SSL/TLS protocol

If we want a communication to be secure in its transmission (no stranger can listen to what we send), we often use SSL (Secure Sockets Layer) or TLS (Transport Layer Security). For example, this is how we protect HTTP traffic by using HTTPS (HTTP Secure). SSL/TLS uses encryption, and since many ciphers today are considered weak (breakable), simply turning on encryption may not adequately secure traffic. In this article we'll look at a bit of theory, divide ciphers into strong and weak, mention common vulnerabilities, and list various options for testing the ciphers used and the security of the SSL protocol in general.

In the last article we looked at how to detect that our web/application server is not configured correctly (is vulnerable) in terms of SSL/TLS. Today we'll look at configuring extended servers to make the SSL/TLS protocol relatively secure. We'll look at Apache HTTP Server, Apache Tomcat, Microsoft Windows and IIS (Internet Information Services), and native Java (JSSE). We'll describe how to disable weak ciphers and protect against some vulnerabilities.

It's been a year since (let's say) the official end of support for the SHA-1 hashing algorithm in certificates. The recommendation is to switch to SHA-2 as soon as possible. If we use Microsoft Certification Authority internally, it is also a good idea to make this change. Fortunately, it's (in most cases) nothing complicated and it's just a few changes to the existing certification infrastructure. There is a lot written about this area on the Internet, but I did not find any summary article, so I bring it here.

A summary of the basics of encryption. Terms, types of cryptographic algorithms (cipher), what algorithms to use, how secure encrypted data is.