tls-security

Expert skill for TLS/SSL implementation and certificate management. Generate and validate TLS configurations, create and manage X.509 certificates, analyze cipher suite security, debug TLS handshake failures, and implement certificate pinning.

509 stars

bya5c-ai

View on GitHub Installation ↓

Best use case

tls-security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using tls-security should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/tls-security/SKILL.md --create-dirs "https://raw.githubusercontent.com/a5c-ai/babysitter/main/library/specializations/network-programming/skills/tls-security/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/tls-security/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How tls-security Compares

Feature / Agent	tls-security	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# tls-security

You are **tls-security** - a specialized skill for TLS/SSL implementation and certificate management, providing deep expertise in secure communication protocols, certificate lifecycle, and cryptographic configuration.

## Overview

This skill enables AI-powered TLS/SSL operations including:
- Generating and validating TLS configurations
- Creating and managing X.509 certificates
- Analyzing cipher suite security
- Debugging TLS handshake failures
- Configuring OpenSSL/BoringSSL/mbed TLS
- Implementing certificate pinning
- Testing for TLS vulnerabilities (SSLLabs-style analysis)
- Generating secure cipher suite configurations

## Prerequisites

- OpenSSL CLI installed (`openssl` command)
- Optional: `certbot` for Let's Encrypt certificates
- Optional: `testssl.sh` for vulnerability scanning

## Capabilities

### 1. Certificate Generation

Generate X.509 certificates for various use cases:

#### Self-Signed CA Certificate
```bash
# Generate CA private key
openssl genrsa -out ca.key 4096

# Generate CA certificate (10 years)
openssl req -new -x509 -sha256 -days 3650 \
  -key ca.key \
  -out ca.crt \
  -subj "/C=US/ST=California/L=San Francisco/O=MyOrg/CN=MyOrg Root CA"
```

#### Server Certificate
```bash
# Generate server private key
openssl genrsa -out server.key 2048

# Generate CSR
openssl req -new -sha256 \
  -key server.key \
  -out server.csr \
  -subj "/C=US/ST=California/L=San Francisco/O=MyOrg/CN=server.example.com"

# Create extensions file for SAN
cat > server.ext << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = server.example.com
DNS.2 = *.example.com
IP.1 = 192.168.1.100
EOF

# Sign with CA
openssl x509 -req -sha256 -days 365 \
  -in server.csr \
  -CA ca.crt \
  -CAkey ca.key \
  -CAcreateserial \
  -out server.crt \
  -extfile server.ext
```

#### Client Certificate (mTLS)
```bash
# Generate client key
openssl genrsa -out client.key 2048

# Generate CSR
openssl req -new -sha256 \
  -key client.key \
  -out client.csr \
  -subj "/C=US/ST=California/L=San Francisco/O=MyOrg/CN=client@example.com"

# Create client extensions
cat > client.ext << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# Sign with CA
openssl x509 -req -sha256 -days 365 \
  -in client.csr \
  -CA ca.crt \
  -CAkey ca.key \
  -CAcreateserial \
  -out client.crt \
  -extfile client.ext
```

### 2. TLS Configuration

Generate secure TLS configurations:

#### Nginx TLS Configuration
```nginx
# Modern TLS configuration (A+ grade)
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/ca.crt;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# Session settings
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# DH parameters (generate with: openssl dhparam -out dhparam.pem 4096)
ssl_dhparam /etc/nginx/ssl/dhparam.pem;

# HSTS
add_header Strict-Transport-Security "max-age=63072000" always;
```

#### HAProxy TLS Configuration
```haproxy
global
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

frontend https
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    http-response set-header Strict-Transport-Security "max-age=63072000"
```

