#tls — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #tls, aggregated by home.social.
-
#phetch - #GopherProtocol client written in #Rust with #Tor / #I2P proxy support + #TLS as the bonus:
https://github.com/xvxx/phetch
To handle I2P connections use the following trick:
TOR_PROXY=127.0.0.1:4447 target/release/phetch -o gopher://phlogqhspsjzcdubodidwc74pmc56hik2t3bhajwc47rg6snboia.b32.i2p:70/1ps/
-
Build a fortress in the realm of the clouds. #FreeBSD #GCP #GoogleCloud #OpenSource #TLS https://cromwell-intl.com/open-source/freebsd-google-cloud/?s=mc
-
SSL Labs checks the TLS-config of servers for PQC (post-quantum cryptography) key exchanges now.
https://www.ssllabs.com/ssltest/
#SSLlabs #SSLtest #qualys #pqc #tls #postQuantumCryptography #infosec
-
I have a much better autocert.HostPolicy for #Henhouse coming in. We'll be able to check the DNS records of the custom domain to ensure it's resolving to the correct IP before signaling to Caddy to provision a cert from Let's Encrypt.
-
TLSS, or a portable PKI service in your pocket
Today I would like to talk about a small project that has been going on for, no more and no less, about two years. I named it TLSS, or TLS Service: a pocket PKI service.
-
How DPI filtering at Russian ISPs works technically and how to detect it: a review of open-source tools
Over the past couple of years, every Runet user has learned to tell "internet at home" from "internet at grandma's". On one provider YouTube opens, on another it doesn't. It feels like unpredictability, but behind each such degradation there are quite specific technical mechanisms. I ran the open-source tool dpi-checkers on three of my connections, worked out the TCP 16-20 methods and CIDR whitelists, and will explain what technically happens to your traffic at L4, from SNI filtering to QUIC blocking.
https://habr.com/ru/articles/1033456/
#DPI #deep_packet_inspection #TCP #TLS #SNI #CIDR #censorship #OONI #network_filtering
-
> I see a lot of criticism of #tls but it is more important for integrity than it is for confidentiality. It seems there are a lot of people here who do not remember the days that ISPs (and others) would insert stuff into html pages in the pre-TLS era.
-
🛑 #LetsEncrypt will stop issuing certificates for .onion domains 🌐
This decision responds to changes in the CA/Browser Forum rules and will directly affect the #security of many services on the #Tor network. A relevant change for #privacy on the network. 🔐
All the info here: https://blog.elhacker.net/2026/05/lets-encrypt-detiene-emision-de.html
#Cybersecurity #SSL #TLS #Onion #Internet #Privacy #Tech #Web #News
-
Looks like Let's Encrypt has resumed issuing certs:
https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/69fe2d6698ca07050eb4b1b3
-
⚠️ Let's Encrypt: Stopping Issuance for Potential Incident
"We have been made aware of a potential incident and are shutting down all issuance."
May 8, 2026 18:37 UTC
https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/69fe2d6698ca07050eb4b1b3
#letsencrypt #tls #webpki #pki #browsers #security #privacy #selfhosting #cybersecurity #ITInfrastructure
-
Let's Encrypt just stopped the issuance of certificates after a (so far not publicly disclosed) incident:
https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/69fe2d6698ca07050eb4b1b3
If anyone encounters issues today with failed certificate renewals: It's probably not your setup.
Update: Let's Encrypt has resumed issuance.
-
Goodbye #letsencrypt? At least for now.
"We have been made aware of a potential incident and are shutting down all issuance."
https://letsencrypt.status.io/
E: Let's Encrypt has resumed issuance.
"Due to an issue with the cross-signed certificate from our Generation X root to our new Generation Y root, all issuance has been switched back to our Generation X root certificate."
https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/69fe2d6698ca07050eb4b1b3
-
OK that took the whole morning, mostly getting the ingress controller to correctly serve #tls (I didn't realise that in addition to setting the host names and cert secret, I also needed to ensure that each named server has an explicit rules block otherwise nginx uses the catch-all rules and doesn't apply TLS).
So now, when I push my #gnustepweb app to main, #woodpeckerCI builds and pushes to #quayio and #argoCD pulls and deploys the app in my prod cluster.
