Transport Layer Security Interview Questions & Answers

  1. Question 1. Why Does Mod Ssl Stop With The Error “failed To Generate Temporary 512 Bit Rsa Private Key” When I Start Apache?

    Answer :

    Cryptographic software needs a source of unpredictable data to work correctly. Many open source operating systems provide a “randomness device” that serves this purpose (usually named /dev/random). On other systems, applications have to seed the OpenSSL Pseudo Random Number Generator (PRNG) manually with appropriate data before generating keys or performing public key encryption. As of version 0.9.5, the OpenSSL functions that need randomness report an error if the PRNG has not been seeded with at least 128 bits of randomness.

    To prevent this error, MOD SSL has to provide enough entropy to the PRNG to allow it to work correctly. This can be done via the SSLRANDOMSEED directive. 

  2. Question 2. Is It Possible To Provide Http And Https From The Same Server?

    Answer :

    Yes. HTTP and HTTPS use different server ports (HTTP binds to port 80, HTTPS to port 443), so there is no direct conflict between them. You can either run two separate server instances bound to these ports, or use Apache’s elegant virtual hosting facility to create two virtual servers, both served by the same instance of Apache – one responding over HTTP to requests on port 80, and the other responding over HTTPS to requests on port 443.

  3. Networking Interview Questions

  4. Question 3. Which Port Does Https Use?

    Answer :

    You can run HTTPS on any port, but the standards specify port 443, which is where any HTTPS compliant browser will look by default. You can force your browser to look on a different port by specifying it in the URL.

  5. Question 4. Why Do I Get “connection Refused” Messages, When Trying To Access My Newly Installed Apache+mod Ssl Server Via Https?

    Answer :

    This error can be caused by an incorrect configuration. Please make sure that your LISTEN directives match your directives. If all else fails, please start afresh, using the default configuration provided by MOD SSL.

  6. Networking Tutorial

  7. Question 5. Why Are The Ssl Xxx Variables Not Available To My Cgi & Ssi Scripts?

    Answer :

    Please make sure you have “SSLOptions +StdEnvVars” enabled for the context of your CGI/SSI requests.

  8. Management Information systems Interview Questions

  9. Question 6. What Are Rsa Private Keys, Csrs And Certificates?

    Answer :

    An RSA private key file is a digital file that you can use to decrypt messages sent to you. It has a public component which you distribute (via your Certificate file) which allows people to encrypt those messages to you.

    A Certificate Signing Request (CSR) is a digital file which contains your public key and your name. You send the CSR to a Certifying Authority (CA), who will convert it into a real Certificate, by signing it.

    A Certificate contains your RSA public key, your name, the name of the CA, and is digitally signed by the CA.

    Browsers that know the CA can verify the signature on that Certificate, thereby obtaining your RSA public key. That enables them to send messages which only you can decrypt.

  10. Question 7. Is There A Difference On Startup Between A Non-ssl-aware Apache And An Ssl-aware Apache?

    Answer :

    Yes. In general, starting Apache with MOD SSL built-in is just like starting Apache without it. However, if you have a passphrase on your SSL private key file, a startup dialog will pop up which asks you to enter the pass phrase.

    Having to manually enter the passphrase when starting the server can be problematic – for example, when starting the server from the system boot scripts. In this case, you can follow the steps below to remove the passphrase from your private key. Bear in mind that doing so brings additional security risks – proceed with caution!

  11. Management Information systems Tutorial
    Internet Security Interview Questions

  12. Question 8. How Can I Change The Pass-phrase On My Private Key File?

    Answer :

    You simply have to read it with the old pass-phrase and write it again, specifying the new pass-phrase.

    You can accomplish this with the following commands:

    $ openssl rsa -des3 -in server.key -out
    $ mv server.key

    The first time you’re asked for a PEM pass-phrase, you should enter the old pass-phrase. After that, you’ll be asked again to enter a pass-phrase – this time, use the new pass-phrase. If you are asked to verify the pass-phrase, you’ll need to enter the new pass-phrase a second time.

  13. Question 9. How Can I Get Rid Of The Pass-phrase Dialog At Apache Startup Time?

    Answer :

    The reason this dialog pops up at startup and every re-start is that the RSA private key inside your server.key file is stored in encrypted format for security reasons. The pass-phrase is needed to decrypt this file, so it can be read and parsed. Removing the pass-phrase removes a layer of security from your server – proceed with caution!

    1. Remove the encryption from the RSA private key (while keeping a backup copy of the original file):

    $ cp server.key
    $ openssl rsa -in -out server.key

    2. Make sure the server.key file is only readable by root:

    $ chmod 400 server.key

    Now server.key contains an unencrypted copy of the key. If you point your server at this file, it will not prompt you for a pass-phrase. HOWEVER, if anyone gets this key they will be able to impersonate you on the net. PLEASE make sure that the permissions on this file are such that only root or the web server user can read it (preferably get your web server to start as root but run as another user, and have the key readable only by root).

    As an alternative approach you can use the “SSLPassPhraseDialog exec:/path/to/program” facility. Bear in mind that this is neither more nor less secure, of course.

  14. Computer Network Security Interview Questions

  15. Question 10. Why Do I Get Lots Of Random Ssl Protocol Errors Under Heavy Server Load?

    Answer :

    There can be a number of reasons for this, but the main one is problems with the SSL session Cache specified by the SSLSESSIONCACHE directive. The DBM session cache is the most likely source of the problem, so using the SHM session cache (or no cache at all) may help.

