Bulletproof TLS and PKI, Second Edition - Feisty Duck


BULLETPROOF TLS AND PKI
Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications
Sample
Ivan Ristić
SECOND EDITION

Bulletproof TLS and PKI
Second Edition
Ivan Ristić

Bulletproof TLS and PKI
by Ivan Ristić

Second edition (build 1090). Published in January 2022.
Copyright 2022 Feisty Duck Limited. All rights reserved.
ISBN: 978-1907117091
First edition published in August 2014.

Feisty Duck
Copyeditor: Melinda Rankin
Cover illustration: Michael Lester
Production editor: Jelena Girić-Ristić
Proofreader: Sue Boshers
Technical reviewers: Emily Stark and Matt Caswell

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without the prior permission in writing of the publisher.

The author and publisher have taken care in preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

Table of Contents

Preface  xv
    Scope and Audience  xvi
    Contents  xvii
    SSL versus TLS  xix
    Online Resources  xix
    Feedback  xx
    About the Author  xx
    About the Technical Reviewers  xx
    Acknowledgments  xxi

1. SSL, TLS, and Cryptography  1
    Transport Layer Security  1
    Networking Layers  2
    Protocol History  3
    Cryptography  4
    Building Blocks  5
    Protocols  14
    Attacking Cryptography  16
    Measuring Strength  16
    Active and Passive Network Attacks  18

2. TLS 1.3  23
    Record Protocol  23
    Record Structure  24
    Encryption  26
    Length Hiding  27
    Subprotocols  28
    Message Fragmentation  29
    Handshake Protocol  29
    Key Exchange  30
    Authentication  36
    The Transcript
    Finished
    Post-Handshake Authentication
    Authentication Using Pre-Shared Keys
    Session Resumption
    Alert Protocol
    Connection Closure
    Cryptographic Computations
    Key Derivation
    Key Schedule
    Extensions
    Cipher Suites
    0-RTT
    Implementation Details
    0-RTT and Forward Secrecy
    0-RTT and Replay Attacks
    Is 0-RTT Safe?
    Summary

3. TLS 1.2
    Record Protocol
    Handshake Protocol
    Full Handshake
    Client Authentication
    Session Resumption
    Key Exchange
    RSA Key Exchange
    Diffie-Hellman Key Exchange
    Elliptic Curve Diffie-Hellman Key Exchange
    Authentication
    Encryption
    Stream Encryption
    Block Encryption
    Authenticated Encryption
    Renegotiation
    Application Data Protocol
    Alert
    Connection Closure  81
    Cryptographic Operations  81
    Pseudorandom Function  81
    Master Secret  82
    Key Generation  82
    Cipher Suites  83
    Extensions  85
    Application Layer Protocol Negotiation  86
    Certificate Transparency  87
    Elliptic Curve Capabilities  87
    Heartbeat  88
    Next Protocol Negotiation  89
    Secure Renegotiation  90
    Server Name Indication  91
    Session Tickets  91
    Signature Algorithms  92
    OCSP Stapling  92
    Protocol Limitations  93
    Differences between Protocol Versions  93
    SSL 3  94
    TLS 1.0  94
    TLS 1.1  94
    TLS 1.2  95

4. Public Key Infrastructure  97
    Internet PKI  97
    Standards  99
    Certificates  100
    Certificate Fields  101
    Certificate Extensions  103
    Certificate Chains  106
    Relying Parties  108
    Certification Authorities  109
    Certificate Lifecycle  110
    Revocation  112
    Certificate Transparency  113
    How CT Works  115
    State of CT  119
    Certification Authority Authorization  120
    CAA Extensions  122
    Deploying CAA
    CAA in Practice
    Certificate Lifecycle Automation
    Enterprise Protocols
    Automated Certificate Management Environment  126
    Weaknesses  126
    Improvement Attempts  130
    PKI Ecosystem Measurements  131

