Last update: March 2016
Language: English (94 pages)
Formats: PDF, EPUB, Kindle, Online
features and commands, by Ivan Ristić
- Provides OpenSSL documentation that covers installation, configuration,
and key and certificate management - Includes SSL/TLS Deployment Best Practices, a design and deployment guide
- Written by the author of SSL Labs and the SSL/TLS configuration assessment tool
- Available in a variety of digital formats (PDF, EPUB, Mobi/Kindle); no DRM
OpenSSL Cookbook
is a free ebook built around two OpenSSL chapters from Bulletproof SSL and TLS,
a larger work that teaches how to deploy secure servers and web applications.
PrefaceChapter 1. OpenSSLGetting Started Determine OpenSSL Version and Configuration Building OpenSSL Examine Available Commands Building a Trust Store Key and Certificate Management Key Generation Creating Certificate Signing Requests Creating CSRs from Existing Certificates Unattended CSR Generation Signing Your Own Certificates Creating Certificates Valid for Multiple Hostnames Examining Certificates Key and Certificate Conversion Configuration Cipher suite selection Performance Creating a Private Certification Authority Features and Limitations Creating a Root CA Creating a Subordinate CAChapter 2. Testing with OpenSSLConnecting to SSL Services Testing Protocols that Upgrade to SSL Using Different Handshake Formats Extracting Remote Certificates Testing Protocol Support Testing Cipher Suite Support Testing Servers that Require SNI Testing Session Reuse Checking OCSP Revocation Testing Renegotiation Testing for the BEAST Vulnerability Testing for HeartbleedAppendix A: SSL/TLS Deployment Best PracticesIntroduction 1. Private Key and Certificate 1.1. Use 2048-bit Private Keys 1.2. Protect Private Keys 1.3. Ensure Sufficient Hostname Coverage 1.4. Obtain Certificates from a Reliable CA 1.5. Use Strong Certificate Signature Algorithms 2. Configuration 2.1. Deploy with Valid Certificate Chains 2.2. Use Secure Protocols 2.3. Use Secure Cipher Suites 2.4. Control Cipher Suite Selection 2.5. Support Forward Secrecy 2.6. Disable Client-Initiated Renegotiation 2.7. Mitigate Known Problems 3. Performance 3.1. Do Not Use Too Much Security 3.2. Ensure That Session Resumption Works Correctly 3.3. Use Persistent Connections (HTTP) 3.4. Enable Caching of Public Resources (HTTP) 3.5. Use OCSP Stapling 4. Application Design (HTTP) 4.1. Encrypt 100% of Your Web Site 4.2. Avoid Mixed Content 4.3. Understand and Acknowledge Third-Party Trust 4.4. Secure Cookies 4.5. Deploy HTTP Strict Transport Security 4.6. Disable Caching of Sensitive Content 4.7. Ensure That There Are No Other Vulnerabilities 5. Validation 6. Advanced Topics
About the Author
 
|
Ivan Ristić is a security researcher, engineer, and author, known especially for his contributions to the web application firewall field and development of ModSecurity, an open source web application firewall, and for his SSL/TLS and PKI research, tools and guides published on the SSL Labs web site. He is the author of two books, Apache Security and ModSecurity Handbook, which he publishes via Feisty Duck, his own platform for continuous writing and publishing. Ivan is an active participant in the security community and you'll often find him speaking at security conferences such as Black Hat, RSA, OWASP AppSec, and others. He's currently Director of Application Security Research at Qualys. |
Ivan's SSL Work
Below are links to some of Ivan's SSL work:
Available now: The Best TLS Training in The World
If you're developer or a system administrator I'll teach you everything you need to know for your day-to-day work. The next training will be held in London on December 14th. Join me for a day full of fun practical work!