Transport Layer Security

Commonly known as TLS, and still often referred to by its former name SSL (Secure Sockets Layer), Transport Layer Security is vital to online security whether you are browsing websites, using an e-mail client or transferring files. As usual, Wikipedia has a good overview of the subject at Transport Layer Security - Wikipedia, the free encyclopedia.

TLS relies on X.509 certificates, as do several other things such as code signing. One important problem is detecting certificates that have been revoked before they expire, for example because the private key leaked. The traditional mechanism is the Certificate Revocation List (CRL): a signed list of revoked serial numbers that the client downloads from the CA and checks the chain against. The Online Certificate Status Protocol (OCSP) is the newer approach and is generally better: the client asks the CA about one serial number and gets back a signed, time-limited answer (good, revoked or unknown) instead of fetching the whole list. It has problems of its own, though: a plain OCSP query tells the CA which site you are visiting, and most clients fail open if the responder does not answer. OCSP stapling, where the server fetches the response itself and includes it in the TLS handshake, addresses both, which is why it is the usual recommendation for servers.
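As an added example (it is not from this page or from the OpenSSL project), the script below uses the openssl command line to show both mechanisms against a throwaway CA: it issues a leaf certificate, checks it, revokes it and checks again, once with a CRL (openssl verify -crl_check) and once with an OCSP request and response exchanged as files, so no responder on the network is needed. It assumes openssl (1.1.1 or 3.x) and mktemp are on PATH; the CA name, the host name leaf.example, the serial number and the config layout are all invented for the demo.

```shell
#!/bin/sh
# Added example (not from this page or the OpenSSL project): a throwaway CA
# issues a leaf certificate, revokes it, and answers "is it still valid?" two
# ways with the openssl CLI: a CRL checked by 'openssl verify -crl_check', and
# an OCSP request/response exchanged as files (no responder on the network).
# Names, the serial and the layout are invented for the demo; needs openssl
# (1.1.1 or 3.x) and mktemp on PATH.
set -eu

# Minimal config for 'openssl req' and 'openssl ca' (demo layout, not a
# production CA). index.txt is the CA database both revocation mechanisms read.
write_config() {
    cat > "$WORK/demo.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK
serial = $WORK/serial
policy = demo_policy
default_md = sha256
default_days = 30
default_crl_days = 30
[ demo_policy ]
commonName = supplied
EOF
    : > "$WORK/index.txt"
    echo 1000 > "$WORK/serial"    # first serial the CA hands out (hex), arbitrary
}

# Self-signed root, then a leaf issued through 'openssl ca' so it lands in index.txt.
make_certs() (
    cd "$WORK"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key 2>/dev/null
    openssl req -new -config demo.cnf -key ca.key -subj "/CN=Demo Root CA" -out ca.csr
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in ca.csr -signkey ca.key -days 30 -sha256 -extfile ca.ext -out ca.pem 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out leaf.key 2>/dev/null
    openssl req -new -config demo.cnf -key leaf.key -subj "/CN=leaf.example" -out leaf.csr
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:leaf.example\n' > leaf.ext
    openssl ca -config demo.cnf -batch -notext -cert ca.pem -keyfile ca.key \
        -in leaf.csr -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
)

# Revocation happens on the CA side only: leaf.pem is unchanged, index.txt now
# marks serial 1000 as revoked. That gap is why relying parties need CRL or OCSP.
revoke_leaf() (
    cd "$WORK"
    openssl ca -config demo.cnf -revoke leaf.pem -crl_reason keyCompromise \
        -cert ca.pem -keyfile ca.key >/dev/null 2>&1
)

# CRL route: the CA publishes the full list of revoked serials and the client
# checks the chain against it. Prints "valid" or "revoked".
crl_status() (
    cd "$WORK"
    openssl ca -config demo.cnf -gencrl -crldays 30 -cert ca.pem -keyfile ca.key -out crl.pem 2>/dev/null
    if out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem leaf.pem 2>&1); then
        echo valid
    else
        case "$out" in *revoked*) echo revoked ;; *) echo "verify error: $out" >&2; exit 1 ;; esac
    fi
)

# OCSP route: the client asks about one serial and the CA signs an answer for
# that serial alone. Request and response are DER files here; on the wire they
# travel over HTTP. Prints "good", "revoked" or "unknown" (OCSP's own words).
ocsp_status() (
    cd "$WORK"
    openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout ocsp-req.der >/dev/null 2>&1
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key -no_nonce \
        -reqin ocsp-req.der -respout ocsp-resp.der >/dev/null 2>&1
    openssl ocsp -issuer ca.pem -cert leaf.pem -CAfile ca.pem -no_nonce \
        -respin ocsp-resp.der 2>/dev/null | awk 'NR == 1 { print $NF }'
)

# Whole sequence in a fresh directory; returns four words:
# CRL and OCSP verdicts before revocation, then after.
run_demo() {
    WORK=$(mktemp -d)
    write_config
    make_certs
    before="$(crl_status) $(ocsp_status)"
    revoke_leaf
    after="$(crl_status) $(ocsp_status)"
    rm -rf "$WORK"
    echo "$before $after"
}

echo "CRL/OCSP status before and after revocation: $(run_demo)"
```

Run it as a script; it prints the CRL and OCSP verdicts before and after revocation, expected as "valid good revoked revoked". Two things worth noticing: nothing in leaf.pem changes when it is revoked, only the CA's index.txt does, which is the whole reason a relying party needs one of these mechanisms; and the OCSP response is a self-contained signed object that anyone can hand to the client, which is exactly what stapling exploits.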

The de facto standard implementation of SSL/TLS is OpenSSL. LibreSSL, forked from it in 2014 with the goal of modernising and cleaning up the code, is the main alternative, but its developers chose not to support the same wide range of platforms as OpenSSL.


If you want a good summary of the history of SSL/TLS then SSL/TLS and PKI Timeline is a great place to start.


One of the best detailed explanations of TLS I have seen is The Illustrated TLS Connection: Every Byte Explained. It walks through a TLS 1.2 handshake byte by byte; a companion TLS 1.3 edition by the same author has since been published. The source for the site is at syncsynchalt/illustrated-tls: The Illustrated TLS Connection: Every byte explained.


It is worth looking at the Mozilla SSL Configuration Generator for help configuring TLS correctly: pick your server software and a compatibility level and it produces the protocol versions, cipher suites and related settings (such as HSTS and OCSP stapling) to use.

If you want to check your current configuration then Hardenize: Comprehensive web site configuration test is a very good testing site.


There is an excellent guide called OpenSSL Cookbook, "A Short Guide to the Most Frequently Used OpenSSL Features and Commands", by Ivan Ristić.

It should be noted that the OpenSSL team only release source code. If you want binaries: on a Mac you will find the openssl command already installed, although it is actually LibreSSL; on Linux your distribution will have a package if it is not already installed; for Windows I suggest Shining Light Productions - Win32 OpenSSL, but that is a third-party build, so check that you are happy to trust it (and verify the download) before relying on it.


The LibreSSL project started in 2014 as a fork of OpenSSL with the aim of "modernizing the codebase, improving security, and applying best practice development processes"; the fork was a direct response to Heartbleed (CVE-2014-0160).

Certificate Authority Authorization

Checking CAA is now mandatory for all Certificate Authorities (CAs) (the CA/Browser Forum Baseline Requirements have required it since September 2017), yet currently very few websites publish records. Basically you add a couple of DNS records for your domain naming the CAs that may issue for it, and a compliant CA must refuse to issue if it is not listed, so the domain owner stays in control. The "issue" tag covers ordinary names, "issuewild" covers wildcard certificates, and "iodef" gives the CA an address to report violations to; a value of ";" names no CA at all and so forbids issuance. Two caveats: CAA only constrains issuance, browsers do not check it, so it does nothing against a certificate that has already been issued or a CA that ignores the rule; and records are inherited down the tree, so a record at example.com covers www.example.com unless the subdomain publishes its own. See Certificate Authority Authorization for some details, CAA Record Generator to help you generate and check your entries, and of course SSL Server Test (Powered by Qualys SSL Labs) for testing it works. You can also validate your CAA at DNS Spy: CAA record validator.
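To make the inheritance and wildcard rules concrete, here is an added example (not from this page or from any of the tools linked above) that evaluates CAA records the way a CA must under RFC 8659: it climbs from the requested name toward the root until it finds a CAA RRset, then applies "issue" or "issuewild" as appropriate. The zone data is constructed for the demo; the owner names example.com, lab.example.com and iodef-only.example and the CA names are placeholders. It is not a live DNS lookup: for a real domain, feed it the output of dig +noall +answer CAA <name> instead.

```shell
#!/bin/sh
# Added example (not from the page): evaluate CAA the way a CA has to before
# issuing, following the RFC 8659 rules, against a small constructed zone.
# The records below are invented; for a real domain replace CAA_ZONE with the
# output of `dig +noall +answer CAA <name>` for each label you want to inspect.
set -euf   # -f: no pathname globbing, so "*.example.com" stays a literal

# Constructed CAA data: owner, flags, tag, quoted value (one record per line).
# lab.example.com has its own RRset, which overrides the one at example.com.
CAA_ZONE='
example.com         0 issue      "letsencrypt.org"
example.com         0 issue      "digicert.com; cansignhttpexchanges=yes"
example.com         0 issuewild  ";"
example.com         0 iodef      "mailto:security@example.com"
lab.example.com     0 issue      "sectigo.com"
iodef-only.example  0 iodef      "mailto:abuse@iodef-only.example"
'

# CAA RRset at exactly one owner name, printed as "tag<TAB>value" lines.
caa_rrset() {
    printf '%s\n' "$CAA_ZONE" | awk -v owner="$1" '
        tolower($1) == tolower(owner) {
            v = $0; sub(/^[^"]*"/, "", v); sub(/"[^"]*$/, "", v)
            printf "%s\t%s\n", $3, v
        }'
}

# Relevant RRset (RFC 8659 section 3): climb toward the root; the first owner
# that has any CAA record wins and its parents are ignored. A wildcard name
# therefore lands on its parent (this demo does not model records published
# at a literal "*" label).
relevant_caa() {
    name="${1#\*.}"
    while [ -n "$name" ]; do
        rrset=$(caa_rrset "$name")
        if [ -n "$rrset" ]; then
            printf '%s\n' "$rrset"
            return 0
        fi
        case "$name" in *.*) name="${name#*.}" ;; *) name="" ;; esac
    done
}

# May CA "$2" issue for name "$1"? Prints "allowed" or "denied".
# Wildcard names use issuewild, falling back to issue only if no issuewild
# exists. A value of ";" names no CA, so it blocks issuance for that tag.
caa_allows() {
    name="$1" ca="$2"
    case "$name" in
        \*.*) tag=issuewild fallback=issue ;;
        *)    tag=issue     fallback=""    ;;
    esac
    rrset=$(relevant_caa "$name")
    if [ -z "$rrset" ]; then
        echo allowed        # no CAA anywhere up the tree: any CA may issue
        return 0
    fi
    props=$(printf '%s\n' "$rrset" | awk -F '\t' -v t="$tag" '$1 == t')
    if [ -z "$props" ] && [ -n "$fallback" ]; then
        props=$(printf '%s\n' "$rrset" | awk -F '\t' -v t="$fallback" '$1 == t')
    fi
    if [ -z "$props" ]; then
        echo allowed        # RRset exists (e.g. only iodef) but restricts nothing
        return 0
    fi
    # Compare the issuer domain only; anything after ';' is a CA-specific parameter.
    if printf '%s\n' "$props" | awk -F '\t' -v ca="$ca" '
            { v = $2; sub(/;.*/, "", v); gsub(/[ \t]/, "", v)
              if (tolower(v) == tolower(ca)) found = 1 }
            END { exit found ? 0 : 1 }'; then
        echo allowed
    else
        echo denied
    fi
}

for check in "www.example.com letsencrypt.org" "www.example.com sectigo.com" \
             "*.example.com letsencrypt.org" "lab.example.com letsencrypt.org" \
             "*.lab.example.com sectigo.com" "host.iodef-only.example anyca.test"; do
    set -- $check
    printf '%-28s %-18s %s\n' "$1" "$2" "$(caa_allows "$1" "$2")"
done
```

The cases at the bottom are the ones that catch people out: www.example.com inherits the parent's records, *.example.com is refused to everyone because of the issuewild ";" entry even though issue lists two CAs, lab.example.com's own record silently replaces the parent's rather than adding to it, and a zone with only an iodef record restricts nothing.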