SSL / TLS Reference

// versions · cipher suites · openssl commands · cert chain · errors
SSL 2.0
BROKEN — NEVER USE
Deprecated 1996. Multiple critical flaws. Should be disabled everywhere.
SSL 3.0
BROKEN — POODLE
Vulnerable to POODLE attack (2014). RFC 7568 prohibits its use.
TLS 1.0
DEPRECATED — DISABLE
PCI-DSS compliance requires disabling. BEAST attack vulnerability.
TLS 1.1
DEPRECATED
Deprecated by RFC 8996 (2021). Disable unless legacy support needed.
TLS 1.2
ACCEPTABLE
Still widely used. Secure with correct cipher suites. Supported everywhere.
TLS 1.3
RECOMMENDED
Fastest, most secure. Removed weak algorithms. Mandatory forward secrecy.
Removed: RSA key exchange, CBC ciphers, SHA-1, MD5, DES, 3DES
Mandatory: Forward secrecy (ephemeral key exchange only)
Faster: 1-RTT handshake (vs 2-RTT in TLS 1.2), 0-RTT resumption
Only 5 cipher suites (all secure, all AEAD)
Encrypted handshake — less metadata exposed
# Test TLS connection and show certificate
openssl s_client -connect gridwire.io:443

# Show only certificate info
openssl s_client -connect gridwire.io:443 -showcerts < /dev/null

# Test specific TLS version
openssl s_client -connect gridwire.io:443 -tls1_2
openssl s_client -connect gridwire.io:443 -tls1_3

# Check if TLS 1.0 is enabled (should fail on secure servers)
openssl s_client -connect gridwire.io:443 -tls1

# Show supported ciphers
openssl ciphers -v 'ALL:!ADH:@STRENGTH'

# Test specific cipher
openssl s_client -connect gridwire.io:443 -cipher ECDHE-RSA-AES256-GCM-SHA384
# View certificate details
openssl x509 -in cert.pem -text -noout

# Check cert expiry date only
openssl x509 -in cert.pem -noout -enddate

# Check expiry of remote cert
echo | openssl s_client -connect gridwire.io:443 2>/dev/null | openssl x509 -noout -dates

# Verify cert matches private key (hashes must match; RSA keys only)
openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in key.pem | openssl md5

# Generate CSR (certificate signing request); -nodes leaves domain.key unencrypted
openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

# Self-signed cert (dev/testing only)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

# Convert PFX/P12 to PEM (with -nodes the private key is written unencrypted)
openssl pkcs12 -in cert.pfx -out cert.pem -nodes
# Certificate chain (top to bottom)
Root CA            Self-signed. Trusted by OS/browser. Offline for security.
   ↓
Intermediate CA    Signed by Root. Online. Issues end-entity certs.
   ↓
End-Entity Cert    Your domain cert. Signed by Intermediate.

# Browser verifies: End-Entity → Intermediate → Root (in trust store)
# Missing intermediate = SSL error even if cert is valid
DV (Domain Validated)      Proves domain ownership only. Fast. Let's Encrypt.
OV (Org Validated)         Org identity verified. Medium trust. Days to issue.
EV (Extended Validated)    Full org vetting. Highest trust. Weeks to issue.
Wildcard                   *.domain.com — covers all subdomains (one level)
SAN/Multi-domain           Multiple domains in one cert (Subject Alt Names)
Self-Signed                Not trusted by browsers. Dev/internal use only.
# Install certbot (Ubuntu/Debian)
sudo apt install certbot python3-certbot-nginx

# Issue cert for nginx
sudo certbot --nginx -d gridwire.io -d www.gridwire.io

# Issue cert for apache
sudo certbot --apache -d gridwire.io

# Renew all certs
sudo certbot renew

# Test renewal (dry run)
sudo certbot renew --dry-run

# Check cert expiry
sudo certbot certificates
Error | Cause | Fix
ERR_CERT_AUTHORITY_INVALID | Self-signed or missing intermediate | Install full cert chain including intermediate CA
ERR_CERT_DATE_INVALID | Cert expired or system clock wrong | Renew cert or fix system time (check NTP)
ERR_CERT_COMMON_NAME_INVALID | Domain doesn't match cert CN/SAN | Reissue cert with correct domain, check www vs non-www
SSL_ERROR_RX_RECORD_TOO_LONG | HTTP served on HTTPS port | Check server config — port 443 must serve TLS not plain HTTP
HANDSHAKE_FAILURE | No common cipher suite | Update cipher suite config, check TLS version compatibility
CERT_HAS_EXPIRED | Certificate past notAfter date | Renew certificate. Set up auto-renewal (certbot, ACME)
unable to verify leaf signature | Missing intermediate in chain | Concatenate: cat domain.crt intermediate.crt > fullchain.crt
certificate verify failed | Untrusted CA or wrong cert | Install CA bundle, or use -CAfile with openssl
TLS_AES_256_GCM_SHA384          ✓ Recommended
TLS_CHACHA20_POLY1305_SHA256    ✓ Recommended (faster on mobile/ARM)
TLS_AES_128_GCM_SHA256          ✓ Acceptable
ECDHE-ECDSA-AES256-GCM-SHA384   ✓ Recommended
ECDHE-RSA-AES256-GCM-SHA384     ✓ Recommended
ECDHE-ECDSA-AES128-GCM-SHA256   ✓ Acceptable
ECDHE-RSA-AES128-GCM-SHA256     ✓ Acceptable

# AVOID these in TLS 1.2:
RC4-*               ✗ RC4 is broken
*-CBC-*             ✗ BEAST/LUCKY13 vulnerable
*-NULL-*            ✗ No encryption
*-EXPORT-*          ✗ Deliberately weak (FREAK)
DH-* (non-ECDHE)    ✗ Logjam vulnerable
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000" always;
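
# Added example (not part of the original reference): a shell filter that checks `openssl ciphers -v` output against the TLS 1.2 AVOID list above. Suite names alone do not always reveal CBC mode, so it reads the Kx=/Enc=/Mac= columns instead. The function names, verdict strings and sample lines are constructed for illustration, and it assumes any non-AEAD suite that is neither RC4 nor NULL uses CBC.

```shell
#!/bin/sh
# Classify cipher suites from `openssl ciphers -v` against the AVOID list:
# RC4, CBC, NULL, EXPORT and non-ECDHE DH key exchange.

audit_ciphers() {
  # stdin: NAME PROTO Kx=... Au=... Enc=... Mac=... [export]
  # stdout: NAME<TAB>OK   or   NAME<TAB>AVOID<TAB>reason[,reason...]
  awk '
    NF < 6 { next }                      # skip blank or malformed lines
    {
      kx = ""; enc = ""; mac = ""; why = ""
      for (i = 3; i <= NF; i++) {
        if ($i ~ /^Kx=/)  kx  = substr($i, 4)
        if ($i ~ /^Enc=/) enc = substr($i, 5)
        if ($i ~ /^Mac=/) mac = substr($i, 5)
      }
      if (enc ~ /^RC4/)    why = why ",RC4"
      if (enc ~ /^None/)   why = why ",NULL"
      if ($NF == "export") why = why ",EXPORT"
      if (kx ~ /^DH/)      why = why ",DH"      # Kx=ECDH does not match
      # Assumption: non-AEAD and neither stream cipher nor NULL means CBC.
      if (mac != "AEAD" && enc !~ /^(RC4|None)/) why = why ",CBC"
      if (why == "") print $1 "\tOK"
      else           print $1 "\tAVOID\t" substr(why, 2)
    }'
}

# Constructed sample in `openssl ciphers -v` column format (not captured output).
sample_cipher_list() {
  cat <<'EOF'
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
NULL-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=None Mac=SHA256
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EOF
}

sample_cipher_list | audit_ciphers
```

# To check a real list, pipe `openssl ciphers -v '<ssl_ciphers string>'` into audit_ciphers before putting that string into the nginx config.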