Showing posts with the label SSL

How to see if a website supports each TLS version in command line

This is a quick post about checking TLS version support using the command line. Of course, there are plenty of GUI tools and online services to do this. Yet, I find it is much easier to use just a simple command to check this. I'm going to use badssl.com to test this out since it provides various examples with different SSL configurations. We'll be using the openssl command to check this. OpenSSL is a command-line tool to work with SSL connections. If you don't have it on your machine, you'll have to install it first.

Let's check a website that supports TLS 1.0

TLS 1.0 has been deprecated by all web browsers and servers due to security vulnerabilities in that protocol version, and you shouldn't use it at all. If you have this enabled on your server/website, please disable it ASAP.

    openssl s_client -connect tls-v1-0.badssl.com:1010 -tls1

Let's break the command into its parts:

openssl : command line tool
s_client : s_client is the first command of this t...

How HTTPS works, Complete flow in an understandable way

There are so many tutorials and explanations on the Internet to show how HTTPS works, but most of them tell half of the story. You may end up with so many questions, like: Where do the certificates fit in? Where is the TCP stuff? How does the encryption work? How does the trust work? So, I made this diagram to fit the pieces of the puzzle together and show you how they all fit in an HTTPS request. I didn't include some of the low-level parts, and each step is kept brief so as not to confuse anybody and to make it as short as possible to understand. Here, the client could be a typical web browser (or even another application that can communicate with a website or an API).

Something you have to know before you check the diagram is public, private, and shared keys. To know this, we have to learn about encryption because we use these keys to encrypt data. There are two encryption types.

1. Asymmetric encryption aka. public-key encryption
2. Symmetric encryption aka. shared...

How to extract an SSL certificate from a website in Chrome

This is a quick post about extracting SSL certificates from websites. We'll need this step for some of the future posts that I'm going to write about SSL and HTTPS stuff. In general, you may want to extract a certificate whenever you are trying to use some tool (not a web browser) or code to access the website. After extracting it, you will need to install it into your tool or framework. With this post, I'm just covering the extraction part. I'll use the Chrome browser since it is one of the most commonly used browsers. In my example, I'm going to extract the public certificate of https://letsencrypt.org/. (Let's Encrypt is one of the free Certificate Authorities; I'll probably discuss this in one of the future posts.)

1. First, go to the website using the Chrome web browser. The website has to be in HTTPS. Otherwise, we don't want to do this in the first place. So, make sure your URL starts with https://...
2. Click on th...