TLS (Transport Layer Security) is a cryptographic protocol that provides secure communications over computer networks; it is the successor to SSL (Secure Sockets Layer).

What is TLS/SSL?

TLS is a protocol that operates at the transport layer of the OSI model, providing encryption, authentication, and integrity for network communications.

History and Versions

SSL (Secure Sockets Layer)

  • SSL 1.0: Never published (vulnerabilities)
  • SSL 2.0: 1995, obsolete
  • SSL 3.0: 1996, obsolete (POODLE)

TLS (Transport Layer Security)

  • TLS 1.0: 1999, obsolete
  • TLS 1.1: 2006, obsolete
  • TLS 1.2: 2008, widely used ✅
  • TLS 1.3: 2018, most recent ✅ Recommended

Main Characteristics

Security

  • Encryption: Data encrypted in transit
  • Authentication: Verify server identity
  • Integrity: Detect modifications
  • Non-repudiation: Communication proof

Performance

  • Handshake: Connection establishment
  • Symmetric encryption: Data encrypted efficiently
  • Compression: Optional compression
  • Session resumption: Session reuse

Protocol Architecture

TLS Layers

Application Data
├── TLS Record Protocol
│   ├── Handshake Protocol
│   ├── Change Cipher Spec Protocol
│   ├── Alert Protocol
│   └── Application Data Protocol
└── TCP/IP

TLS 1.2 Handshake

  1. Client Hello: Client initiates connection
  2. Server Hello: Server responds
  3. Certificate: Server sends certificate
  4. Server Key Exchange: Key exchange
  5. Server Hello Done: Server finishes
  6. Client Key Exchange: Client sends key
  7. Change Cipher Spec: Change to encryption
  8. Finished: Mutual verification

TLS 1.3 Handshake (Simplified)

  1. Client Hello: Client initiates with keys
  2. Server Hello: Server responds with keys
  3. Certificate: Server sends certificate
  4. Finished: Mutual verification
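To make the record and handshake layering above concrete, here is an added Python example (not code from the original page) that assembles a constructed ClientHello inside a TLS record, parses it back field by field, and reports whether the client offers any of the obsolete versions listed earlier or TLS compression. The byte layout follows the standard record and ClientHello structures; the sample bytes and the all-zero client random are constructed for the example, not captured from any real host.

```python
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
LEGACY_VERSIONS = {0x0300, 0x0301, 0x0302}      # the versions the page marks obsolete
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0, 43


def build_client_hello(legacy_version=0x0303, cipher_suites=(0xC02B, 0xC02F),
                       compression=(0x00,), sni=b"example.com",
                       supported_versions=(0x0304, 0x0303)):
    """Assemble a ClientHello inside a TLS record. Constructed sample input only:
    the random is all zeros and nothing here comes from a real capture."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"   # version, random, empty session id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += bytes([len(compression)]) + bytes(compression)
    entry = b"\x00" + struct.pack("!H", len(sni)) + sni                # host_name entry
    sni_list = struct.pack("!H", len(entry)) + entry
    ext_sni = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    sv = b"".join(struct.pack("!H", v) for v in supported_versions)
    sv_body = bytes([len(sv)]) + sv
    ext_sv = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv_body)) + sv_body
    exts = ext_sni + ext_sv
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake   # ContentType handshake


def parse_client_hello(record):
    """Walk the record header, the handshake header and the ClientHello body."""
    if len(record) < 5:
        raise ValueError("short record")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    legacy_version = struct.unpack_from("!H", body, pos)[0]; pos += 2
    pos += 32                                   # client random
    pos += 1 + body[pos]                        # legacy session id
    cs_len = struct.unpack_from("!H", body, pos)[0]; pos += 2
    suites = [struct.unpack_from("!H", body, i)[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]; pos += 1
    compression = list(body[pos:pos + comp_len]); pos += comp_len
    info = {"record_version": rec_ver, "legacy_version": legacy_version,
            "cipher_suites": suites, "compression": compression,
            "sni": None, "supported_versions": []}
    if pos + 2 <= len(body):                    # extensions block is optional
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]; pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype == EXT_SERVER_NAME:
                name_len = struct.unpack_from("!H", data, 3)[0]     # skip list length (2) + name type (1)
                info["sni"] = data[5:5 + name_len].decode("ascii")
            elif etype == EXT_SUPPORTED_VERSIONS:
                info["supported_versions"] = [struct.unpack_from("!H", data, i)[0]
                                              for i in range(1, 1 + data[0], 2)]
    return info


def audit_client_hello(info):
    """Findings a defender cares about: obsolete versions offered, TLS compression offered.
    Without supported_versions (pre-1.3 clients) legacy_version is the highest version offered."""
    offered = set(info["supported_versions"]) or {info["legacy_version"]}
    findings = [f"offers {TLS_VERSIONS.get(v, hex(v))}"
                for v in sorted(offered) if v in LEGACY_VERSIONS]
    if any(method != 0 for method in info["compression"]):
        findings.append("offers TLS compression (CRIME)")
    return findings


if __name__ == "__main__":
    modern = parse_client_hello(build_client_hello())
    print(modern["sni"], [TLS_VERSIONS[v] for v in modern["supported_versions"]], audit_client_hello(modern))
    old = parse_client_hello(build_client_hello(legacy_version=0x0301, compression=(1, 0), supported_versions=()))
    print(audit_client_hello(old))
```

The same parser can be pointed at the first record read from a listening socket to see which versions and extensions real clients send; the audit function is where a monitoring rule for obsolete protocol offers would live.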

Cryptographic Algorithms

Symmetric Encryption

  • AES: Advanced Encryption Standard
  • ChaCha20: Stream cipher
  • Camellia: AES alternative
  • 3DES: Triple DES (obsolete)

Asymmetric Encryption

  • RSA: Rivest-Shamir-Adleman
  • ECDHE: Elliptic Curve Diffie-Hellman Ephemeral
  • DHE: Diffie-Hellman Ephemeral
  • ECDSA: Elliptic Curve Digital Signature

Hash Functions

  • SHA-256: Secure Hash Algorithm
  • SHA-384: SHA with 384 bits
  • SHA-512: SHA with 512 bits
  • MD5: Obsolete, not secure

Encryption Modes

  • CBC: Cipher Block Chaining
  • GCM: Galois/Counter Mode ✅ Recommended
  • CCM: Counter with CBC-MAC
  • Poly1305: Authentication with ChaCha20

Server Configuration

Apache

# TLS configuration in Apache
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html
    
    SSLEngine on
    SSLCertificateFile /path/to/certificate.crt
    SSLCertificateKeyFile /path/to/private.key
    # Deprecated since Apache 2.4.8: the intermediate chain can instead be appended to SSLCertificateFile
    SSLCertificateChainFile /path/to/chain.crt
    
    # Security configuration
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder on
    SSLSessionTickets off
</VirtualHost>

Nginx

# TLS configuration in Nginx
server {
    listen 443 ssl http2;
    server_name example.com;
    
    # The file given to ssl_certificate must contain the server certificate followed by the intermediate chain;
    # ssl_trusted_certificate is only used to verify OCSP stapling responses (and client certificates), not sent to clients
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;
    ssl_trusted_certificate /path/to/chain.crt;
    
    # Security configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_tickets off;
    
    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
}

OpenSSL

# Generate self-signed certificate
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

# Verify certificate
openssl x509 -in cert.pem -text -noout

# Test TLS connection
openssl s_client -connect example.com:443 -servername example.com

Digital Certificates

Certificate Types

  • DV (Domain Validated): Domain validation
  • OV (Organization Validated): Organization validation
  • EV (Extended Validation): Extended validation
  • Wildcard: For subdomains
  • Multi-Domain: Multiple domains

Certificate Authorities

  • Let’s Encrypt: Free, automated
  • DigiCert: Commercial, wide acceptance
  • Sectigo: Commercial, multiple options
  • GlobalSign: Commercial, international

Automatic Renewal

# Certbot for Let's Encrypt
certbot --apache -d example.com

# Automatic renewal
certbot renew --dry-run

# Configure cron for renewal
0 12 * * * /usr/bin/certbot renew --quiet

Security and Best Practices

Secure Configuration

  • Protocols: Use only TLS 1.2 and 1.3
  • Ciphers: Prefer strong ciphers
  • Perfect Forward Secrecy: Use DHE/ECDHE
  • HSTS: HTTP Strict Transport Security
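The Apache and Nginx snippets show these recommendations in server configuration; the same choices apply to clients. As an added Python example (not from the original page), the block below builds an `ssl.SSLContext` that follows the list above (TLS 1.2 and 1.3 only, ECDHE key exchange with AEAD suites, compression off, certificate and hostname verification required), a deliberately weak context for comparison, and an audit function that reports which of the recommendations a given context violates. The audit classifies suites by their OpenSSL names, which is an assumption that holds for the standard name format; `cafile` is a placeholder path.

```python
import ssl

AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")      # AEAD modes, as recommended under Encryption Modes


def hardened_client_context(cafile=None):
    """Client context following the Secure Configuration list: TLS 1.2/1.3 only,
    ECDHE + AEAD suites, no compression, certificate and hostname checks on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # TLS 1.2 suite selection; the TLS 1.3 suites are fixed by the library and all use ECDHE + AEAD
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    ctx.options |= ssl.OP_NO_COMPRESSION        # CRIME-style attacks need compression
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:                                  # placeholder: path to the CA bundle you trust
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx


def weak_client_context():
    """Deliberately weak context for comparison: no verification, every suite OpenSSL knows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("ALL")
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        pass                                    # builds without TLS 1.0 refuse this; other weaknesses remain
    return ctx


def audit_context(ctx):
    """Return the recommendations above that the context does not meet (empty list = compliant)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows protocol versions below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require a valid certificate")
    if not ctx.check_hostname:
        findings.append("does not verify hostname")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if name.startswith("TLS_"):             # TLS 1.3 suite: ephemeral key exchange and AEAD by design
            continue
        if "ECDHE" not in name and "DHE" not in name:
            findings.append(f"{name}: no forward secrecy")
        if not any(marker in name for marker in AEAD_MARKERS):
            findings.append(f"{name}: not an AEAD suite")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))
    for finding in audit_context(weak_client_context())[:8]:
        print("weak:", finding)
```

Pass the hardened context to `urllib.request.urlopen(..., context=ctx)` or `ctx.wrap_socket(sock, server_hostname=host)`; the audit function is useful as a unit test so that a later edit cannot quietly re-enable an obsolete version or a non-AEAD suite.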

Monitoring

  • Expiration: Monitor certificates
  • Renewal: Automate renewal
  • Vulnerabilities: Scan vulnerabilities
  • Compliance: Verify compliance

Analysis Tools

  • SSL Labs: Configuration analysis
  • Mozilla SSL Config: Recommended configurations
  • OWASP: Security guides
  • NIST: Security standards

Applications

Web Security

  • HTTPS: Secure websites
  • E-commerce: Secure transactions
  • Banking: Online banking
  • Government: Government services

Email Security

  • SMTPS: SMTP over TLS
  • IMAPS: IMAP over TLS
  • POP3S: POP3 over TLS
  • S/MIME: Secure email

VPN and Tunnel

  • OpenVPN: Open source VPN
  • IPsec: Network-level security
  • WireGuard: Modern VPN
  • Tunneling: Secure tunnels

API Security

  • REST APIs: Secure REST APIs
  • GraphQL: GraphQL over TLS
  • WebSockets: Secure WebSockets
  • gRPC: gRPC over TLS

Common Vulnerabilities

Known Attacks

  • POODLE: Padding Oracle On Downgraded Legacy Encryption
  • BEAST: Browser Exploit Against SSL/TLS
  • CRIME: Compression Ratio Info-leak Made Easy
  • BREACH: Browser Reconnaissance and Exfiltration via Adaptive Compression

Protections

  • Update: Keep versions updated
  • Configuration: Secure configuration
  • Monitoring: Continuous monitoring
  • Testing: Penetration testing

Testing Tools

Configuration Analysis

# SSL Labs API
curl -s "https://api.ssllabs.com/api/v3/analyze?host=example.com"

# TestSSL.sh
./testssl.sh example.com

# Nmap SSL scripts
nmap --script ssl-enum-ciphers -p 443 example.com

Certificate Verification

# Verify certificate chain
openssl s_client -connect example.com:443 -showcerts

# Verify expiration date
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

# Verify signature
openssl verify -CAfile ca-bundle.crt certificate.crt
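The `openssl x509 -dates` check above is what a Monitoring job (see Security and Best Practices) runs by hand; as an added Python example (not from the original page), the block below does the same checks on the dictionary that `ssl.SSLSocket.getpeercert()` returns: days until expiry against a warning threshold, the validity window, and whether a DNS SAN matches the requested host (exact match, or a wildcard covering one leftmost label). `SAMPLE_CERT` is a constructed dictionary in that shape, not a real certificate, so the checks run offline; `fetch_peer_cert` is the live retrieval path for real hosts.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Constructed Test CA"),),),
    "notBefore": "Jan 12 00:00:00 2025 GMT",
    "notAfter": "Mar 12 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def _cert_time(value):
    """Convert the 'Mon DD HH:MM:SS YYYY GMT' strings getpeercert() uses to an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), timezone.utc)


def days_until_expiry(cert, now=None):
    now = now or datetime.now(timezone.utc)
    return (_cert_time(cert["notAfter"]) - now).total_seconds() / 86400


def hostname_matches(cert, hostname):
    """Match DNS SANs only; a wildcard covers exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                                   # ".example.com"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False


def check_certificate(cert, hostname, now=None, warn_days=30):
    """Findings for a monitoring job: validity window, approaching expiry, hostname mismatch."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if now < _cert_time(cert["notBefore"]):
        findings.append("not yet valid")
    days = days_until_expiry(cert, now)
    if days < 0:
        findings.append("expired")
    elif days < warn_days:
        findings.append(f"expires in {int(days)} days")
    if not hostname_matches(cert, hostname):
        findings.append(f"no DNS SAN matches {hostname}")
    return findings


def fetch_peer_cert(host, port=443, timeout=5):
    """Live retrieval with full verification. getpeercert() is only populated when verification
    is on, and an invalid chain raises ssl.SSLCertVerificationError before we get here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    probe_time = datetime(2025, 2, 20, 12, 0, tzinfo=timezone.utc)     # constructed "now"
    print(check_certificate(SAMPLE_CERT, "www.example.com", now=probe_time))
```

For a real host, `check_certificate(fetch_peer_cert("example.com"), "example.com")` gives the same list; an empty list is the healthy case, and anything else is what the cron job should alert on.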
