S.
LAZAAR
ENSA of Tangier
2024-2025
Practical work on SSL/TLS protocol
Objective
Students will learn the mechanics of the SSL/TLS protocol, explore its implementation in
secure communications, and analyze potential vulnerabilities and mitigations.
Tools and Resources
• OpenSSL
• Wireshark
• SSLstrip: Simulate vulnerabilities
• Apache to setup the server
Guidelines:
OpenSSL installed: sudo apt install openssl
SSLstrip installed: sudo apt install sslstrip
Part 1: SSL/TLS Basics and Setup
1. Tasks:
o Create a virtual network including 3 machines (client, Admin under Kali linux,
server)
o Prepare a website or only a webpage.
o Use OpenSSL to create certificates for your site
o Generate self-signed SSL certificates and configure the server to use them.
o Set up an HTTPS server (using Apache).
o Test the server's configuration using an online SSL testing tool.
1/3
�Part 2: Analyzing SSL/TLS Handshake
1. Tasks:
o Use Wireshark to capture and analyze the SSL/TLS handshake between a
client and the server.
o Identify key elements such as:
▪ ClientHello and ServerHello messages.
▪ Certificate exchange.
▪ Cipher suite negotiation.
Deliverables
• A report detailing:
o Observations from SSL/TLS handshake analysis.
• Wireshark logs and screenshots as evidence.
2/3
�Part 3: Explore SSLstrip for a basic understanding of how HTTPS, SSL/TLS, and MITM
attacks work.
Using SSLstrip alongside OpenSSL can help simulate and understand SSL/TLS vulnerabilities,
particularly those involving man-in-the-middle (MITM) attacks. While OpenSSL provides the
framework for secure communications, SSLstrip can demonstrate how improper
configurations or outdated setups can compromise security.
Intercept and Manipulate Traffic
• With SSLstrip running, use OpenSSL to inspect client-server communication.
• SSLstrip intercepts and downgrades HTTPS traffic to HTTP. Clients believe they are
communicating securely, but the connection is no longer encrypted.
Analyze Results
• Observe the downgraded connection using Wireshark:
o Capture packets and verify that HTTPS traffic is converted to HTTP.
o Inspect plaintext data that should have been encrypted.
3/3
