- SSL = Secure Socket Layer (obsolete) and TLS = Transport Layer Security
- Netscape developed SSL. v1.0 was never published; v2.0 is weak and was deprecated in 2011; v3.0 is vulnerable to the POODLE attack and was deprecated in 2015. Don't use these anymore!
- TLS v1.0, v1.1 and v1.2 are still considered to be secure and should be used. Higher versions are better.
- Encrypts communication between, for example, a client and a server. Can also verify that the server really is the one it claims to be.
- Can use different ciphers (encryption algorithms).
- Client and server negotiate ciphers and keys at the start of the session using the TLS handshake protocol.
- Used with many protocols, not just HTTP.
- Must have for web services. Encrypt all things!
- Demo with Wireshark!
- Different kinds of certificates: single domain, multiple domains, wildcard, extended validation (EV). Compare on Namecheap. Different prices of course.
- Browsers show a green lock for valid certificates. Use SSLLabs to analyze the certificate.
- Can also test with openssl s_client:
  openssl s_client -connect domain.com:443
- The traditional way to buy and implement an SSL cert is to first generate a private key and a certificate signing request (CSR):
  openssl genrsa -out example.com.key 4096
  openssl req -new -key example.com.key -out example.com.csr
- The CSR is then used to buy the certificate. The Certificate Authority (CA) verifies the information provided and, if approved, sends a certificate to the buyer. The certificate is used together with the intermediate certificates and the root certificate (the certificate chain).
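Added example (not part of the original notes): a small POSIX shell wrapper around the two openssl commands above that generates the key and CSR non-interactively, keeps the private key file readable only by its owner, and checks the CSR before it is sent to the CA. example.com and the -subj fields are placeholders.

```shell
#!/bin/sh
# Added example: key + CSR generation with the openssl CLI, plus two checks
# that are worth running before the CSR leaves the machine.
set -e

# make_key_and_csr DOMAIN OUTDIR
# Creates OUTDIR/DOMAIN.key (mode 0600) and OUTDIR/DOMAIN.csr.
make_key_and_csr() {
    domain="$1"
    outdir="$2"
    key="$outdir/$domain.key"
    csr="$outdir/$domain.csr"
    mkdir -p "$outdir"
    # umask 077 in a subshell: the private key is never world-readable,
    # not even for the instant between creation and a later chmod.
    ( umask 077 && openssl genrsa -out "$key" 4096 2>/dev/null )
    # -subj answers the interactive prompts; the CN must be the domain the
    # certificate is for. Only the CSR (public data) is sent to the CA.
    # The subject fields below are placeholder values.
    openssl req -new -key "$key" -out "$csr" \
        -subj "/C=XX/ST=Example/L=Example/O=Example Org/CN=$domain"
}

# csr_cn FILE: print the Common Name in the CSR (what the CA will certify).
# Handles both the "CN = x" and the "/CN=x" subject formats of openssl.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# csr_is_valid FILE: exit 0 if the CSR's self-signature verifies, i.e. the
# CSR really was signed with the private key and was not altered in transit.
csr_is_valid() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}
```

Usage: `make_key_and_csr example.com ./certs` then `csr_cn ./certs/example.com.csr` and `csr_is_valid ./certs/example.com.csr`; the .csr file is what you upload to the CA, the .key file stays on the server.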
- A new Certificate Authority (CA) that provides easy ways to obtain free TLS/SSL certificates.
- Follow tutorial on DigitalOcean