100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

SSL/TLS Deep Dive Cheat Sheet

SSL/TLS Deep Dive Cheat Sheet

Explains the TLS handshake, protocol versions, cipher suites, and practical OpenSSL commands for testing and hardening TLS configurations.

3 PagesAdvancedJan 25, 2026

Protocol Versions

TLS/SSL version history and current recommendations.

  • SSLv2 / SSLv3- Deprecated and insecure; must be disabled
  • TLS 1.0 / 1.1- Deprecated (2020/2021); disable in production
  • TLS 1.2- Widely supported, secure when configured with strong cipher suites
  • TLS 1.3- Current standard; faster handshake (1-RTT), removes weak ciphers, forward secrecy by default

TLS 1.3 Handshake Overview

Simplified sequence of a TLS 1.3 connection setup.

  • 1. ClientHello- Client sends supported cipher suites, TLS version, key share
  • 2. ServerHello- Server picks cipher suite, sends its certificate and key share
  • 3. Key derivation- Both sides derive session keys via (EC)DHE key exchange
  • 4. Certificate verification- Client validates the server's certificate chain
  • 5. Finished- Both sides confirm handshake integrity; encrypted application data begins

Nginx TLS Hardening Config

Example server block enforcing modern TLS settings.

nginx
server {    listen 443 ssl;    ssl_protocols TLSv1.2 TLSv1.3;    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;    ssl_prefer_server_ciphers off;    ssl_session_timeout 1d;    ssl_session_cache shared:SSL:10m;    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;}

Testing a TLS Connection (OpenSSL)

Checking supported protocol versions and certificate details.

bash
# Test connection using a specific TLS versionopenssl s_client -connect example.com:443 -tls1_2openssl s_client -connect example.com:443 -tls1_3# Show negotiated cipher and certificate chainopenssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null | openssl x509 -noout -dates

Key Security Properties

Concepts that determine the strength of a TLS deployment.

  • Forward secrecy- Session keys derived via ephemeral (EC)DHE, so a leaked private key doesn't expose past sessions
  • HSTS- Strict-Transport-Security header forces browsers to always use HTTPS for the domain
  • SNI- Server Name Indication lets one IP serve multiple TLS certificates by domain
  • Cipher suite- Combination of key exchange, authentication, encryption, and MAC algorithms
Pro Tip

Use the Qualys SSL Labs test (ssllabs.com/ssltest) after any TLS config change — it catches misconfigurations like incomplete chain, weak ciphers, or missing forward secrecy that a manual review often misses.

Was this cheat sheet helpful?

Explore Topics

#SSLTLSDeepDive#SSLTLSDeepDiveCheatSheet#Cybersecurity#Advanced#ProtocolVersions#TLS13HandshakeOverview#Nginx#TLS#Testing#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech

Professional Web Designing Services

  • Responsive Websites
  • E-commerce Solutions
  • SEO Friendly Design
  • Fast & Secure
  • Support & Maintenance
Get a Free Quote

Share this Cheat Sheet