5. Attacks against PKI  135
    Verisign Microsoft Code-Signing Certificate  135
    Thawte login.live.com  136
    StartCom Breach (2008)  137
    CertStar (Comodo) Mozilla Certificate
    RapidSSL Rogue CA Certificate
    Chosen-Prefix Collision Attack
    Construction of Colliding Certificates
    Predicting the Prefix
    What Happened Next
    Comodo Resellers Breaches
    StartCom Breach (2011)
    DigiNotar
    Public Discovery
    Fall of a Certification Authority
    Man-in-the-Middle Attacks
    ComodoHacker Claims Responsibility
    DigiCert Sdn. Bhd.
    Flame
    Flame against Windows Update
    Flame against Windows Terminal Services
    Flame against MD5
    TURKTRUST
    ANSSI
    National Informatics Centre of India
    Widespread SSL Interception
    Gogo
    Superfish and Friends
    CNNIC
    Root Key Compromise
    Symantec Test
    Kazakhstan Interception Attacks
    WoSign and StartCom
    SHA1 Finally Falls
    Identical-Prefix Attack: SHAttered
    Chosen-Prefix Attack: Shambles
    Demise of Symantec PKI
    Assorted Validation Incidents

6. HTTP and Browser Issues
    Sidejacking
    Cookie Stealing
    Cookie Manipulation
    Understanding HTTP Cookies
    Cookie Manipulation Attacks
    Impact
    Mitigation
    SSL Stripping
    MITM Certificates
    Certificate Warnings
    Why So Many Invalid Certificates?
    Effectiveness of Certificate Warnings
    Mitigation
    Security Indicators
    Mixed Content
    Root Causes
    Impact
    Browser Treatment
    Prevalence of Mixed Content
    Mitigation
    Toward a Fully Encrypted Web
    Extended Validation Certificates
    Certificate Revocation
    Inadequate Client-Side Support
    Key Issues with Revocation-Checking Standards
    Certificate Revocation Lists
    Online Certificate Status Protocol

7. Implementation Issues
    Certificate Validation Flaws
    Library and Platform Validation Failures
    Application Validation
    Hostname Validation Issues
    Insecure Encryption Activation
    Random Number Generation
    Netscape Navigator (1994)
    Debian (2006)
    Insufficient Entropy on Embedded Devices
    Heartbleed
    Impact
    Mitigation
    FREAK
    Export Cryptography
    Attack
    Impact and Mitigation
    Logjam
    Active Attack against Insecure DHE Key Exchange
    Precomputation Attack against Insecure DHE Key Exchange
    State-Level Threats against Weak DH Key Exchange
    Impact
    Mitigation
    Protocol Downgrade Attacks
    Rollback Protection in SSL 3
    Interoperability Problems
    Voluntary Protocol Downgrade
    Rollback Protection in TLS 1.0 and Better
    Attacking Voluntary Protocol Downgrade
    Improved Rollback Defenses
    GREASE: Preventing Future Interoperability Problems Today
    Downgrade Protection in TLS 1.3
    Truncation Attacks
    Truncation Attack History
    Cookie Cutting
    Deployment Weaknesses
    Virtual Host Confusion
    TLS Session Cache Sharing

8. Protocol Attacks
    Insecure Renegotiation
    Why Was Renegotiation Insecure?
    Triggering the Weakness
    Attacks against
    Attacks against Other Protocols
    Insecure Renegotiation Issues Introduced by Architecture
    Impact
    Mitigation
    Discovery and Remediation Timeline
    BEAST
    How the Attack Works
    Client-Side Mitigation
    Server-Side Mitigation
    History
    Impact
    Compression Side Channel Attacks
    How the Compression Oracle Works
    History of Attacks
    CRIME
    Mitigation of Attacks against TLS and SPDY
    Mitigation of Attacks against HTTP Compression
    Lucky 13
    What Is a Padding Oracle?
    Attacks against TLS
    Impact
    Mitigation
    RC4 Weaknesses
    Key Scheduling Weaknesses
    Early Single-Byte Biases
    Biases across the First 256 Bytes
    Double-Byte Biases
    Subsequent Improved Attacks
    Triple Handshake Attack
    The Attack
    Impact
    Prerequisites
    Mitigation
    POODLE
    Practical Attack
    Impact
    Mitigation
    Key-Compromise
    Attacks against TLS
    Impact
    DROWN
    Attacks against ation
    The Bleichenbacher Attack
    Understanding the Attack
    Impact
    Detection and Mitigation
    The Raccoon Attack
    Impact
    Mitigation
    Bullrun
    Dual Elliptic Curve Deterministic Random Bit Generator

