notes:tls

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
notes:tls [2023/10/10 23:56] david
notes:tls [2024/04/09 21:33] (current) david
Line 4: Line 4:
  
 [[https://nabla-c0d3.github.io/sslyze/documentation/| SSLyze]] [[https://nabla-c0d3.github.io/sslyze/documentation/| SSLyze]]
 +
 +=== Certificate order ===
 +leaf certificate followed by intermediaries and root, see "certificate_list" in section 7.4.2 below.\\
 +[[https://www.rfc-editor.org/rfc/rfc5246|RFC 5246]]
 +[[https://www.rfc-editor.org/rfc/rfc5246#section-7.4.2 |  7.4.2 Server Certificate ]]
 +
  
  
 [[https://www.rfc-editor.org/rfc/rfc5280| RFC 5280 ]] Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile [[https://www.rfc-editor.org/rfc/rfc5280| RFC 5280 ]] Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
  
-Choosing an Elliptic Curve in 2022+use the Mozilla SSL Config generator to generate strong SSL configuration 
 +https://ssl-config.mozilla.org/ 
 + 
 +===ECC=== 
 +  * Use NIST SuiteB P-256 or P-384 curves 
 +  * Choosing an Elliptic Curve in 2022 
 https://soatok.blog/2022/05/19/guidance-for-choosing-an-elliptic-curve-signature-algorithm-in-2022/ https://soatok.blog/2022/05/19/guidance-for-choosing-an-elliptic-curve-signature-algorithm-in-2022/
  
-use the Mozilla SSL Config generator to generate strong SSL configuratoin +https://support.globalsign.com/ssl/ssl-certificates-life-cycle/ecc 
-https://ssl-config.mozilla.org/+ 
 +Guidelines for the Selection,Configuration, and Use of Transport Layer Security (TLS) Implementations 
 + 
 +https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf (SP800-186) 
 + 
 + 
 +If the server is configured with an ECDSA signature certificate, either curve P-256 or curve P-384 should be used for the public key in the certificate 
 + 
 + 
 +ECDSA key lengths page 6 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf 
 + 
 + 
 + 
 +==== Certificate management ==== 
 + 
 +https://www.nccoe.nist.gov/tls-server-certificate-management 
 + 
 +NIST SP 800-131A Rev. 2 
 + 
 +Transitioning the Use of Cryptographic Algorithms and Key Lengths 
 + 
 +https://csrc.nist.gov/pubs/sp/800/131/a/r2/final 
 + 
 + 
 +Recommendation for Key Management: \\ 
 +Part 2 - Best Practices for Key Management Organizations \\ 
 +https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt2r1.pdf 
 + 
 + 
 + 
 +CAB Forum 
 +https://cabforum.org/documents/ 
 + 
 +RFC 9325\\ 
 +Recommendations for Secure Use of Transport Layer\\ 
 +Security (TLS) and Datagram Transport LayerSecurity (DTLS) 
 + 
 +RFC-8446 - The Transport Layer Security (TLS) Protocol Version 1.3  
 + 
 + 
 + 
 + 
 + 
 +https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf 
 +Table 2 
 +Acceptable key lengths 
 +>= 224 bits of security strength for ECDSA and EdDSA 
 +RSA >= 2048 
 + 
 + 
 + 
 +NIST Special Publication 800-56A\\ 
 +Revision 3\\ 
 +Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete 
 +Logarithm Cryptography\\ 
 +https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
  
 +===== Cipher Suites ====
 +https://ciphersuite.info/
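Review bot: the parenthetical "(SP800-186)" after the NIST.SP.800-52r2.pdf link is the wrong document number; the title on the line above ("Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations") is SP 800-52 Rev. 2, and SP 800-186 is linked separately two lines down as the ECDSA key-length reference, so drop the parenthetical or change it to "(SP 800-52r2)". In the "Certificate order" section, the new text "leaf certificate followed by intermediaries and root" cites only RFC 5246 section 7.4.2, but that section says the self-signed root MAY be omitted from the chain (and in practice usually is), and the page also adds RFC 8446, where the Certificate message is section 4.4.2 and only the end-entity certificate's position (first) is a MUST; suggest "leaf certificate first, followed by the intermediates; the root is optional" and adding the RFC 8446 section link beside the RFC 5246 one. In the SP 800-131A Table 2 summary, ">= 224 bits of security strength for ECDSA and EdDSA" conflates key size with strength: Table 2's 224 is the minimum bit length of the curve order n, which corresponds to 112 bits of security strength, so "curve order >= 224 bits" would be accurate. Minor spacing fixes: "Selection,Configuration" and "Transport LayerSecurity (DTLS)".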
notes/tls.1696996591.txt.gz · Last modified: by david