Learn SSL

SSL is one of those weird niche subjects that no one learns until they run into a problem. It's confusing because there's a lot of moving parts, file formats, and terminology. For example, SSL (Secure Socket Layer) is also called TLS (Transport Layer Security). In this blog post the I'll probably switch between the acronyms unconsciously as I write. In addition, a lot of the tools used to work with SSL suck. I've been debugging basic SSL issues for a while at work now, and I've learned quite a bit about it (definitely not close to everything).

So here's a link dump. I would recommend reading the "General Working Knowledge" links and skimming the others for something that looks interesting.

General Working Knowledge

Note that some of these articles cover the same material.

Start with Dissecting an SSL certificate for a quick (like two page) summary about how how certificates work.

Next, dive in with Everything you should know about certificates and PKI but are too afraid to ask.

Transport Layer Security (TLS) is part of O'Reilly's High Performance Browser Networking free online book and contains a really great list of topics about SSL, including Server Name Indication (SNI) and Optimizing for TLS

Automated Certificate Management Environment (ACME) Explained explains how to prove you own a domain to most (all?) public Certificate Authorities so they will issue you a certificate.

More Specialized Knowledge

The Illustrated TLS Connection is a super interesting breakdown of the byte-level communications between a client and a server. I haven't needed to use WireShark for analyzing TLS connections, but if I do, I'm headed here first.

Ulfheim's Certificate Analysis is a companion site that breaks down a certificate at the byte level.

TLS, byte by byte livestreams a TLS connection with explanations.

SSL/TLS and PKI History is a timeline of TLS innovations and attacks. It really helps explain some of the quirks in the protocol. This is so enlightening I might put it in the "General Working Knowledge" section. I highly recommend.

A Readable Specification of TLS 1.3 is exactly what it says on the tin - explains all details of RFC 8446 in a more readable way. This could be useful to write a TLS implementation but is probably too much information for most of your needs.

Security

RedHat explains some options to protect against SSL's vulnerability to rogue CAs.

Certificate Search is a portal to search public Certificate Transparency logs.

Certificate Transparency: The Gift That Keeps Giving demonstrates how hackers can incorporate public Certificate Transparency logs into their attacks.

Caveats and pitfalls of cookie domains is not directly related to TLS, but covers how cookies (potentially login cookies) interact with domains. Check your how your site configures cookies before setting up domains and issuing TLS certificates for them.

Tools to work with SSL

Azure Key Vault - Azure's solution for storing TLS certificates. It's nice, but has some rough edges I should probably blog about in more detail.

certigo shows information about a certificate, from a file or by connecting to a server. Like my easyssl.py script below but not a total hack :)

smallstep/cli is a toolkit for working PKI - it actually works with several crytographical technologies, such as JWTS, OAuth, and SSH certificates. See here to set up a CA on a Raspberry Pi and a YubiKey with smallstep's tools.

Certificate Authorities

LetsEncrypt is a nonprofit and opensource Certificate Authority that provides FREE SSL certificates.

CFSSL is CloudFlare's tool for their internal PKI infrastructure - bundling certs and acting as a certificate authority.

smallstep/certificates is a private certificate authority.

Local Certificate Authorities

Useful for developing with HTTPS locally.

OpenSSL

The Most Common OpenSSL Commands also contains useful OpenSSL commands.

Using the OpenSSL toolkit with Bash contains useful OpensSSL commands.

LetsEncrypt also has an OpenSSL oneliner to create a self-signed cert that also includes SANs at their docs

easyssl.py is a small script I wrote to generate longer OpensSSL (actually LibreSSL cause I'm on MacOS) commands I need most. For example, getting the list of SANs. It prints out the generated command before running it for easy sharing.

Creating an OpenSSL CSR is a blog post I just wrote explaining how to create a CSR to request a certicate from a Certificate Authority. This method has been tested with DigiCert.

Miscellaneous

Google Chrome's docs on Certificate Transparency

Libraries to work with SSL

Citing note: I'm copying most of these descriptions from the preceding links :)

  • Multi-language: certifi - A carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. google/tink appears to offer crypto primittives, but I haven't tried it.
  • Python: cryptography - cryptography includes both high level recipes and low level interfaces to common cryptographic algorithms such as symmetric ciphers, message digests, and key derivation functions.
  • Go: crypto/tls - Go's standard library actually has some really good functionality for TLS
  • Java: bouncycastle - I haven't personally used this one, but a colleague found it and it seems to work for them.
  • Rust: ctz/rustls - One of these days I'll learn Rust, and when I do, I'll use rustls for the TLS.