Cisco Web Security Appliance S170 User Guide

A-4
Cisco IronPort AsyncOS 7.7.5 for Web User Guide
Appendix A      HTTPS Reference
Overview of HTTPS
Figure A-1
HTTPS and HTTP OSI Layers
The URL typically determines whether the client application should use HTTP or HTTPS to contact a server:
• http://servername. The client application opens a connection to the server on port 80 by default and sends HTTP commands in plaintext.
• https://servername. The client application opens a connection to the server on port 443 by default and starts to engage in the SSL “handshake” to establish a secure connection between the client and server. Once the secure connection is established, the client application sends encrypted HTTP commands. For more information about the SSL handshake, see the following section, SSL Handshake.
SSL Handshake
The SSL “handshake” is a set of steps a client and server engage in using the SSL protocol to establish a secure connection between them. The client and server must complete the following steps before they can send and receive encrypted HTTP messages:
1. Exchange protocol version numbers. Both sides must verify they can communicate with compatible versions of SSL or TLS.
2. Choose a cipher that each side knows. First, the client advertises which ciphers it supports and requests the server to send its certificate. Then, the server chooses the strongest cipher from the list and sends the client the chosen cipher and its digital certificate.
3. Authenticate the identity of each side. Typically, only the server gets authenticated while the client remains unauthenticated. The client validates the server certificate. For more information about certificates and using them to authenticate servers, see .
4. Generate temporary symmetric keys to encrypt the channel for this session. The client generates a session key (usually a random number), encrypts it with the server’s public key, and sends it to the server. The server decrypts the session key with its private key. Both sides compute a common master secret key that will be used for all future encryption and decryption until the connection closes.
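Steps 1 and 2 of the handshake above, as an added example that is not part of this guide or of AsyncOS: a Python script that builds a constructed TLS ClientHello record, parses the protocol version and cipher list the client advertises, and models the server's version check and cipher choice. It goes slightly beyond the text by showing the ClientHello wire layout (RFC 5246); the cipher suite ids are real IANA registry values, the 32-byte random and session id are constructed placeholders, and the server is assumed to pick in its own ranked preference order (the guide says "strongest").

```python
import struct

CIPHER_NAMES = {  # a few common suites from the IANA TLS registry
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
TLS10, TLS12 = 0x0301, 0x0303

def build_client_hello(version, suites, session_id=b""):
    """Build a minimal ClientHello record (no extensions). The 32-byte
    'random' is a constructed placeholder, not real randomness."""
    body = struct.pack(">H", version) + bytes(range(32))
    body += bytes([len(session_id)]) + session_id
    body += struct.pack(">H", 2 * len(suites))
    body += b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", TLS10, len(handshake)) + handshake

def parse_client_hello(record):
    """Return (client_version, [cipher suite ids]) from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    version = struct.unpack(">H", body[:2])[0]
    pos = 34 + 1 + body[34]  # skip version(2), random(32), session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    suites = body[pos + 2:pos + 2 + cs_len]
    return version, list(struct.unpack(f">{cs_len // 2}H", suites))

def negotiate(record, server_max=TLS12, server_min=TLS10,
              server_preference=(0xC02F, 0xC013, 0x0035, 0x002F)):
    """Steps 1 and 2 as the server sees them: highest version both sides
    support, then the first suite on the server's ranked list (assumed
    server-preference order) that the client offered. None if either fails."""
    client_version, offered = parse_client_hello(record)
    version = min(client_version, server_max)
    if version < server_min:
        return None
    for suite in server_preference:
        if suite in offered:
            return version, CIPHER_NAMES.get(suite, hex(suite))
    return None
```

A client that offers only 3DES, or only a version below the server's minimum, gets None, which is the point at which a real handshake ends with an alert instead of proceeding to the certificate step.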
Figure A-1 (layer stacks as drawn in the figure):
HTTPS stack, top to bottom: HTTP (application layer), SSL or TLS (security layer), TCP (transport layer), IP (network layer), network interfaces (data link layer).
HTTP stack, top to bottom: HTTP (application layer), TCP (transport layer), IP (network layer), network interfaces (data link layer).