TLS

TLS（Transport Layer Security），昔稱SSL（Secure Sockets Layer）

• 參照：『維基百科～Transport_Layer_Security』。可用於架設Https的加密網站。

技術文件

TLS

• RFC 8446: "The Transport Layer Security (TLS) Protocol Version 1.3".
• RFC 5246: "The Transport Layer Security (TLS) Protocol Version 1.2".
• RFC 4346: "The Transport Layer Security (TLS) Protocol Version 1.1".
• RFC 2246: "The TLS Protocol Version 1.0".

SSL

• RFC 6101: "The Secure Sockets Layer (SSL) Protocol Version 3.0".

Extensions to TLS 1.0 include

• RFC 2595: "Using TLS with IMAP, POP3 and ACAP". Specifies an extension to the IMAP, POP3 and ACAP services that allow the server and client to use transport-layer security to provide private, authenticated communication over the Internet.
• RFC 2712: "Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)". The 40-bit cipher suites defined in this memo appear only for the purpose of documenting the fact that those cipher suite codes have already been assigned.
• RFC 2817: "Upgrading to TLS Within HTTP/1.1", explains how to use the Upgrade mechanism in HTTP/1.1 to initiate Transport Layer Security (TLS) over an existing TCP connection. This allows unsecured and secured HTTP traffic to share the same well known port (in this case, http: at 80 rather than https: at 443).
• RFC 2818: "HTTP Over TLS", distinguishes secured traffic from insecure traffic by the use of a different 'server port'.
• RFC 3207: "SMTP Service Extension for Secure SMTP over Transport Layer Security". Specifies an extension to the SMTP service that allows an SMTP server and client to use transport-layer security to provide private, authenticated communication over the Internet.
• RFC 3268: "AES Ciphersuites for TLS". Adds Advanced Encryption Standard (AES) cipher suites to the previously existing symmetric ciphers.
• RFC 3546: "Transport Layer Security (TLS) Extensions", adds a mechanism for negotiating protocol extensions during session initialisation and defines some extensions. Made obsolete by RFC 4366.
• RFC 3749: "Transport Layer Security Protocol Compression Methods", specifies the framework for compression methods and the DEFLATE compression method.
• RFC 3943: "Transport Layer Security (TLS) Protocol Compression Using Lempel-Ziv-Stac (LZS)".
• RFC 4132: "Addition of Camellia Cipher Suites to Transport Layer Security (TLS)".
• RFC 4162: "Addition of SEED Cipher Suites to Transport Layer Security (TLS)".
• RFC 4217: "Securing FTP with TLS".
• RFC 4279: "Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)", adds three sets of new cipher suites for the TLS protocol to support authentication based on pre-shared keys.

Extensions to TLS 1.1 include

• RFC 4347: "Datagram Transport Layer Security" specifies a TLS variant that works over datagram protocols (such as UDP).
• RFC 4366: "Transport Layer Security (TLS) Extensions" describes both a set of specific extensions and a generic extension mechanism.
• RFC 4492: "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)".
• RFC 4680: "TLS Handshake Message for Supplemental Data".
• RFC 4681: "TLS User Mapping Extension".
• RFC 4785: "Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Transport Layer Security (TLS)".
• RFC 5054: "Using the Secure Remote Password (SRP) Protocol for TLS Authentication". Defines the TLS-SRP ciphersuites.
• RFC 5077: "Transport Layer Security (TLS) Session Resumption without Server-Side State".
• RFC 5081: "Using OpenPGP Keys for Transport Layer Security (TLS) Authentication", obsoleted by RFC 6091.

Extensions to TLS 1.2 include

• RFC 5288: "AES Galois Counter Mode (GCM) Cipher Suites for TLS".
• RFC 5289: "TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)".
• RFC 5746: "Transport Layer Security (TLS) Renegotiation Indication Extension".
• RFC 5878: "Transport Layer Security (TLS) Authorization Extensions".
• RFC 6066: "Transport Layer Security (TLS) Extensions: Extension Definitions", includes Server Name Indication and OCSP stapling.
• RFC 6091: "Using OpenPGP Keys for Transport Layer Security (TLS) Authentication".
• RFC 6176: "Prohibiting Secure Sockets Layer (SSL) Version 2.0".
• RFC 6209: "Addition of the ARIA Cipher Suites to Transport Layer Security (TLS)".
• RFC 6460: "Suite B Profile for Transport Layer Security (TLS)".

Encapsulations of TLS include

• RFC 5216: "The EAP-TLS Authentication Protocol"

相關教學

用戶端

• 使用 Secure Sockets Layer

伺服器端

• How To：在網頁伺服器上設定 SSL
• Windows 2003 核發自己的 IIS SSL 憑證步驟
• 如何在 IIS 中 HTTPS 的服務設定
• How to Setup SSL on IIS 7.0
• 購買與安裝 SSL 憑證完全攻略 (以 IIS 7.0 為例)
• 你的SSL憑證安全嗎？

FAQ

SSL憑證種類

SSL憑證，副檔名為 .crt

• 在檔名中有 Root 字眼的是「CA 根憑證」
• 在檔名中有 SSL 字眼的是「中繼憑證」
• 在檔名中有 Server 字眼的是「自我憑證」

SSL憑證申請

• 中華電信通用憑證管理中心
• 產品價格表 - GuardTech
• GCA 政府憑證管理中心（台灣的政府機關專用）

IE或.NET無法連上的網站

• 【茶包射手筆記】Chrome、Python 可以但 IE11、.NET 程式無法連線的 TLS 1.2 網站-黑暗執行緒

Certbot

• 似乎可以申請免費SSL憑證使用？
• Certbot
  • 解析 Certbot（Let's encrypt） 使用方式 | DEVLOG of andyyou
  • [Ubuntu 使用 Certbot 自動更新 Let’s Encrypt 憑證 | Calos's Blog]
  • 玩具烏托邦: 用 certbot 幫同網域下眾網站創建共用的 ssl 憑證
  • Let's Encrypt - 免費的 SSL 憑證 | 老洪的 IT 學習系統
  • ACME 客戶端 - Let's Encrypt - 免費的 SSL/TLS 憑證
  • SSL憑證@xoops--NGINX 使用 Let’s Encrypt 免費 SSL 憑證設定 HTTPS 安全加密網頁