What is the correct way to implement SSL?

Question

I have a flask application(client) from where I need to send some data to a server(another flask application as of now) and get some corresponding data. I need to use REST because the server can be anything later(the current flask app is a dummy server for testing). I need to have SSL connection between client and server. I see that SSL works in several steps:

1. Client requests for an encrypted connection.
2. Server responds with an SSL Certificate which will have a public key.
3. Client verifies the SSL Certificate
4. Client creates a private key
5. Client encrypts the private key with the public key and sends it to the server.
6. Server decrypts it and gets the private key.
7. Thus an encrypted connection is established between client and server. Further exchange of data between client and server happens by encrypting the data with the private key.

This is what I am trying to achieve. Please correct me if I got the SSL concept wrong.

I have seen below implementation and works perfectly for me.

Client side uses requests.get() with verify=<path to server SSL certificate>. I have generated SSL certificate for server using openssl as follows.

openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365

But I don't think all the above 7 steps are being covered here. What is the actual way of implementing SSL? Any help would be appreciated.

Answer 1

1. Client requests for an encrypted connection.

Correct.

2. Server responds with an SSL Certificate which will have a public key.

Correct.

3. Client verifies the SSL Certificate

Correct.

4. Client creates a private key

Incorrect. It is already far too late for this to occur.

5. Client encrypts the private key with the public key and sends it to the server.

Incorrect. There is no such step. See RFC 2246 and successors.

6. Server decrypts it and gets the private key.

Incorrect, ditto.

7. Thus an encrypted connection is established between client and server.

Incorrect, ditto.

Further exchange of data between client and server happens by encrypting the data with the private key.

Incorrect, ditto. TLS works by (1) establishing trust via the server certificate and PKI; (2) optionally establishing trust via the client certificate; and (3) establishing a symmetric session key via a process of key negotiation, in which the actual session key is never transmitted.

This is what I am trying to achieve.

No it isn't. You are trying to establish a TLS connection. What it does is really very little concern of yours.

Please correct me if I got the SSL concept wrong.

You got it totally wrong.

I have generated SSL certificate for server using openssl as follows.

No you haven't. You have created a Certificate Signing Request (CSR). This is useless until you get it signed by a Certificate Authority (CA). It isn't an SSL certificate.

In the above method of implementation, client verifies the server's certificate for every rest call but I dont want to do this. I want to create an encrypted connection between client and server and then the further exchange of data should be encrypted. So, I think the initial creation of enrypted connection between client and server is missing. Also, the private key generation from client side is missing. I want to implement SSL and I think TLS is different from SSL. Correct me if I am wrong.

You are wrong. TLS supports session resumption, which allows for abbreviated handshakes, which eliminates the certificate exchange steps. The 'private key generation from client side' step is missing because it doesn't necessarily exist. You're guessing.