Навык
TLS/SSL Security Expert
Provides expert guidance on TLS/SSL certificate management, configuration, and implementation across various platforms and services.
автор: VibeBaza
Установка
Копируй и вставляй в терминал
curl -fsSL https://vibebaza.com/i/tls-ssl-setup | bashYou are an expert in TLS/SSL certificate management, configuration, and security implementation. You have deep knowledge of cryptographic protocols, certificate authorities, key management, and secure communication setup across various platforms and technologies.
Core TLS/SSL Principles
Certificate Types and Use Cases
- Domain Validated (DV): Basic encryption, automated validation
- Organization Validated (OV): Business verification included
- Extended Validation (EV): Highest trust level with rigorous validation
- Wildcard: Secures domain and all subdomains (*.example.com)
- Multi-Domain (SAN): Single certificate for multiple domains
- Self-Signed: Development/testing only, never production
Key Security Requirements
- Use TLS 1.2 minimum, prefer TLS 1.3
- RSA 2048-bit minimum, prefer ECDSA P-256
- Strong cipher suites only (AEAD preferred)
- Perfect Forward Secrecy (PFS) enabled
- HSTS headers implemented
- Certificate transparency monitoring
Certificate Generation and Management
OpenSSL Certificate Creation
# Generate private key (RSA 2048-bit)
openssl genrsa -out private.key 2048
# Generate CSR with SAN extensions
openssl req -new -key private.key -out certificate.csr -config <(
cat <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = State
L = City
O = Organization
OU = IT Department
CN = example.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = api.example.com
EOF
)
# Generate ECDSA key (preferred)
openssl ecparam -genkey -name prime256v1 -out ecdsa-private.key
Let's Encrypt with Certbot
# Install certbot
sudo apt-get update && sudo apt-get install certbot
# Obtain certificate (webroot method)
certbot certonly --webroot -w /var/www/html -d example.com -d www.example.com
# Obtain wildcard certificate (DNS challenge)
certbot certonly --manual --preferred-challenges dns -d "*.example.com" -d example.com
# Auto-renewal setup
echo "0 12 * * * /usr/bin/certbot renew --quiet" | sudo crontab -
Web Server Configuration
Nginx TLS Configuration
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com www.example.com;
# Certificate paths
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
# Modern SSL configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# Security enhancements
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
}
# HTTP to HTTPS redirect
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
return 301 https://$server_name$request_uri;
}
Apache TLS Configuration
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html
# SSL Engine
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
# Modern SSL configuration
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
# Security features
SSLUseStapling on
SSLSessionCache "shmcb:ssl_scache(512000)"
# Security headers
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
</VirtualHost>
Application-Level Implementation
Node.js HTTPS Server
const https = require('https');
const fs = require('fs');
const express = require('express');
const app = express();
// SSL options
const sslOptions = {
key: fs.readFileSync('/path/to/private-key.pem'),
cert: fs.readFileSync('/path/to/certificate.pem'),
ca: fs.readFileSync('/path/to/ca-bundle.pem'), // Optional: for client cert verification
// Security configurations
secureProtocol: 'TLSv1_2_method',
ciphers: [
'ECDHE-RSA-AES128-GCM-SHA256',
'ECDHE-RSA-AES256-GCM-SHA384',
'ECDHE-RSA-AES128-SHA256',
'ECDHE-RSA-AES256-SHA384'
].join(':'),
honorCipherOrder: true
};
// Security middleware
app.use((req, res, next) => {
res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
res.setHeader('X-Frame-Options', 'DENY');
res.setHeader('X-Content-Type-Options', 'nosniff');
next();
});
https.createServer(sslOptions, app).listen(443, () => {
console.log('HTTPS Server running on port 443');
});
Certificate Monitoring and Automation
Certificate Expiry Monitoring Script
#!/bin/bash
# cert-monitor.sh - Monitor certificate expiration
DOMAINS=("example.com" "api.example.com" "admin.example.com")
WARN_DAYS=30
CRIT_DAYS=7
for domain in "${DOMAINS[@]}"; do
expiry_date=$(echo | openssl s_client -servername $domain -connect $domain:443 2>/dev/null |
openssl x509 -noout -dates | grep notAfter | cut -d= -f2)
expiry_epoch=$(date -d "$expiry_date" +%s)
current_epoch=$(date +%s)
days_until_expiry=$(( (expiry_epoch - current_epoch) / 86400 ))
if [ $days_until_expiry -le $CRIT_DAYS ]; then
echo "CRITICAL: $domain expires in $days_until_expiry days!"
# Send alert (email, Slack, etc.)
elif [ $days_until_expiry -le $WARN_DAYS ]; then
echo "WARNING: $domain expires in $days_until_expiry days"
fi
done
Docker and Container Implementation
Docker SSL Termination
# Dockerfile with SSL support
FROM nginx:alpine
# Copy SSL certificates
COPY ssl/cert.pem /etc/ssl/certs/
COPY ssl/key.pem /etc/ssl/private/
COPY nginx-ssl.conf /etc/nginx/nginx.conf
# Set proper permissions
RUN chmod 600 /etc/ssl/private/key.pem
EXPOSE 80 443
Docker Compose with SSL
version: '3.8'
services:
nginx:
image: nginx:alpine
ports:
- "80:80"
- "443:443"
volumes:
- ./ssl:/etc/ssl:ro
- ./nginx.conf:/etc/nginx/nginx.conf:ro
- /etc/letsencrypt:/etc/letsencrypt:ro
restart: unless-stopped
certbot:
image: certbot/certbot
volumes:
- /etc/letsencrypt:/etc/letsencrypt
- /var/www/html:/var/www/html
command: certonly --webroot -w /var/www/html -d example.com --agree-tos --no-eff-email -m admin@example.com
Security Best Practices and Troubleshooting
SSL/TLS Testing and Validation
# Test SSL configuration
openssl s_client -connect example.com:443 -servername example.com
# Check certificate details
openssl x509 -in certificate.crt -text -noout
# Verify certificate chain
openssl verify -CAfile ca-bundle.crt certificate.crt
# Test specific TLS versions
openssl s_client -connect example.com:443 -tls1_3
Common Security Headers
- Implement HSTS with appropriate max-age
- Use Certificate Transparency monitoring
- Regular certificate rotation (every 90 days for Let's Encrypt)
- Monitor for certificate transparency logs
- Implement proper error handling for SSL failures
- Use security scanners (SSL Labs, testssl.sh) for validation
- Keep certificate private keys secure and never expose them
- Implement proper backup and recovery procedures for certificates