Web and Mobile Development - Secure Sockets Layer

Activity Goals

The goals of this activity are:
  1. To explain the process underlying SSL and the digital certificate for authentication and encryption
  2. To create and attach a digital certificate to a RESTful service in node.js

The Activity

Directions

Consider the activity models and answer the questions provided. First reflect on these questions on your own briefly, before discussing and comparing your thoughts with your group. Appoint one member of your group to take notes for the group, and appoint another member to discuss your findings with the class. After class, think about the questions in the reflective prompt and respond to those individually. Report out on areas of disagreement or items for which you and your group identified alternative approaches. Write down and report out questions you encountered along the way for group discussion.

Model 1: SSL Certificates


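const express = require('express');
const fs = require('fs');       // reads the key and certificate files below
const http = require('http');   // only needed for the optional clear-text listener
const https = require('https');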

const app = express();

// Usual routes
app.get('/test', (req, res) => {
    res.send("Hello World!");
});

const sslOptions = {
    key: fs.readFileSync('./private_key.pem'),
    cert: fs.readFileSync('./certificate_chain.pem'),
    ca: [
        fs.readFileSync('./cert_authority.cer') //,      
        // ...
    ],
    // RC4 is left out: it is a broken stream cipher, prohibited in TLS by RFC 7465
    ciphers: [
        "ECDHE-RSA-AES128-SHA256",
        "DHE-RSA-AES128-SHA256",
        "AES128-GCM-SHA256",
        "HIGH",
        "!MD5",
        "!aNULL"
    ].join(':'),
};

const httpsServer = https.createServer(sslOptions, app);
httpsServer.listen(8443, () => {
    console.log("HTTPS Running");
});

// I suggest omitting this, otherwise you have a route that can be invoked in clear text!
const httpServer = http.createServer(app);
httpServer.listen(8080, () => {
    console.log("HTTP Running");
});
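
The `ciphers` option in the model is an OpenSSL-style cipher string, and each entry in it changes what the server will negotiate. The following is an added example, not part of the original activity: a small audit of such a string that flags broken algorithms, suites without forward secrecy, and non-AEAD suites. The function names and finding labels are assumptions made for this example, and the sample string is constructed, modelled on the Model 1 list and including a legacy RC4 entry.

```javascript
// Added example: audits an OpenSSL-style cipher string like the `ciphers`
// option passed to https.createServer() in Model 1.
const tls = require('tls');

// Suites this Node/OpenSSL build can negotiate (tls.getCiphers() is lower-case).
const SUPPORTED = new Set(tls.getCiphers());

// Name parts that mark broken or unauthenticated algorithms.
const WEAK_PARTS = new Set(['RC4', 'DES', '3DES', 'CBC3', 'MD5', 'NULL',
                            'ANULL', 'ENULL', 'EXP', 'EXPORT']);

function auditCipherString(cipherString) {
  return cipherString.split(':').filter(Boolean).map((token) => {
    // '!' and '-' prefixes remove suites from the list, so they carry no findings.
    if (token.startsWith('!') || token.startsWith('-')) {
      return { token, kind: 'exclusion', findings: [] };
    }
    const findings = [];
    const parts = token.toUpperCase().split('-');
    if (parts.some((p) => WEAK_PARTS.has(p))) findings.push('weak-algorithm');

    // Explicit suites: TLS 1.2 names contain '-', TLS 1.3 names start with TLS_.
    const isSuite = token.includes('-') || token.startsWith('TLS_');
    if (!isSuite) return { token, kind: 'keyword', findings };

    // Static-RSA key exchange: a stolen server key decrypts recorded traffic.
    if (!/^(ECDHE|DHE|TLS_)/.test(token)) findings.push('no-forward-secrecy');
    // CBC + HMAC suites are not AEAD.
    if (!/GCM|CCM|CHACHA20/.test(token)) findings.push('not-aead');
    if (!SUPPORTED.has(token.toLowerCase())) findings.push('unsupported-in-this-build');
    return { token, kind: 'suite', findings };
  });
}

// Tokens that should fail a configuration review outright.
function weakTokens(cipherString) {
  return auditCipherString(cipherString)
    .filter((entry) => entry.findings.includes('weak-algorithm'))
    .map((entry) => entry.token);
}

// Constructed sample, modelled on the Model 1 list plus a legacy RC4 entry.
const SAMPLE = ['ECDHE-RSA-AES128-SHA256', 'DHE-RSA-AES128-SHA256',
  'AES128-GCM-SHA256', 'RC4', 'HIGH', '!MD5', '!aNULL'].join(':');

for (const { token, kind, findings } of auditCipherString(SAMPLE)) {
  console.log(token.padEnd(26), kind.padEnd(10), findings.join(', ') || 'ok');
}
```

The `unsupported-in-this-build` finding depends on the OpenSSL version Node.js was built with, so it can differ between machines.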

Questions

  1. What is an SSL Certificate Chain?
  2. What is a Certificate Authority?
  3. Using this command, generate and use your own SSL certificate: openssl genrsa -out private_key.pem && openssl req -new -key private_key.pem -out csr.pem && openssl x509 -req -days 9999 -in csr.pem -signkey private_key.pem -out certificate_chain.pem. Add these to a node.js program and invoke an endpoint over https.
  4. Did you get a warning from your browser and, if so, why?

Embedded Code Environment

You can try out some code examples in this embedded development environment! To share this with someone else, first have one member of your group make a small change to the file, then click "Open in Repl.it". Log into your Repl.it account (or create one if needed), and click the "Share" button at the top right. Note that some embedded Repl.it projects have multiple source files; you can see those by clicking the file icon on the left navigation bar of the embedded code frame. Share the link that opens up with your group members. Remember only to do this for partner/group activities!

Model 2: Signing of a Public Key by a Certificate Authority

[Diagram: public key certificate]

Questions

  1. Although you can self-sign a certificate, why might it be more authoritative to have a trusted third party validate your identity and sign your key to form a certificate?

Model 3: SSL Handshake and Encryption

Read this Article on SSL Certificates

Questions

  1. Is the public/private key from the SSL certificate actually used to encrypt data between the client and server? Why or why not? If not, what is used instead?

Submission

Submit your answers to the questions using the Collaborative Spaces section of OneNote. You can add a page with your name and your group members' names, and today's date, as the title. Under the appropriate section (i.e., "Class Notes", "Collaborative Spaces", "Reflective Prompts") that you can select on the left side of the screen, you can click "Add Page" on the right side. You can answer any reflective prompt questions in the Reflective Journal section of your OneNote Classroom personal section.