Avinash Kumar 90

Server certificate verification in one way SSL

Hi All,
In a one-way SSL scenario, where Salesforce is the client and is making an SSL callout, how does Salesforce verify the server certificate?
As per the documentation, in one-way SSL only the server certificate is checked. I would like to understand how Salesforce checks the server certificate.
P.S.: I am a Salesforce newbie, hence this basic question.

-Avinash
Nagendra (Salesforce Developers)
Hi Avinash,


Authentication with SSL:
SSL is the standard security technology for establishing an encrypted link between a web server and a browser. Normally, when a browser (the client) establishes an SSL connection to a secure web site, only the server certificate is checked. The browser relies either on itself or on the operating system to provide a list of certificates that have been designated as root certificates and are to be trusted as CAs.


One-way SSL authentication (server -> client):
Client and server use 9 handshake messages to establish the encrypted channel prior to exchanging messages:

  1. Client sends ClientHello message proposing SSL options.
  2. Server responds with ServerHello message selecting the SSL options.
  3. Server sends Certificate message, which contains the server’s certificate.
  4. Server concludes its part of the negotiation with ServerHelloDone message.
  5. Client sends session key information (encrypted with server’s public key) in ClientKeyExchange message.
  6. Client sends ChangeCipherSpec message to activate the negotiated options for all future messages it will send.
  7. Client sends Finished message to let the server check the newly activated options.
  8. Server sends ChangeCipherSpec message to activate the negotiated options for all future messages it will send.
  9. Server sends Finished message to let the client check the newly activated options.
Please mark this as solved if the information helps.

Regards,
Nagendra.
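The handshake above ends with the client deciding whether to trust the Certificate message from step 3, and the answer lists the three inputs to that decision: the trusted root list, the server's certificate, and the name the client connected to. As an added example that is not part of this thread and is not Salesforce's own callout code, the Go program below performs one-way TLS handshakes over a loopback socket against servers presenting four different certificates and reports which check the client's verifier failed: the issuer is absent from the trust store, the host name does not match the certificate, or the certificate has expired. Every certificate, the CA name and the host name api.example.test are constructed inside the program; nothing is fetched from the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for name that expires ttl from now. A nil parent makes it
// self-signed; otherwise parent signs it, the way a CA signs a server's certificate.
func issue(name string, isCA bool, ttl time.Duration, parent *tls.Certificate) *tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: name},
		DNSNames:  []string{name}, // what the client matches ServerName against
		NotBefore: time.Now().Add(-2 * time.Hour), NotAfter: time.Now().Add(ttl),
		KeyUsage:  x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	if isCA { // a CA signs certificates and has no host name of its own
		tmpl.IsCA, tmpl.KeyUsage, tmpl.DNSNames = true, x509.KeyUsageCertSign, nil
	}
	signer, signerKey := tmpl, any(key)
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// oneWayHandshake runs a TLS handshake over a loopback socket: the server presents leaf and never
// asks for a client certificate; the client checks leaf against roots for serverName and its
// verdict is returned (nil means the server was authenticated).
func oneWayHandshake(leaf *tls.Certificate, roots *x509.CertPool, serverName string) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	go func() {
		s := tls.Server(must(ln.Accept()), &tls.Config{
			Certificates: []tls.Certificate{*leaf},
			ClientAuth:   tls.NoClientCert, // one-way: no CertificateRequest is ever sent
		})
		_ = s.Handshake() // fails whenever the client rejects the certificate
		s.Close()
	}()
	c := tls.Client(must(net.Dial("tcp", ln.Addr().String())), &tls.Config{
		RootCAs:    roots,      // trust anchors, like a browser's or OS root store
		ServerName: serverName, // must match a DNSName in the presented certificate
	})
	defer c.Close()
	return c.Handshake()
}

// classify names the check that made the client reject the server.
func classify(err error) string {
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "untrusted-issuer"
	case errors.As(err, new(x509.HostnameError)):
		return "hostname-mismatch"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	}
	return "other: " + err.Error()
}

// verdicts pits one client trust store against four servers and reports each verdict.
func verdicts() map[string]string {
	const host = "api.example.test" // hypothetical callout endpoint, constructed for this demo
	ca := issue("Constructed Test Root CA", true, 24*time.Hour, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf) // the only trust anchor; anything it did not sign is rejected
	good := issue(host, false, 24*time.Hour, ca)
	return map[string]string{
		"trusted CA, right name": classify(oneWayHandshake(good, roots, host)),
		"self-signed":            classify(oneWayHandshake(issue(host, false, 24*time.Hour, nil), roots, host)),
		"trusted CA, wrong name": classify(oneWayHandshake(good, roots, "other.example.test")),
		"trusted CA, expired":    classify(oneWayHandshake(issue(host, false, -time.Hour, ca), roots, host)),
	}
}

func main() { fmt.Println(verdicts()) }
```

Only the first scenario completes the nine messages listed above; in the other three the client aborts after step 3 with a bad-certificate alert, so the server side never gets to step 8. The `ClientAuth: tls.NoClientCert` setting is what makes the exchange one-way: the server authenticates itself and learns nothing about who the client is, which is exactly the situation of a platform making an outbound callout to a public endpoint. The same three checks (chain to a trusted root, name match, validity period) are what any standards-compliant TLS client applies; the example does not reproduce Salesforce's internal trust store.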