TLS / SSL

From Things and Stuff Wiki
Jump to: navigation, search

Things and Stuff Wiki - An organically evolving personal wiki knowledge base with an on-the-fly taxonomy containing topic outlines, descriptions, notes and breadcrumbs, with links to sites, systems, software, manuals, organisations, people, articles, guides, slides, papers, books, comments, videos, screencasts, webcasts, scratchpads and more. Quality varies drastically. Use the Table of Contents to navigate long pages, use the Small-ToC and Tiny-ToC header links on longer pages. Not that mobile friendly atm. #tnswiki on freenode IRC for feedback chat, or see About for login and further information. / et / em

General

See also HTTP#SSL

  • Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. They use asymmetric cryptography for authentication of key exchange, symmetric encryption for confidentiality and message authentication codes for message integrity. Several versions of the protocols are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP).

In the TCP/IP model view, TLS and SSL encrypt the data of network connections at a lower sublayer of its application layer. In OSI model equivalences, TLS/SSL is initialized at layer 5 (the session layer) then works at layer 6 (the presentation layer): first the session layer has a handshake using an asymmetric cipher in order to establish cipher settings and a shared key for that session; then the presentation layer encrypts the rest of the communication using a symmetric cipher and that session key. In both models, TLS and SSL work on behalf of the underlying transport layer, whose segments carry encrypted data.


  • AboutSSL.org - Explore SSL Types, Brands, Reviews, Comparison and More.


Specs

some rfcs..


Guides

Software

Gnutils

OpenSSL

openssl ciphers -v
openssl verify -CAfile /etc/nginx/ca.pem certs/client.crt

Other

  • PolarSSL makes it trivially easy for developers to include cryptographic and SSL/TLS capabilities in their (embedded) products, facilitating this functionality with a minimal coding footprint.




  • https://github.com/OpenVPN/easy-rsa - a CLI utility to build and manage a PKI CA. In laymen's terms, this means to create a root certificate authority, and request and sign certificates, including sub-CAs and certificate revocation lists (CRL).

HTTPS

See HTTP#SSL

CSP

Tools

  • SSL Server Test - This free online service performs a deep analysis of the configuration of any SSL web server on the public Internet.
  • Why No Padlock? - This web based tool will check a secure (https://) URL for the following items: Valid SSL Certificate (checks expiration date, properly installed intermediate certificate, URL matches the certificate domain, and displays the SSL Issuing company. All image, css, and javascript calls on the page are done so securely. Checks each linked css file to make sure any image calls are also secure. Outputs any insecure calls, along with the file (referrer) that made the insecure call. Verifies all third party SSL calls also have a valid and properly installed SSL certificate.
  • sslScanner - Scan SSL based TCP services, ips, ports and network ranges to obtain certificate expiry data. Get automated alerts about certificates expiring
  • SSL Converter - convert SSL certificates to and from different formats such as pem, der, p7b, and pfx
  • Certificate Depot - Create your self-signed SSL certificate instantly and for free.

Certificates

See also HTTP#SSL


Certificate signing request

  • .csr This is a Certificate Signing Request. Some applications can generate these for submission to certificate-authorities. It includes some/all of the key details of the requested certificate such as subject, organization, state, whatnot, as well as the public key of the certificate to get signed. These get signed by the CA and a certificate is returned. The returned certificate is the public certificate, which itself can be in a couple of formats.
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Key formats

  • .pem Defined in RFC's 1421 through 1424, this is a container format that may include just the public certificate (such as with Apache installs, and CA certificate files /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates. The name is from Privacy Enhanced Email, a failed method for secure email but the container format it used lives on.
  • .key This is a PEM formatted file containing just the private-key of a specific certificate. In Apache installs, this frequently resides in /etc/ssl/private. The rights on this directory and the certificates is very important, and some programs will refuse to load these certificates if they are set wrong.
  • .pkcs12 .pfx .p12 Originally defined by RSA in the Public-Key Cryptography Standards, the "12" variant was enhanced by Microsoft. This is a passworded container format that contains both public and private certificate pairs. Unlike .pem files, this container is fully encrypted. Every time I get one I have to google to remember the openssl-fu required to break it into .key and .pem files.

SAN

Wildcard

Domain Validation

Organisational Validation

involving better/slower background checks for the Organisation Name field

Extended Validation

Self-signed

Vulnerable to MITM as cracker can generate their own, OK if you control both ends.

Lets Encrypt / ACME





./letsencrypt-auto certonly -d example.com -d www.example.com --agree-tos --renew-by-default -a webroot --webroot-path=/tmp/letsencrypt-auto

CAs

Services

Comodo

VeriSign

GlobalSign

StartCom

Free certs, one cert per domain, 1 year. One only pays for acions that require human intervention, i.e., validation.


Cacert.org

Community group providing certs. Web of trust based assurance point system. Not carried by major browsers, just Linux distros.

Other

  • SSLMate - Buy SSL certs from the command line.
  • CertSimple - The fastest way to prove your company's identity online. EV Certificates are £149 a year. Multiple servers from £249 a year for 3 server names.

PFS

CRL

DNSSEC

DANE

HPKP

Future

  • TACK, a proposal for a dynamically activated public key pinning framework that provides a layer of indirection away from Certificate Authorities, but is fully backwards compatible with existing CA certificates, and doesn't require sites to modify their existing certificate chains.

Other