
What is SSL?

2.0 Middle 🔥 121 comments
#Client-server architecture

Comments (1)

claude-haiku-4.5 (PrepBro AI), 26 Mar 2026 (edited)

The answer was generated by a neural network and may contain errors

What is SSL

SSL (Secure Sockets Layer) and its modern successor TLS (Transport Layer Security) are critical technologies for internet security. In my practice I test SSL/TLS functionality all the time.

Definition

SSL (Secure Sockets Layer) is a cryptographic protocol for secure data transfer over the internet.

TLS (Transport Layer Security) is the modern version of SSL (SSL 3.1)

History

SSL 1.0 → SSL 2.0 (1995) → SSL 3.0 (1996)
↓
TLS 1.0 (1999, based on SSL 3.0)
TLS 1.1 (2006) → TLS 1.2 (2008) → TLS 1.3 (2018, current)

Why SSL/TLS is needed

1. Encryption

Problem: without SSL, data travels in the clear

User: sends password 12345
Without SSL: the password is transmitted in clear text
Hacker on the network: can intercept the password
Result: account hacked

With SSL: the password is encrypted
Hacker sees: gibberish (random characters)
Result: the password is safe

2. Authentication

Problem: how do you know it is really example.com?

Without SSL: there is no way to check
Hacker sets up a fake example.com site
User thinks it is real and enters the password
Hacker receives the password

With SSL: the certificate proves identity
Browser verifies the certificate
Fake site has no valid certificate
Browser shows a WARNING

3. Integrity

Problem: how do you know the data was not altered?

Without SSL: a hacker can change the message
Original: "Transfer $10"
Intercepted & changed: "Transfer $10000"
User does not know

With SSL: a hash verifies integrity
If the data is altered, the hash does not match
Error detected

How SSL/TLS works

TLS Handshake

Process:

1. Client Hello
   Client → Server: "Hi, I support TLS 1.2, 1.3"
                    "I support these ciphers..."

2. Server Hello
   Server → Client: "OK, we'll use TLS 1.2"
                    "I'll use this cipher suite"
                    "Here's my certificate"

3. Key Exchange
   Client: "Verify certificate is valid ✓"
   Client → Server: "Let's use this key"
   Both: Use key for encryption

4. Finished
   Client → Server: "I'm ready (encrypted)"
   Server → Client: "I'm ready (encrypted)"
   
Result: Secure connection established
Time: ~100-200ms

After the handshake

Client ↔ Server: All data encrypted
Everything transmitted safely

SSL Certificate

What it is

A certificate is a digital document that confirms the server's identity

The certificate contains:
- Domain name (example.com)
- Company name
- Valid dates (issued: Jan 2024, expires: Jan 2025)
- Public key (for encryption)
- Digital signature (from the Certificate Authority)

Types of Certificates

1. Single Domain

Valid for: example.com only
Invalid for: www.example.com, api.example.com

2. Wildcard

Valid for: *.example.com
Includes: api.example.com, www.example.com, etc.
Invalid for: example.com (without subdomain)

3. Multi-domain (SAN)

Valid for: example.com, api.example.com, admin.example.com
Specified in certificate

When testing SSL

What I check

1. Certificate validity

import requests

# Check if certificate is valid
def test_certificate_valid():
    response = requests.get('https://api.example.com', verify=True)
    # verify=True → verify the certificate
    # If invalid → raises SSLError
    assert response.status_code == 200

2. Expired certificate

Situation: Certificate expired on Jan 1, 2024
Today: Jan 15, 2024

Browser shows: "Your connection is not private"
               "ERR_CERT_DATE_INVALID"

Test:
requests.get('https://expired.example.com')
→ SSLError: certificate expired

3. Self-signed certificate

Certificate: Created by company, not by CA
Browser shows: "Not trusted"

Test in development:
requests.get(url, verify=False)  # Disable verification

Never do in production!

4. Certificate mismatch

Certificate issued for: api.example.com
User visits: payment.example.com

Browser shows: "Certificate doesn't match domain"
               "ERR_CERT_COMMON_NAME_INVALID"

Test:
requests.get('https://wrong-domain.example.com')
→ SSLError: certificate mismatch

Curl commands for testing

# 1. Show certificate details
curl -vI https://example.com 2>&1 | grep -A 10 "certificate"

# 2. Check certificate expiry (s_client alone never prints "Validity": pipe the
#    presented certificate through x509 -text; echo closes s_client's stdin)
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -text | grep -A 2 "Validity"

# 3. Show certificate info
echo | openssl s_client -connect example.com:443 -showcerts 2>/dev/null | openssl x509 -text -noout

# 4. Test SSL version
curl -I --tlsv1.2 https://example.com  # Should work
curl -I --sslv3 https://example.com    # Should fail

# 5. Disable certificate verification (dev only!)
curl -k https://self-signed.example.com

Common SSL Issues When Testing

Issue 1: SSL_CERTIFICATE_VERIFY_FAILED

Cause: the certificate is not trusted

Solution:

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.get(url, verify=False)  # For testing only!

Issue 2: Certificate expired

Check:

echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

output:
notBefore=Jan  1 10:00:00 2023 GMT
notAfter=Jan  1 10:00:00 2024 GMT

Issue 3: Mixed content

Problem: some resources are loaded via HTTP, some via HTTPS

<!-- Page HTTPS -->
<img src="http://example.com/image.jpg">  ✗ HTTP
<script src="https://example.com/js"></script>  ✓ HTTPS

Browser shows: "Not secure"

Test:

// Check for mixed content (Cypress)
cy.visit('https://example.com')
cy.window().then(win => {
  // location.protocol keeps the trailing colon ('https:'), and the query must
  // run against the visited page's document (win.document), not the runner's
  const hasInsecureContent = win.location.protocol === 'https:' &&
    win.document.querySelectorAll('[src^="http:"]').length > 0
  expect(hasInsecureContent).to.be.false
})
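The same check can be run offline against saved HTML, which helps when the page under test is not reachable from the CI runner. The scanner below is an added example, not code from the answer above or from PrepBro. It goes a little further than the Cypress selector: it also flags `href` on `<link>` (stylesheets, which are active mixed content) and `srcset` candidates, and it separates active from passive findings. The element/attribute table and the constructed sample page are my own assumptions.

```python
from html.parser import HTMLParser

# Added example (not from the original answer). Which attributes a browser
# fetches as sub-resources is an assumption of this example; <a href> is
# navigation, not a sub-resource, so it is deliberately absent.
URL_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),          # stylesheets: active mixed content
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src", "srcset"),
    "object": ("data",),
    "embed": ("src",),
}
# Active mixed content can run code or restyle the page; browsers block it outright.
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if value is None or attr not in URL_ATTRS.get(tag, ()):
                continue
            if attr == "srcset":
                # srcset holds comma-separated "url descriptor" candidates
                urls = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                urls = [value.strip()]
            for url in urls:
                # Only an explicit http: scheme is insecure; "//host/x" inherits https:
                if url.lower().startswith("http:"):
                    self.findings.append({
                        "tag": tag, "attr": attr, "url": url,
                        "active": tag in ACTIVE_TAGS,
                    })


def find_mixed_content(html: str, page_url: str) -> list:
    """Insecure sub-resource references on an HTTPS page.

    An http: page cannot have mixed content, so it yields an empty list.
    """
    if not page_url.lower().startswith("https:"):
        return []
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one active and one passive offender, two non-offenders
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://example.com/style.css">
<script src="https://example.com/js"></script>
</head><body>
<img src="http://example.com/image.jpg">
<img src="//example.com/logo.png" srcset="//example.com/logo@2x.png 2x">
<a href="http://example.com/about">about</a>
</body></html>"""

if __name__ == "__main__":
    for f in find_mixed_content(SAMPLE_PAGE, "https://example.com/"):
        kind = "ACTIVE" if f["active"] else "passive"
        print(f"{kind:7} <{f['tag']} {f['attr']}> {f['url']}")
```

Run it against the constructed page and it reports the stylesheet as active and the image as passive, while the protocol-relative logo and the navigation link are correctly left alone.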

TLS versions

Supported versions

✓ TLS 1.2 (2008, still widely supported)
✓ TLS 1.3 (2018, modern, recommended)

✗ TLS 1.1 and below (deprecated, insecure)
✗ SSL 3.0 and below (very old, very insecure)

When testing

# Check which TLS versions supported
nmap --script ssl-enum-ciphers -p 443 example.com

Output:
TLSv1.0: weak  # Not recommended
TLSv1.2: strong  # OK
TLSv1.3: strong  # Best

# Test specific version
curl --tlsv1.3 https://example.com  # Should work
curl --tlsv1.0 https://example.com  # May work but not recommended

Cipher Suites

A cipher suite is the set of algorithms used for encryption

Example cipher suite:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Breakdown:
- TLS: Protocol version
- ECDHE: Key exchange algorithm
- RSA: Authentication algorithm
- AES_256_GCM: Encryption algorithm (256-bit)
- SHA384: Hashing algorithm

Weak vs Strong

✗ Weak (avoid):
- MD5, SHA1
- DES, 3DES (40-bit, 56-bit keys)
- RC4

✓ Strong (use):
- SHA256, SHA384, SHA512
- AES-256
- ECDHE

Check server cipher suites

# openssl's flag is -tls1_3 (curl uses --tlsv1.3); echo closes s_client's stdin
echo | openssl s_client -connect example.com:443 -tls1_3 2>/dev/null | grep "Cipher"

Output:
Cipher: TLS_AES_256_GCM_SHA384
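The parser below is an added example (not from the answer above or from PrepBro) that splits IANA-style suite names such as the one in the breakdown above and rates them against the weak/strong lists; it also pulls the negotiated suite out of an `openssl s_client` `Cipher:` line. The forward-secrecy and export-grade checks and the constructed sample list are my own additions beyond the answer's lists.

```python
import re

# Added example (not from the original answer). Weak lists follow the answer
# above: MD5 and SHA-1 hashes, DES/3DES/RC4 ciphers. NULL, the export-grade
# check and the forward-secrecy check are this example's own additions.
WEAK_HASHES = {"MD5", "SHA"}                 # a bare "SHA" in a suite name is SHA-1
WEAK_CIPHERS = {"DES", "3DES", "RC4", "NULL"}
STATIC_KEY_EXCHANGE = {"RSA", "DH", "ECDH"}  # no forward secrecy (ephemeral = DHE/ECDHE)


def parse_cipher_suite(name: str) -> dict:
    """Break an IANA cipher-suite name into its parts and rate it.

    TLS 1.2-style names: TLS_<kx>_<auth>_WITH_<cipher>_<hash>
    TLS 1.3-style names: TLS_<cipher>_<hash> (key exchange and authentication
    are negotiated separately and no longer appear in the name).
    """
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {name}")
    parts = name[len("TLS_"):].split("_")
    hash_alg = parts[-1]

    if "WITH" in parts:
        i = parts.index("WITH")
        kx_auth = [p for p in parts[:i] if p != "EXPORT"]
        key_exchange = kx_auth[0]
        # TLS_RSA_WITH_... names one algorithm for both roles
        authentication = kx_auth[1] if len(kx_auth) > 1 else kx_auth[0]
        cipher_parts = parts[i + 1:-1]
        protocol = "TLS 1.2 or earlier"
    else:
        key_exchange = authentication = None
        cipher_parts = parts[:-1]
        protocol = "TLS 1.3"

    key_bits = next((int(p) for p in cipher_parts if p.isdigit()), None)

    findings = []
    if hash_alg in WEAK_HASHES:
        findings.append(f"weak hash {hash_alg}")
    for p in cipher_parts:
        if p in WEAK_CIPHERS:
            findings.append(f"weak cipher {p}")
    if "EXPORT" in parts:
        findings.append("export-grade suite")
    if key_bits is not None and key_bits < 128:
        findings.append(f"short key ({key_bits} bits)")
    if key_exchange in STATIC_KEY_EXCHANGE:
        findings.append(f"no forward secrecy ({key_exchange} key exchange)")

    return {
        "name": name,
        "protocol": protocol,
        "key_exchange": key_exchange,
        "authentication": authentication,
        "encryption": "_".join(cipher_parts),
        "key_bits": key_bits,
        "hash": hash_alg,
        "findings": findings,
        "strong": not findings,
    }


def cipher_from_openssl_output(text: str):
    """Pull the negotiated suite out of `openssl s_client` output.

    Matches both "Cipher    : NAME" and "New, TLSv1.3, Cipher is NAME".
    """
    m = re.search(r"Cipher\s*(?::|is)\s*([A-Z0-9_-]+)", text)
    return m.group(1) if m else None


# Constructed sample list of the kind nmap's ssl-enum-ciphers would enumerate
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]

if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        r = parse_cipher_suite(suite)
        verdict = "strong" if r["strong"] else "WEAK: " + "; ".join(r["findings"])
        print(f"{suite:45} {verdict}")
```

Note that for TLS 1.2 suites the trailing "SHA" in CBC names denotes HMAC-SHA1 and is flagged even when the cipher itself is AES; in the TLS 1.3 names the hash is the HKDF/transcript hash and is always SHA-256 or SHA-384.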

SSL/TLS Security best practices

For testing

# ✓ Good: Verify certificate
response = requests.get('https://api.example.com', verify=True)

# ❌ Bad: Disable verification
response = requests.get('https://api.example.com', verify=False)

# Only use verify=False for local testing with self-signed certs!
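In Python the `verify=True`/`verify=False` choice maps onto an `ssl.SSLContext`, which is also where a test harness enforces the TLS 1.2 floor from the TLS versions section. The helper below is an added example, not the answer's or PrepBro's code: `make_client_context`, `audit_context`, `local_tls_support` and `probe` are my own names, and `probe` needs network access, so it is shown but not exercised offline.

```python
import socket
import ssl

# Added example (not from the original answer): the strict client context a test
# harness should use, the lax one that mirrors verify=False / curl -k, and an
# audit that reports which of the two it was handed.


def make_client_context(verify: bool = True,
                        minimum: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Client-side TLS context with certificate checks on and a protocol floor.

    create_default_context() already loads the system CA store, sets
    CERT_REQUIRED and enables hostname checking; the floor version is added
    here. verify=False accepts any certificate, exactly like requests'
    verify=False, so it belongs only with local self-signed test servers.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum
    if not verify:
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Weaknesses a reviewer would flag in a client context (empty = fine)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol below TLS 1.2 ({ctx.minimum_version.name})")
    return findings


def local_tls_support() -> dict:
    """Protocol versions the local OpenSSL build can still speak."""
    return {
        "TLSv1.3": ssl.HAS_TLSv1_3,
        "TLSv1.2": ssl.HAS_TLSv1_2,
        "TLSv1.1": ssl.HAS_TLSv1_1,
        "TLSv1.0": ssl.HAS_TLSv1,
        "SSLv3": ssl.HAS_SSLv3,
    }


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with a real server and report what was negotiated (needs network).

    Raises ssl.SSLCertVerificationError for expired, mismatched or untrusted
    certificates, which is the failure the curl/requests tests above look for.
    """
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "version": tls.version(),          # e.g. "TLSv1.3"
                "cipher": tls.cipher()[0],         # e.g. "TLS_AES_256_GCM_SHA384"
                "not_after": cert.get("notAfter"),
                "subject": cert.get("subject"),
            }


if __name__ == "__main__":
    print("strict:", audit_context(make_client_context()) or "no findings")
    print("lax:   ", audit_context(make_client_context(verify=False)))
    print("local: ", local_tls_support())
```

A useful CI guard is to run `audit_context` over whatever context the test suite's HTTP client actually uses, so a `verify=False` left behind from local debugging fails the pipeline before it reaches production tests.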

For development

# Generate self-signed certificate (for local testing)
openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365

# Use in development server
python app.py --cert=cert.pem --key=key.pem

For production

# Get certificate from Certificate Authority (Let's Encrypt is free)
# Use proper tools: certbot, acme.sh

certbot certonly --nginx -d example.com

# Auto-renew (expires after 90 days)
certbot renew --dry-run

SSL pinning

Concept: "Pin" specific certificate to prevent MITM attacks

# Without pinning:
request → can be intercepted by proxy

# With pinning:
request → verify that it's the EXPECTED certificate
if not: reject connection

# Test implementation (host/port are placeholders; cert_sha256 is the expected pin)
import hashlib
import ssl

def test_certificate_pinning(host="api.example.com", port=443):
    cert_sha256 = "abc123..."  # expected SHA-256 of the server certificate (DER)

    # Fetch the certificate the server actually presents (PEM text)
    peer_cert_pem = ssl.get_server_certificate((host, port))

    # Pins are computed over the DER bytes, not the PEM text, so line wrapping
    # and header differences cannot change the hash
    peer_cert_der = ssl.PEM_cert_to_DER_cert(peer_cert_pem)
    cert_hash = hashlib.sha256(peer_cert_der).hexdigest()

    assert cert_hash == cert_sha256

Practical examples from my work

Example 1: Mobile app HTTPS testing

Project: iOS banking app

Requirement: All API calls over HTTPS

Test:
1. Charles proxy intercept requests
2. Check: all requests to https://api.example.com
3. No requests to http://
4. Certificate pinning working (can't intercept)

Result: ✓ Secure

Example 2: Certificate renewal testing

Problem: Certificate expires in 30 days

Test:
1. Get certificate details
   echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates | grep "notAfter"
   notAfter=Jan 31, 2024

2. Alert admin to renew

3. After renewal:
   - New certificate date: Jan 31, 2025
   - No service interruption
   - All users can still connect

Monitoring: Set alert for 30 days before expiry
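The expiry check in Issue 2 and the 30-day alert in Example 2 can be automated from the `openssl x509 -noout -dates` output (the real `Jan  1 10:00:00 2024 GMT` format shown in Issue 2). The checker below is an added example, not the answer's or PrepBro's code; `certificate_status`, `parse_openssl_dates`, `utc` and the constructed SAMPLE_OUTPUT are my own names and data.

```python
from datetime import datetime, timedelta, timezone

# Added example (not from the original answer): turns the output of
#   echo | openssl s_client -connect HOST:443 2>/dev/null | openssl x509 -noout -dates
# into an expiry verdict with a configurable warning window (30 days by default).
OPENSSL_DATE_FORMAT = "%b %d %H:%M:%S %Y %Z"   # e.g. "Jan  1 10:00:00 2024 GMT"


def parse_openssl_dates(output: str) -> dict:
    """Parse the notBefore=/notAfter= lines into UTC-aware datetimes."""
    dates = {}
    for line in output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # openssl prints GMT; strptime leaves the result naive, so attach UTC
            parsed = datetime.strptime(value.strip(), OPENSSL_DATE_FORMAT)
            dates[key] = parsed.replace(tzinfo=timezone.utc)
    missing = {"notBefore", "notAfter"} - set(dates)
    if missing:
        raise ValueError(f"openssl output lacks {sorted(missing)}")
    return dates


def utc(iso_date: str) -> datetime:
    """Fixed 'now' values for tests, e.g. utc('2024-01-15') or utc('2023-12-15T10:00:00')."""
    return datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)


def certificate_status(output: str, now: datetime = None, warn_days: int = 30) -> dict:
    """Classify a certificate as ok / expiring_soon / expired / not_yet_valid."""
    now = now or datetime.now(timezone.utc)
    d = parse_openssl_dates(output)
    days_left = (d["notAfter"] - now) / timedelta(days=1)
    if now < d["notBefore"]:
        status = "not_yet_valid"          # clock skew or a certificate issued for the future
    elif now >= d["notAfter"]:
        status = "expired"
    elif days_left <= warn_days:
        status = "expiring_soon"          # the "alert admin to renew" case
    else:
        status = "ok"
    return {
        "status": status,
        "days_left": round(days_left, 1),
        "not_before": d["notBefore"].isoformat(),
        "not_after": d["notAfter"].isoformat(),
    }


# Constructed sample, same shape as the output shown in Issue 2
SAMPLE_OUTPUT = """notBefore=Jan  1 10:00:00 2023 GMT
notAfter=Jan  1 10:00:00 2024 GMT
"""

if __name__ == "__main__":
    for when in ("2023-06-01", "2023-12-15", "2024-01-15"):
        r = certificate_status(SAMPLE_OUTPUT, now=utc(when))
        print(f"{when}: {r['status']:14} ({r['days_left']} days left)")
```

Wire `certificate_status` to a scheduled job that feeds it the live openssl output for each host and pages on anything other than `ok`, and the manual "Alert admin to renew" step becomes automatic.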

Summary

SSL/TLS is critical for security.

Key points:

  1. Encryption: Data protected from eavesdropping
  2. Authentication: Verify server identity
  3. Integrity: Detect tampering

When testing:

  • ✓ Check certificate validity
  • ✓ Verify TLS version (1.2+)
  • ✓ Ensure HTTPS everywhere
  • ✓ No mixed content
  • ✓ Certificate pinning (if needed)
  • ✗ Never disable in production

As QA, understanding SSL/TLS is essential because:

  • Security is critical in modern apps
  • Need to test HTTPS endpoints
  • Need to verify certificates
  • Need to troubleshoot SSL errors
  • GDPR compliance requires HTTPS