9. Performance
    Latency and Connection Management
    False Start
    TCP Optimization
    Connection Persistence
    HTTP/2
    QUIC and HTTP/3
    Handshake Latency Comparison across Protocols
    Content Delivery Networks
    TLS Protocol Optimization
    Key Exchange
    Certificates
    Revocation Checking
    Session Resumption
    Transport Overhead
    Symmetric Encryption
    TLS Record Buffering
    Interoperability
    Hardware Acceleration
    Denial of Service
    Amplifying Attacks Using Client-Initiated Renegotiation
    Optimized TLS Denial of Service Attacks

10. HSTS, CSP, and Pinning
    HTTP Strict Transport Security
    Configuring HSTS
    Ensuring Hostname Coverage
    Cookie Security
    Attacking HSTS
    Browser Support
    Deployment Checklist
    Privacy Implications
    Content Security Policy
    Preventing Mixed Content Issues
    Policy Testing
    Reporting
    Pinning
    Should You Use Pinning?
    What to Pin?
    Where to Pin?
    How to Pin
    Static Browser Public Key Pinning
    Microsoft’s Enterprise Certificate Pinning
    Public Key Pinning Extension for HTTP
    DANE
    Other Pinning Proposals

11. Configuration Guide
    Private Keys and Certificates
    Use Strong Private Keys
    Secure Your Private Keys
    Choose the Right Certification Authority
    Prevent Certificate Warnings
    Control Key and Certificate Sharing
    Think Chains, Not Certificates
    Deploy Certification Authority Authorization
    Automate Certificate Renewal
    Use Certificate Transparency Monitoring
    Configuration
    Use Secure Protocols
    Use Forward
    Use a Strong Key Exchange
    Prioritize the Best Cipher Suites
    Use Secure Cipher Suites
    Ensure Ticket Keys Are Rotated
    Mitigate Known Problems
    Supporting Legacy Platforms
    HTTP and Application Security
    Encrypt Everything
    Secure Cookies
    Use Strict Transport Security
    Deploy Content Security Policy
    Disable Caching
    Be Aware of Issues with HTTP Compression
    Understand and Acknowledge Third-Party Trust
    Performance
    Don’t Use Too Much Security
    Enable Session Resumption
    Optimize Connection Management
    Enable Caching of Nonsensitive Content
    Use Fast Cryptographic Primitives
    Validate and Monitor

12. OpenSSL Command Line
    Getting Started
    Determine OpenSSL Version and Configuration
    Building OpenSSL
    Examine Available Commands
    Building a Trust Store
    Key and Certificate Management
    Key Generation
    Creating Certificate Signing Requests
    Creating CSRs from Existing Certificates
    Unattended CSR Generation
    Signing Your Own Certificates
    Creating Certificates Valid for Multiple Hostnames
    Examining Certificates
    Examining Public Certificates
    Key and Certificate Conversion
    Configuration
    Obtaining Supported
    Understanding Security Levels
    Configuring TLS 1.3
    Configuring OpenSSL Defaults
    Recommended Suite Configuration
    Generating DH Parameters
    Legacy Suite Configuration
    Performance
    Creating a Private Certification Authority
    Features and Limitations
    Creating a Root CA
    Creating a Subordinate CA

13. Testing TLS with OpenSSL
    Custom-Compile OpenSSL for Testing
    Connecting to TLS Services
    Certificate Verification
    Testing Protocols That Upgrade to TLS
    Extracting Remote Certificates
    Testing Protocol Support
    Testing Cipher Suite Configuration
    Testing Cipher Suite Preference
    Testing Named Groups
    Testing DANE
    Testing Session Resumption
    Keeping Session State across Connections
    Checking OCSP Revocation
    Testing OCSP Stapling
    Checking CRL Revocation
    Testing Renegotiation
    Testing for Heartbleed
    Determining the Strength of Diffie-Hellman Parameters

14. Summary

Index  i

Preface

You are about to undertake a journey into the mysterious world of cryptography. If you are like me, and you find the experience equal parts challenging and rewarding, you may stay on this journey long after you finish reading this book. I am writing this in late 2021, seven years after the publication of the first edition, and my own journey is still very much ongoing. I don’t think it’s going to end any time soon.

