π TLS/SSL β Deep Dive: Handshake, Cipher Suites, Certificate Chain, Attacks & Detection
Nota ini adalah panduan komprehensif Transport Layer Security β dari sejarah SSL sampai TLS 1.3. Mencakup handshake step-by-step (TLS 1.2 vs 1.3), cipher suite anatomy, Certificate Authority hierarchy & chain validation, key exchange (RSA vs DH vs ECDHE), forward secrecy, session resumption, TLS fingerprinting (JA3/JA3S), TLS in HTTP/2 and HTTP/3, downgrade attacks (BEAST, CRIME, POODLE, ROBOT), dan practical detection of malicious TLS (C2 beaconing, encrypted traffic analysis). TLS adalah perimeter baru setelah network perimeter hilang.
Posisi di Vault
Nota ini terkait dengan http-protocol-deepdive (HTTPS = HTTP + TLS), cryptography-biometrics (crypto primitives yang dipake TLS), networking-fundamentals-tcpip-bgp (TCP handshake yang terjadi sebelum TLS), waf-reverse-proxy-deepdive (TLS termination di reverse proxy), container-kubernetes-security-deepdive (mTLS di service mesh), cloudflare-ruleset-engine-phases (TLS inspection), cobalt-strike dan sliver (C2 HTTPS profiles, JA3 evasion), dan comprehensive-threat-directory (TLS attack taxonomy).
Daftar Isi
- Foundation
- X.509 Certificate Chain
- Cipher Suite Anatomy
- TLS Handshake β Step by Step
- TLS 1.3 β Simplified
- Session Resumption
- TLS in HTTP/2 & HTTP/3
- TLS Fingerprinting β JA3 JA3S
- TLS Attack Surface
- Practical Detection of Malicious TLS
- Hardening Checklist
- Koneksi ke Vault
- References
Foundation
Timeline SSL β TLS
| Versi | Tahun | Status | Masalah |
|---|---|---|---|
| SSL 1.0 | 1994 (Netscape) | π΄ Tidak pernah rilis | Bugs parah |
| SSL 2.0 | 1995 | π΄ Deprecated (RFC 6176) | Multiple security flaws: same key for auth+encryption, MD5, weak MAC |
| SSL 3.0 | 1996 | π΄ Deprecated (RFC 7568) | POODLE attack (CVE-2014-3566) |
| TLS 1.0 | 1999 (RFC 2246) | π΄ Deprecated | BEAST (CVE-2011-3389), Lucky13 |
| TLS 1.1 | 2006 (RFC 4346) | π΄ Deprecated | CBC timing attacks |
| TLS 1.2 | 2008 (RFC 5246) | π‘ Masih dipake | Masih aman dengan konfigurasi benar (AES-GCM, ECDHE) |
| TLS 1.3 | 2018 (RFC 8446) | π’ Recommended | Forward secrecy wajib, 1-RTT handshake, hapus cipher lemah |
Kenapa TLS Bukan SSL?
SSL adalah nama lama (Netscape). Setelah diadopsi IETF, namanya diubah jadi TLS (Transport Layer Security). Tapi masyarakat umum masih nyebut βSSLβ β makanya sertifikat disebut βSSL certificateβ padahal sebenarnya TLS.
What TLS Does (dan Tidak)
| Lapisan | Dilindungi TLS? | Catatan |
|---|---|---|
| URI/Path | β Tidak | Hanya hostname yang di-enkripsi (SNI sebelumnya bocor, sekarang ECH/ESNI) |
| Query Parameters | β Ya | Semua data HTTP body dan query di-enkripsi setelah TLS handshake |
| Headers | β Ya | Setelah TLS handshake selesai, HTTP headers ter-enkripsi |
| Server Certificate | π‘ Sebagian | Sertifikat server ter-enkripsi di TLS 1.3, bocor di TLS 1.2 |
| Server IP | β Tidak | IP tujuan selalu kelihatan (harus pakai VPN/Tor) |
| SNI (Server Name Indication) | π‘ Sebagian | ECH (Encrypted Client Hello) baru mulai diadopsi β sebelum itu SNI plaintext |
| Traffic Length | β Tidak | Ukuran packet bocor β bisa dipakai traffic analysis (site fingerprinting) |
| DNS Query | β Tidak | DNS biasanya plaintext (kecuali DNS over HTTPS/TLS) |
X.509 Certificate Chain
Hierarki Kepercayaan
ββββββββββββββββββββββββββββββββ
β Root CA (Self-Signed) β β Root store: ~150 CA di browser/OS
β "ISRG Root X1" β Private key: offline, penyimpanan super aman
ββββββββββββββββ¬ββββββββββββββββ
β Signed by Root CA
ββββββββββββββββΌββββββββββββββββ
β Intermediate CA β β Bisa beberapa level
β "R3" (Let's Encrypt) β Private key: online, rotasi teratur
ββββββββββββββββ¬ββββββββββββββββ
β Signed by Intermediate CA
ββββββββββββββββΌββββββββββββββββ
β Leaf / End-Entity Cert β β Yang dipasang di server
β "*.example.com" β Private key: di server web
ββββββββββββββββββββββββββββββββ
Kenapa pake intermediate, bukan langsung dari Root?
