I bought it and skimmed through most of it, and I have a hard time recommending it personally. Itās really short on the crypto and offers no insight into why TLS behaves the way it does. I would like to at least see an explanation of the TLS handshake process, but there is none. Itās a lot of āusing openssl s_clientā-type of discussion; i.e. how to use it, not so much on how it works, and that applies to most of the book (including the ocsp parts).
Practical, not necessarily theoretical; but if thatās what you are looking for, then itās a great book.
> Itās really short on the crypto and offers no insight into why TLS behaves the way it does. ... Itās a lot of āusing openssl s_clientā-type of discussion;
That is literally how the author explained in his book's Amazon Kindle version's free preview[1]. The author specifically said he is not a brilliant mathematician so he's not going into the details of explaining the math but rather explain the how-to from a practitioner's standpoint. Obviously, you don't need to be a brilliant mathematician in order to under the math behind public-key cryptography but for many engineers, I agree with the author that I care more of about how to configure it and make it work securely rather than the reason behind the scene. The author also claimed that he would recommend some further readings if you would like to dig into it more.
TLS always felt like a scary beast to me until I started writing Go. The crypto/tls package is amazing and makes doing incredible things with TLS super easy. We're using it in lots of interesting ways behind the scenes for Encore, leveraging Vault, a custom CA, SPIFFE for workload identity and more.
I haven't read the book, but learning more about TLS is easily one of the best time investments I've made.
> TLS always felt like a scary beast to me until I started writing Go. The crypto/tls package is amazing and makes doing incredible things with TLS super easy.
This x100. I have been recently developing an embedded CA for a gRPC service in golang. Issuing a root, intermediate, server and a client cert for mtls is less than 350 lines of code. Itās incredible.
Iāve written more about it here: https://gruchalski.com/posts/2021-03-28-firebuild-rootfs-grp....
just curious, what do you need SPIFEE workload identity for? I've used it in the past for building something like Tailscale
We use it as part of mTLS to provide access to application metadata. It doesn't need to be SPIFFE but it made sense for our use case :)
I see, so a workload spins up and wants to learn something about itself and uses identity verification to gain access to it? My use case was an untrusted node getting a centrally issued key to join a p2p VPN
I recommend this blog post as a good primer for TLS.
http://www.moserware.com/2009/06/first-few-milliseconds-of-h...
Yes, a fantastic article! I hope we get an updated version with ESNI / Encrypted Hello eventually
In my opinion, Michael W Lucas is one of the best tech writers working today. I have made great use of his books Absolute OpenBSD, SSH Mastery, and Httpd & Relayd Mastery.
He also wrote Absolute FreeBSD and PGP & GPG: Email for the Practical Paranoid, among many others.
Feisty Duck has some great material and training in this vein => https://www.feistyduck.com/
I just sat through the 4 1/2 day online training they offer, and thought it was worth the price, as long as the company was picking up the tab.
Can someone who has read it post their review?
The contents look good and I feel like it might help me patch some holes in my knowledge. It has the advantage of at least looking like it's up to date (a lot of SSL writing has been obsoleted).
Every book MWL has released has been super helpful in my experience.
Probably one of the best tech writers Iāve ever encountered. I own most of this books - especially the more BSD specific ones.
Just bought the Tux edition on Amazon for Kindle. $10. Says it was published/updated April 5, 2021. Hands on practice with OpenSSL. Engaging writing style. Doesn't assume too much or too little. No bullshit.
This command alone in the first ten pages makes it worth it. Establish TLS connection, get certs, and decode certs for any site:
openssl s_client -showcerts -connect www.mwl.io:443 </dev/null | openssl x509 -text -noout
10/10.
Hmmm... for that kind of stuff, I've found sslshopper's page to be very useful. https://www.sslshopper.com/article-most-common-openssl-comma...
And for the TLS handshake, this is incredibly useful: https://tls.ulfheim.net (The Illustrated TLS Connection). Towards the bottom of this page, you now have TLS 1.3 illustrated as well.
My first impression is that a book called "TLS Mastery" should dive deeper than what the toc suggests this one does.
TLS privacy seems to be a big rather little-known topic. OCSP leaks etc. Does this book cover it in-depth?
Anyone know if the book covers ESNI? Or if there's a good resource on how to set that up with Nginx, CloudFlare DNS, and Let's Encrypt?
EDIT: Okay, it looks like this is not yet ready for most people to use.
Encrypted Client Hello, which is what eSNI developed into, is an active draft for the TLS working group. If you have relevant expertise I'm sure that the group would be happy to have you, in particular if you have any insight into how to achieve goals like Don't Stand Out while also keeping ECH as simple as possible.
https://www.youtube.com/watch?v=AIDnO_QB64A is the most recent interim video conference meeting on this topic.
I expect that during 2021 they'll pin down the more controversial parts that remain to be done.
As an end user, I have been using ESNI-enabled openssl to make HTTP requests to sites using Cloudflare and for me it works great.
Get a daily email with the the top stories from Hacker News. No spam, unsubscribe at any time.