Although I’d been a user of SSL since its early years, I developed a deep interest in it around 2004, when I worked on my first book, Apache Security. That book had a chapter dedicated to transport security; back then I thought that would be enough. About five years later, in 2009, I was looking for something new to do; I decided to spend more time on SSL and TLS, and I’ve stayed in the field ever since. The result is this book, now in its second edition more than a decade later.

My main reason for going back to SSL (it was still just SSL then) was the thought that I could improve things. I saw an important technology hampered by a lack of tools and documentation. Cryptography is a fascinating subject: it’s a field in which, the more you know, the more you discover how much you don’t know. I can’t count how many times I’ve had the experience of reaching a new level of understanding of a complex topic only to have yet another layer of complexity open up to me; that’s what makes the subject amazing.

I spent about two years writing the first edition of this book. At first, I thought I’d be able to spread the effort so that I wouldn’t have to dedicate my life to it, but that didn’t work. At some point, I realized that things are changing so quickly that I constantly need to go back and rewrite the “finished” chapters. Toward the end, I had to spend every spare moment writing to keep up. I am now working on the second edition, and the situation is very similar. Since the first edition’s publication, TLS 1.3 was released, and that’s a brand-new protocol that has led to many other changes elsewhere. It’s not surprising that I needed to write a new chapter for TLS 1.3. But in the next three chapters I worked on, I found there were deep changes and a great deal of new content throughout there as well. More work followed. In the end, it took another two years to complete the second edition.

I wrote this book to save you time. I’ve spent many years learning everything I could about SSL/TLS and PKI and I know that only a few can afford to do the same. I thought that if I put the most important parts of what I’ve learned into a book, others might be able to achieve a similar level of understanding in a fraction of the time—and here we are.

This book has the word “bulletproof” in the title, but that doesn’t mean that TLS is unbreakable. It does mean that if you follow the advice from this book you’ll be able to get the most out of TLS and deploy it as securely as anyone else in the world. It’s not always going to be easy—especially with web applications—but if you persist, you’ll have the same or better security than 99% of deployments out there.

Broadly speaking, there are two paths you can take to read this book. One is to start from the beginning. If you have time, this is going to be the more enjoyable approach. I made sure to make the book approachable even if you have little experience with cryptography. You can also read the book from the end, so to speak, by starting with the configuration guide, which will give you practical advice you can use immediately. After that, use the rest of the book as a reference guide as needed.

Scope and Audience

This book exists to document everything you need to know about SSL/TLS and PKI for practical, daily work. I aimed for just the right mix of theory, protocol detail, vulnerability and weakness information, and deployment advice to help you get your job done.

As I was writing the book, I imagined representatives of three diverse groups looking over my shoulder and asking me questions:

System administrators
    Always pressed for time and forced to deal with an ever-increasing number of security issues on their systems, system administrators need reliable advice about TLS so that they can deal with its configuration quickly and efficiently. Turning to the Web for information on this subject is counterproductive, because there’s so much incorrect and obsolete documentation out there.

Developers
    Although SSL initially promised to provide security transparently for any TCP-based protocol, in reality developers play a significant part in ensuring that applications remain secure. This is particularly true for web applications, which evolved around SSL and TLS and incorporated features that can subvert them. In theory, you “just enable encryption”; in practice, you enable encryption but also pay attention to a dozen or so issues, ranging from small to big, that can break your security. In this book, I made a special effort to document every single one of those issues.

Managers
    Last but not least, I wrote the book for managers who, even though not necessarily involved with the implementation, still have to understand what’s going on and make decisions. The security space is getting increasingly complicated, so understanding the attacks and threats is often a job in itself. Often, there isn’t any one way to deal with the situation, and the best way often depends on the context.

Overall, you will find very good coverage of HTTP and web applications here but little to no mention of other protocols. This is largely because HTTP is unique in the way it uses encryption, powered by browsers, which have become the most popular application-delivery platform we’ve ever had. With that power come many problems, which is why there is so much space dedicated to HTTP.

But don’t let that deceive you; if you take away the HTTP chapters, the remaining content (about two-thirds of the book) provides generic advice that can be applied to any protocol that uses TLS.