- Root CA private key disimpan offline (air-gapped) β jarang dipake
- Intermediate bisa di-revoke tanpa revoke Root
- Kalo intermediate compromised, Root masih aman β bisa revoke intermediate dan terbitkan baru
Certificate Fields
| Field | Contoh | Fungsi |
|---|---|---|
| Subject | CN=*.example.com, O=Example Corp, C=US | Identitas pemilik sertifikat |
| Subject Alternative Names (SAN) | DNS:example.com, DNS:*.example.com | Domain yang dilindungi β modern browser cuma lihat SAN, gak lihat CN |
| Issuer | CN=R3, O=Let's Encrypt | CA yang nerbitin |
| Validity | Not Before: Jul 15 2026, Not After: Oct 15 2026 | Masa berlaku β 90 hari untuk Letβs Encrypt (Auto Renew) |
| Public Key | RSA 2048-bit atau ECDSA P-256 | Kunci publik milik server |
| Signature Algorithm | sha256WithRSAEncryption | Algoritma yang dipake CA untuk sign cert |
| Key Usage | Digital Signature, Key Encipherment | Cara kunci boleh dipake |
| Extended Key Usage | TLS Web Server Authentication | Konteks penggunaan |
| CRL Distribution Points | http://crl.example.com/root.crl | Lokasi daftar sertifikat yang di-revoke |
| OCSP Responder | http://ocsp.example.com | Endpoint pengecekan status real-time |
| Fingerprint (SHA-256) | a1:b2:c3:... | Hash sertifikat β identifier unik |
Chain Validation
Browser saat connect ke https://example.com:
1. Server kirim: Leaf Cert + Intermediate Cert(s) (tapi gak kirim Root)
2. Browser:
a. Verifikasi signature Leaf β Intermediate
b. Verifikasi signature Intermediate β Root (Root ada di trust store browser)
c. Cek validity period (belum expired)
d. Cek hostname (SAN cocok dengan domain yang dikunjungi)
e. Cek revocation status (CRL atau OCSP)
f. Cek Key Usage / Extended Key Usage
3. Kalau semua lolos β π padlock hijau
Certificate Validation Failures
| Error | Arti | Penyebab Umum |
|---|---|---|
| Self-signed cert | Certificate Authority gak dikenal | Dev server, internal tools |
| Hostname mismatch | SAN gak cocok dengan domain di URL | Wildcard gak cover subdomain, cert buat server beda |
| Expired cert | Melewati Not After | Gak renew tepat waktu |
| Revoked cert | CA udah revoke | Private key compromised, domain ganti |
| Incomplete chain | Intermediate gak dikirim server | Server config salah |
| Unknown issuer | Root gak ada di trust store | Root CA baru, atau fake cert |
Letβs Encrypt & ACME Protocol
Apa: CA gratis yang otomatis nerbitin sertifikat via ACME protocol. 90 hari validity β auto-renewal.
1. Install certbot / acme.sh
2. Domain validation: HTTP-01 (file di /.well-known/acme-challenge/) atau DNS-01 (TXT record)
3. ACME server terbitkan cert + private key
4. Auto-renew: cron/systemd timer check tiap 60 hari
Kenapa 90 hari? Biar dampak kompromi terbatas. Kalo compromised, maksimal 90 hari dipake β bukan 2 tahun.
Cipher Suite Anatomy
Cipher suite adalah kombinasi algoritma yang disepakati client & server untuk satu koneksi TLS.