  16. Internet Security Tutorial

  17. Question 11. Why Does My Webserver Have A Higher Load, Now That It Serves Ssl Encrypted Traffic?

    Answer :

    SSL uses strong cryptographic encryption, which necessitates a lot of number crunching. When you request a webpage via HTTPS, everything (even the images) is encrypted before it is transferred. So increased HTTPS traffic leads to load increases.

  18. Routing Protcol Interview Questions

  19. Question 12. Why Do Https Connections To My Server Sometimes Take Up To 30 Seconds To Establish A Connection?

    Answer :

    This is usually caused by a /dev/random device for SSLRANDOMSEED which blocks the read(2) call until enough entropy is available to service the request. More information is available in the reference manual for the SSLRANDOMSEED directive.

  20. Networking Interview Questions

  21. Question 13. What Ssl Ciphers Are Supported By Mod Ssl?

    Answer :

    Usually, any SSL ciphers supported by the version of OpenSSL in use, are also supported by MOD SSL. Which ciphers are available can depend on the way you built OpenSSL.

    Typically, at least the following ciphers are supported: 

    1. RC4 with SHA1
    2. AES with SHA1
    3. Triple-DES with SHA1 

    To determine the actual list of ciphers available, you should run the following:

    $ openssl ciphers -v

  22. Computer Security Tutorial

  23. Question 14. Why Do I Get “no Shared Cipher” Errors, When Trying To Use Anonymous Diffie-hellman (adh) Ciphers?

    Answer :

    By default, OpenSSL does not allow ADH ciphers, for security reasons. Please be sure you are aware of the potential side-effects if you choose to enable these ciphers.

    In order to use Anonymous Diffie-Hellman (ADH) ciphers, you must build OpenSSL with “-DSSL ALLOW ADH”, and then add “ADH” into your SSLCIPHERSUITE.

  24. Question 15. Why Do I Get A ’no Shared Ciphers’ Error When Connecting To My Newly Installed Server?

    Answer :

    Either you have made a mistake with your SSLCIPHERSUITE directive (compare it with the pre-configured example in extra/httpd-ssl.conf) or you chose to use DSA/DH algorithms instead of RSA when you generated your private key and ignored or overlooked the warnings. If you have chosen DSA/DH, then your server cannot communicate using RSA-based SSL ciphers (at least until you configure an additional RSA-based certificate/key pair). Modern browsers like NS or IE can only communicate over SSL using RSA ciphers. The result is the “no shared ciphers” error. To fix this, regenerate your server certificate/key pair, using the RSA algorithm.

  25. Simple Mail Transfer Protocol (SMTP) Interview Questions

  26. Question 16. Why Can’t I Use Ssl With Name-based/non-ip-based Virtual Hosts?

    Answer :

    The reason is very technical, and a somewhat “chicken and egg” problem. The SSL protocol layer stays below the HTTP protocol layer and encapsulates HTTP. When an SSL connection (HTTPS) is established Apache/mod ssl has to negotiate the SSL protocol parameters with the client. For this, mod ssl has to consult the configuration of the virtual server (for instance it has to look for the cipher suite, the server certificate, etc.). But in order to go to the correct virtual server Apache has to know the Host HTTP header field. To do this, the HTTP request header has to be read. This cannot be done before the SSL handshake is finished, but the information is needed in order to complete the SSL handshake phase. See the next question for how to circumvent this issue.

    Note that if you have a wildcard SSL certificate, or a certificate that has multiple hostnames on it using subjectAltName fields, you can use SSL on name-based virtual hosts without further workarounds.

  27. Cryptography Tutorial

  28. Question 17. How Do I Get Ssl Compression Working?

    Answer :

    Although SSL compression negotiation was defined in the specification of SSLv2 and TLS, it took until May 2004 for RFC 3749 to define DEFLATE as a negotiable standard compression method.

    OpenSSL 0.9.8 started to support this by default when compiled with the zlib option. If both the client and the server support compression, it will be used. However, most clients still try to initially connect with an SSLv2 Hello.

    As SSLv2 did not include an array of preferred compression algorithms in its handshake, compression cannot be negotiated with these clients. If the client disables support for SSLv2, either an SSLv3 or TLS Hello may be sent, depending on which SSL library is used, and compression may be set up. You can verify whether clients make use of SSL compression by logging the %{SSL COMPRESS METHOD}x variable.

  29. Computer Security Interview Questions

  30. Question 18. When I Use Basic Authentication Over Https The Lock Icon In Netscape Browsers Stays Unlocked When The Dialog Pops Up. Does This Mean The Username/password Is Being Sent Unencrypted?

    Answer :

    No, the username/password is transmitted encrypted. The icon in Netscape browsers is not actually synchronized with the SSL/TLS layer. It only toggles to the locked state when the first part of the actual webpage data is transferred, which may confuse people. The Basic Authentication facility is part of the HTTP layer, which is above the SSL/TLS layer in HTTPS. Before any HTTP data communication takes place in HTTPS, the SSL/TLS layer has already completed its handshake phase, and switched to encrypted communication. So don’t be confused by this icon.

  31. Management Information systems Interview Questions

  32. Question 19. How Do I Enable Tls-srp?

    Answer :

    TLS-SRP (Secure Remote Password key exchange for TLS, specified in RFC 5054) can supplement or replace certifi- cates in authenticating an SSL connection. To use TLS-SRP, set the SSLSRPVERIFIERFILE directive to point to an OpenSSL SRP verifier file.

    To create the verifier file, use the openssl tool:

    • openssl srp -srpvfile passwd.srpv -add username
    • After creating this file, specify it in the SSL server configuration:
    • SSLSRPVerifierFile /path/to/passwd.srpv
    • To force clients to use non-certificate TLS-SRP cipher suites, use the following directive:
    • SSLCipherSuite “!DSS:!aRSA:SRP”