Cisco Web Security Appliance S170 User Guide

12-6
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 12      Decryption Policies
HTTPS Basics
Figure 12-1
HTTPS and HTTP OSI Layers
The URL typically determines whether the client application should use HTTP or HTTPS to contact a server:
  • http://servername. The client application opens a connection to the server on port 80 by default and sends HTTP commands in plaintext.
  • https://servername. The client application opens a connection to the server on port 443 by default and starts to engage in the SSL “handshake” to establish a secure connection between the client and server. Once the secure connection is established, the client application sends encrypted HTTP commands. For more information about the SSL handshake, see the SSL Handshake section that follows.
SSL Handshake
The SSL “handshake” is a set of steps a client and server engage in using the SSL protocol to establish a secure connection between them. The client and server must complete the following steps before they can send and receive encrypted HTTP messages:
Step 1  Exchange protocol version numbers. Both sides must verify they can communicate with compatible versions of SSL or TLS.
Step 2  Choose a cipher that each side knows. First, the client advertises which ciphers it supports and requests the server to send its certificate. Then, the server chooses the strongest cipher from the list and sends the client the chosen cipher and its digital certificate.
Step 3  Authenticate the identity of each side. Typically, only the server gets authenticated while the client remains unauthenticated. The client validates the server certificate. For more information about certificates and using them to authenticate servers, see .
Step 4  Generate temporary symmetric keys to encrypt the channel for this session. The client generates a session key (usually a random number), encrypts it with the server’s public key, and sends it to the server. The server decrypts the session key with its private key. Both sides compute a common master secret key that will be used for all future encryption and decryption until the connection closes.
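As an added illustration of Steps 1 and 2 (example code written for this page, not code from the Cisco guide or from AsyncOS), the following Python parses the ClientHello message a client sends at the start of the handshake and reports the protocol version and the cipher suite list it advertises, which is exactly the information a proxy sees before it decides how to treat the connection. The version and cipher suite names are the IANA TLS registry values; the ClientHello bytes are constructed by the builder function in the block, not captured traffic.

```python
import struct

# Names for a few cipher suite and version codes (IANA TLS registry values);
# any code not listed here is reported in hex.
CIPHER_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def build_client_hello(version, suites, session_id=b"", rand=b"\x11" * 32):
    """Build a TLS record carrying a minimal ClientHello (constructed test data, no extensions)."""
    body = struct.pack("!H", version) + rand                       # client_version + 32-byte random
    body += bytes([len(session_id)]) + session_id                  # session_id (length-prefixed)
    body += struct.pack("!H", 2 * len(suites))                     # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)         # cipher_suites, 2 bytes each
    body += b"\x01\x00"                                            # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello(1)
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake  # ContentType handshake(22)

def parse_client_hello(data):
    """Return (client_version, [cipher suite codes]) from a TLS record holding a ClientHello."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) != rec_len or rec[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(rec[1:4], "big")
    body = rec[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello")
    version = struct.unpack("!H", body[0:2])[0]
    pos = 34 + 1 + body[34]                                        # skip version, random, session_id
    if pos + 2 > len(body):
        raise ValueError("truncated cipher_suites")
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return version, suites

def describe_client_hello(data):
    """Human-readable view of what the client offers in handshake Steps 1 and 2."""
    version, suites = parse_client_hello(data)
    return VERSION_NAMES.get(version, hex(version)), [CIPHER_NAMES.get(s, hex(s)) for s in suites]
```

The order of the suite list is the client's preference order; the server picks one of them in Step 2, so comparing this list against the suites a decryption policy is willing to accept is a useful first check when a handshake fails.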
Figure 12-1 HTTPS and HTTP OSI Layers (layer stacks recovered from the figure, read top down):

OSI layer           HTTPS                 HTTP
Application layer   HTTP                  HTTP
Security layer      SSL or TLS            (none)
Transport layer     TCP                   TCP
Network layer       IP                    IP
Data link layer     Network interfaces    Network interfaces