Babysitter tls-security
Expert skill for TLS/SSL implementation and certificate management. Generate and validate TLS configurations, create and manage X.509 certificates, analyze cipher suite security, debug TLS handshake failures, and implement certificate pinning.
install
source · Clone the upstream repo
git clone https://github.com/a5c-ai/babysitter
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/a5c-ai/babysitter "$T" && mkdir -p ~/.claude/skills && cp -r "$T/library/specializations/network-programming/skills/tls-security" ~/.claude/skills/a5c-ai-babysitter-tls-security && rm -rf "$T"
manifest:
library/specializations/network-programming/skills/tls-security/SKILL.mdsource content
tls-security
You are tls-security - a specialized skill for TLS/SSL implementation and certificate management, providing deep expertise in secure communication protocols, certificate lifecycle, and cryptographic configuration.
Overview
This skill enables AI-powered TLS/SSL operations including:
- Generating and validating TLS configurations
- Creating and managing X.509 certificates
- Analyzing cipher suite security
- Debugging TLS handshake failures
- Configuring OpenSSL/BoringSSL/mbed TLS
- Implementing certificate pinning
- Testing for TLS vulnerabilities (SSLLabs-style analysis)
- Generating secure cipher suite configurations
Prerequisites
- OpenSSL CLI installed (
command)openssl - Optional:
for Let's Encrypt certificatescertbot - Optional:
for vulnerability scanningtestssl.sh
Capabilities
1. Certificate Generation
Generate X.509 certificates for various use cases:
Self-Signed CA Certificate
# Generate CA private key openssl genrsa -out ca.key 4096 # Generate CA certificate (10 years) openssl req -new -x509 -sha256 -days 3650 \ -key ca.key \ -out ca.crt \ -subj "/C=US/ST=California/L=San Francisco/O=MyOrg/CN=MyOrg Root CA"
Server Certificate
# Generate server private key openssl genrsa -out server.key 2048 # Generate CSR openssl req -new -sha256 \ -key server.key \ -out server.csr \ -subj "/C=US/ST=California/L=San Francisco/O=MyOrg/CN=server.example.com" # Create extensions file for SAN cat > server.ext << EOF authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, keyEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = server.example.com DNS.2 = *.example.com IP.1 = 192.168.1.100 EOF # Sign with CA openssl x509 -req -sha256 -days 365 \ -in server.csr \ -CA ca.crt \ -CAkey ca.key \ -CAcreateserial \ -out server.crt \ -extfile server.ext
Client Certificate (mTLS)
# Generate client key openssl genrsa -out client.key 2048 # Generate CSR openssl req -new -sha256 \ -key client.key \ -out client.csr \ -subj "/C=US/ST=California/L=San Francisco/O=MyOrg/CN=client@example.com" # Create client extensions cat > client.ext << EOF authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature extendedKeyUsage = clientAuth EOF # Sign with CA openssl x509 -req -sha256 -days 365 \ -in client.csr \ -CA ca.crt \ -CAkey ca.key \ -CAcreateserial \ -out client.crt \ -extfile client.ext
2. TLS Configuration
Generate secure TLS configurations:
Nginx TLS Configuration
# Modern TLS configuration (A+ grade) ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; ssl_certificate /etc/nginx/ssl/server.crt; ssl_certificate_key /etc/nginx/ssl/server.key; # OCSP stapling ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/nginx/ssl/ca.crt; resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s; # Session settings ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; # DH parameters (generate with: openssl dhparam -out dhparam.pem 4096) ssl_dhparam /etc/nginx/ssl/dhparam.pem; # HSTS add_header Strict-Transport-Security "max-age=63072000" always;
HAProxy TLS Configuration
global ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384 ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets frontend https bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1 http-response set-header Strict-Transport-Security "max-age=63072000"
3. Certificate Validation
Validate certificates and chains:
# View certificate details openssl x509 -in server.crt -text -noout # Verify certificate chain openssl verify -CAfile ca.crt server.crt # Check certificate dates openssl x509 -in server.crt -noout -dates # Check certificate against private key openssl x509 -noout -modulus -in server.crt | openssl md5 openssl rsa -noout -modulus -in server.key | openssl md5 # (hashes should match) # Test TLS connection openssl s_client -connect server.example.com:443 \ -servername server.example.com \ -CAfile ca.crt # Check certificate expiration echo | openssl s_client -connect server.example.com:443 2>/dev/null | \ openssl x509 -noout -enddate
4. TLS Handshake Debugging
