Web and Mobile Development - Secure Sockets Layer
Activity Goals
The goals of this activity are:
- To explain the process underlying SSL and the digital certificate for authentication and encryption
- To create and attach a digital certificate to a RESTful service in node.js
The Activity
Directions
Consider the activity models and answer the questions provided. First reflect on these questions on your own briefly, before discussing and comparing your thoughts with your group. Appoint one member of your group to discuss your findings with the class, and the rest of the group should help that member prepare their response. Answer each question individually from the activity, and compare with your group to prepare for our whole-class discussion. After class, think about the questions in the reflective prompt and respond to those individually in your notebook. Report out on areas of disagreement or items for which you and your group identified alternative approaches. Write down and report out questions you encountered along the way for group discussion.
Model 1: SSL Certificates
const express = require('express');
const fs = require('fs');       // needed to read the key and certificate files
const http = require('http');   // only needed for the clear-text server below
const https = require('https');
const app = express();
// Usual routes
app.get('/test', (req, res) => {
  res.send("Hello World!");
});
const sslOptions = {
  key: fs.readFileSync('./private_key.pem'),          // the server's private key (never shared)
  cert: fs.readFileSync('./certificate_chain.pem'),   // the server certificate plus any intermediate CA certificates
  ca: [
    fs.readFileSync('./cert_authority.cer') //,       // trusted CA certificate(s) used when verifying peer certificates
    // ...
  ],
  ciphers: [
    "ECDHE-RSA-AES128-SHA256",
    "DHE-RSA-AES128-SHA256",
    "AES128-GCM-SHA256",
    "RC4",                        // RC4 is a broken cipher; remove it in any real deployment
    "HIGH",
    "!MD5",                       // the "!" entries exclude weak or unauthenticated suites
    "!aNULL"
  ].join(':'),
};
const httpsServer = https.createServer(sslOptions, app);
httpsServer.listen(8443, () => {
  console.log("HTTPS Running");
});
// I suggest omitting this, otherwise you have a route that can be invoked in clear text!
const httpServer = http.createServer(app);
httpServer.listen(8080, () => {
  console.log("HTTP Running");
});
Questions
- What is an SSL Certificate Chain?
- What is a Certificate Authority?
- Using this command, generate and use your own SSL certificate:
openssl genrsa -out private_key.pem && openssl req -new -key private_key.pem -out csr.pem && openssl x509 -req -days 9999 -in csr.pem -signkey private_key.pem -out certificate_chain.pem
Add the resulting key and certificate to a node.js program and invoke an endpoint over https.
- Did you get a warning from your browser and, if so, why?
Embedded Code Environment
You can try out some code examples in this embedded development environment! To share this with someone else, first have one member of your group make a small change to the file, then click "Open in Repl.it". Log into your Repl.it account (or create one if needed), and click the "Share" button at the top right. Note that some embedded Repl.it projects have multiple source files; you can see those by clicking the file icon on the left navigation bar of the embedded code frame. Share the link that opens up with your group members. Remember only to do this for partner/group activities!
Model 2: Signing of a Public Key by a Certificate Authority
Questions
- Although you can self-sign a certificate, why might it be more authoritative to have a trusted third party validate your identity and sign your key to form a certificate?
Model 3: SSL Handshake and Encryption
Questions
- Is the public/private key from the SSL certificate actually used to encrypt data between the client and server? Why or why not? If not, what is used instead?
Submission
I encourage you to submit your answers to the questions (and ask your own questions!) using the Class Activity Questions discussion board. You may also respond to questions or comments made by others, or ask follow-up questions there. Answer any reflective prompt questions in the Reflective Journal section of your OneNote Classroom personal section. You can find the link to the class notebook on the syllabus.