
Michael W Lucas - TLS Mastery (Tux Edition)

Year: 2021. Publisher: Tilted Windmill Press.

TLS Mastery

Michael W Lucas

About the Author

https://mwl.io

More Tech Books from Michael W Lucas

Absolute BSD

Absolute OpenBSD (1st and 2nd edition)

Cisco Routers for the Desperate (1st and 2nd edition)

PGP and GPG

Absolute FreeBSD (2nd and 3rd edition)

Network Flow Analysis

the IT Mastery Series

SSH Mastery (1st and 2nd edition)

DNSSEC Mastery

Sudo Mastery (1st and 2nd edition)

FreeBSD Mastery: Storage Essentials

Networking for Systems Administrators

Tarsnap Mastery

FreeBSD Mastery: ZFS

FreeBSD Mastery: Specialty Filesystems

FreeBSD Mastery: Advanced ZFS

PAM Mastery

Relayd and Httpd Mastery

Ed Mastery

FreeBSD Mastery: Jails

SNMP Mastery

TLS Mastery

The Networknomicon

Other Nonfiction

Cash Flow For Creators

Only Footnotes

Books and Novels (as Michael Warren Lucas)

Immortal Clay

Kipuka Blues

Butterfly Stomp Waltz

Terrapin Sky Tango

Forever Falls

Hydrogen Sleets

Drinking Heavy Water

Aidan Redding Against the Universes

git commit murder

git sync murder

See your local bookstore for more!

Acknowledgements

TLS is perhaps the most complicated topic I've ever written about. Writing this book would have been impossible without outside help.

This book would not exist if the Internet Security Research Group hadn't deployed ACME and organized Let's Encrypt. TLS certificates are not only free for most people, their maintenance and renewal is highly automatable. They've changed the whole Internet, and deserve our thanks for that.

It doesn't matter how many RFCs I study and how many technical mailing list archives I read: I lack the expertise and context to best illuminate an arcane topic like TLS. The folks who read this manuscript's early stages and pointed out my innumerable errors deserve special thanks. James Allen, Xavier Belanger, Trix Farrar, Loganaden Velvindron, Jan-Piet Mens, Mike O Connor, Fred Schlechter, Grant Taylor, Gordon Tetlow, and Fraser Tweedale, here's to you.

Lilith Saintcrow convinced me that The Princess Bride could be a useful motif for a serious technology book. This book was written during the 2020 pandemic, so I must also thank The Princess Bride for providing me a desperately needed sense of hope.

Dan Langille gracefully submitted to the pillaging of his blog for useful hints and guidance. I am grateful that JP Mens, Evan Hunt, and John-Mark Gurney provoked him into updating that blog and saving me a bunch of work.

I am unsure if I should profusely thank Bob Beck for his time and patience in revealing the innards of TLS, or profoundly curse him and his spawn unto the seventh generation. I must acknowledge the usefulness of Happy Bob's Test CA, however, so I'll raise a glass to that while waffling over whether or not the bottle of fair-to-middlin' wine I owe him should be laced with iocane powder.

For Liz.

Chapter 0: Introduction

Of the innumerable things I detest about information technology, first prize goes to the word "security." Not the concepts behind it, the actual word. The definition of security wobbles drunkenly all about the dictionary depending on who's speaking, who's listening, the context, and the distance to the nearest brute squad. It's a transcendental state where everyone is perfectly safe from everyone, but it's not inconvenient or intimidating or incomprehensible in the slightest. Security is Happy Fun Land, where everybody eats hot fudge sundaes all day every day without developing diabetes or gaining so much as a gram.

The only way to make this word even slightly meaningful is to tightly define the context.

That's one advantage Transport Layer Security (TLS) has. What it secures is right in the name. And even then, it's misunderstood. It doesn't make web servers secure. That little shield icon in the web browser's address bar doesn't mean your credit card information won't end up being used to purchase llama pornography. TLS encrypts a network connection during transit. That's it. It doesn't protect the client or the server from attackers. It doesn't keep scammers from tricking you out of your personal data. It doesn't even totally guarantee that you're at the site you think you're at. Protecting data in transit is vital. While it's best known for web sites, a TLS-aware application can apply TLS to any TCP or UDP network connection.

TLS is also poorly understood. Most sysadmins know that they get a certificate, slap it into place, and Magic Happens. Those certificates used to be expensive. Over the last twenty years the price dropped, and today you can get them for free. There are still times you want one of the expensive certificates, but most of us have no idea when or why that expense is warranted.

Even with free certificates, I'm still not fond of TLS. This certainly isn't one of those books where the author is so besotted by the technology that you wonder if it's going to turn into a kissing book. But TLS is pervasive, frustrating, and complex. Understanding is our only way to cope with it.

Who Should Read This Book?

TLS Mastery is written for Unix system administrators who manage applications built with TLS, and anyone who uses the OpenSSL command on any platform. I assume you're comfortable with the command line, scripting, privilege management, and other standard Unix features.

My reference platforms are FreeBSD, OpenBSD, Debian, and CentOS. The closer your Unix resembles one of these, the easier time you'll have. If you run a less common Unix, presumably you're familiar with its idiosyncrasies. In particular, MacOS ships a stripped-down OpenSSL client lacking many of the functions discussed here. For real work on MacOS you probably need an add-on alternate OpenSSL.

Among the many ACME implementations, this book uses dehydrated (https://dehydrated.io). The principles demonstrated with dehydrated should apply to any other client. I use Apache 2.4 to show how certain dehydrated components work, but other web servers work just as well. For DNS-related examples I use BIND 9.16, but any name server that supports dynamic updates (RFC 2136) will also work.

My reference TLS toolkit is OpenSSL, version 1.1.1. I also use LibreSSL, OpenBSD's meticulously audited OpenSSL fork, but it retains compatibility with the OpenSSL command line. Anything referring to OpenSSL also applies to LibreSSL unless stated otherwise. The principles discussed are also applicable to other TLS toolkits like GnuTLS, but I don't demonstrate them. If you can build a functional OpenSSL or LibreSSL on your platform, it should work.

OpenSSL is not only for TLS; it is a general-purpose encryption suite. Its command line is convoluted and complex in part because encryption is convoluted and complex. It's also complex because it originated in 1995 and attempts to retain backwards compatibility. I can't make you comfortable with the OpenSSL command line, but I might be able to reduce the amount of vertigo you experience when interacting with it.

Might.

TLS, SSL, and Versions

You hear about SSL connections and certificates, and TLS connections and certificates. What's the difference?

A digital certificate is a collection of carefully formatted information that identifies an entity, digitally signed by a Certificate Authority. A certificate signed by itself is called a self-signed certificate, and is the Internet equivalent of the handsome prince that smiles and says, "Trust me." Maybe you can trust him, or maybe you've already been betrayed. Servers, services, and users can have certificates. We go into certificates in depth in Chapter 3. Certificates are a key component of both SSL and TLS.
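To make the self-signed versus CA-signed distinction concrete, here is an added example (not from the book) that tells the two apart with the openssl command. It assumes OpenSSL 1.1.1 or later on the PATH; the helper functions and every certificate name in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a certificate as self-signed or CA-issued.
# All names (selfsigned.example, "Constructed Test CA", leaf.example)
# are constructed sample values.

# Print a certificate's subject or issuer DN in one normalized form.
dn() {  # usage: dn subject|issuer cert.pem
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# Succeeds only if the certificate names itself as issuer AND its signature
# verifies under its own public key (-check_ss_sig forces that check).
is_self_signed() {
    [ "$(dn subject "$1")" = "$(dn issuer "$1")" ] || return 1
    openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1
}

# Build constructed sample certificates in directory $1.
make_samples() {
    d=$1
    # 1. Self-signed: the key pair in self.key signs its own certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=selfsigned.example" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
    # 2. A test CA (itself self-signed, as root CAs are).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    # 3. A leaf certificate signed by the test CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -days 1 \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/leaf.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_samples "$tmp"
for c in self ca leaf; do
    if is_self_signed "$tmp/$c.pem"; then
        echo "$c.pem: self-signed (issuer: $(dn issuer "$tmp/$c.pem"))"
    else
        echo "$c.pem: issued by $(dn issuer "$tmp/$c.pem")"
    fi
done
rm -rf "$tmp"
```

The test CA's own certificate also reports as self-signed: whether to trust such a certificate is decided by how it reached your trust store, not by anything inside the certificate.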