-
What exactly broke: dissecting RKN/TSPU blocking by network stack layer. Rkn Block Checker
Your site won't open. The browser says "Could not establish a connection". That is all it knows, and it is useless. Because "won't open" is at least four different stories. The provider's DNS resolver lied. The ISP drops packets by IP. The TSPU read the host name in the cleartext field of the TLS ClientHello and tore down the connection. Or you got an honest 200 OK and a stub page saying "access restricted by decision of Roskomnadzor". Each case calls for a different response, and without understanding at which layer the filter sits, you can poke in any direction and not guess right. In the article I go through all four mechanisms layer by layer, bottom up, from DNS to HTTP, and show a Python CLI that runs probes at each level and gives a diagnosis: TCP_RESET, TLS_BLOCK, DNS_BLOCK, HTTP_STUB. Separately, I cover how "TCP opened, but the TLS handshake died" becomes a reliable fingerprint of DPI on SNI, and why parallel streaming of results via as_completed radically changes the UX compared to pool.map(). This is a diagnostic tool, not a circumvention tool. Open source, MIT, pip install rkn-block-checker.
https://habr.com/ru/articles/1032572/
#python #github #IT #DNS #RKN #system_administration #tls #cli #TSPU #DPI
-
Protocol implementation as art
-
A Caddy Cert Expired Because systemd-resolved Was Selectively Broken
https://rant.mvh.dev/a-caddy-cert-expired-because-systemd-resolved-was-selectively-broken/
-
Configuration audit of a website with Termux on Android in 15 minutes. curl, ssl, dig: no hacking and no root
Analysis of publicly available HTTP responses and DNS records without authentication or active interference. Only the external configuration is checked: HTTP headers, TLS/SSL, DNS, open ports. No vulnerabilities are exploited, and there is no load on the server.
https://habr.com/ru/articles/1030924/
#Configuration_audit #Termux #Android #HTTP_Security_Headers #TLS #DNS #Ports
-
By consulting the proper documents, one may speak a secure and secret tongue. #TLS #LetsEncrypt #OpenSource https://cromwell-intl.com/open-source/tls-certificates/?s=mc
-
The 47-day certificate: faster treadmill, same broken foundation
Managing TLS certificates has become pretty crazy: Over the years validity was cut down from several years to two years to one year to half a year now. In a few years it will be only a little more than one month, with the additional requirement to basically continuously prove domain control.
(1/6)
https://offerman.com/en/blog/the-47-day-certificate-faster-treadmill-same-broken-foundation
#TLS #PKI #LetsEncrypt #ACME #DANE #DNSSEC #InternetSecurity #rant #selfhosting
-
Digital certificates ≠ just HTTPS.
DV, OV, EV, wildcard, SAN, mTLS, code signing…
All built on PKI and trust chains.
If you work with infra, security, or networking — this matters.
👉 https://www.relianoid.com/resources/knowledge-base/misc/types-of-digital-certificates/
-
@xssfox : no they're not.
IIRC client certs are bound to the TLS channel, while passkeys are bound to the domain name.
Passkeys do not protect against DNS domain takeovers or BGP hijacks (where a malicious website hijacks the domain name and obtains a valid https website certificate).
OTOH if your browser has a TLS connection to a MitM proxy such as Cloudflare or Fastly, you're dead in the water anyway.
-
Certbot doesn't define CN by default which is required by pgBackRest and OpenVPN as of today. I tried to use a CSR but Certbot doesn't automatically renew those certificates making certbot pointless. I'm now using acme.sh and it just works https://github.com/acmesh-official/acme.sh
-
Numerous technical and security improvements on the infrastructure that supports https://mstdn.dk
- DNS simplified extensively by migrating public facing secondary nameservers to #NSD using #CatalogZones from PowerDNS + DNSDist.
- #DNSSEC reenabled
- #ExternalDNS and #CertManager configuration vastly simplified.
- #Ingress controller migrated from #Nginx to #Traefik
Bottom line: https://sikkerpånettet.dk/ now gives the site a 100% #security score. There are still improvements to be made (weirdly enough) - specifically I'm looking into supporting DANE for #TLS certificate signatures in #DNS.
Now that's off the TODO-list :-)
-
Networking changes coming in macOS 27
https://fed.brid.gy/r/https://eclecticlight.co/2026/04/23/networking-changes-coming-in-macos-27/
-
Build your own secure realm, where the most powerful secret tongues are spoken. #TLS #OpenSSL #cybersecurity #Nginx #OpenSource https://cromwell-intl.com/open-source/nginx-openssl-quantum-safe/oqsprovider-on-freebsd.html?s=mc