Contents

This book has 13 chapters, which can be grouped into several parts. The parts build on one another to provide a complete picture, starting with theory and ending with practical advice.

The first part, chapters 1 through 4, is the foundation of the book and discusses cryptography, SSL, TLS, and PKI:

- Chapter 1, SSL, TLS, and Cryptography, begins with an introduction to SSL and TLS and discusses where these secure protocols fit in the Internet infrastructure. The remainder of the chapter provides an introduction to cryptography and discusses the classic threat model of the active network attacker.
- Chapter 2, TLS 1.3, discusses TLS 1.3, the most recent protocol revision. At the time of writing, TLS 1.3 is well supported by both clients and servers, and widely used. This is the chapter you should read to understand how things work today.
- Chapter 3, TLS 1.2, discusses TLS 1.2, which is still very much relevant and needed in practice. Understanding this protocol is also very useful to understand what improvements were made in TLS 1.3 and why. Information about earlier protocol revisions is provided where appropriate. An overview of the protocol evolution from SSL 3 onward is included at the end for reference.
- Chapter 4, Public Key Infrastructure, is an introduction to Internet PKI, which is the predominant trust model used on the Internet today. The focus is on the standards and organizations as well as governance, ecosystem weaknesses and possible future improvements. This chapter now includes coverage of Certificate Transparency.

The second part, chapters 5 through 8, details the various problems with trust infrastructure, our security protocols, and their implementations in libraries and programs:

- Chapter 5, Attacks against PKI, deals with attacks on the trust ecosystem. It covers all the major CA compromises, detailing the weaknesses, attacks, and consequences. This chapter gives a thorough historical perspective on the security of the PKI ecosystem, which is important for understanding its evolution.
- Chapter 6, HTTP and Browser Issues, is all about the relationship between HTTP and TLS, the problems arising from the organic growth of the Web, and the messy interactions between different pieces of the web ecosystem.
- Chapter 7, Implementation Issues, deals with issues arising from design and programming mistakes related to random number generation, certificate validation, and other key TLS and PKI functionality. In addition, it discusses voluntary protocol downgrade and truncation attacks, as well as high-profile issues, such as Heartbleed, FREAK, and Logjam.
- Chapter 8, Protocol Attacks, is the longest chapter in the book. It covers all the major protocol flaws discovered in recent years: insecure renegotiation, BEAST, CRIME, Lucky 13, POODLE and POODLE TLS, RC4, TIME and BREACH, and Triple Handshake Attack. The newer ROBOT and Raccoon attacks are also there, among others. A brief discussion of Bullrun and its impact on the security of TLS is also included.

The third part, chapters 9 through 11, provides comprehensive advice about deploying TLS in a secure and efficient fashion:

- Chapter 9, Performance, focuses on the speed of TLS, going into great detail about various performance improvement techniques for those who want to squeeze every bit of speed out of their servers.
- Chapter 10, HSTS, CSP, and Pinning, covers some advanced topics that strengthen web applications, such as HTTP Strict Transport Security and Content Security Policy. It also covers pinning, which is an effective way of reducing the large attack surface imposed by our current PKI model.
- Chapter 11, Configuration Guide, is the map for the entire book and provides step-by-step instructions on how to deploy secure and well-performing TLS servers and web applications. This chapter has effectively been rewritten for the second edition.

The fourth and final part consists of chapters 12 and 13, which focus on OpenSSL, the de facto standard for everyday TLS and PKI work on the command line:

- Chapter 12, OpenSSL Command Line, describes the most frequently used OpenSSL functionality, with a focus on installation, configuration, and key and certificate management. The last section in this chapter provides instructions on how to construct and manage a private certification authority.
- Chapter 13, Testing TLS with OpenSSL, continues with OpenSSL and explains how to use its command-line tools to test server configuration. Even though it’s often much easier to use an automated tool for testing, OpenSSL remains the tool you turn to when you want to be sure about what’s going on.