Format TLS 1.2
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ββββ ββββ ββββ βββββ βββ ββββββ
1 2 3 4 5 6
| Komponen | Contoh | Fungsi | Opsi Umum |
|---|---|---|---|
| 1. Protokol | TLS | Protocol | TLS |
| 2. Key Exchange | ECDHE | Pertukaran kunci β cara client & server sepakat session key | RSA, DH, DHE, ECDHE, PSK |
| 3. Authentication | RSA | Autentikasi server β verifikasi identitas via cert | RSA, ECDSA, DSS |
| 4. Encryption | AES_128_GCM | Enkripsi data setelah handshake | AES-GCM, AES-CBC, ChaCha20 |
| 5. MAC/Hash | SHA256 | Integrity check β verifikasi data gak diubah | SHA, SHA256, SHA384, Poly1305 |
| 6. Key Exchange (opsional) | β | Beberapa format include _ untuk variasi | β |
TLS 1.3 β Simplified
TLS 1.3 hapus banyak opsi:
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
Hanya 5 cipher suite yang diizinkan β semuanya pake AEAD + HKDF. Gak ada RSA key exchange (gak ada forward secrecy tanpa), gak ada CBC mode, gak ada RC4.
Forward Secrecy
Konsep: Kalo private key server bocor, session key koneksi masa lalu tetap aman.
Cara kerja: Session key diturunkan dari ephemeral key exchange (DHE atau ECDHE), bukan dari RSA private key. RSA key exchange: session key di-enkripsi dengan private key β kalo private key bocor, semua session masa lalu bisa di-dekripsi. ECDHE: tiap session pake temporary key baru, dihapus setelah session selesai.
Status: TLS 1.3 mewajibkan forward secrecy. TLS 1.2 dengan cipher ECDHE juga aman. Cipher RSA key exchange harus di-disable.
AEAD β Authenticated Encryption with Associated Data
Kombinasi enkripsi + integrity check dalam satu operasi. Cegah padding oracle attack (CBC mode rentan). Contoh: AES-GCM, ChaCha20-Poly1305.
TLS Handshake β Step by Step
TLS 1.2 Full Handshake (2 RTT)
Client (browser) Server (nginx)
β β
βββββββ 1. ClientHello βββββββββββββββββββββββββ
β TLS version, cipher suites, β
β random bytes, session ID β
β β
ββββββ 2. ServerHello ββββββββββββββββββββββββββ
β Chosen version, cipher suite, β
β random bytes, session ID β
β β
ββββββ 3. Certificate ββββββββββββββββββββββββββ
β Server cert chain β
β β
ββββββ 4. ServerKeyExchange ββββββββββββββββββββ
β ECDHE params (pubkey, signature) β
β β
ββββββ 5. ServerHelloDone ββββββββββββββββββββββ
β "Udah, giliran lo" β
β β
βββββββ 6. ClientKeyExchange βββββββββββββββββββ
β ECDHE client pubkey β
β β Kedua pihak compute shared secret β
β β Turunkan session key β
β β
βββββββ 7. ChangeCipherSpec ββββββββββββββββββββ
β "Mulai enkripsi" β
β β
βββββββ 8. Finished (encrypted) ββββββββββββββββ
β MAC of all handshake messages β
β β
ββββββ 9. ChangeCipherSpec βββββββββββββββββββββ
ββββββ 10. Finished (encrypted) ββββββββββββββββ
β Server verify handshake integrity β
β β
ββββββββββββββββ Data (encrypted) βββββββββββββββ
Total: 2 RTT setelah TCP handshake (yang 1 RTT). Jadi HTTPS = TCP (1 RTT) + TLS 1.2 (2 RTT) = 3 RTT sebelum byte data pertama.
Detail Message
ClientHello:
Version: TLS 1.2 (0x0303)
Random: 32-byte random (client_random)
Session ID: (untuk resumption)
Cipher Suites: [TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305, ...]
Compression: [null] # null-satu-satunya yang aman
Extensions:
- SNI: "example.com"
- ALPN: ["h2", "http/1.1"]
- Supported Groups: [x25519, secp256r1, secp384r1] # ECDHE curves
- Signature Algorithms: [rsa_pss_rsae_sha256, ecdsa_secp256r1_sha256]
- Key Share (TLS 1.3): ...ServerHello:
Version: TLS 1.2
Random: 32-byte (server_random)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Extensions:
- ALPN: "h2"Key Generation
Pre-Master Secret = ECDHE(client_private, server_public) # shared secret
β
Master Secret = PRF(Pre-Master Secret + client_random + server_random)
β
Session Key = PRF(Master Secret + "key expansion" + ...)
