Deploy360 11 July 2014

CloudFlare Releases Open Source CFSSL, a TLS/SSL Toolkit

By Dan YorkDirector, Internet Technology

CloudFlare logoYesterday the folks over at CloudFlare introduced their “CFSSL” toolkit for working with TLS (SSL) certificates. Their blog post explains what CFSSL is all about, and they have also made the code available along with further documentation on Github: https://github.com/cloudflare/cfssl

This is interesting to me for a couple of reasons.  First, their blog post has some excellent diagrams outlining the challenges with ensuring that a TLS certificate is able to be validated by a web browser.  The author Nick Sullivan points out that different browsers trust different numbers of Certificate Authorities (CAs) – and that older browsers may not trust newer CA certificates.  He outlines the need to create “certificate bundles” that include multiple TLS chains.  The key point of all of this is to make it so that your TLS certificate is accessible to the widest range of browsers and systems.

As a tutorial alone, the post is a good read.

It also highlights the complexity (some might say “brokenness”!) of the current CA system and why many folks are looking for mechanisms to add more trust into the system (the DANE protocol being one of those potential mechanisms).

The post also explains their CFSSL tool which is available for anyone to use.  While it is not exactly a TLS library, like some of the other tools we’ve highlighted in our TLS for Applications area, the source code is available and some developers may find it of use.  I found it interesting that the tool could also be used to create your own CA and generate your own certificates.  This might be useful for people looking to do additional testing or to run their own CA for their own purposes.

Regardless of what you may do with the toolkit, kudos to CloudFlare for making it available under a permissive open source license and for providing the documentation they do.  I hope it will help some folks out there make the Internet more secure!

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...