November 28, 2025 20 min read Security, SSL/TLS, Encryption

Understanding SSL/TLS: A Complete Guide

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are the backbone of encrypted web traffic. They ensure confidentiality, integrity, and authenticity of data between a client and a server. This guide expands on the handshake, ciphers, certificate lifecycle, validation methods, common vulnerabilities, mitigation strategies, and practical server configuration.

Protocol Overview & Evolution

Brief evolution recap:

SSL 2.0/3.0: Legacy and insecure — do not use.
TLS 1.0 / 1.1: Deprecated due to weaknesses.
TLS 1.2: Still common and configurable with modern ciphers.
TLS 1.3: Current recommended version — faster handshake, removed legacy ciphers, better forward secrecy.

Core Concepts

Confidentiality, Integrity, Authenticity

Confidentiality: data is encrypted (symmetric encryption).
Integrity: data modification is detectable (MAC/HMAC or AEAD).
Authenticity: server identity verified via certificates signed by a CA.

Asymmetric vs Symmetric Cryptography

Asymmetric (public-private): used for key exchange, digital signatures. Slower but enables secure key bootstrap.
Symmetric: used for bulk data encryption (AES-GCM, ChaCha20-Poly1305) — much faster.

Perfect Forward Secrecy (PFS)

PFS ensures that compromise of long-term keys (server private key) doesn’t allow decryption of past sessions. Achieved via ephemeral key exchange algorithms like DHE or ECDHE. TLS 1.3 mandates key exchange that provides PFS.

Cipher Suites (What they mean)

A cipher suite string shows the algorithms used: key exchange, authentication, encryption, and MAC/AEAD. Example:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Breakdown:

TLS_ECDHE: ECDHE key exchange (ephemeral elliptic curve)
RSA: authentication (certificate uses RSA)
AES_128_GCM: symmetric cipher and AEAD mode
SHA256: hash for signatures / HMAC if used

Handshake detailed notes

ClientHello: lists supported versions/ciphers, sends client random and optionally key share (TLS 1.3).
ServerHello: chooses version and cipher; sends server random and server key share if needed.
Certificate: server sends certificate chain to prove identity.
Key Exchange: ephemeral exchange creates shared symmetric keys.
Finished messages: both sides verify handshake transcript using the derived keys.

TLS 1.3 shortcut: key material is established earlier (via key shares in ClientHello), allowing a 1-RTT handshake in most cases and optionally zero-round-trip (0-RTT) for resumed sessions with some risks (replay).

TLS 1.3 — What changed and why it matters

TLS 1.3 brings improvements:

Reduced handshake round-trips (faster page loads).
Removed insecure and obsolete features (RSA key exchange, static Diffie-Hellman, CBC-mode ciphers, MD5/SHA-1-based HMACs).
Only AEAD ciphers supported (e.g., AES-GCM, ChaCha20-Poly1305).
Forward secrecy by default.

Certificate Authorities (CAs) & Certificate Chains

CAs validate ownership/identity and sign certificates. A typical certificate chain looks like:

End-entity certificate (example.com)
Intermediate CA certificate
Root CA certificate (trusted by OS/browser)

Browsers validate the chain up to a trusted root. If any certificate in chain is invalid, expired, or revoked, validation fails.

Certificate contents

Public key
Subject (identity info: CN, SANs)
Validity period
Issuer
Signature by issuer's private key
Extensions (Key Usage, Extended Key Usage, SAN, etc.)

Certificate Revocation — CRL & OCSP

Certificate revocation is how CAs mark certificates as no longer valid before expiration:

CRL (Certificate Revocation List): periodic list published by CA — less real-time
OCSP (Online Certificate Status Protocol): real-time check to CA — more immediate
OCSP Stapling: server fetches OCSP response and sends (staples) to client to improve privacy and performance

Common Vulnerabilities & Attacks (historic & lessons)

Notable attacks:

POODLE — SSLv3 fallback attack, led to disabling SSLv3.
Heartbleed — OpenSSL bug leaking memory (private keys, session data).
BEAST / Lucky13 — CBC-mode side-channel issues; mitigated by AEAD ciphers.
FREAK / Logjam — downgrade attacks exploiting weak export-grade cryptography.
Certificate authority compromises — rogue CA can issue trusted certificates.

