Differences

This shows you the differences between two versions of the page.

--- notes:tls [2023/12/04 21:11] – david
+++ notes:tls [2024/04/09 21:33] (current) – david
@@ Line 5: / Line 5: @@
 [[https://nabla-c0d3.github.io/sslyze/documentation/| SSLyze]]
+=== Certificate order ===
+leaf certificate followed by intermediaries and root, see "certificate_list" in section 7.4.2 below.\\
+[[https://www.rfc-editor.org/rfc/rfc5246|RFC 5246]]
+[[https://www.rfc-editor.org/rfc/rfc5246#section-7.4.2 |  7.4.2 Server Certificate ]]
-[[https://www.rfc-editor.org/rfc/rfc5280| RFC 5280 ]] Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
-Choosing an Elliptic Curve in 2022
-https://soatok.blog/2022/05/19/guidance-for-choosing-an-elliptic-curve-signature-algorithm-in-2022/
+[[https://www.rfc-editor.org/rfc/rfc5280| RFC 5280 ]] Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
 use the Mozilla SSL Config generator to generate strong SSL configuration
 https://ssl-config.mozilla.org/
+===ECC===
+  * Use NIST SuiteB P-256 or P-384 curves
+  * Choosing an Elliptic Curve in 2022
+https://soatok.blog/2022/05/19/guidance-for-choosing-an-elliptic-curve-signature-algorithm-in-2022/
+https://support.globalsign.com/ssl/ssl-certificates-life-cycle/ecc
+Guidelines for the Selection,Configuration, and Use of Transport Layer Security (TLS) Implementations
+https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf (SP800-186)
+If the server is configured with an ECDSA signature certificate, either curve P-256 or curve P-384 should be used for the public key in the certificate
+ECDSA key lengths page 6 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf
+==== Certificate management ====
 https://www.nccoe.nist.gov/tls-server-certificate-management
 NIST SP 800-131A Rev. 2
 Transitioning the Use of Cryptographic Algorithms and Key Lengths
 https://csrc.nist.gov/pubs/sp/800/131/a/r2/final
-Recommendation for
+Recommendation for Key Management: \\
-Key Management:
+Part 2 - Best Practices for Key Management Organizations \\
-Part 2 - Best Practices for
-Key Management Organizations
 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt2r1.pdf
@@ Line 33: / Line 57: @@
 https://cabforum.org/documents/
-RFC 9325
+RFC 9325\\
-Recommendations for Secure Use of Transport Layer
+Recommendations for Secure Use of Transport Layer\\
-Security (TLS) and Datagram Transport Layer
+Security (TLS) and Datagram Transport LayerSecurity (DTLS)
-Security (DTLS
 RFC-8446 - The Transport Layer Security (TLS) Protocol Version 1.3
@@ Line 42: / Line 65: @@
-Guidelines for the Selection,
-Configuration, and Use of Transport
-Layer Security (TLS) Implementations
-https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf (SP800-186)
-If the server is configured with an ECDSA signature certificate, either curve P-256 or curve P-384 should be used for the public key in the certificate
-ECDSA key lengths page 6
-https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf
@@ Line 64: / Line 75: @@
-NIST Special Publication 800-56A
+NIST Special Publication 800-56A\\
-Revision 3
+Revision 3\\
-Recommendation for Pair-Wise Key-
+Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete
-Establishment Schemes Using Discrete
+Logarithm Cryptography\\
-Logarithm Cryptography
 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
+===== Cipher Suites ====
+https://ciphersuite.info/