I bought it and skimmed through most of it, and I have a hard time recommending it personally. It’s really short on the crypto and offers no insight into why TLS behaves the way it does. I would like to at least see an explanation of the TLS handshake process, but there is none. It’s a lot of “using openssl s_client”-type of discussion; i.e. how to use it, not so much on how it works, and that applies to most of the book (including the OCSP parts).<p>Practical, not necessarily theoretical; but if that’s what you are looking for, then it’s a great book.
TLS always felt like a scary beast to me until I started writing Go. The crypto/tls package is amazing and makes doing incredible things with TLS super easy. We're using it in lots of interesting ways behind the scenes for Encore, leveraging Vault, a custom CA, SPIFFE for workload identity and more.<p>I haven't read the book, but learning more about TLS is easily one of the best time investments I've made.
I recommend this blog post as a good primer for TLS.<p>http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
In my opinion, Michael W Lucas is one of the best tech writers working today. I have made great use of his books Absolute OpenBSD, SSH Mastery, and Httpd & Relayd Mastery.<p>He also wrote Absolute FreeBSD and PGP & GPG: Email for the Practical Paranoid, among many others.
Feisty Duck has some great material and training in this vein => https://www.feistyduck.com/<p>I just sat through the 4 1/2 day online training they offer, and thought it was worth the price, as long as the company was picking up the tab.
Can someone who has read it post their review?<p>The contents look good and I feel like it might help me patch some holes in my knowledge. It has the advantage of at least looking like it's up to date (a lot of SSL writing has been obsoleted).
My first impression is that a book called "TLS Mastery" should dive deeper than what the TOC suggests this one does.<p>TLS privacy seems to be a big, rather little-known topic. OCSP leaks etc. Does this book cover it in-depth?
Anyone know if the book covers ESNI? Or if there's a good resource on how to set that up with Nginx, CloudFlare DNS, and Let's Encrypt?<p>EDIT: Okay, it looks like this is not yet ready for most people to use.
I learned a few years ago that you can do TLS auth without client-side certs.<p>People were always surprised how they stay logged in after clearing cookies.
Step 1. Give up volition to a third party certificate authority and hope your internet service is never controversial enough to get it revoked like sci-hub.