SSL/TLS
Secure Sockets Layer and Transport Layer Security
SSL/TLS
SSL/TLS provides encryption and security for network communications.
What is SSL/TLS?
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are protocols for:
- Encrypting data in transit
- Authenticating servers
- Ensuring data integrity
- Preventing eavesdropping
SSL vs TLS
- SSL 3.0: Deprecated, security issues
- TLS 1.0: Legacy, some vulnerabilities
- TLS 1.1: Legacy, still supported
- TLS 1.2: Current standard
- TLS 1.3: Latest, recommended
How TLS Works
TLS Handshake
1. ClientHello: Client sends supported versions, ciphers
2. ServerHello: Server selects version, cipher
3. Certificate: Server sends certificate
4. ServerKeyExchange: Server sends key exchange params
5. ServerHelloDone: Server done
6. ClientKeyExchange: Client sends key exchange params
7. ChangeCipherSpec: Switch to encryption
8. Finished: Verification messageCertificates
Self-Signed Certificate
# Generate self-signed certificate
openssl req -x509 -newkey rsa:4096 -keyout key.pem \
-out cert.pem -days 365 -nodesCA-Signed Certificate
- Issued by trusted Certificate Authority
- Browser recognizes automatically
- Required for production
Certificate Files
# View certificate
openssl x509 -in cert.pem -text -noout
# Check certificate validity
openssl x509 -in cert.pem -noout -dates
# Combine cert and key
cat cert.pem key.pem > combined.pemCommon Tools
OpenSSL
# Generate private key
openssl genrsa -out private.key 2048
# Generate CSR (Certificate Signing Request)
openssl req -new -key private.key -out request.csr
# Check certificate
openssl x509 -in certificate.crt -text -noout
# Verify certificate chain
openssl verify -CAfile ca.crt certificate.crt
# Test HTTPS connection
openssl s_client -connect example.com:443curl
# HTTPS request
curl https://example.com
# Ignore certificate verification (NOT recommended)
curl -k https://example.com
# Show certificate info
curl -v https://example.com
# Use specific certificate
curl --cert client.crt --key client.key https://example.comNginx HTTPS Configuration
server {
listen 443 ssl http2;
server_name example.com;
# Certificate files
ssl_certificate /etc/ssl/certs/cert.pem;
ssl_certificate_key /etc/ssl/private/key.pem;
# TLS version
ssl_protocols TLSv1.2 TLSv1.3;
# Ciphers
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# HSTS
add_header Strict-Transport-Security "max-age=31536000" always;
}
# Redirect HTTP to HTTPS
server {
listen 80;
server_name example.com;
return 301 https://$server_name$request_uri;
}Let's Encrypt
Free SSL/TLS certificates
# Install Certbot
sudo apt install certbot python3-certbot-nginx
# Get certificate
sudo certbot certonly --nginx -d example.com
# Renew certificate
sudo certbot renew
# Auto-renewal
sudo systemctl enable certbot.timerSecurity Best Practices
- Use TLS 1.2 minimum
- Disable weak ciphers
- Keep certificates updated
- Use strong key sizes (2048+ bits)
- Monitor certificate expiration
- Implement HSTS
- Enable SSL session caching
- Keep OpenSSL updated
- Use Certificate Transparency
- Monitor certificate chain
Common Issues
Expired Certificate
openssl x509 -in cert.pem -noout -datesCertificate Mismatch
- Certificate domain doesn't match URL
- Check certificate CN and SAN
Self-Signed Certificate
- Browser will warn
- Use for testing only
- Not for production