SSL/TLS Deep Dive Cheat Sheet
Explains the TLS handshake, protocol versions, cipher suites, and practical OpenSSL commands for testing and hardening TLS configurations.
3 PagesAdvancedJan 25, 2026
Protocol Versions
TLS/SSL version history and current recommendations.
- SSLv2 / SSLv3- Deprecated and insecure; must be disabled
- TLS 1.0 / 1.1- Deprecated (2020/2021); disable in production
- TLS 1.2- Widely supported, secure when configured with strong cipher suites
- TLS 1.3- Current standard; faster handshake (1-RTT), removes weak ciphers, forward secrecy by default
TLS 1.3 Handshake Overview
Simplified sequence of a TLS 1.3 connection setup.
- 1. ClientHello- Client sends supported cipher suites, TLS version, key share
- 2. ServerHello- Server picks cipher suite, sends its certificate and key share
- 3. Key derivation- Both sides derive session keys via (EC)DHE key exchange
- 4. Certificate verification- Client validates the server's certificate chain
- 5. Finished- Both sides confirm handshake integrity; encrypted application data begins
Nginx TLS Hardening Config
Example server block enforcing modern TLS settings.
nginx
server { listen 443 ssl; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256; ssl_prefer_server_ciphers off; ssl_session_timeout 1d; ssl_session_cache shared:SSL:10m; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;}
Testing a TLS Connection (OpenSSL)
Checking supported protocol versions and certificate details.
bash
# Test connection using a specific TLS versionopenssl s_client -connect example.com:443 -tls1_2openssl s_client -connect example.com:443 -tls1_3# Show negotiated cipher and certificate chainopenssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null | openssl x509 -noout -dates
Key Security Properties
Concepts that determine the strength of a TLS deployment.
- Forward secrecy- Session keys derived via ephemeral (EC)DHE, so a leaked private key doesn't expose past sessions
- HSTS- Strict-Transport-Security header forces browsers to always use HTTPS for the domain
- SNI- Server Name Indication lets one IP serve multiple TLS certificates by domain
- Cipher suite- Combination of key exchange, authentication, encryption, and MAC algorithms
Pro Tip
Use the Qualys SSL Labs test (ssllabs.com/ssltest) after any TLS config change — it catches misconfigurations like incomplete chain, weak ciphers, or missing forward secrecy that a manual review often misses.
Was this cheat sheet helpful?
Explore Topics
#SSLTLSDeepDive#SSLTLSDeepDiveCheatSheet#Cybersecurity#Advanced#ProtocolVersions#TLS13HandshakeOverview#Nginx#TLS#Testing#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech
Professional Web Designing Services
- Responsive Websites
- E-commerce Solutions
- SEO Friendly Design
- Fast & Secure
- Support & Maintenance