TLS/SSL
Transport Layer Security
Section titled “Transport Layer Security”Concepts
Section titled “Concepts”- PKI (Public Key Infrastructure): Framework for digital certificates. What is PKI? (Cloudflare).
- Chain of Trust: Root CA -> Intermediate CA -> Leaf Certificate.
- Symmetric Encryption: Fast, uses shared key (AES, ChaCha20). Used for data transfer.
- Asymmetric Encryption: Slow, uses Public/Private key pair (RSA, ECC). Used for key exchange.
The Handshake (Simplified)
Section titled “The Handshake (Simplified)”- Client Hello: Supported versions, cipher suites, random bytes. What happens in a TLS Handshake? (Cloudflare).
- Server Hello: Selected version/cipher, Server Certificate.
- Key Exchange: Diffie-Hellman (ECDHE) to agree on a shared secret (Session Key).
- Finished: Verify integrity.
- Application Data: Encrypted with Session Key.
TLS 1.3 Improvements:
- Removes obsolete crypto (SHA-1, RC4).
- 1-RTT Handshake: Faster connection setup.
- 0-RTT Resumption: Resuming previous sessions instantly (security trade-off: replay attacks).
Cloudflare SSL Modes
Section titled “Cloudflare SSL Modes”- Flexible: Encrypted Client <-> Cloudflare. Plaintext Cloudflare <-> Origin. (Insecure, avoid).
- Full: Encrypted end-to-end. Origin can use self-signed cert.
- Full (Strict): Encrypted end-to-end. Origin must have a valid trusted certificate.
- mTLS (Mutual TLS): Server authenticates Client using a Client Certificate. Used for Zero Trust and securing Origin Pulls.