An ACME protocol client written purely in Shell (Unix shell) language.
Full ACME protocol implementation. Support ECDSA certs. Support SAN and wildcard certs. Simple, powerful and very easy to use. You only need 3 minutes to learn it. Bash, dash and sh compatible. Purely written in Shell with no dependencies on python. Self-contained, just one script is needed to issue, renew and install your certificates automatically. DOES NOT require root/sudoer access. Docker ready. IPv6 ready. Cron job notifications for renewal or error etc.
An interactive list of ciphersuite configurations that can be searched, sorted, and queried. The link bookmarked is a best practice set, from strongest to least trustworthy cryptosystems.
This guide arose out of the need for system administrators to have an updated, solid, well researched and thought-through guide for configuring SSL, PGP, SSH and other cryptographic tools in the post-Snowden age. Triggered by the NSA leaks in the summer of 2013, many system administrators and IT security officers saw the need to strengthen their encryption settings. This guide is specifically written for these system administrators.
The focus of this guide is merely to give current best practices for configuring complex cipher suites and related parameters in a copy & paste-able manner. The guide tries to stay as concise as is possible for such a complex topic as cryptography. Naturally, it can not be complete. There are many excellent guides (II & SYM, 2012) and best practice documents available when it comes to cryptography. However none of them focuses specifically on what an average system administrator needs for hardening his or her systems' crypto settings.
testssl.sh is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws. Clear human-readable and machine-readable outputs. No installation needed, uses only bash. Test any SSL/TLS enabled service on any port.
A simple zero-config tool to make locally trusted development certificates with any names you'd like. Does this by adding (and managing) a local CA on your laptop which you can issue arbitrary certs for (including localhost).
Secure your email server with STARTTLS Everywhere! Your email service can be insecure in numerous different ways. The service below performs a quick check of your email server's security configuration, including whether STARTTLS is supported, and whether it may qualify for the STARTTLS Policy List.
How to harden SSL support on your web server to mitigate attacks like BREACH, BEAST, and Lucky 13. Updated regularly.
Plug an XMPP server or client into this site and it'll audit certain aspects of its COMSEC posture, such as key sizes, whether or not crypto is enabled, and what crypto protocols it supports. If you're paranoid about instant messaging, you may wish to start by using this site.
mbed TLS (formerly PolarSSL) is an SSL implementation written from scratch designed for use in embedded applications and systems. The API was designed to make sense (unlike some other implementations I could mention) and the source code is written with readability in mind. Written in C as portably as possible. Modules are designed to be as loosely coupled as is feasible. opensource by default, but they do ask you to purchase commercial licenses if appropriate. Has a not-insignificant list of commercial and government users.
A tutorial on how to harden SSL and TLS in Nginx. Includes changing and increasing the size of Diffie-Hellman parameters for better security.