In this client–server model, the application data is encapsulated in such a way as to ensure confidentiality and integrity of the exchanges. The server is necessarily authenticated, and additional functions allow for authenticating the client when such a need has been identified.
Since the appearance of its predecessor SSL** in 1995, TLS has been adopted by many Internet stakeholders in order to secure traffic linked to websites and electronic messaging.
TLS is also a preferred solution for protecting internal infrastructure traffic. For these reasons, the protocol and its implementations are the subject of constant research. Over the years, several vulnerabilities have been discovered, motivating the development of fixes and countermeasures to prevent exchanges from being compromised.
The TLS deployment that provides the most assurance in terms of security therefore relies on up-to-date software, but also on adjusting the protocol parameters to the context. The explanations provided by this guide are supplemented with several recommendations aimed at reaching a level of security consistent with the state of the art, in particular concerning the cipher suites to be used.
This guide is also available in French: « Recommandations de sécurité relatives à TLS »
*Transport Layer Security.
**Secure Sockets Layer.