Hacker News new | past | comments | ask | show | jobs | submit login

Off-topic: What is a good learning resource about TLS?

I've read the basics on Cloudflare's blog and MDN. But at my job, I encountered a need to upload a Let's encrypt public cert to the client's trusted store. Then I had to choose between Let's encrypt's root and intermediate certs, between key types RSA and ECDSA. I made it work, but it would be good to have an idea of what I'm doing. For example why root RSA key worked even though my server uses ECDSA cert. Before I added the root cert to a trusted store, clients used to add fullchain.pem from the server and it worked too — why?




I have a bunch of useful resources, most of which are free:

- If you're looking for a concise (yet complete) guide: https://www.feistyduck.com/library/bulletproof-tls-guide/

- OpenSSL Cookbook is a free ebook: https://www.feistyduck.com/library/openssl-cookbook/

- SSL/TLS and PKI history: https://www.feistyduck.com/ssl-tls-and-pki-history/

- Newsletter: https://www.feistyduck.com/newsletter/

- If you're looking for something comprehensive and longer, try my book Bulletproof TLS and PKI: https://www.feistyduck.com/books/bulletproof-tls-and-pki/


I learned a lot from TLS Mastery by Michael W. Lucas.


Thanks, looks exactly like what I wanted


I wrote a list of resources that helped me at https://www.bbkane.com/blog/learn-ssl/


Thx. For one API in my company, there is only root and intermediate certificates are present in the jks file but the leaf certificate is not. Would encryption work without a leaf certificate?

In another instance to connect to a server, only the root certificate is present in the trust store. Does it mean encryption can be performed with just the root certificate.

reply


> SSL is one of those weird niche subjects that no one learns until they run into a problem

Yep, that me.

Thanks for the blog post!


Use ECDSA if you can, since it reduces the size of the handshake on the wire (keys are smaller). Don’t bake in intermediate certs unless you have a very good reason.

No idea why the RSA key worked even though the server used RSA — maybe check into the recent cross-signing shenanigans that Let’s Encrypt had to pull to extend support for very old Android versions.


I've been reading a little since then, and I think it worked with RSA root cert because this cert was a trust anchor of the Chain of Trust of my server's ECDSA certificate.


Curious why you wouldn't have a Q and A with AI?

If the information is relatively unchanged and the details well documented why not ask questions to fill in the gaps?

The Socratic method has been the best learning tool for me and I'm doubling my understanding with the LLMs.


I think this method works best when you can verify the answer. So it has to be either a specific type of question (a request to generate code, which you can then run and test), or you have to know enough about the subject to be able to spot mistakes.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: