
URL: https://wiki.archlinux.org/title/Talk:Transport_Layer_Security

Talk:Transport Layer Security - ArchWiki



Image link with a fake text box leads to another site


Disable SSLv3 this site has an image with a fake text box that links to https://www.cdn77.com/tls-test. So I don't know how to put a note on the wiki about this or just remove the link because it's a fake text box that acts like a fake ad. When I enter a site and it has a text box, I don't expect that it's fake and it will jump to an unknown site. This is a tricky behaviour.

—This unsigned comment is by Babalu (talk) 10:01, 7 September 2020‎. Please sign your posts with ~~~~!

This is what I see on the page. I don't see any "fake text box". -- Lahwaacz (talk) 13:30, 7 September 2020 (UTC)
For me, at the time of this writing, the URL This is what I see on the page is a 404. -- Regid (talk) 11:54, 3 October 2021 (UTC)

Trusting CAs

Extensions on an x509 certificate can constrain it to certain domain names, reducing the risk of a MITM. I don't understand the nuances of SSL so I'm not sure those should be trusted. Just want to note that this feature exists.

e.g.

 X509v3 Name Constraints: critical
 Permitted:
 DNS:.enablesecurity.net
 DNS:.enablesecurity.com
 DNS:.obscure.ws

To inspect a certificate file:

 openssl x509 -in certificate.pem -text -noout

—This unsigned comment is by Danisztls (talk) 16:14, 9 March 2023. Please sign your posts with ~~~~!
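
An added example, not part of the comment above or of the ArchWiki article: Python that reads the Name Constraints block from `openssl x509 -text -noout` output and checks whether a host name falls inside the DNS subtrees the CA is limited to. The sample text, the host names and the function names are constructed for illustration, and treating a leading-dot entry as "subdomains only" is an assumption of this example.

```python
# Constructed sample in the layout printed by `openssl x509 -text -noout`;
# the domains are placeholders and the Excluded entry is added for illustration.
SAMPLE_TEXT = """\
        X509v3 extensions:
            X509v3 Name Constraints: critical
                Permitted:
                  DNS:.example.net
                  DNS:example.org
                Excluded:
                  DNS:internal.example.org
            X509v3 Subject Alternative Name:
                DNS:unrelated.example.com
"""

def parse_name_constraints(text):
    """Collect the DNS subtrees listed under Permitted:/Excluded: (lower-cased)."""
    subtrees = {"permitted": [], "excluded": []}
    in_ext, current = False, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("X509v3 "):          # a new extension header starts
            in_ext, current = s.startswith("X509v3 Name Constraints"), None
        elif in_ext and s in ("Permitted:", "Excluded:"):
            current = s[:-1].lower()
        elif in_ext and current and s.startswith("DNS:"):
            subtrees[current].append(s[4:].lower())
    return subtrees

def in_subtree(host, base):
    # RFC 5280 4.2.1.10: a DNS base covers itself plus names with labels added
    # on the left. Assumption here: a leading-dot base covers subdomains only.
    host = host.lower().rstrip(".")
    if base.startswith("."):
        return host.endswith(base) and host != base
    return host == base or host.endswith("." + base)

def host_allowed(host, subtrees):
    # Excluded always wins; if permitted DNS subtrees exist, one must match.
    if any(in_subtree(host, b) for b in subtrees["excluded"]):
        return False
    permitted = subtrees["permitted"]
    return not permitted or any(in_subtree(host, b) for b in permitted)

if __name__ == "__main__":
    nc = parse_name_constraints(SAMPLE_TEXT)
    for h in ("www.example.net", "example.net", "badexample.org", "db.internal.example.org"):
        print(f"{h:28} {'allowed' if host_allowed(h, nc) else 'rejected'}")
```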

Server-side TLS warnings


Multiple articles have various tips, notes and warnings about TLS. Some of the pages are:

At a glance, most of them look out of date and useless. They do not give explicit instructions on making the configuration secure. I think they should be standardized across pages and the sections themselves, if possible, should provide explicit instructions for making the server secure (e.g. supporting nothing less than TLS 1.3).

--nl6720 (talk) 08:31, 28 May 2026 (UTC)

True. Maybe best effort could be a more curated Server-side TLS section, cherry-picking more existing verbose into it. IMHO, it would be useful to split subsections for web and mail. Mail server may host part of it, it needs updating too (e.g. TLS-RPT, DANE and MTA-STS are not even mentioned yet, no warning against downgrade attacks [1] anywhere, etc.).
WRT TLS v1.3 I'm not sure, I guess 1.3/1.2 with explicit PFS is a regular default these days, with guidance how to disable weak TLS v1.2 (which again easily escapes this article, since it must be server-specific..). While I personally have the unpopular opinion that Arch is pretty useless to platform public servers (if you diverge from packages the project's maintainers use themselves, of course), the TLS version does not make the cut ([2] is a good read regarding mail v1.3).
--Indigo (talk) 13:19, 13 June 2026 (UTC)