This guide arose out of the need for system administrators to have an updated, solid, well researched and thought-through guide for configuring SSL, PGP, SSH and other cryptographic tools in the post-Snowden age. Triggered by the NSA leaks in the summer of 2013, many system administrators and IT security officers saw the need to strengthen their encryption settings. This guide is specifically written for these system administrators.
The focus of this guide is merely to give current best practices for configuring complex cipher suites and related parameters in a copy & paste-able manner. The guide tries to stay as concise as is possible for such a complex topic as cryptography. Naturally, it can not be complete. There are many excellent guides (II & SYM, 2012) and best practice documents available when it comes to cryptography. However none of them focuses specifically on what an average system administrator needs for hardening his or her systems' crypto settings.
In this series, we show ways to secure your web server. We will use Debian 9 and Apache httpd 2.4.25 in our examples, however, you can convert most configuration to other operating systems or web servers.
testssl.sh is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws. Clear human-readable and machine-readable outputs. No installation needed, uses only bash. Test any SSL/TLS enabled service on any port.
The goal of this document is to help operational teams with the configuration of TLS on servers. All Mozilla sites and deployment should follow the recommendations below. The Operations Security (OpSec) team maintains this document as a reference guide to navigate the TLS landscape. It contains information on TLS protocols, known issues and vulnerabilities, configuration examples and testing tools. Changes are reviewed and merged by the OpSec team, and broadcasted to the various Operational teams.
A simple zero-config tool to make locally trusted development certificates with any names you'd like. Does this by adding (and managing) a local CA on your laptop which you can issue arbitrary certs for (including localhost).
Secure your email server with STARTTLS Everywhere! Your email service can be insecure in numerous different ways. The service below performs a quick check of your email server's security configuration, including whether STARTTLS is supported, and whether it may qualify for the STARTTLS Policy List.
A system for allowing the reboot of servers with encrypted hard drives when you arent physically present to type in the passphrases. It relies upon strictly timed encrypted network communications with trusted systems and the use of PGP to decrypt some of the keying material.
A Git repository of config files for various network services that hardens their settings and sets up SSL and/or TLS to encrypt traffic.
How to harden SSL support on your web server to mitigate attacks like BREACH, BEAST, and Lucky 13. Updated regularly.
Plug an XMPP server or client into this site and it'll audit certain aspects of its COMSEC posture, such as key sizes, whether or not crypto is enabled, and what crypto protocols it supports. If you're paranoid about instant messaging, you may wish to start by using this site.
mbed TLS (formerly PolarSSL) is an SSL implementation written from scratch designed for use in embedded applications and systems. The API was designed to make sense (unlike some other implementations I could mention) and the source code is written with readability in mind. Written in C as portably as possible. Modules are designed to be as loosely coupled as is feasible. opensource by default, but they do ask you to purchase commercial licenses if appropriate. Has a not-insignificant list of commercial and government users.
A tutorial on how to harden SSL and TLS in Nginx. Includes changing and increasing the size of Diffie-Hellman parameters for better security.