βββ Client Write Key (encrypt data from client β server)
βββ Server Write Key (encrypt data from server β client)
βββ Client Write IV
βββ Server Write IV
Kenapa random client & server ikut? Biar kalo dua koneksi beda pake pre-master secret yang sama (sangat kecil kemungkinannya) tetap menghasilkan session key yang beda.
TLS 1.3 β Simplified
TLS 1.3 Handshake (1 RTT)
Client Server
β β
βββββββ ClientHello ββββββββββββββββββββββββββββββββ
β Key Share (ECDHE pubkey langsung!) β
β Supported versions: [1.3, 1.2] β
β Cipher suites: [TLS_AES_128_GCM_SHA256, ...] β
β β
ββββββ ServerHello βββββββββββββββββββββββββββββββββ
β Key Share (ECDHE pubkey) β
β β Kedua pihak compute shared secret β
β β Turunkan handshake traffic key β
β β
ββββββ EncryptedExtensions βββββββββββββββββββββββββ
ββββββ Certificate (encrypted!) ββββββββββββββββββββ
ββββββ CertificateVerify (encrypted!) ββββββββββββββ
ββββββ Finished (encrypted!) βββββββββββββββββββββββ
β β
βββββββ Finished (encrypted!) ββββββββββββββββββββββ
β β
ββββββββββββββββββββ Data βββββββββββββββββββββββββββ
Perbedaan utama TLS 1.2 vs 1.3:
| Aspek | TLS 1.2 | TLS 1.3 |
|---|---|---|
| Handshake RTT | 2 RTT (full) | 1 RTT (full), 0-RTT (resumption) |
| Certificate delivery | Plaintext (bocor) | Encrypted |
| Forward secrecy | Opsional | β Wajib |
| Cipher suites | 37+ kombinasi | 5 AEAD-only |
| Key exchange | RSA, DH, DHE, ECDHE | ECDHE, (EC)DHE only |
| Algorithm negotiation | ClientHello β ServerHello (sequential) | ClientHello β ServerHello + KeyShare (parallel) |
| Session resumption | Session ID, Session Ticket | PSK (Pre-Shared Key) |
| Compression | Ada (risk) | β Dihapus |
| Renegotiation | Ada (risk) | β Dihapus |
| ChangeCipherSpec | Explicit message | Implicit (hapus dari spec) |
0-RTT (Early Data)
Dengan TLS 1.3 + PSK (resumption), client bisa langsung kirim data di ClientHello sebelum handshake selesai:
Client (pernah connect sebelumnya) Server
β β
βββββββ ClientHello + PSK + Early Data βββββββββ
β Data HTTP request LANGSUNG! β
β β
ββββββ ServerHello + Finished ββββββββββββββββββ
ββββββ Response (encrypted) ββββββββββββββββββββ
β οΈ Risiko 0-RTT:
- Replay attack β attacker bisa intercept dan kirim ulang early data yang sama. Server harus implement replay protection (key idempotent request seperti GET, atau nonce).
- Forward secrecy β data 0-RTT dienkripsi dengan PSK, bukan ephemeral key. Kalo PSK bocor, data 0-RTT bisa di-dekripsi.
Session Resumption
Biar gak perlu full handshake setiap kali:
Session ID (TLS 1.2, stateful)
1. Handshake pertama: Server simpan session di memory, kirim Session ID
2. Handshake kedua: Client kirim Session ID β server cek memory β kalo cocok, pake session key lama
3. Server harus simpan session β masalah di load balancer (harus session store shared)
Session Ticket (TLS 1.2, stateless)
1. Server kirim Session Ticket (encrypted blob β session key di-enkripsi server key)
2. Client simpan ticket
3. Handshake berikutnya: client kirim ticket β server decrypt β dapet session key
4. Lebih scalable (gak perlu shared store)
PSK (TLS 1.3)
Evolusi dari session ticket. Client kirim PSK identity, server match, langsung 1-RTT atau 0-RTT.
TLS in HTTP/2 & HTTP/3
HTTP/2 + TLS
HTTP/2 tidak mewajibkan TLS secara spesifik (spec bilang βencryption optionalβ), tapi semua browser cuma implement HTTP/2 over TLS β jadi praktisnya HTTP/2 = HTTPS.
