
notes:tls

SSL Labs

https://testssl.sh

SSLyze

Certificate order

leaf (end-entity) certificate first, then the intermediate CA certificates, each one directly certifying the certificate before it; the root CA certificate may be omitted because the client must already hold it to trust the chain. See “certificate_list” in section 7.4.2 of RFC 5246 (linked below). TLS 1.3 (RFC 8446 section 4.4.2) keeps leaf-first as a MUST and the rest of the order as a SHOULD, while asking clients to tolerate extraneous or out-of-order intermediates; an out-of-order chain is still a misconfiguration to fix, not something to rely on being forgiven.
RFC 5246 7.4.2 Server Certificate

RFC 5280 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile

use the Mozilla SSL Configuration Generator to produce a strong TLS configuration for the server software and client-compatibility level in use: https://ssl-config.mozilla.org/

ECC

  • Use the NIST curves P-256 or P-384 (the Suite B curves; SP 800-52r2 names the same two for server certificates)
  • Guidance for Choosing an Elliptic Curve Signature Algorithm in 2022 (Soatok)

https://soatok.blog/2022/05/19/guidance-for-choosing-an-elliptic-curve-signature-algorithm-in-2022/

https://support.globalsign.com/ssl/ssl-certificates-life-cycle/ecc

Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations (NIST SP 800-52 Rev. 2)

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf

SP 800-52r2 on server certificates: “If the server is configured with an ECDSA signature certificate, either curve P-256 or curve P-384 should be used for the public key in the certificate”

ECDSA curves and key lengths: NIST SP 800-186, Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters, page 6 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf

Certificate management

https://www.nccoe.nist.gov/tls-server-certificate-management

NIST SP 800-131A Rev. 2

Transitioning the Use of Cryptographic Algorithms and Key Lengths

https://csrc.nist.gov/pubs/sp/800/131/a/r2/final

Recommendation for Key Management:
Part 2 - Best Practices for Key Management Organizations
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt2r1.pdf

CA/Browser Forum documents (Baseline Requirements for publicly trusted certificates) https://cabforum.org/documents/

RFC 9325
Recommendations for Secure Use of Transport Layer
Security (TLS) and Datagram Transport Layer Security (DTLS)

RFC 8446 - The Transport Layer Security (TLS) Protocol Version 1.3

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf Table 2, acceptable key lengths for digital signature generation:

  • ECDSA: len(n) >= 224 bits (this is the key/order length, roughly 112 bits of security strength, not 224)
  • EdDSA: len(n) = 255 or 448 bits (Ed25519, Ed448)
  • RSA: len(n) >= 2048 bits

NIST Special Publication 800-56A
Revision 3
Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf

Cipher Suites

notes/tls.txt · Last modified: by david