTTP layer
using different ports to provide security services, https protocol uses port 443.
In the practice of history, SSL protocol require the use of special namespace can distinguish between HTTP or HTTPS, such as
80 for HTTP port, https port 443, a similar, snews and ftps adopted a similar strategy.
Traditionally, the server returns 2XX return code indicates that the connection has been established.
3xx redirects
Details of HTTP Over TLS
Client behavior:
Initiation Connection
· as an HTTP client must also be as TLS client, when the client completes the TLS handshake,
the use of TLS "application data" for the first HTTP request
The Closure Connection
· close a HTTP connection before, TLS must initiate a closure alerts
The client must be ahead of the arrival of closed information identified as an error message, because the message may attacker from a false identity.
The client found at the end of a not finished, need an elegant return to normal.
The client should send a closure alert at close before connecting, of course, the client is possible before the end of the closed message service does not receive a simple close the connection.
The server behavior
RFC 2616 allows the client to close the connection at any time, which requires that the server be elegant recovery services. In particular, the server needs to be prepared to accept an incomplete close the message from the client, because often the client to decide when service data is completed. In this scenario, the server more inclined to re-start a TLS session.
The port number
HTTP server expects to receive a first request from a client-Line Production is the Request.
The TLS server desirable that the first message is received in the ClientHello.
Therefore, time is generally used to distinguish the separate port for HTTP / TLS protocol.
when HTTP / TLS protocol is used for a TCP / IP connection, the default port number is 443. the
HTTP / TLS not prevent the use of a different port number .TLS just assume a data flow may depend on the native connection.
URI formality
HTTP / TLS Unlike HTTP URIs, the former uses 'https', which uses the 'http'
Endpoint Identification endpoint definition
hostname: domain name
Server Identity server Identity
In general, HTTP / TLS requests are through a URI generate a result, hostname server is the client knows. If the hostname can be accessed, the server must check whether he meets the definition of the server certificate information, do so in order to prevent middle attack.
Of course, if the client has other ways to authenticate the identity of the server, hostname check this step can be omitted. In this case, in order to prevent the middleman attack, the certificate should be limited as much as possible of the available range. Under special circumstances, may allow the client simply ignore the server authentication is appropriate, but it must be noted that to do so will be connected to active attack.
If the extension subject name DNS name is used, also need to be verified. Otherwise, you should use the certificate subject of the most commonly used name. Despite the presence management using a common name, this approach is still strong opposition, should be used to carry out the certificate DNSNAME certification, which is to be encouraged.
There is a corresponding matching rules, I do not know if the certificate provides a type (more than one dNSNAME, should be qualified can be accepted). * Wildcard name may exist, such as .a.com contain foo.a.com but not contains bar.foo.a.com . another example f .com contain foo.com but does not include bar.com .
In some cases, the URI using the IP address, hostname instead of (domain), in this case, ip subjectAltName address must be included in the certificate, and the precise match of the URI IP.
If the hostname does not match the definition in the certificate, user-oriented client must warn the user (the user can continue browsing or abandon) or use a certificate error pause connection automated client must for error logging, so that in the late inspection, and also need to pause connection (with certificate error as the cause).
automated client may be configured to provide a certificate without having to check, but must provide a scene allows this configuration.
It should be noted that very often URI itself from untrusted sources. The above description of the source does not meet the standards of URI provides protection from attacks.
For example, URI was obtained by clicking on the HTML page, and the HTML page does not use HTTP / TLS, this time could be the middleman replacement URI.
to prevent such attacks, users need to carefully examine the certificate provided by the server to determine whether the certificate meets their expectations.
Client Identity Client Identity
In general, the server does not know the identity of the client should be detected, the server detects the client is not possible. If the server through some channels to know the client needs to be detected (for example, via HTTP or TLS), which the same process customer orders and check the server.