ALPN (Application-Layer Protocol Negotiation):
ClientHello: ALPN = ["h2", "http/1.1"]
ServerHello: ALPN = "h2" β client & server pake HTTP/2
HTTP/3 + QUIC
HTTP/3 = HTTP over QUIC. QUIC menggabungkan TLS 1.3 built-in β bukan layer terpisah:
ββββββββββββββββββββββββ
β HTTP/3 β
ββββββββββββββββββββββββ€
β QUIC Transport β
β βββ TLS 1.3 βββββββββ€ β Built-in, bukan layer terpisah
β βββ UDP βββββββββββββ€
ββββββββββββββββββββββββ€
β UDP β
ββββββββββββββββββββββββ
TLS Fingerprinting β JA3 JA3S
Konsep
Setiap client TLS (browser, curl, Go net/http, Python requests, Cobalt Strike beacon) mengirim ClientHello dengan kombinasi unik dari:
- TLS version yang didukung
- Cipher suites (urutan)
- Extensions (tipe + urutan)
- Supported curves
- Elliptic curve formats
- Signature algorithms
Kombinasi ini β hash β JA3 fingerprint.
Cara Kerja
ClientHello dari Chrome 130:
Version: 0x0303 (TLS 1.2)
Cipher Suites: [0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f, ...] # 17 suites
Extensions: [0x0000, 0x001b, 0x002d, 0x0033, 0x4469, ...] # 10 extensions
Supported Groups: [0x001d, 0x0017, 0x0018]
β JA3 = "771,4865-4866-4867-49195-49199-...-52392,0-11-...-65281,29-23-24,0"
β MD5 = efebb8252f524b7c4a2d6e7c1a4e8f2aPenggunaan Security
| Use Case | Cara |
|---|---|
| C2 detection | Cobalt Strike HTTPS beacon punya JA3 signature yang dikenal (51c64c77f60c4b6bβ¦). Block JA3 = block C2 |
| Malware detection | Malware pake library TLS sendiri β JA3 unik yang gak cocok browser normal |
| Impersonation detection | Attacker pake curl dengan user-agent βChromeβ tapi JA3 curl beda sama JA3 Chrome asli |
| Bot detection | Bot/scraper punya JA3 beda dari browser real |
Keterbatasan:
- JA3 bisa diubah dengan memodifikasi TLS library (Cobalt Strike sudah support JA3 randomization sejak v4.7)
- JA3 yang sama dari dua tools berbeda bisa terjadi collision
- Private library bisa generate JA3 baru yang belum dikenal
Implementation
# Capture JA3 dari pcap
# Di Suricata:
ja3-fingerprints: yes
# Di zeek:
@load protocols/ssl/ja3
# Custom detection command:
tshark -r capture.pcap -Y "tls.handshake.type == 1" -T fields \
-e tls.handshake.ja3 -e tls.handshake.ja3sTLS Attack Surface
Downgrade Attacks
| Attack | Target | Cara Kerja | TLS 1.3 Mitigasi? |
|---|---|---|---|
| POODLE (SSL 3.0) | CBC mode | Exploit padding oracle di SSL 3.0 | β (SSL 3.0 dihapus) |
| BEAST (TLS 1.0) | CBC mode | Predict IV via block chaining | β (AEAD-only) |
| CRIME | Compression | Inject known plaintext β ukur perubahan ukuran kompresi | β (kompresi dihapus) |
| Lucky13 | CBC mode | Timing oracle dari CBC padding | β (AEAD-only) |
| Logjam | DHE export | Force DHE ke export-grade (512-bit) | β (export cipher dihapus) |
| FREAK | RSA export | Force RSA ke export-grade (512-bit) | β (export cipher dihapus) |
| ROBOT | RSA key exchange | Return of Bleichenbacher oracle (CVE-2017-17305) | β (RSA key exchange dihapus) |
| Downgrade to TLS 1.2 | Protocol version | Forced downgrade via network MITM | π‘ Sebagian (downgrade protection SCSV) |
Mitigasi utama: Nonaktifkan semua protokol sebelum TLS 1.2, pake cipher AEAD-only, disable compression, disable renegotiation (client-side renego).
