How does SSL use symmetric and asymmetric encryption? And how do I manage certificated for multiple sites on one host? [duplicate]

Answer 1

The SSL client sends the random byte string that enables both the client and the server to compute the secret key to be used for encrypting subsequent message data. The random byte string itself is encrypted with the server's public key(Asymmetric).

SSL uses both Asymmetric and symmetric keys.

Answer 2

The case where the session key is independently computed by the client and server without the key ever being transmitted is Diffie-Hellman key exchange: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange --- see the nice paint illustration PKI will exchange the encrypted session key between the client and server.

Answer 3

.

The answer is both. You will find a nice explanation in 4 steps from digicert.com below:

.

• Server sends a copy of its asymmetric public key.
• Browser creates a symmetric session key and encrypts it with the server's asymmetric public key. Then sends it to the server.
• Server decrypts the encrypted session key using its asymmetric private key to get the symmetric session key.
• Server and Browser now encrypt and decrypt all transmitted data with the symmetric session key. This allows for a secure channel because only the browser and the server know the symmetric session key, and the session key is only used for that session. If the browser was to connect to the same server the next day, a new session key would be created.

https://www.digicert.com/ssl-cryptography.htm

Answer 4

Yes, that's right. Asymmetric encryption is necessary to verify the others identity and then symmetric encryption gets used because it's faster.

Answer 5

You're wrong at points 4 and 5. The server and client independently compute the same session key. It is never actually transmitted at all.

Answer 6

You can only have a single SSL cert per listening port on the server. This is because the very first thing that is sent is the server certificate (as in your timeline). This is before the HTTP request so if you try to host two domains on a single server (say foo.com and bar.com) there is no way for the server to know which certificate to send to the client.

There are a few different ways to solve this problem:

1. Host different domains on different servers
2. Host different domains on different ports (eg. foo.com is serverd from 443 and bar.com is served from 8443). If you put your host behind multiple load-balancers, you can have them service all the sites on 443.
3. If the different domains are all sub-domains of a single parent domain, you can get a wildcard certificate. (e.g. domains www.foo.com, bar.foo.com, and baz.foo.com can all use a certificate for *.foo.com)
4. Get a single certificate for one of the domains and have the other domains listed as AltNames. (e.g. both foo.com and bar.com can use a foo.com certificate with a bar.com AltName)