Contents

  - SSLChat Sample Application
  - Sample Certificates
  - Security Considerations
  - Install Certificates
  - Testing SSLChat

SSLChat Sample Application

The SSLChat sample application requires that a certificate signed for use as a server is installed and used by the server side of the communication.  Additionally, if mutual authentication is required and the client wants to present a certificate as its identity, a certificate must also be installed on the client system.  Finally, all certificates used in the chat transaction are signed by a Certificate Authority (CA).  The CAs that sign the certificates have a public certificate which must be a trusted root authority on both systems involved in the chat communication.

The text of Programming Server-Side Applications for Microsoft Windows 2000 includes some discussion of how to obtain certificates for use in your SSL code.  However, to simplify your use of the samples included with this book, three "test" certificates have been included on the CD: one each for client, server, and peer-to-peer authentication.


Sample Certificates

The sample certificates included on the CD-ROM are stored in the ".pfx" file format.  A .pfx file holds all of the certificate information as well as the matching private key.  Finally, the public key information for the signing CA is also included in the .pfx file.

You can install each certificate by using the "Certificates" snap-in for the MMC.  You can also double-click a ".pfx" file to launch the wizard that installs a certificate on your system.  Finally, you can use the SSLChat sample application to run the installation wizards for all three certificates.  Here are the certificate files included on the CD-ROM:

All .pfx files are encrypted using the hash of a password provided at the time the private key was exported.  To install the certificates, you will need to provide the password needed to decrypt the .pfx file.  The password for each .pfx file included on this CD-ROM is as follows:  ProgServ


Security Considerations

For an installed certificate to be useful, you must also allow the installation wizard to add the certificate's signing CA to your trusted root authorities.  However, idly adding a CA to your root authorities can be dangerous.  Any CA in your root store effectively has the right to create server and client certificates that will be trusted by your system.

All of the certificates included on the sample CD-ROM were created and signed by the following CA:  Programming Server-Side Applications Test CA.  In general, once this CA has been added to your root authorities, any certificate that it creates will be trusted by your system.  The CA that created these certificates (and its private key) has since been deleted.  However, this does not guarantee that the private key of the CA cannot be derived from the public key using brute-force methods.

Normally, brute-force methods are unreasonable because of the relatively short lifespan of certificates (including root certificates).  However, the certificates in this book have a lifespan of 19 years, and the certificate for the Programming Server-Side Applications Test CA has a lifespan of 20 years.  The certificate for the sample root CA does not expire until the year 2020!


To ensure that no malicious activity results from the security risks of using these test certificates, here are the steps you should take.

  1. Install and use these test certificates on an isolated system, or an isolated domain used for testing.  This way, any harm done is not detrimental to sensitive data on your systems.  Or…
  2. Only allow the certificate for the Programming Server-Side Applications Test CA to remain in your system's trusted root CAs for the duration of your testing.  During this time, do not browse the web.


If your system contains sensitive data, or it is networked with systems that contain sensitive data, you should not browse the general Internet while the certificate for the Programming Server-Side Applications Test CA is included in your system's trusted root CAs!
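A way to verify that the test CA is gone from the root stores once testing is finished, and to remove it if it is still present.  This is an added PowerShell script, not part of the SSLChat sample or the book's CD; it assumes the CA's subject name is the one stated above and that the wizard imported it into either the current-user or the machine-wide Root store.

```powershell
# Added example (not part of the SSLChat sample). Save as e.g. Check-TestCA.ps1.
# Lists the Programming Server-Side Applications Test CA in the trusted root
# stores and, when -Remove is given, deletes it so it no longer vouches for
# TestServer, TestClient and TestPeerToPeer (or anything else it signed).
param(
    # Subject name from the README; adjust if your copy of the CA differs.
    [string]$CaName = 'Programming Server-Side Applications Test CA',
    [switch]$Remove
)

# The import wizard may have put the CA in either root store.
$rootStores = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'

$found = foreach ($store in $rootStores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like "*CN=$CaName*" } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter   # the README's 2020 expiry shows here
                PSPath     = $_.PSPath
            }
        }
}

if (-not $found) {
    Write-Host "'$CaName' is not trusted as a root CA on this system."
    return
}

# Show what is still trusted and until when.
$found | Format-Table Store, Thumbprint, NotAfter -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # Deleting from LocalMachine\Root requires an elevated session.
        Remove-Item -Path $cert.PSPath -Confirm:$false
        Write-Host "Removed $($cert.Thumbprint) from $($cert.Store)"
    }
}
else {
    Write-Host "Re-run with -Remove once you have finished testing SSLChat."
}
```

Run it without parameters to audit, and with -Remove (from an elevated prompt for the machine store) to revoke the trust the installation wizard granted.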


Install Certificates

Install the client certificate now.

Install the server certificate now.

Install the peer-to-peer certificate now.


Testing SSLChat

The instructions below briefly describe one way to set up and test the SSLChat sample.  You need two networked computers that support TCP/IP.


  1. On the server computer, start SSLChat and select the following options:
     a. Select the Server option.
     b. From the Select Certificate From Personal Store drop-down list, select TestServer or TestPeerToPeer.
  2. Click the Connect button.  The server is now waiting for a client to connect.
  3. On the client computer, start SSLChat and select the following options:
     a. Select the Client option.
     b. In the Connect To box, identify the server computer.  This can be an Internet address (www.northwind.microsoft.com), an IP address (xxx.xxx.xxx.xxx), or a server name (SERVER1).
     c. From the Select Certificate From Personal Store drop-down list, select TestClient or TestPeerToPeer.
     d. In the Server Certificate Name box, type the server's certificate name ("TestServer" for example).
  4. Click the Connect button.
  5. At this point, you should have a connection and you can use the chat box to send text between the client and server.