SSL versus TLS

It is unfortunate that we have two names for essentially the same protocol. In my experience, most people are familiar with the name SSL and use it in the context of transport layer encryption. You will also hear SSL in the context of “SSL certificates.” Some people, usually those who spend more time with the protocols, use or try to make themselves use the correct name, whichever is right in the given context. It’s probably a lost cause. Despite that, I tried to do the same. It was a bit cumbersome at times, but I think I managed to achieve it by (1) avoiding either name where possible, (2) mentioning where advice applies to all protocol versions, and (3) using TLS in all other cases. You probably won’t notice, and that’s fine.

For the second edition, however, I decided to drop the word “SSL” from the title, calling the book Bulletproof TLS and PKI. The world has left SSL behind, and it’s time that we leave it behind as well.

Online Resources

This book doesn’t have an online companion, but it does have an online file repository that contains the files referenced in the text. The repository is available at github.com/ivanr/bulletproof-tls.

To be notified of events and news as they happen, follow @ivanristic on Twitter. TLS is all I do these days, and I try to highlight everything that’s relevant. There’s hardly any noise. In addition, my Twitter account is where I will mention improvements to the book as they happen.

You may also want to keep an eye on my blog, which is at blog.ivanristic.com. To be honest, I don’t publish much these days, probably because if I am not working on this book, I am spending all of my time on my startup, called Hardenize, which is all about making the best of the available security standards. If you like this book, I suspect you will like Hardenize as well; check it out at www.hardenize.com. It has a very heavy focus on both TLS and PKI.

If you have access to this book in digital form, you may periodically log into your account on the Feisty Duck web site to download the most recent version. Your access includes unlimited updates of the same edition. If you’d like to stay up to date with events, consider subscribing to our monthly TLS Newsletter. Initially, the newsletter was just a mailing list we used to let our readers know when updates were made available, but later we decided to keep it as a useful no-fluff service.

Feedback

I am fortunate that I can update this book whenever I want to. It’s not a coincidence; I worked hard to make it that way. I published my first book with a traditional publisher and didn’t enjoy the fact that your book is set in stone once it’s out. So, for my other books, I built a platform for continuous publishing. If I make a change today, it will be available to you tomorrow, after an automated daily build takes place. It’s a tad more difficult to update paper books, but with print on demand we’re able to publish new revisions whenever there is need.

Therefore, unlike with many other books that might never see a new edition, your feedback matters. If you find an error, it will be fixed in a few days. The same is true for minor improvements, such as language changes or clarifications. If one of the platforms changes in some way or there’s a new development, I can cover it. My aim with this book is to keep it up-to-date for as long as there’s interest in it.

Please write to me at ivanr@webkreator.com.

About the Author

In this section, I get to write about myself in third person; here are a few words about me:

Ivan Ristić writes computer security books and builds security products. His book Bulletproof TLS and PKI, the result of more than a decade of research and study, is widely recognized as the de facto reference manual for SSL/TLS and PKI. His work on SSL Labs made hundreds of thousands of web sites more secure. He also created ModSecurity, a leading open source web application firewall.

More recently, Ivan founded Hardenize, a platform for automated discovery and continuous network security monitoring. He also serves as a member of Let’s Encrypt’s technical advisory board.

About the Technical Reviewers

In working on the second edition, I was joined by my technical reviewers, who helped me write a much better book than I would have otherwise been able to. They were my safety net in tackling complex topics.

Emily Stark is a technical lead and manager on the Chrome Security team, where she focuses on secure transport. Her team works on HTTPS adoption, certificate verification and policies, Certificate Transparency, the TLS stack, and connection security UX. She also works on usable security in the browser, with a research-driven approach. She holds degrees in computer science from Stanford University and MIT.

Matt Caswell is a programmer and open source enthusiast. He has been actively contributing to the OpenSSL Project for many years. He is currently a committer to the project, a member of the OpenSSL Technical Committee and a member of the OpenSSL Management Committee. Since becoming a full-time fellow on the project in 2014, he has made many significant contributions. Most recently, he developed most of OpenSSL’s TLS 1.3 implementation and has been one of the primary developers of OpenSSL 3.0.

Acknowledgments

Although I wrote all of the words in this book, I am not the sole author. My work builds on an incredible wealth of information about cryptography and computer security scattered among books, standards, research papers, conference talks, and blog posts—and even tweets. There are hundreds of people whose work made this book what it is.

Over the years, I have been fortunate to correspond about computer security with many people wh
