TLS: Transport Layer Security: TLS is the successor to SSL. All SSL versions, and TLS 1.0 and 1.1, are deprecated; a current server should offer only TLS 1.2 and 1.3. We still refer to our security certificates as SSL because it is the more common term, but the certificate itself is protocol-neutral: when you buy SSL from DigiCert, you get a certificate that works with up-to-date TLS.
HTTPS: Hypertext Transfer Protocol Secure: HTTP carried over a TLS connection. HTTPS appears in the URL when a website is secured by an SSL/TLS certificate. Users can view the details of the certificate, including the issuing authority and, for OV and EV certificates, the verified organization name, by clicking the lock symbol in the browser's address bar.
256-bit encryption: Encrypting data with a cipher whose key is 256 bits long, for example AES-256, the symmetric cipher most TLS sessions use. Key length only compares strength within one algorithm: a 256-bit symmetric key is far stronger than a 256-bit RSA key, and a 256-bit elliptic-curve key is roughly equivalent to a 3072-bit RSA key. The session key size is also separate from the certificate's key size (typically RSA 2048 or ECC P-256).
Asymmetric cryptography: Ciphers that use a pair of mathematically related keys, where what one key encrypts or signs the other decrypts or verifies. In the world of SSL and TLS we call them the public and private keys: the public key is published in the certificate, the private key stays on the server and must never be shared.
Certificate signing request (CSR): Machine-readable form of a certificate application sent to the CA (for example DigiCert). A CSR contains the requester's public key and distinguished name, usually the requested Subject Alternative Names, and is signed with the matching private key to prove the requester holds it; the private key itself is never sent to the CA.
Certificate authority (CA): Entity authorized to issue, suspend, renew or revoke certificates under a CPS (Certification Practice Statement). CAs are identified by a distinguished name on all certificates and CRLs they issue. A CA must publicize its public key or provide a certificate from a higher-level CA attesting to the validity of its public key if it’s subordinate to a Primary Certification Authority. DigiCert is a Primary Certification Authority (PCA).
Cipher suite: A named combination of the algorithms one TLS connection uses: key exchange (e.g. ECDHE), authentication (e.g. RSA or ECDSA signatures with the certificate's key), bulk encryption (e.g. AES-128-GCM) and message integrity (an HMAC or, for AEAD suites, the cipher's own authentication tag). In TLS 1.3 a suite names only the AEAD cipher and hash; key exchange and signature algorithms are negotiated separately.
Common name (CN): Attribute within the distinguished name of a certificate. For SSL certificates the common name is traditionally the DNS host name of the site to be secured, but modern browsers ignore it for host name matching and require the name to appear in the Subject Alternative Name extension. For Software Publisher Certificates, the common name is the organization name.
Connection error: The warning a browser shows when it cannot establish a secure session with a site, for example because the certificate is expired, does not match the host name, does not chain to a trusted CA, or the server offers no protocol version or cipher suite the browser accepts.
Domain Validation (DV) SSL Certificates: The most basic level of SSL certificate. Only control of the domain name is validated (for example via a DNS record, an email to the domain, or a file placed on the web server) before the certificate is issued; nothing about the organization behind the site is checked.
Elliptic Curve Cryptography (ECC): Public-key cryptography whose public/private key pair is built from points on an elliptic curve. ECC gives equivalent security with much shorter keys than RSA (a 256-bit ECC key is comparable to a 3072-bit RSA key), so signatures and key exchange are faster and need less computing power; at these sizes neither ECC nor RSA is breakable by brute force.
Encryption: Process of transforming readable data (plaintext) into an unintelligible form (ciphertext) that can be recovered only by applying the inverse decryption process with the right key. A one-way transformation whose input cannot be recovered at all (a cryptographic hash) is sometimes loosely called one-way encryption, but is not encryption in the strict sense.
Extended Validation (EV) SSL Certificates: The most comprehensive form of certificate. Control of the domain is validated and the company or organization undergoes a strict identity-verification process under the CA/Browser Forum EV Guidelines. Note that major browsers no longer show a distinct EV indicator in the address bar; the verified organization is visible only in the certificate details.
Key exchange: How client and server securely establish shared secret key material for a session. In TLS 1.2 this produces the pre-master secret, either by encrypting it to the server's RSA public key or, preferably, via ephemeral Diffie-Hellman; TLS 1.3 always uses an ephemeral (EC)DHE exchange, which gives forward secrecy.
Look beyond the lock: Our consumer education campaign on how to view high-assurance Extended Validation certificates. It exists to combat the meteoric rise of phishing websites that pose as legitimate companies while using a legitimately issued Domain Validated certificate, and therefore show the same padlock as any other site.
Master secret: The key material from which a TLS 1.2 session's encryption keys, MAC secrets and initialization vectors are derived. TLS 1.3 replaces it with an HKDF-based key schedule.
Message Authentication Code (MAC): A short tag computed over a message and a secret key with a keyed one-way function (in TLS, HMAC); the receiver recomputes it to detect tampering. AEAD cipher suites such as AES-GCM build this integrity check into the cipher itself.
Organization Validation (OV) SSL Certificates: A type of SSL certificate that validates control of the domain and the legal existence of the organization behind it, whose name then appears in the certificate.
Padlock: The icon shown in the URL bar of most major browsers to signal that the connection is secured by HTTPS. It means the traffic is encrypted and the certificate chains to a root the browser trusts; it says nothing about who operates the site, since a phishing site can obtain a DV certificate too. Clicking the padlock shows the certificate details, where users can see whether the operator's identity was verified (OV or EV).
Pre-master secret: The key material agreed during the TLS 1.2 key exchange, from which the master secret is derived.
Public key infrastructure (PKI): Architecture, organization, techniques, practices and procedures that collectively support the implementation and operation of a certificate-based public key cryptographic system. The PKI consists of systems that collaborate to provide and implement the public key cryptographic system, and possibly other related services.
Secure server: Server that serves its web pages over SSL or TLS. When a secure server is in use, the server is authenticated to the user by its certificate. Data is encrypted by the browser's TLS implementation before being sent across the internet and can be decrypted only by the server that holds the certificate's private key.
SAN (Subject Alternative Name) SSL certificates: Certificate whose Subject Alternative Name extension lists several host names, so multiple domains can be secured with one SSL certificate. Because browsers match host names only against the SAN extension, practically every modern certificate carries one.
SSL: Abbreviation for Secure Sockets Layer, the predecessor of TLS. Protocol between web browsers and servers that provides authentication of the server and encryption of data sent over the internet. All SSL versions are deprecated and the term now usually means TLS.
SSL certificate: Server certificate that enables authentication of the server to the user and encryption of data transferred between the server and the user.
SSL Handshake: The first phase of an SSL/TLS connection, in which client and server agree on protocol version and cipher suite, the server presents its certificate, and the keys for the session are established.
Symmetric encryption: Encryption method in which the same key is used for both encryption and decryption (for example AES). TLS uses asymmetric cryptography to authenticate the server and agree on keys, then symmetric encryption for the actual data because it is far faster.
TCP: Transmission Control Protocol, the reliable transport over which HTTP and TLS run; HTTPS uses TCP port 443 by default.
Wildcard SSL certificates: Certificate with a name such as *.mydomain.com that secures every host name at one subdomain level (www.mydomain.com, mail.mydomain.com) but not the bare domain or deeper levels (a.b.mydomain.com) unless those are listed as additional SANs.
Note that when working with SSL and a proxy there are two options. Which one you choose depends on your needs, but here I cover only the first.
One option is to terminate SSL in nginx and use plaintext between nginx and your internal web service. This puts the cryptographic load on nginx and less work on your web service. If your web service is not reachable publicly (other than through the reverse proxy) and lives on the same machine as the proxy, this is generally a safe option; bind the backend to 127.0.0.1 or a Unix socket so the plaintext never leaves the host. This is what is covered below.
The other option is to pass SSL through nginx to the final destination. This is better if the services behind the proxy live on different machines, because then the traffic on the wire is encrypted even though it is internal. If the destination web service sits on the same machine as the proxy, encrypting it through nginx has less benefit. Passing through also means nginx forwards raw TCP (its stream module) and can route only on the SNI name, not on HTTP headers or paths. If your application is slow at SSL or cannot do it at all, let nginx handle it. If your application must manage the SSL layer itself, pass it through nginx.
Adding SSL to a server block in nginx requires adding the ssl keyword to the listen directive and two additional configuration options:
ssl_certificate
ssl_certificate_key
There are many more SSL options, which you can find at http://nginx.org/en/docs/http/ngx_http_ssl_module.html, but the minimum two required are the certificate and the key.
# Template SSL virtual host
server {
    listen 0.0.0.0:443 ssl;
    listen [::]:443 ssl;
    server_name www.mydomain.com;

    # cert.pem must hold the server certificate followed by the intermediate
    # chain (nginx has no separate chain directive); keep the key root-readable only.
    ssl_certificate     /path/to/cert.pem;
    ssl_certificate_key /path/to/private-key.pem;

    # Current protocol versions and forward-secret AEAD suites only. The
    # "HIGH:!aNULL:!MD5" list still admits static RSA key exchange and CBC suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
}
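The glossary entries for the CSR, the common name and SAN certificates, and the ssl_certificate / ssl_certificate_key pair in the template above, come together in the steps a server operator actually performs. The script below is an added example, not code from the original page or from nginx or DigiCert: it generates a private key and a CSR that carries every host name in the SAN extension, then checks that the certificate that comes back matches the key. The host name mydomain.com, the output paths and the function names are assumptions for illustration; the self-signing step stands in for the CA so the whole flow runs offline.

```shell
#!/bin/sh
# Added example, not from the original page: key + CSR generation and a
# certificate/key match check, using only the openssl CLI. Host names and
# paths are assumptions.
set -e

# Build the subjectAltName value OpenSSL expects: "DNS:a,DNS:b".
# Browsers match the host name against the SAN extension, not the CN,
# so every name the certificate must cover goes here.
san_list() {
    out=""
    for h in "$@"; do
        out="${out:+$out,}DNS:$h"
    done
    printf '%s' "$out"
}

# Create an EC P-256 key (it never leaves this host) and a CSR for the names.
# Usage: make_csr OUTDIR HOST [HOST...]; the first host also becomes the CN.
# -addext needs OpenSSL 1.1.1 or newer.
make_csr() {
    dir=$1; shift
    mkdir -p "$dir"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/private-key.pem"
    chmod 600 "$dir/private-key.pem"
    openssl req -new -key "$dir/private-key.pem" -out "$dir/request.csr" \
        -subj "/CN=$1" -addext "subjectAltName=$(san_list "$@")"
    # Print the SAN line so you can confirm nothing was dropped before submitting.
    openssl req -in "$dir/request.csr" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}'
}

# Print "match" if the certificate carries the public half of the key file,
# "mismatch" otherwise. Compares SHA-256 of the DER-encoded public keys, which
# works for RSA and EC keys alike (the classic modulus comparison is RSA-only).
# A mismatch here is what produces nginx's "key values mismatch" startup error.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ] && echo match || echo mismatch
}

# Offline demo: self-sign the CSR in place of the CA. With a real CA you would
# submit request.csr and receive cert.pem (plus the intermediate chain) back.
demo() {
    dir=$(mktemp -d)
    make_csr "$dir" www.mydomain.com mydomain.com
    openssl x509 -req -in "$dir/request.csr" -signkey "$dir/private-key.pem" \
        -days 30 -out "$dir/cert.pem" 2>/dev/null
    cert_matches_key "$dir/cert.pem" "$dir/private-key.pem"   # match
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/other-key.pem"
    cert_matches_key "$dir/cert.pem" "$dir/other-key.pem"     # mismatch
    rm -rf "$dir"
}

# Run the demo only when asked, so the functions can also be sourced.
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh csr-check.sh demo`. Copy the resulting cert.pem (server certificate first, then the CA's intermediates) and private-key.pem to the paths named in ssl_certificate and ssl_certificate_key, and run `nginx -t` before reloading.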
OCSP (Online Certificate Status Protocol) lets a client ask the issuing certificate authority's responder whether a given SSL certificate has been revoked, so the browser knows to refuse the connection if it has. Traditionally the browser makes this check itself, which adds a round trip to the CA's responder to every full SSL/TLS handshake and therefore makes HTTPS connections slower (and tells the CA which sites the user visits).
cPanel's Apache installation enables a technology known as 'OCSP Stapling' by default, which works as a cache for the OCSP status. The server fetches the signed OCSP response itself and, from the first successful fetch on, "staples" it to the SSL/TLS handshake, so the connecting browser no longer has to contact the responder and HTTPS connections complete faster. The stapled response is signed by the CA and valid only for a limited time, so the server has to keep refreshing it.
The error above appears when OCSP stapling fails because the host server could not reach the certificate authority's OCSP responder. This can happen for a variety of reasons. Common ones are DNS caching that makes your server connect to the wrong IP address, network issues preventing your server from reaching the responder, or a service problem at the certificate authority.
Many certificate authorities rotate the IP addresses behind their OCSP responders fairly frequently, so a server holding a stale cached record keeps trying an old address and fails. Verify this by comparing what your server resolves the responder's host name to with what a common public DNS resolver returns; if they differ, flush the local resolver cache.
The most common cause of OCSP errors is the network: datacenter blocks, server firewalls or other filtering keep the server from connecting to the responder. Pinging the OCSP server named in your error (ping6 on servers with IPv6 configured) is a quick first check, but it only proves ICMP reachability; ICMP is often blocked where HTTP is allowed and vice versa, so the reliable test is an HTTP request or an openssl ocsp query to the responder URL on port 80, made from the server itself.
Infrequently, certificate authorities have downtime on their OCSP responders. Certificate authorities such as Sectigo publish a service status page and announce OCSP issues there. If the problem is systemic there will likely be a notice and, ideally, a projected ETA for service to be restored; in that case nothing on your server needs fixing.
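The three checks described above (local versus public DNS resolution, reachability of the responder, and an actual OCSP query) are scripted below as an added example; it is not part of the original page and not a cPanel tool. The certificate and chain paths are assumptions, and the responder host name used in the comments (ocsp.example.com) is a placeholder: the real URL is read from the certificate's Authority Information Access extension. `dig` comes from the bind-utils/dnsutils package and `getent` from glibc.

```shell
#!/bin/sh
# Added example, not from the original page: diagnose a failing OCSP
# stapling lookup from the web server itself. Paths are assumptions; the
# responder URI comes from the certificate.
set -e

# The responder URL lives in the certificate's Authority Information Access extension.
ocsp_uri() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# "http://ocsp.example.com:80/path" -> "ocsp.example.com"
uri_host() {
    printf '%s\n' "$1" | sed -e 's,^[A-Za-z][A-Za-z0-9+.-]*://,,' -e 's,[/:].*$,,'
}

# Succeed if two whitespace-separated IP lists hold the same addresses in any
# order. Used to compare this host's resolver with a public one: a difference
# usually means a stale cached record for a responder that has moved.
ip_sets_match() {
    a=$(printf '%s\n' $1 | sort -u)
    b=$(printf '%s\n' $2 | sort -u)
    [ "$a" = "$b" ]
}

# Resolve the responder both ways: getent goes through this host's resolver
# and cache, dig @1.1.1.1 bypasses them.
check_dns() {
    host=$1
    local_ips=$(getent ahostsv4 "$host" | awk '{print $1}' | sort -u | tr '\n' ' ')
    public_ips=$(dig +short A "$host" @1.1.1.1 | sort -u | tr '\n' ' ')
    echo "local resolver : $local_ips"
    echo "public resolver: $public_ips"
    if ip_sets_match "$local_ips" "$public_ips"; then
        echo "DNS consistent"
    else
        echo "DNS differs: flush the local cache (nscd, systemd-resolved or named) and retry"
    fi
}

# ping only proves ICMP reachability and many networks drop ICMP while allowing
# HTTP, so test what Apache actually does: an HTTP request to the responder
# host, then a real OCSP query. Any HTTP status proves the TCP path is open;
# "Response verify OK" plus "good" means stapling will work from here.
check_reachability() {
    cert=$1; chain=$2
    uri=$(ocsp_uri "$cert")
    host=$(uri_host "$uri")
    echo "responder: $uri"
    curl -sS -o /dev/null -w "HTTP status from $host: %{http_code}\n" \
        --connect-timeout 5 "http://$host/" || echo "cannot reach $host over HTTP"
    # Verification of the responder signature uses the system trust store.
    openssl ocsp -issuer "$chain" -cert "$cert" -url "$uri" 2>&1 |
        grep -E 'Response verify|: (good|revoked|unknown)|Error' ||
        echo "no usable OCSP response from $uri"
}

# Usage: sh ocsp-check.sh /path/to/cert.pem /path/to/chain.pem
if [ $# -eq 2 ]; then
    check_dns "$(uri_host "$(ocsp_uri "$1")")"
    check_reachability "$1" "$2"
fi
```

If the public resolver returns addresses the local resolver does not, the DNS-caching case above applies; if both resolve identically but the HTTP request times out, it is the firewall or datacenter block; if the HTTP request succeeds and only the OCSP query fails, check the CA's status page.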