configuring-tls-1-3-for-secure-communications
$
npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/configuring-tls-1-3-for-secure-communicationsConfigure TLS 1.3 to secure network communications instantly.
- Eliminates handshake latency and removes obsolete cipher suites.
- Requires Python 3.8+ and test environment access.
- Validates configurations against common misconfigurations automatically.
- Delivers clear security assessment results for compliance.
SKILL.md
.github/skills/configuring-tls-1-3-for-secure-communicationsView on GitHub ↗
--- name: configuring-tls-1-3-for-secure-communications description: TLS 1.3 (RFC 8446) is the latest version of the Transport Layer Security protocol, providing significant improvements over TLS 1.2 in both security and performance. It reduces handshake latency to 1-R domain: cybersecurity subdomain: cryptography tags: [cryptography, tls, ssl, transport-security, network-security] version: "1.0" author: mahipal license: Apache-2.0 --- # Configuring TLS 1.3 for Secure Communications ## Overview TLS 1.3 (RFC 8446) is the latest version of the Transport Layer Security protocol, providing significant improvements over TLS 1.2 in both security and performance. It reduces handshake latency to 1-RTT (and 0-RTT for resumed sessions), removes obsolete cipher suites, and mandates perfect forward secrecy. This skill covers configuring TLS 1.3 on servers, validating configurations, and testing for common misconfigurations. ## When to Use - When deploying or configuring configuring tls 1 3 for secure communications capabilities in your environment - When establishing security controls aligned to compliance requirements - When building or improving security architecture for this domain - When conducting security assessments that require this implementation ## Prerequisites - Familiarity with cryptography concepts and tools - Access to a test or lab environment for safe execution - Python 3.8+ with required dependencies installed - Appropriate authorization for any testing activities ## Objectives - Configure TLS 1.3 on nginx and Apache web servers - Implement TLS 1.3 in Python applications using the ssl module - Validate TLS configurations with openssl and testssl.sh - Understand TLS 1.3 cipher suites and key exchange mechanisms - Configure 0-RTT early data with appropriate protections - Disable legacy TLS versions (1.0, 1.1) and weak cipher suites ## Key Concepts ### TLS 1.3 Cipher Suites | Cipher Suite | Key Exchange | Authentication | Encryption | Hash | |-------------|-------------|----------------|------------|------| | TLS_AES_256_GCM_SHA384 | ECDHE/DHE | Certificate | AES-256-GCM | SHA-384 | | TLS_AES_128_GCM_SHA256 | ECDHE/DHE | Certificate | AES-128-GCM | SHA-256 | | TLS_CHACHA20_POLY1305_SHA256 | ECDHE/DHE | Certificate | ChaCha20-Poly1305 | SHA-256 | ### TLS 1.3 vs 1.2 Improvements - **1-RTT Handshake**: Full handshake completes in one round trip (vs 2 in TLS 1.2) - **0-RTT Resumption**: Resumed connections can send data immediately - **No RSA Key Exchange**: Only ephemeral Diffie-Hellman (mandatory PFS) - **Simplified Cipher Suites**: Removed CBC, RC4, 3DES, static RSA, SHA-1 - **Encrypted Handshake**: Server certificate is encrypted after ServerHello ### Key Exchange Groups - **x25519**: Curve25519 ECDH (preferred, fast) - **secp256r1**: NIST P-256 ECDH (widely supported) - **secp384r1**: NIST P-384 ECDH (higher security margin) - **x448**: Curve448 ECDH (highest security) ## Workflow 1. Verify OpenSSL version supports TLS 1.3 (1.1.1+) 2. Generate or obtain TLS certificate and private key 3. Configure server to use TLS 1.3 cipher suites 4. Disable TLS 1.0 and 1.1 (optionally keep 1.2 for compatibility) 5. Set preferred key exchange groups 6. Enable OCSP stapling for certificate validation 7. Test configuration with openssl s_client and testssl.sh 8. Configure HSTS header for HTTP Strict Transport Security ## Security Considerations - 0-RTT data is vulnerable to replay attacks; limit to idempotent requests - Always include TLS 1.2 fallback if legacy client support is required - Use ECDSA certificates for better performance (vs RSA) - Enable OCSP stapling to improve client certificate validation - Set HSTS header with long max-age and includeSubDomains - Monitor for certificate transparency logs ## Validation Criteria - [ ] TLS 1.3 handshake completes successfully - [ ] Only approved cipher suites are offered - [ ] Perfect forward secrecy is enforced - [ ] TLS 1.0 and 1.1 are rejected - [ ] OCSP stapling is functional - [ ] Certificate chain is valid and complete - [ ] testssl.sh reports no vulnerabilities
More from mukul975/Anthropic-Cybersecurity-Skills
- acquiring-disk-image-with-dd-and-dcflddCreate forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
- analyzing-active-directory-acl-abuseDetect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
- analyzing-android-malware-with-apktoolPerform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
- analyzing-api-gateway-access-logs>
- analyzing-apt-group-with-mitre-navigatorAnalyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
- analyzing-azure-activity-logs-for-threats>
- analyzing-bootkit-and-rootkit-samples>
- analyzing-browser-forensics-with-hindsightAnalyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
- analyzing-campaign-attribution-evidenceCampaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
- analyzing-certificate-transparency-for-phishingMonitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.