The goal of this document is to help operational teams with the configuration of TLS. All Mozilla websites and deployments should follow the recommendations below.
Mozilla maintains this document as a reference guide for navigating the TLS landscape, as well as a configuration generator to assist system administrators. Changes are reviewed and merged by the Mozilla Operations Security and Enterprise Information Security teams.
nginx does not support HTTPS connections when used as a forward proxy by default. This module adds support.
Let’s Encrypt is a new Certificate Authority:
It’s free, automated, and open.
Arriving Summer 2015
To access and sync my ownCloud's calendar and contacts with my Android
phone in a (more-or-less) secure manner through HTTPS, I needed to get an
SSL/TLS certificate. Or precisely: a self-signed root CA (Certification
Authority) certificate.
After searching for Howtos and creating a bunch of CA certificates,
normal certificates, signing them, signing them vice-versa etc. -- yes,
I don't really have a clue -- I mostly ran into one of these errors:
- when signing normal cert with CA cert: "not self-signed"
- when self-signing normal cert with itself: "no Basic Constraint CA flag"
Then I finally found this one-liner
(https://langui.sh/2009/01/18/openssl-self-signed-ca/) that does the job
just fine::

    $ openssl req -newkey rsa:2048 -days 365 -x509 -nodes -out root.cer

Make sure to use the domain name you want to use this certificate on as
the Common Name (CN).
This creates a certificate file (named as defined in the -out parameter)
and a key file, named 'privkey.pem' in my case. I had to upload this
in the admin interface of my shared hoster, and 5 minutes later the
certificate was installed and accepted by DAVDroid, the Android syncing
app.
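
The two errors quoted in the post ("not self-signed", "no Basic Constraint CA flag") name properties that can be checked directly on the generated file. The following is an added example, not part of the original post: it generates the certificate non-interactively and checks those properties plus the CN and the key match. The function names, the private config file `req.cnf` and the CN passed in are assumptions for illustration.

```shell
#!/bin/sh
# Added example: function names, file names and the CN are constructed.

# make_root_cert DIR CN: non-interactive variant of the post's one-liner.
# A private config is used so the result does not depend on the system openssl.cnf.
make_root_cert() {
    dir=$1; cn=$2
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = $cn
[v3_ca]
basicConstraints = critical, CA:TRUE
EOF
    ( umask 077   # keep the unencrypted private key unreadable to other users
      openssl req -newkey rsa:2048 -days 365 -x509 -nodes \
          -config "$dir/req.cnf" \
          -keyout "$dir/privkey.pem" -out "$dir/root.cer" 2>/dev/null )
}

# True when subject equals issuer and the signature verifies with its own key.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# True when the Basic Constraints extension marks the certificate as a CA.
has_ca_flag() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# True when the certificate carries the public half of the given private key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Prints the CN, to compare with the host name the client will connect to.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}
```
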
My PyCon Ru 2014 slides about writing secure APIs are online:
HTTPS Everywhere is a Firefox extension that encrypts your communications with a number of major websites.
HTTP session hijacking over open wireless networks with a simple Firefox plugin. Nice.