What is TLS?
TLS (Transport Layer Security) is a cryptographic protocol that provides confidentiality, integrity and server authentication for traffic over computer networks. TLS is the successor to SSL (Secure Sockets Layer) and is the technology behind HTTPS connections, secure email transmission (SMTP, IMAP and POP over dedicated TLS ports or upgraded with STARTTLS), and many other encrypted internet protocols. When you see the padlock icon in your browser, TLS has validated the server's certificate and is encrypting the data between your device and the server.
TLS Version History
| Version | Year | Status |
|---|---|---|
| SSL 2.0 | 1995 | Prohibited (RFC 6176), insecure |
| SSL 3.0 | 1996 | Deprecated (RFC 7568), insecure (POODLE) |
| TLS 1.0 | 1999 | Deprecated (RFC 8996) |
| TLS 1.1 | 2006 | Deprecated (RFC 8996) |
| TLS 1.2 | 2008 | Supported, still widely deployed |
| TLS 1.3 | 2018 | Current, recommended |
How TLS Works
TLS Handshake (TLS 1.2 with ECDHE key exchange)
Client                                            Server
  │                                                 │
  ├──── ClientHello ──────────────────────────────► │
  │     (versions, cipher suites, client random)    │
  │                                                 │
  │ ◄─── ServerHello ───────────────────────────────┤
  │     (chosen cipher suite, server random)        │
  │ ◄─── Certificate, ServerKeyExchange ────────────┤
  │     (cert chain; ephemeral ECDHE key, signed    │
  │      with the certificate's private key)        │
  │ ◄─── ServerHelloDone ───────────────────────────┤
  │                                                 │
  ├──── ClientKeyExchange ────────────────────────► │
  │     (client's ephemeral ECDHE key)              │
  ├──── ChangeCipherSpec, Finished ───────────────► │
  │                                                 │
  │ ◄─── ChangeCipherSpec, Finished ────────────────┤
  │                                                 │
  └──── Application data (encrypted) ◄───────────►┘
Both sides derive the same session keys from the two randoms and the ECDHE shared secret, and each Finished message is a MAC over the whole handshake transcript, which is what detects tampering with the negotiation. With legacy RSA key exchange there is no ServerKeyExchange: the client instead sends a pre-master secret encrypted to the certificate's public key, so anyone who later obtains that private key can decrypt recorded sessions. That lack of forward secrecy is why RSA key exchange was dropped from TLS 1.3.
TLS 1.3 Improvements
- Fewer round trips: a full handshake completes in one round trip (1-RTT), with optional 0-RTT resumption (replayable, so only for idempotent requests)
- Removed legacy algorithms: RSA key transport, static DH, CBC-mode suites, RC4, 3DES, MD5 and SHA-1 MACs, compression and renegotiation
- Forward secrecy mandatory: every handshake uses ephemeral (EC)DHE
- Encrypted handshake: everything after ServerHello, including the certificate, is encrypted, so passive observers no longer see the server's identity in the handshake
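To make the ClientHello in the diagram concrete, the following is an added example (not code from the original page) that encodes a minimal ClientHello in the real wire format, parses it back the way a server would, and applies the version-selection rule that distinguishes TLS 1.3 from earlier versions: the legacy_version field is pinned at 0x0303 and the actual offer lives in the supported_versions extension. The cipher suite code points are the registered IANA values; the server name and suite list are constructed sample input.

```python
import os
import struct

# IANA cipher suite code points, used here as constructed sample input
TLS_AES_256_GCM_SHA384 = 0x1302
TLS_AES_128_GCM_SHA256 = 0x1301
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030

TLS12, TLS13 = 0x0303, 0x0304
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0, 43


def _u16(n):
    return struct.pack("!H", n)


def build_client_hello(server_name, cipher_suites, versions=(TLS13, TLS12), random=None):
    """Encode a minimal ClientHello (RFC 5246 / RFC 8446 layout) inside one TLS record."""
    if random is None:
        random = os.urandom(32)            # 32 bytes of client randomness, mixed into the session keys
    body = _u16(TLS12)                     # legacy_version stays 0x0303 even when offering TLS 1.3
    body += random
    body += b"\x00"                        # legacy_session_id: empty
    suites = b"".join(_u16(s) for s in cipher_suites)
    body += _u16(len(suites)) + suites     # offered suites in the client's preference order
    body += b"\x01\x00"                    # compression_methods: null only
    name = server_name.encode("ascii")
    entry = b"\x00" + _u16(len(name)) + name          # name_type host_name(0), length-prefixed name
    sni = _u16(len(entry)) + entry                    # ServerNameList
    exts = _u16(EXT_SERVER_NAME) + _u16(len(sni)) + sni
    vers = b"".join(_u16(v) for v in versions)
    sv = bytes([len(vers)]) + vers                    # supported_versions: the real version offer
    exts += _u16(EXT_SUPPORTED_VERSIONS) + _u16(len(sv)) + sv
    body += _u16(len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body    # client_hello(1), 24-bit length
    return b"\x16" + _u16(0x0301) + _u16(len(handshake)) + handshake  # handshake(22) record, legacy record version


def parse_client_hello(record):
    """Decode the fields a server reads before choosing a version and cipher suite."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len, = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    legacy_version, = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    random = body[pos:pos + 32]
    pos += 32
    pos += 1 + body[pos]                                           # skip legacy_session_id
    cs_len, = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                           # skip compression_methods
    info = {"legacy_version": legacy_version, "random": random,
            "cipher_suites": suites, "server_name": None, "supported_versions": []}
    if pos < len(body):
        ext_len, = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SERVER_NAME:
                name_len, = struct.unpack("!H", data[3:5])          # skip list length (2) and name_type (1)
                info["server_name"] = data[5:5 + name_len].decode("ascii")
            elif etype == EXT_SUPPORTED_VERSIONS:
                info["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                              for i in range(1, 1 + data[0], 2)]
    return info


def negotiate_version(hello, server_versions):
    """Server-side version choice: the highest shared entry of supported_versions (RFC 8446 rule),
    otherwise fall back to legacy_version as a pre-1.3 server would."""
    if hello["supported_versions"]:
        common = [v for v in hello["supported_versions"] if v in server_versions]
        return max(common) if common else None
    return hello["legacy_version"] if hello["legacy_version"] in server_versions else None


if __name__ == "__main__":
    rec = build_client_hello("example.com", [TLS_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384])
    hello = parse_client_hello(rec)
    print(hello["server_name"], [hex(v) for v in hello["supported_versions"]],
          [hex(s) for s in hello["cipher_suites"]])
    print("negotiated:", hex(negotiate_version(hello, {TLS12, TLS13})))
```

A server that only knows TLS 1.2 ignores the supported_versions extension and sees legacy_version 0x0303, which is how a TLS 1.3 client stays compatible with older servers without a downgrade dance; a TLS 1.3 server must use the extension and ignore legacy_version.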
TLS Components
Certificates
- Authenticate the server's identity to the client (and, with mutual TLS, the client's identity to the server)
- Issued and signed by Certificate Authorities that the client already trusts; the client checks the chain, the validity period and that the name matches the host it connected to
- Contain the server's public key, which the client uses to verify the handshake signature (ECDHE suites and TLS 1.3) or, in legacy RSA key exchange, to encrypt the pre-master secret
Cipher Suites
Define the key exchange, authentication, bulk encryption and hash algorithms used for a connection:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (TLS 1.2)
│   │     │        │           └── Hash algorithm (HMAC / PRF)
│   │     │        └── Bulk encryption: AES-256-GCM (AEAD)
│   │     └── Authentication: RSA signature with the certificate key
│   └── Key exchange: ephemeral ECDH (forward secrecy)
└── Protocol
TLS_AES_256_GCM_SHA384 (TLS 1.3)
TLS 1.3 suite names carry only the AEAD cipher and hash. Key exchange is always ephemeral (EC)DHE and the signature algorithm is negotiated separately, so a TLS 1.3 suite says nothing about the certificate type.
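The annotation above is something a reviewer applies to every suite in an audit report, so here is an added example (not code from the original page) that parses IANA suite names into those components and flags the properties the rest of this page cares about: forward secrecy, AEAD encryption, and broken primitives. The classification rules and the sample suite names are constructed for the example; the token lists are assumptions about naming conventions, not an exhaustive registry.

```python
FORWARD_SECRET_KX = {"ECDHE", "DHE"}          # ephemeral key exchange gives forward secrecy
AEAD_TAGS = ("GCM", "CCM", "POLY1305")        # authenticated encryption modes
BROKEN_TOKENS = {"NULL", "EXPORT", "RC4", "DES", "3DES", "MD5", "anon"}   # assumed blocklist


def parse_suite(name):
    """Split an IANA cipher suite name (TLS_<kx>_<auth>_WITH_<cipher>_<hash>) into its parts."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS suite name: {name}")
    rest = name[4:]
    if "_WITH_" not in rest:
        # TLS 1.3 names carry only cipher and hash; key exchange is always ephemeral (EC)DHE
        # and the signature algorithm comes from the signature_algorithms extension
        cipher, _, hash_ = rest.rpartition("_")
        return {"name": name, "tls13": True, "kx": "ECDHE/DHE", "auth": "signature",
                "cipher": cipher, "hash": hash_}
    kxauth, cipher_hash = rest.split("_WITH_", 1)
    cipher, _, hash_ = cipher_hash.rpartition("_")
    kx, _, auth = kxauth.partition("_")
    # "TLS_RSA_WITH_..." means RSA key transport and RSA authentication
    return {"name": name, "tls13": False, "kx": kx, "auth": auth or kx,
            "cipher": cipher, "hash": hash_}


def assess(name):
    """Parse a suite and attach forward_secrecy / aead flags, a verdict and the reasons."""
    s = parse_suite(name)
    s["forward_secrecy"] = s["tls13"] or s["kx"] in FORWARD_SECRET_KX
    s["aead"] = any(tag in s["cipher"].split("_") for tag in AEAD_TAGS)
    reasons = []
    broken = set(name.split("_")) & BROKEN_TOKENS
    if broken:
        reasons.append("broken primitive: " + ", ".join(sorted(broken)))
    if not s["forward_secrecy"]:
        reasons.append(f"no forward secrecy ({s['kx']} key transport)")
    if not s["aead"]:
        reasons.append(f"non-AEAD cipher ({s['cipher']})")
    s["reasons"] = reasons
    s["verdict"] = "broken" if broken else ("weak" if reasons else "ok")
    return s


def acceptable(names):
    """Keep only suites with an 'ok' verdict, preserving the given preference order."""
    return [n for n in names if assess(n)["verdict"] == "ok"]


if __name__ == "__main__":
    # constructed sample list mixing modern and legacy suites
    for n in ["TLS_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
              "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_MD5"]:
        a = assess(n)
        print(f"{n:45} {a['verdict']:6} {'; '.join(a['reasons'])}")
```

Note that the verdict is about the suite itself: a suite can be fine on paper and still be a problem in a given deployment (for example CBC suites on a server that has not been patched for padding-oracle issues), which is why the Best Practices section below still recommends external scanners.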
TLS Use Cases
| Application | Protocol | Port |
|---|---|---|
| Web browsing | HTTPS | 443 |
| Email (IMAP) | IMAPS | 993 |
| Email (SMTP) | SMTPS | 465 |
| Email submission | SMTP upgraded with STARTTLS | 587 |
| FTP | FTPS (implicit TLS) | 990 |
Server Configuration
Nginx TLS Configuration
ssl_protocols TLSv1.2 TLSv1.3;             # no SSLv3, TLS 1.0 or TLS 1.1
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;   # TLS 1.2 only: AEAD suites with forward secrecy (TLS 1.3 suites are not governed by this list)
ssl_prefer_server_ciphers off;             # let modern clients choose, e.g. ChaCha20 on devices without AES hardware
ssl_session_cache shared:SSL:10m;          # resumption cache shared across worker processes
Best Practices
1. Use TLS 1.2 or 1.3: disable SSLv3, TLS 1.0 and TLS 1.1 everywhere, not just on the web tier
2. Strong cipher suites: prefer AEAD ciphers (AES-GCM, ChaCha20-Poly1305) and drop CBC, RC4, 3DES and export suites
3. Enable HSTS: send Strict-Transport-Security so browsers refuse to fall back to plain HTTP
4. Certificate management: automate issuance and renewal (ACME) and monitor expiry, since an expired certificate is an outage
5. Forward secrecy: use ECDHE key exchange and never RSA key transport, so a leaked private key does not decrypt recorded traffic
6. Regular testing: SSL Labs, testssl.sh, and re-test after every library or configuration change
Testing TLS Configuration
# Force a TLS 1.3 handshake and print the negotiated version and cipher (-servername sends SNI)
openssl s_client -connect example.com:443 -servername example.com -tls1_3 </dev/null
# Check the certificate the server presents for that name
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -text
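Scanners such as testssl.sh do this probing for you, but the mechanism is simple enough to script. The following is an added example (not code from the original page) that uses Python's ssl module to offer one protocol version at a time and reports which ones the server accepts, then turns the results into findings. The host name is a placeholder; the network part needs a reachable server, while the findings function is pure and is what a CI check would assert on.

```python
import socket
import ssl

ALL_VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
DEPRECATED = {ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}   # RFC 8996


def probe_version(host, version, port=443, timeout=5.0):
    """Offer exactly one protocol version; return (accepted, negotiated cipher or None)."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE          # probing protocol support, not trust
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version in DEPRECATED:
            # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower it for the probe only
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.cipher()[0]
    except (ssl.SSLError, OSError, ValueError):
        # a handshake failure means the server (or, for very old versions, the local
        # OpenSSL build) does not support this version; both count as "not accepted"
        return False, None


def probe_all(host, port=443):
    """Map each protocol version to whether the server accepted it."""
    return {v: probe_version(host, v, port)[0] for v in ALL_VERSIONS}


def findings(results):
    """Turn {TLSVersion: accepted} into (severity, message) pairs. Pure, so it is testable offline."""
    out = []
    for v, accepted in results.items():
        if accepted and v in DEPRECATED:
            out.append(("HIGH", f"{v.name} accepted: deprecated by RFC 8996, disable it"))
    has_12 = results.get(ssl.TLSVersion.TLSv1_2, False)
    has_13 = results.get(ssl.TLSVersion.TLSv1_3, False)
    if not has_13:
        out.append(("MEDIUM", "TLS 1.3 not offered: enable it for 1-RTT handshakes and mandatory forward secrecy"))
    if not has_12 and not has_13:
        out.append(("HIGH", "no modern TLS version accepted"))
    return out


if __name__ == "__main__":
    host = "example.com"                       # placeholder target
    results = probe_all(host)
    for v, ok in results.items():
        print(f"{v.name:8} {'accepted' if ok else 'refused'}")
    for severity, msg in findings(results):
        print(severity, msg)
```

Because the probe disables certificate verification, it must only ever be used for protocol discovery; use the openssl commands above, with verification on, to check the certificate chain itself.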
TLS is the foundation of secure internet communication, encrypting data in transit to protect against eavesdropping, tampering, and man-in-the-middle attacks.