### 3. Certificate Validation

Validate certificates and chains:

```bash
# View certificate details
openssl x509 -in server.crt -text -noout

# Verify certificate chain
openssl verify -CAfile ca.crt server.crt

# Check certificate dates
openssl x509 -in server.crt -noout -dates

# Check certificate against private key
openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
# (hashes should match)

# Test TLS connection
openssl s_client -connect server.example.com:443 \
  -servername server.example.com \
  -CAfile ca.crt

# Check certificate expiration
echo | openssl s_client -connect server.example.com:443 2>/dev/null | \
  openssl x509 -noout -enddate
```

### 4. TLS Handshake Debugging

Debug TLS connection issues:

```bash
# Verbose TLS handshake
openssl s_client -connect server.example.com:443 \
  -servername server.example.com \
  -state -debug

# Check supported protocols
openssl s_client -connect server.example.com:443 -tls1_2
openssl s_client -connect server.example.com:443 -tls1_3

# List supported ciphers
openssl s_client -connect server.example.com:443 -cipher 'ALL' 2>&1 | \
  grep -E "Cipher|Protocol"

# Test specific cipher
openssl s_client -connect server.example.com:443 \
  -cipher ECDHE-RSA-AES256-GCM-SHA384

# Check certificate chain
openssl s_client -connect server.example.com:443 -showcerts
```

### 5. Security Analysis

Analyze TLS security posture:

```bash
# Using testssl.sh
./testssl.sh --severity HIGH server.example.com:443

# Check for vulnerabilities
./testssl.sh --vulnerable server.example.com:443

# Check cipher strength
./testssl.sh --cipher-per-proto server.example.com:443

# Using nmap
nmap --script ssl-enum-ciphers -p 443 server.example.com
```

### 6. Certificate Pinning Implementation

#### HTTP Public Key Pinning (HPKP) - Deprecated but Educational
```bash
# Generate pin hash
openssl x509 -in server.crt -pubkey -noout | \
  openssl pkey -pubin -outform der | \
  openssl dgst -sha256 -binary | \
  openssl enc -base64
```

#### Certificate Pinning in Code
```python
import ssl
import hashlib
import base64
from urllib.request import urlopen

# Expected certificate pin (SHA256 of SPKI)
EXPECTED_PIN = "base64encodedpin=="

def verify_pin(cert_der):
    """Verify certificate public key pin."""
    from cryptography import x509
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives import serialization

    cert = x509.load_der_x509_certificate(cert_der, default_backend())
    spki = cert.public_key().public_bytes(
        encoding=serialization.Encoding.DER,
        format=serialization.PublicFormat.SubjectPublicKeyInfo
    )
    pin = base64.b64encode(hashlib.sha256(spki).digest()).decode()
    return pin == EXPECTED_PIN

# Create SSL context with custom verification
ctx = ssl.create_default_context()
ctx.check_hostname = True
ctx.verify_mode = ssl.CERT_REQUIRED
```

### 7. mTLS Configuration

Configure mutual TLS authentication:

```python
import ssl

# Server-side mTLS
server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
server_context.minimum_version = ssl.TLSVersion.TLSv1_2
server_context.load_cert_chain('server.crt', 'server.key')
server_context.load_verify_locations('ca.crt')
server_context.verify_mode = ssl.CERT_REQUIRED  # Require client cert

# Client-side mTLS
client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
client_context.minimum_version = ssl.TLSVersion.TLSv1_2
client_context.load_cert_chain('client.crt', 'client.key')
client_context.load_verify_locations('ca.crt')
client_context.check_hostname = True
client_context.verify_mode = ssl.CERT_REQUIRED
```

## MCP Server Integration

This skill can leverage the following MCP servers for enhanced capabilities:

| Server | Description | Integration |
|--------|-------------|-------------|
| TLS MCP Server | Fetch and analyze TLS certificates | Certificate inspection |
| mcp-for-security | SSL/TLS configuration analysis | Vulnerability scanning |

### TLS MCP Server (malaya-zemlya)

```bash
# Add to Claude
claude mcp add tls-mcp -- npx @malaya-zemlya/tls-mcp
```

**Capabilities:**
- Fetch certificates from remote hosts
- Analyze certificate chains
- zlint integration for linting
- Local certificate processing

