notes:tls (revision 2024/04/09 21:33, david)

[[https://nabla-c0d3.github.io/sslyze/documentation/| SSLyze]]

=== Certificate order ===
Leaf (end-entity) certificate first, followed by the intermediates and then the root, see "certificate_list" in section 7.4.2 of RFC 5246: the sender's certificate MUST come first and each following certificate MUST directly certify the one before it; the root CA MAY be omitted, since the peer has to hold it already to validate the chain. TLS 1.3 (RFC 8446, section 4.4.2) still requires the end-entity certificate first but only recommends that the rest be in order and tells clients to tolerate extra or unordered certificates, so a misordered chain can work against one client and fail against another.\\
[[https://www.rfc-editor.org/rfc/rfc5246|RFC 5246]]
[[https://www.rfc-editor.org/rfc/rfc5246#section-7.4.2 |  7.4.2 Server Certificate ]]

[[https://www.rfc-editor.org/rfc/rfc5280| RFC 5280 ]] Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile

use the Mozilla SSL Config generator to generate a strong TLS configuration
https://ssl-config.mozilla.org/

=== ECC ===
  * Use the NIST P-256 or P-384 curves (the Suite B curves)
  * Guidance for Choosing an Elliptic Curve Signature Algorithm in 2022

https://soatok.blog/2022/05/19/guidance-for-choosing-an-elliptic-curve-signature-algorithm-in-2022/

https://support.globalsign.com/ssl/ssl-certificates-life-cycle/ecc

NIST SP 800-52 Rev. 2, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf

"If the server is configured with an ECDSA signature certificate, either curve P-256 or curve P-384 should be used for the public key in the certificate" (SP 800-52 Rev. 2, section 3.1)

ECDSA curves and key lengths: NIST SP 800-186, Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters, page 6
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf

==== Certificate management ====

NCCoE, TLS Server Certificate Management
https://www.nccoe.nist.gov/tls-server-certificate-management

NIST SP 800-131A Rev. 2, Transitioning the Use of Cryptographic Algorithms and Key Lengths
https://csrc.nist.gov/pubs/sp/800/131/a/r2/final

NIST SP 800-57 Part 2 Rev. 1, Recommendation for Key Management: \\
Part 2 - Best Practices for Key Management Organizations \\
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt2r1.pdf

CA/Browser Forum (CAB Forum) documents
https://cabforum.org/documents/

RFC 9325\\
Recommendations for Secure Use of Transport Layer\\
Security (TLS) and Datagram Transport Layer Security (DTLS)

RFC 8446 - The Transport Layer Security (TLS) Protocol Version 1.3

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
Table 2, acceptable key lengths for digital signature generation; each gives at least 112 bits of security strength (a 224-bit ECDSA key is about 112 bits of strength, not 224):
  * RSA: modulus >= 2048 bits
  * ECDSA: curve order n >= 224 bits (P-256 and P-384 qualify)
  * EdDSA: Ed25519 or Ed448 (n of 255 or 448 bits)
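As an added example (not part of these notes), the following POSIX shell script builds a throwaway ECDSA P-256 chain with openssl and then checks two of the points above on it: the certificate_list order from the "Certificate order" section (RFC 5246 section 7.4.2) and the SP 800-131A Rev. 2 Table 2 key minimums. It assumes openssl 1.1.1 or later on PATH; the names ("Example Root", "Example Intermediate", example.test, weak.test) and file names are invented for the example.

```shell
#!/bin/sh
# Added example for these notes, not the page's own material. Builds a throwaway
# ECDSA P-256 PKI with openssl (all names such as "Example Root" and example.test
# are invented) and then checks two things the notes call for:
#   chain_order_ok  - a PEM bundle is ordered leaf -> intermediate -> root,
#                     the certificate_list order of RFC 5246 section 7.4.2
#   key_acceptable  - each public key meets SP 800-131A Rev. 2 Table 2:
#                     RSA modulus >= 2048 bits, ECDSA curve order >= 224 bits
# Assumes openssl 1.1.1 or later on PATH.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# ---- constructed test PKI ---------------------------------------------------
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:example.test\n' > leaf.ext
EC="-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"
# self-signed root, P-256
openssl req -new $EC -keyout root.key -out root.csr -subj "/CN=Example Root" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.pem 2>/dev/null
# intermediate, P-256, signed by the root
openssl req -new $EC -keyout int.key -out int.csr -subj "/CN=Example Intermediate" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -extfile ca.ext -out int.pem 2>/dev/null
# server leaf, P-256, signed by the intermediate
openssl req -new $EC -keyout leaf.key -out leaf.csr -subj "/CN=example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 1 -extfile leaf.ext -out leaf.pem 2>/dev/null
# deliberately weak self-signed RSA-1024 certificate for the key-length check
openssl req -x509 -newkey rsa:1024 -nodes -keyout weak.key -out weak.pem -days 1 \
  -subj "/CN=weak.test" 2>/dev/null

cat leaf.pem int.pem root.pem > good-chain.pem   # the order a server must send
cat root.pem int.pem leaf.pem > bad-chain.pem    # same certificates, root first

# split_bundle BUNDLE DIR: one file per certificate, numbered in bundle order
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
    n > 0 { print > out }
    /-----END CERTIFICATE-----/ { close(out) }' "$1"
}

# chain_order_ok BUNDLE: succeeds only if certificate i+1 is the issuer of
# certificate i for every i, i.e. the leaf is first and the chain walks upward.
# Compares the subject/issuer DNs openssl prints; signatures are checked by
# chain_verifies, not here.
chain_order_ok() {
  d=$(mktemp -d); split_bundle "$1" "$d"
  want=""; rc=0
  for c in "$d"/cert-*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject=//')
    if [ -n "$want" ] && [ "$subj" != "$want" ]; then rc=1; break; fi
    want=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer=//')
  done
  rm -rf "$d"; return $rc
}

# chain_verifies BUNDLE ROOT LEAF: cryptographic path validation. openssl verify
# finds the path itself regardless of order, so bad-chain.pem passes here while
# failing chain_order_ok; that is why both checks are needed.
chain_verifies() {
  openssl verify -CAfile "$2" -untrusted "$1" "$3" >/dev/null 2>&1
}

# key_acceptable CERT: SP 800-131A Rev. 2 Table 2 minimums for signature keys
key_acceptable() {
  txt=$(openssl x509 -in "$1" -noout -text)
  alg=$(printf '%s\n' "$txt" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  case "$alg" in
    rsaEncryption)  [ "${bits:-0}" -ge 2048 ] ;;
    id-ecPublicKey) [ "${bits:-0}" -ge 224 ] ;;   # P-256 and P-384 pass, P-192 does not
    *)              return 1 ;;                   # unknown algorithm: reject, don't guess
  esac
}

# bundle_keys_acceptable BUNDLE: key_acceptable over every certificate in it
bundle_keys_acceptable() {
  d=$(mktemp -d); rc=0; split_bundle "$1" "$d"
  for c in "$d"/cert-*.pem; do key_acceptable "$c" || { rc=1; break; }; done
  rm -rf "$d"; return $rc
}

# stand-alone run: one verdict line per bundle, then the weak key
for b in good-chain.pem bad-chain.pem; do
  chain_order_ok "$b" && order=ok || order=WRONG
  chain_verifies "$b" root.pem leaf.pem && path=ok || path=FAIL
  bundle_keys_acceptable "$b" && keys=ok || keys=WEAK
  printf '%-15s order=%-5s path=%-4s keys=%s\n' "$b" "$order" "$path" "$keys"
done
key_acceptable weak.pem && echo "weak.pem: accepted (unexpected)" || echo "weak.pem: rejected (RSA-1024)"
```

The point of running both chain checks is that openssl verify builds its own path and so passes bad-chain.pem; a strict RFC 5246 client or a small embedded TLS stack will not, which is the failure that only chain_order_ok catches. To check a live server, save the output of openssl s_client -connect host:443 -showcerts to a file and pass it to chain_order_ok; the awk splitter ignores everything outside the BEGIN/END CERTIFICATE markers.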

NIST SP 800-56A Rev. 3\\
Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography\\
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf

==== Cipher Suites ====
https://ciphersuite.info/