Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network.

The authentication relied on Certificate Authorities (CA) and a public key infrastructure using X.509 certificates. The server register with a CA and sign its public key with the key of CA for a fee. The client, after receiving the public key from server, verifies it with the CA.

File:Ssl handshake with two way authentication with certificates.png - Wikimedia Commons

OpenSSL is a toolkit for the TLS and SSL.

see Open SSL

• ImperialViolet - Overclocking SSL
• ImperialViolet - Public key pinning
• Survival Guide - TLS/SSL and SSL (X.509) Certificates (CA-signed and Self-Signed)
• Is TLS Fast Yet?
• BetterCrypto⋅org
• Rolling out Public Key Pinning with HPKP Reporting – Google Web Updates
• The SSL/TLS Handshake: an Overview – SSL Information and FAQ
• SSL: it’s hard to do right | The Recompiler
• How the NSA (may have) put a backdoor in RSA’s cryptography: A technical primer | Ars Technica
• Critics slam SSL authority for minting certificate for impersonating sites | Ars Technica
• How to obtain and install an SSL/TLS certificate, for free | Ars Technica
• Web served, part 2: Securing things with SSL/TLS | Ars Technica

HSTS

• HTTP Strict Transport Security - Wikiwand: always use HTTPS
• HSTS Preload List Submission

SSL checkers

• Qualys SSL Labs
• SSL Certificate Checker - Diagnostic Tool | DigiCert.com

Perfect Forward Secrecy (PFS)

• SSL Enabling Forward Secrecy | DigiCert.com

Issues

CA

As it turns out, CA may not be trust-worthy after all. There are many instances of CA issuing fraudulent certificates (willingly or being hacked).

• How the Comodo certificate fraud calls CA trust into question | Ars Technica
• Google warns of unauthorized TLS certificates trusted by almost all OSes[Updated] | Ars Technica Google Chrome will banish Chinese certificate authority for breach of trust | Ars Technica
• Another fraudulent certificate raises the same old questions about certificate authorities | Ars Technica

Heartbleed (2014)

• Heartbleed Bug
• Heartbleed – Andrew Kennedy
• Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style | Ars Technica
• Coder in a World of Code: My Heart Bleeds for OpenSSL

Renegotiation Gap (2009)

• Truth in SOA: Really Understanding the SSL/TLS Vulnerability (Part 1)

Let’s Encrypt

• Let’s Encrypt
• How It Works
• Technology
• The CA’s Role in Fighting Phishing and Malware - Let’s Encrypt - Free SSL/TLS Certificates
• Rate Limits for Let’s Encrypt - Documentation - Let’s Encrypt Community Support
• Let’s Encrypt Demo - YouTube
• Generate free SSL certificates with Docker and LetsEncrypt | Tit Petrič
• How To Secure Nginx with Let’s Encrypt on Ubuntu 16.04 | DigitalOcean
• Let’s Encrypt with HAProxy
• Let’s Encrypt on Raspberry Pi
• adventures in haproxy: tcp, tls, https, ssh, openvpn
• LetsEncrypt on Nginx
• How to configure Nginx with free Let’s Encrypt SSL certificate on Debian or Ubuntu Linux

Clients

• letsencrypt
• Certbot
• acmetool
• diafygi/acme-tiny: A tiny script to issue and renew TLS certs from Let’s Encrypt
• Neilpang/le: Simplest shell script for LetsEncrypt free Certificate client
• xenolf/lego: Let’s Encrypt client and ACME library written in Go Used in Caddy
• Daplie/node-letsencrypt: letsencrypt for node.js
• DylanPiercey/auto-sni: Free, automated HTTPS for NodeJS made easy.

Heroku

• Announcing Heroku Free SSL Beta and Flexible Dyno Hours | Heroku
• Let’s Encrypt and Heroku [Solved] - Server - Let’s Encrypt Community Support
• Let’s Encrypt with a Rails app on Heroku // Collective Idea | Crafting web and mobile software based in Holland, Michigan
• Use Let’s Encrypt TLS certificate on Heroku – Sikachu’s Blog – Medium
• SSL Endpoint | Heroku Dev Center
• Set up CloudFlare’s free SSL on Heroku

Standards

• RFC 2986 - PKCS #10: Certification Request Syntax Specification Version 1.7
• RFC 3447 - Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1
• RFC 5958 - Asymmetric Key Packages
• RFC 6101 - The Secure Sockets Layer (SSL) Protocol Version 3.0
• RFC 7525 - Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
• RFC 7292 - PKCS #12: Personal Information Exchange Syntax v1.1