Mitigations & Best Practices

Use TLS 1.3 where possible; otherwise TLS 1.2 with modern ciphers.
Prefer AEAD ciphers: AES-GCM, ChaCha20-Poly1305.
Use ECDHE for key exchange to provide PFS.
Enable OCSP stapling and short-lived OCSP responses.
Keep OpenSSL / TLS library up-to-date to patch CVEs.
Protect private keys (hardware security modules, offline storage for root CA).
Harden servers with secure ciphersuite order and disable insecure protocols/ciphers.
Use automated certificate renewals (Let's Encrypt + Certbot / ACME clients).

Practical Server Configuration Examples

Nginx (recommended minimal modern config)

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    # TLS versions
    ssl_protocols TLSv1.2 TLSv1.3;

    # Prefer server ciphersuites
    ssl_prefer_server_ciphers off;

    # Recommended ciphers (TLSv1.2 fallback)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:...
        :ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
}

Apache (httpd) snippet

<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile /etc/ssl/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/example.com/privkey.pem

    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on

    # OCSP stapling (mod_ssl, Apache 2.4.3+)
    SSLUseStapling on
    SSLStaplingCache shmcb:/var/run/ocsp(128000)
</VirtualHost>

Certificate Automation & Let's Encrypt

ACME (Automated Certificate Management Environment) enables issuance/renewal without manual steps. Certbot is the most common client. Example renew command:

sudo certbot --nginx -d example.com -d www.example.com
# Certbot installs cron/systemd job to auto-renew
sudo certbot renew --dry-run

Advanced Topics

Mutual TLS (mTLS)

mTLS: both client and server present certificates and verify each other—useful for internal APIs, zero-trust environments, and IoT.

Certificate Pinning

Pinning ties a client to a particular certificate/public key to avoid rogue CA issues. Use with caution — poor pinning causes outages if pins are not updated correctly. HPKP (HTTP Public Key Pinning) is deprecated; use application-level pins or short-lived certs + monitoring.

ALPN (Application-Layer Protocol Negotiation)

ALPN allows negotiation of protocols like HTTP/2 or HTTP/3 within the TLS handshake — essential for enabling HTTP/2 without extra round trips.

SNI (Server Name Indication)

SNI allows one server IP to host multiple TLS sites by sending the desired hostname in ClientHello. Without SNI, certificates will not match virtual hosts.

Testing & Validation

Use SSL Labs (Qualys) to grade your public site for protocol, cipher and configuration correctness.
Use openssl s_client -connect example.com:443 -servername example.com to inspect certificates and handshake details.
Test OCSP stapling status via openssl ocsp commands and online tools.

Creating Your Own CA (Expanded)

Below is a condensed, documented flow for building a local Root CA and intermediate — expanded from your earlier script with additional explanations and tips.

Directory structure

~/my-ca/
├─ certs/                # issued certs
├─ private/               # private keys (protect this directory)
├─ csr/                   # certificate signing requests
├─ newcerts/              # db for openssl
├─ index.txt              # DB used by OpenSSL CA operations
├─ serial                 # serial number counter
└─ openssl.cnf            # CA configuration

Important Security Tips

Keep the root private key offline and encrypted with a strong passphrase.
Limit access to private/ directory and use hardware security modules if possible.
Rotate intermediate CAs periodically and keep short validity for server certs.

Verifying certificate chain (example)

openssl verify -CAfile certs/root.crt \
  -untrusted intermediate/certs/intermediate.crt \
  intermediate/certs/example.com.crt
# expected: intermediate/certs/example.com.crt: OK

Certificate lifecycle & renewal strategy

Use short-lived certificates when possible (90 days is typical for Let's Encrypt).
Automate renewals and monitoring (Prometheus + cert-exporter or built-in certbot timers).
Have emergency re-issuance procedure for key compromise.

Real-world troubleshooting commands

# Inspect certificate (PEM)
openssl x509 -in example.com.crt -text -noout

# Test handshake & show negotiated cipher
openssl s_client -connect example.com:443 -servername example.com

# Check which TLS versions server supports (use nmap/sslyze for detailed scans)
nmap --script ssl-enum-ciphers -p 443 example.com

Security Considerations & Checklist

Checklist:

✅ TLS 1.3 enabled (fallback TLS 1.2 only)
✅ Strong cipher suites (AEAD)
✅ PFS via ECDHE
✅ OCSP stapling enabled
✅ HSTS header with preload consideration
✅ Automated certificate renewal

Conclusion

SSL/TLS is fundamentally about establishing secure, authenticated channels. Modern best practices push for TLS 1.3, AEAD ciphers, OCSP stapling, and automated certificate lifecycle. For production, prefer public CAs or managed PKI services for reliability and simpler trust management — and keep private keys protected at all times.