====== Transport Layer Security (TLS) ======
* [[https://youtu.be/Ikv2G2Zm01s|IXIA: Understanding TLS 1.3]]
* [[https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF|NSA: Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations]]
===== Protocol Analysis: =====
* http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
* https://www.cloudflare.com/de-de/learning/ssl/what-happens-in-a-tls-handshake/
* http://blog.fourthbit.com/2014/12/23/traffic-analysis-of-an-ssl-slash-tls-session
* https://albertx.mx/https-connections-browsers/
* https://albertx.mx/https-handshake/
  openssl s_client -state -connect google.de:443
  # then, once connected, type:
  GET / HTTP/1.1
  Host: www.google.de
===== Wireshark Tips: =====
* https://wiki.wireshark.org/SSL
* https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/
* https://lekensteyn.nl/files/wireshark-ssl-decryption.pdf
* https://osqa-ask.wireshark.org/questions/24489/ssl-handshake-certificate-hidden
===== Test Services =====
* https://www.ssllabs.com/ssltest/
* https://securityheaders.io
* https://observatory.mozilla.org
* [[https://www.sslshopper.com/certificate-decoder.html|Certificate Decoder]]
==== Webserver Configuration ====
* [[https://mozilla.github.io/server-side-tls/ssl-config-generator/|Mozilla SSL Configuration Generator]]
* https://scaron.info/blog/improve-your-nginx-ssl-configuration.html
==== Web-Security ====
* https://webmasters.googleblog.com/2017/03/nohacked-year-in-review.html
* [[https://medium.com/square-corner-blog/content-security-policy-for-single-page-web-apps-78f2b2cf1757#.a58mifv6v|Content Security Policy for Single Page Web Apps]]
===== OpenSSL =====
**''.cer''** or **''.crt''** files store X.509 certificates in **DER** or **Base64** (PEM) encoding.

Display a PEM (Base64) encoded SSL certificate:
  openssl x509 -text -noout -in certificate.pem

Display a binary DER-encoded SSL certificate:
  openssl x509 -text -noout -in certificate.der -inform DER

Convert a DER-encoded certificate to Base64 (PEM) encoding:
  openssl x509 -inform DER -in certificate.cer -out certificate.pem
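
The file extension does not say which encoding a ''.cer'' or ''.crt'' file uses, so the following added example (not part of the original notes) inspects the file content and passes the matching ''-inform'' value to ''openssl x509''. The function names ''cert_encoding'', ''show_cert'' and ''cert_to_pem'' are assumptions made for this example.

```shell
#!/bin/sh
# Added example: choose -inform for a .cer/.crt file from its content,
# not from its extension. Function names are hypothetical.

# Print PEM, DER or unknown for the file given as $1.
cert_encoding() {
    [ -r "$1" ] || { echo unknown; return 1; }
    # PEM: Base64 body wrapped in BEGIN/END CERTIFICATE lines.
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo PEM
        return 0
    fi
    # DER: binary ASN.1. A certificate is a SEQUENCE, so the first
    # byte is 0x30. This is a heuristic; openssl does the real parsing.
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo DER
        return 0
    fi
    echo unknown
    return 1
}

# Show the certificate in text form, whatever its encoding.
show_cert() {
    enc=$(cert_encoding "$1") || {
        echo "$1: neither PEM nor DER" >&2
        return 1
    }
    openssl x509 -text -noout -in "$1" -inform "$enc"
}

# Write a PEM copy of $1 to $2, whatever the input encoding.
cert_to_pem() {
    enc=$(cert_encoding "$1") || {
        echo "$1: neither PEM nor DER" >&2
        return 1
    }
    openssl x509 -inform "$enc" -in "$1" -outform PEM -out "$2"
}
```

After sourcing the file, ''show_cert certificate.cer'' prints the certificate regardless of how it was saved.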
==== Set up your own Certificate Authority (CA) ====
* https://jamielinux.com/docs/openssl-certificate-authority/index.html
* https://www.phildev.net/ssl/
==== Certificate Enrolment ====
* https://tools.ietf.org/html/draft-gutmann-scep-10
==== Certificate Management ====
* https://github.com/hashicorp/vault
* https://news.ycombinator.com/item?id=14321498