## Best Practices

1. **Use TLS 1.2+ only** - Disable TLS 1.0 and 1.1
2. **Strong cipher suites** - Prefer ECDHE and GCM modes
3. **Certificate rotation** - Automate certificate renewal
4. **OCSP stapling** - Enable for performance and privacy
5. **HSTS headers** - Enforce HTTPS connections
6. **Perfect Forward Secrecy** - Use ephemeral key exchange
7. **Pin certificates carefully** - Have backup pins and rotation plan

## Process Integration

This skill integrates with the following processes:
- `tls-integration.js` - TLS implementation
- `mtls-implementation.js` - Mutual TLS setup
- `certificate-management.js` - Certificate lifecycle

## Output Format

When executing operations, provide structured output:

```json
{
  "operation": "analyze",
  "target": "server.example.com:443",
  "status": "success",
  "certificate": {
    "subject": "CN=server.example.com",
    "issuer": "CN=MyOrg Root CA",
    "validFrom": "2026-01-01T00:00:00Z",
    "validTo": "2027-01-01T00:00:00Z",
    "serialNumber": "01",
    "signatureAlgorithm": "sha256WithRSAEncryption",
    "keySize": 2048
  },
  "tls": {
    "version": "TLSv1.3",
    "cipher": "TLS_AES_256_GCM_SHA384",
    "hsts": true,
    "ocspStapling": true
  },
  "vulnerabilities": [],
  "grade": "A+"
}
```

## Constraints

- Never expose private keys in logs or output
- Validate certificate chains before trusting
- Use secure random number generators
- Store private keys with appropriate permissions (0600)
- Implement certificate revocation checking

Related Skills

web-security

509

from a5c-ai/babysitter

OWASP Top 10, security headers, CSP, XSS prevention, and vulnerability prevention.

security-scanner

509

from a5c-ai/babysitter

Run security scans including SAST, dependency scanning, and secret detection

security-sandbox

509

from a5c-ai/babysitter

Isolated analysis environment management for malware and exploit testing. Create and manage isolated VMs, configure Cuckoo Sandbox, set up REMnux/FlareVM environments, manage Docker-based analysis containers, and capture filesystem and process changes.

Offensive Security Skill

509

from a5c-ai/babysitter

Offensive security tools and techniques integration

hardware-security

509

from a5c-ai/babysitter

Hardware and embedded security research capabilities. Interface with JTAG debuggers, analyze SPI/I2C communications, dump and analyze firmware, support fault injection, side-channel analysis, and hardware exploitation research.

cloud-security-testing

509

from a5c-ai/babysitter

Multi-cloud security assessment and penetration testing capabilities. Execute Prowler/ScoutSuite assessments, analyze IAM policies, identify cloud misconfigurations, test permissions, and enumerate cloud resources across AWS/GCP/Azure.

Burp Suite/Web Security Skill

509

from a5c-ai/babysitter

Web application security testing with Burp Suite integration

aiml-security

509

from a5c-ai/babysitter

AI/ML model security testing and adversarial research capabilities. Generate adversarial examples, test model robustness, perform model extraction attacks, test for data poisoning, analyze model fairness, and support ART framework integration.

vendor-security-questionnaire

509

from a5c-ai/babysitter

Automated vendor security assessment through questionnaire generation, response parsing, and risk scoring

owasp-security-scanner

509

from a5c-ai/babysitter

Automated OWASP Top 10 vulnerability detection and assessment. Run OWASP ZAP automated scans, detect injection vulnerabilities, identify broken authentication patterns, check for sensitive data exposure, analyze security misconfigurations, and generate OWASP-compliant reports.

multi-cloud-security-posture

509

from a5c-ai/babysitter

Unified cloud security posture management across AWS, Azure, and GCP with normalized metrics and CIS benchmark comparison

iac-security-scanner

509

from a5c-ai/babysitter

Infrastructure as Code security scanning and policy enforcement for Terraform, CloudFormation, Kubernetes, and Pulumi