Certificate Attacks
| Attack | Cara | Mitigasi |
|---|---|---|
| MITM dengan fake CA | Install fake Root CA di device korban | Certificate Pinning, CRL, OCSP |
| Certificate Spoofing | Compromise CA β terbitkan cert palsu | Certificate Transparency (CT logs) β deteksi cert aneh |
| OCSP Bypass | Block OCSP responder β browser gak bisa cek status | OCSP Stapling (server yang ngasih timestamped OCSP response) |
| Revoked cert masih dipake | Browser offline β gak bisa OCSP | CRLSet (Chrome), OneCRL (Firefox) β distributed CRL |
TLS Renegotiation Attack
Attacker inject plaintext di tengah session TLS β server kira itu bagian dari autentikasi client. Ditemukan 2009. TLS 1.3 sudah hapus renegotiation.
Protocol Downgrade via SNI
Sebelum ECH (Encrypted Client Hello), SNI dikirim plaintext β attacker bisa lihat domain mana yang dikunjungi, bahkan di HTTPS. ECH fix ini dengan mengenkripsi seluruh ClientHello.
Practical Detection of Malicious TLS
Indicators of Malicious TLS
| Indicator | Kemungkinan | Detection |
|---|---|---|
| JA3 tidak dikenal | Custom TLS stack (malware, C2) | JA3 blocklist / allowlist (browser-only) |
| Cipher suite tidak wajar | Malware pake cipher tua (RC4, CBC) karena library lawas | Suricata: tls.ciphers rule |
| TLS version tua | Malware pake OpenSSL lama β TLS 1.0/1.1 | Log tls.version |
| Self-signed cert | C2 server pake self-signed | Alert tls.certificate.self_signed |
| Certificate mismatch | C2 domain gak cocok sama CN/SAN | Suricata: tls.certificate.issuer |
| Unusual cert issuer | C2 pake cert dari CA gak dikenal | Threat intel feed |
| Beacon interval + TLS | Koneksi TLS periodik ke IP asing | Zeek conn.log + time pattern |
| TLS handshake ke IP (bukan domain) | C2 langsung ke IP tanpa SNI | Suricata: tls.sni kosong |
| Large cert | Custom CA yang generate cert gede >2KB | tls.certificate.length |
| No ALPN | C2 gak negotiate HTTP/2 β langsung | tls.alpn kosong |
Detection Tool
# Zeek β TLS logging
# conn.log: waktu, IP, port, bytes
# ssl.log: JA3, cipher, version, certificate chain, ALPN, SNI
# Query TLS ke IP tanpa SNI
cat ssl.log | zeek-cut ts server_name server_ip cipher | awk '$2 == "-"'
# Deteksi JA3 mencurigakan
cat ssl.log | zeek-cut ja3 | sort | uniq -c | sort -rn | head
# Python detection script
python3 << 'EOF'
import json
# Cek beacon interval: koneksi TLS periodik?
# Logika: group by IP, hitung interval rata-rata
# Kalo std dev rendah + interval tetap = beacon
EOFSuricata Rule β Deteksi C2 TLS
alert tls $HOME_NET any -> $EXTERNAL_NET any (
msg:"ET MALWARE Possible C2 - TLS to IP without SNI";
flow:established,to_server;
tls.sni; content:"|00|"; distance:0; within:1;
tls.version; content:"|03 03|"; # TLS 1.2 minimum
reference:url,attack.mitre.org/techniques/T1573/001;
classtype:trojan-activity;
sid:1000001; rev:1;
)Hardening Checklist
β TLS 1.2 minimum β disable TLS 1.0, TLS 1.1, SSL 3.0, SSL 2.0
β Cipher AEAD-only: TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256
β Forward secrecy wajib β disable RSA key exchange
β Disable compression (CRIME)
β Disable client-side renegotiation
β HPKP deprecated β jangan pake
β HSTS: max-age=31536000; includeSubDomains; preload
β OCSP Stapling: aktifkan dan monitor
β Certificate Transparency: pastiin cert terdaftar di CT logs
β Private key: 2048-bit RSA minimum, prefer ECDSA P-256
β ED25519 untuk SSH β bukan TLS (tapi good practice)
β ECH (Encrypted Client Hello): aktifkan kalo tersedia
β TLS 1.3 preferred β optimalkan konfigurasi untuk 1-RTT/0-RTT
β Monitor JA3 β detect unusual TLS fingerprint
β Automatic renewal: Let's Encrypt (90 hari) β prevent expired cert
β Revocation: pastiin OCSP responder reachable, fallback ke CRL
