TLS

Illustrated TLS Connection & Implementing a toy version of TLS 1.3 are useful.

Links

• duraconf - Collection of hardened configuration files for SSL/TLS services.
• Lemur - Manages TLS certificate creation.
• Step Certificates - Online certificate authority and related tools for secure automated certificate management, so you can use TLS everywhere.
• TLS 1.3 Is Coming: Here's What You Need To Know To Be Prepared For It (2019)
• autocertdelegate - Get LetsEncrypt TLS certs for internal-only TLS servers via a delegated golang.org/x/crypto/acme/autocert server.
• SwiftTLS - TLS implementation in Swift.
• Illustrated TLS Connection - Every byte of a TLS connection explained and reproduced. (Code) (HN)
• SSLproxy - Transparent SSL/TLS proxy for decrypting and diverting network traffic to other programs, such as UTM services, for deep SSL inspection.
• libtls-bearssl - Implementation of libtls on top of BearSSL.
• TLS Encrypted Client Hello (2020)
• IDontSpeakSSL - Simple tool based on sslyze to scan large scope and provide SSL/TLS vulnerabilities.
• crypto/tls in Go
• OpenSSL - Robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
• BoringSSL - Fork of OpenSSL that is designed to meet Google's needs.
• Certigo - Utility to examine and validate certificates to help with debugging SSL/TLS issues.
• TLS for the Browsers of the Internet of Old Things (2020)
• JARM - Active Transport Layer Security (TLS) server fingerprinting tool.
• secure-connections - Simple client and server for showing what's happening with certificates during TLS setup.
• iguanaTLS - Minimal, experimental TLS 1.2 implementation in Zig.
• Auditing for TLS certificates (Go code)
• KEMTLS: Post-quantum TLS without signatures (2021)
• Simple Go HTTPS/TLS Examples
• third-wheel - TLS man-in-the-middle proxy written in rust, with the aim of being lightweight and fast.
• SSLsplit - Transparent SSL/TLS interception. (Web)
• Is TLS Fast Yet?
• tlsfuzzer - SSL and TLS protocol test suite and fuzzer.
• TLS Mastery (HN)
• mkcert.org - Web service that allows you to build customised TLS trust stores. (Code)
• Feisty Duck - SSL/TLS and PKI training and books.
• Bulletproof TLS Newsletter
• mint - Minimal TLS 1.3 Implementation in Go.
• Contruno - TLS termination proxy as a MirageOS.
• SSLyze - Fast and powerful SSL/TLS scanning library.
• NO STARTTLS - Why TLS is better without STARTTLS. Security Analysis of STARTTLS in the Email Context. (Lobsters)
• View your browser's TLS fingerprint (HN)
• BoringSSL Rust - Bindings for the Rust programming language and TLS adapters for tokio and hyper built on top of it.
• Tracing SSL/TLS connections using eBPF (2021) (HN)
• SmackTLS - State Machine Attacks.
• mod_md - Let's Encrypt (ACME) in Apache httpd.
• TLS Tools for Humans
• SSL Kill Switch 2 - Blackbox tool to disable SSL certificate validation - including certificate pinning - within iOS and macOS applications.
• Provision TLS certificates for your internal Tailscale services (2021)
• Certifi - Provides Mozilla's carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.
• Staging TLS Certificates: Make every deployment a safe deployment (2021)
• Handshake Encryption: Endgame (an ECH update) (2021)
• Introducing SSL/TLS Recommender (2021) (Tweet)
• trustme - #1 quality TLS certs while you wait. (Docs)
• go-tunnel - TLS/SSL Tunnel - A modern STunnel replacement written in Go.
• Automating TLS certificate management in Docker (2021)
• Mutual TLS (mTLS) - Documentation on how to configure a broad array of technologies to perform mutual TLS. (Code)
• s2n - Implementation of the TLS/SSL protocols. (Lobsters)
• TLS-Attacker - Java-based framework for analyzing TLS libraries.
• TLS Fingerprinting
• acme-rs - ACME Client for Let's Encrypt written in Rust to request SSL/TLS certificates.
• TLS Poison - Tool that allows for generic SSRF via TLS, as well as CSRF via image tags in most browsers.
• TLA+ Foundation
• Wait-For-Them - Wait until TCP services are running.
• TLStunnel - TLS reverse proxy unikernel.
• Post-Quantum TLS without handshake signatures (2020) (Code)
• Fighting TLS fingerprinting with Node.js (HN)
• Implementing TLS Encrypted Client Hello (2021) (HN)
• Not-quite-so-broken TLS
• cilium-certgen - Convenience tool to generate and store certificates for Hubble Relay mTLS.
• TLSChecker - Rust TLS/SSL certificate expiration date from command-line checker.
• async-tls - Async TLS/SSL streams using Rustls.
• async-native-tls - Asynchronous Native TLS.
• Ask HN: What's your solution for SSL on internal servers? (2022)
• Transport Layer Security (5/6) (2022)
• The Illustrated TLS 1.3 Connection: Every Byte Explained (Code) (HN)
• Bulletproof TLS and PKI (2022) - Understanding and deploying SSL/TLS and PKI to secure servers and web applications.
• tls-scan - Internet scale, blazing fast SSL/TLS scanner ( non-blocking, event-driven ).
• tincan-tls - Clean room implementation of TLS 1.3.
• tls-listener - Rust wrapper around a connection listener to support TLS.
• qtls - Modified version of the standard library's TLS implementation, modified for the QUIC protocol.
• Cero - Scrape domain names from SSL certificates of arbitrary hosts.
• Implementing a toy version of TLS 1.3 (2022) (HN)
• Feilich - Small, no dependency, TLS 1.3 implementation in Zig, for Zig.
• What is TLS fingerprinting? (2022)
• GoSSL - Cross platform, easy to use SSL tool written with native Go.
• uTLS - Fork of the Go standard TLS library, providing low-level access to the ClientHello for mimicry purposes.
• TLS Encrypted Client Hello
• snid - Lightweight proxy server that forwards TLS connections based on the server name indication (SNI) hostname.
• Ghostunnel - Simple SSL/TLS proxy with mutual authentication for securing non-TLS services.
• When eBPF meets TLS. Defeating TLS encryption with eBPF tricks (2022) (HN)
• Extracting TLS keys from an unwilling application (2020)
• hallucinate - One-stop TLS traffic inspection and manipulation using dynamic instrumentation.
• Mastering two way TLS - Tutorial of setting up Security for your API with one way authentication with TLS/SSL and mutual authentication.
• eCapture - Capture SSL/TLS text content without CA cert Using eBPF.
• proxyboi - Super simple reverse proxy with TLS support.
• TLS Reconciler - Hitless TLS Certificate Rotation Reconciliation Library.
• TLS-Scanner - Tool to assist pentesters and security researchers in the evaluation of TLS Server configurations.
• TLSX - Fast and configurable TLS grabber focused on TLS based data collection and analysis.
• Bertie - Minimal, high-assurance implementation of TLS 1.3 written in subset of Rust called hacspec.
• Picotls - TLS 1.3 implementation in C.
• The Illustrated DTLS Connection: Every Byte Explained (Code)
• hitch - Scalable TLS proxy by Varnish Software.
• Open to a fault: On the passive compromise of TLS keys via transient errors (2022)