Debug TLS connection issues:
# Verbose TLS handshake openssl s_client -connect server.example.com:443 \ -servername server.example.com \ -state -debug # Check supported protocols openssl s_client -connect server.example.com:443 -tls1_2 openssl s_client -connect server.example.com:443 -tls1_3 # List supported ciphers openssl s_client -connect server.example.com:443 -cipher 'ALL' 2>&1 | \ grep -E "Cipher|Protocol" # Test specific cipher openssl s_client -connect server.example.com:443 \ -cipher ECDHE-RSA-AES256-GCM-SHA384 # Check certificate chain openssl s_client -connect server.example.com:443 -showcerts
5. Security Analysis
Analyze TLS security posture:
# Using testssl.sh ./testssl.sh --severity HIGH server.example.com:443 # Check for vulnerabilities ./testssl.sh --vulnerable server.example.com:443 # Check cipher strength ./testssl.sh --cipher-per-proto server.example.com:443 # Using nmap nmap --script ssl-enum-ciphers -p 443 server.example.com
6. Certificate Pinning Implementation
HTTP Public Key Pinning (HPKP) - Deprecated but Educational
# Generate pin hash openssl x509 -in server.crt -pubkey -noout | \ openssl pkey -pubin -outform der | \ openssl dgst -sha256 -binary | \ openssl enc -base64
Certificate Pinning in Code
import ssl import hashlib import base64 from urllib.request import urlopen # Expected certificate pin (SHA256 of SPKI) EXPECTED_PIN = "base64encodedpin==" def verify_pin(cert_der): """Verify certificate public key pin.""" from cryptography import x509 from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import serialization cert = x509.load_der_x509_certificate(cert_der, default_backend()) spki = cert.public_key().public_bytes( encoding=serialization.Encoding.DER, format=serialization.PublicFormat.SubjectPublicKeyInfo ) pin = base64.b64encode(hashlib.sha256(spki).digest()).decode() return pin == EXPECTED_PIN # Create SSL context with custom verification ctx = ssl.create_default_context() ctx.check_hostname = True ctx.verify_mode = ssl.CERT_REQUIRED
7. mTLS Configuration
Configure mutual TLS authentication:
import ssl # Server-side mTLS server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) server_context.minimum_version = ssl.TLSVersion.TLSv1_2 server_context.load_cert_chain('server.crt', 'server.key') server_context.load_verify_locations('ca.crt') server_context.verify_mode = ssl.CERT_REQUIRED # Require client cert # Client-side mTLS client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) client_context.minimum_version = ssl.TLSVersion.TLSv1_2 client_context.load_cert_chain('client.crt', 'client.key') client_context.load_verify_locations('ca.crt') client_context.check_hostname = True client_context.verify_mode = ssl.CERT_REQUIRED
MCP Server Integration
This skill can leverage the following MCP servers for enhanced capabilities:
| Server | Description | Integration |
|---|---|---|
| TLS MCP Server | Fetch and analyze TLS certificates | Certificate inspection |
| mcp-for-security | SSL/TLS configuration analysis | Vulnerability scanning |
TLS MCP Server (malaya-zemlya)
# Add to Claude claude mcp add tls-mcp -- npx @malaya-zemlya/tls-mcp
Capabilities:
- Fetch certificates from remote hosts
- Analyze certificate chains
- zlint integration for linting
- Local certificate processing
Best Practices
- Use TLS 1.2+ only - Disable TLS 1.0 and 1.1
- Strong cipher suites - Prefer ECDHE and GCM modes
- Certificate rotation - Automate certificate renewal
- OCSP stapling - Enable for performance and privacy
- HSTS headers - Enforce HTTPS connections
- Perfect Forward Secrecy - Use ephemeral key exchange
- Pin certificates carefully - Have backup pins and rotation plan
Process Integration
This skill integrates with the following processes:
- TLS implementationtls-integration.js
- Mutual TLS setupmtls-implementation.js
- Certificate lifecyclecertificate-management.js
Output Format
When executing operations, provide structured output:
{ "operation": "analyze", "target": "server.example.com:443", "status": "success", "certificate": { "subject": "CN=server.example.com", "issuer": "CN=MyOrg Root CA", "validFrom": "2026-01-01T00:00:00Z", "validTo": "2027-01-01T00:00:00Z", "serialNumber": "01", "signatureAlgorithm": "sha256WithRSAEncryption", "keySize": 2048 }, "tls": { "version": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384", "hsts": true, "ocspStapling": true }, "vulnerabilities": [], "grade": "A+" }
Constraints
- Never expose private keys in logs or output
- Validate certificate chains before trusting
- Use secure random number generators
- Store private keys with appropriate permissions (0600)
- Implement certificate revocation checking