OpenSSL Config Example
# nginx TLS config β strong, modern
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off; # Client pilih (modern β sesuai rekomendasi Mozilla)
ssl_ecdh_curve X25519:secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;Koneksi ke Vault
- http-protocol-deepdive β HTTPS = HTTP + TLS, baca ini dulu untuk paham layer di atas TLS
- cryptography-biometrics β crypto primitives (AES, ECDHE, SHA) yang TLS pake
- networking-fundamentals-tcpip-bgp β TCP handshake yang terjadi SEBELUM TLS handshake
- waf-reverse-proxy-deepdive β TLS termination di reverse proxy (nginx, Cloudflare)
- container-kubernetes-security-deepdive β mTLS Istio, service mesh TLS
- cloudflare-ruleset-engine-phases β TLS fingerprinting di Cloudflare, ECH/ESNI
- cobalt-strike dan sliver β C2 HTTPS beacon dengan JA3 evasion, custom TLS stack
- api-security-deep-dive β API authentication via mTLS dan OAuth2 over TLS
- comprehensive-threat-directory β taksonomi ancaman berbasis TLS
- zero-trust-security β TLS sebagai fondasi zero trust (mTLS everywhere)
References
- IETF. RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3. 2018. https://datatracker.ietf.org/doc/rfc8446/
- IETF. RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2. 2008.
- IETF. RFC 6066: TLS Extensions (SNI, ALPN, etc). 2011.
- IETF. RFC 7301: ALPN. 2014.
- IETF. RFC 8879: TLS Certificate Compression. 2021.
- Mozilla. Security/Server Side TLS. https://wiki.mozilla.org/Security/Server_Side_TLS
- Mozilla. SSL Configuration Generator. https://ssl-config.mozilla.org/
- Qualys SSL Labs. SSL Server Test. https://www.ssllabs.com/ssltest/
- Qualys SSL Labs. SSL/TLS Deployment Best Practices. https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
- Cloudflare. TLS 1.3 Overview. https://www.cloudflare.com/learning-resources/tls-1-3/
- Cloudflare. What is SNI? https://www.cloudflare.com/learning/ssl/what-is-sni/
- Cloudflare. ECH β Encrypted Client Hello. https://blog.cloudflare.com/encrypted-client-hello/
- Letβs Encrypt. ACME Protocol. https://letsencrypt.org/docs/acme-protocol/
- Certificate Transparency. RFC 6962. https://certificate.transparency.dev/
- JA3. JA3 Fingerprinting. https://github.com/salesforce/ja3
- Suricata. TLS/SSL Detection Rules. https://suricata.readthedocs.io/en/latest/rules/tls-keywords.html
- Zeek. SSL/TLS Logging. https://docs.zeek.org/en/current/scripts/base/protocols/ssl/main.zeek.html
- Cipherli.st. Strong Ciphers for Apache, nginx, etc. https://cipherli.st/
- OpenSSL. OpenSSL Documentation. https://www.openssl.org/docs/
- BoringSSL. BoringSSL Documentation. https://boringssl.googlesource.com/boringssl/
- Google. TLS 1.3 0-RTT Replay Attack. https://www.rfc-editor.org/rfc/rfc9001.html
- sslLabs. SSL/TLS Attack History. https://github.com/ssllabs/research/wiki/SSL-and-TLS-Attacks
Bottom Line
TLS adalah fondasi keamanan transport modern β tapi bukan solusi ajaib. TLS mengamankan isi percakapan, tapi metadata (IP, panjang packet, timing) tetap bocor. Buat security engineer: (1) Cipher suite pilih AEAD + ECDHE β jangan sentuh CBC, jangan sentuh RSA key exchange. (2) TLS 1.3 wajib β lebih cepat, lebih aman, lebih sederhana. (3) JA3 fingerprinting adalah alat deteksi C2 yang powerful tapi harus dipahami keterbatasannya β attacker bisa JA3 randomization. (4) Certificate Transparency mengubah sertifikat dari βtrust based on secrecyβ menjadi βtrust based on transparencyβ β setiap cert yang diterbitkan untuk domain lo tanpa sepengetahuan lo = indikasi compromise. (5) Forward secrecy mengubah dampak private key leakage dari βsemua masa lalu terbacaβ jadi βhanya masa depanβ β ini bukan opsi, ini wajib.