{"id":3442,"date":"2025-12-26T20:06:39","date_gmt":"2025-12-26T17:06:39","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/ssl-tls-protokol-guncellemeleri-ve-guvenlik-aciklari\/"},"modified":"2025-12-26T20:06:39","modified_gmt":"2025-12-26T17:06:39","slug":"ssl-tls-protokol-guncellemeleri-ve-guvenlik-aciklari","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/ssl-tls-protokol-guncellemeleri-ve-guvenlik-aciklari\/","title":{"rendered":"SSL\/TLS Protocol Updates and Security Vulnerabilities"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\"><h2><span id=\"SSLTLS_Protokol_Guncellemeleri_Neden_Bu_Kadar_Kritik\">Why Are SSL\/TLS Protocol Updates So Critical?<\/span><\/h2>\n<p>When launching a website or an API, most of us think first about performance, resource usage or scalability. But the moment a security audit, PCI DSS compliance, a KVKK process or a penetration test comes onto the agenda, the picture changes quickly: the topic suddenly starts revolving around <strong>SSL\/TLS protocol versions, cipher suites and known security vulnerabilities<\/strong>. 
Some of the findings we see most often in the audit reports that reach us are TLS 1.0\/1.1 support that is still enabled, weak cipher suites, legacy protocols that were never disabled, and misconfigured HTTP security headers.<\/p>\n<p>In this article, from the perspective we apply in practice every day on the DCHost infrastructure, we will cover <strong>SSL\/TLS protocol updates<\/strong>, the <strong>critical vulnerabilities<\/strong> that emerged in the past and still show up in reports, and the concrete steps you need to take on your own servers. Our aim is to give both technical teams and the owners on the business side clear, actionable answers to questions such as &#8220;Which versions do browsers support? Will we lose older customers? How do we close this finding in the PCI report?&#8221; If your site takes payments, processes user data or carries a corporate brand image, treating the SSL\/TLS side as &#8220;I set it up once, it is done&#8221; is no longer realistic.<\/p>\n<h2><span id=\"SSL039den_TLS039e_Protokol_Surumlerinin_Kisa_Tarihcesi\">From SSL to TLS: A Short History of Protocol Versions<\/span><\/h2>\n<p>Let us clarify the picture first: what we call &#8220;SSL&#8221; today is technically <strong>TLS (Transport Layer Security)<\/strong>. The old SSL versions are no longer considered secure and have been retired completely. 
Despite this, we still frequently see the phrase &#8220;SSL settings&#8221; in tools, panels and documentation, which can cause confusion.<\/p>\n<h3><span id=\"SSL_20_ve_SSL_30_Tarihin_Tozlu_Raflarinda_Kalmalari_Gereken_Surumler\">SSL 2.0 and SSL 3.0: Versions That Belong on the Dusty Shelves of History<\/span><\/h3>\n<p><strong>SSL 2.0<\/strong> (around 1995) and <strong>SSL 3.0<\/strong> (1996) had extremely weak security properties by today&#039;s standards. Various vulnerabilities that surfaced over time (for example, the well-known <strong>POODLE<\/strong> attack against SSL 3.0) led to these versions being abandoned entirely. No current browser or modern TLS library supports them any more; even so, in audits we still find SSLv3 support left enabled &#8220;by accident&#8221; through old libraries or misconfigured servers.<\/p>\n<p>In short: <strong>keep SSL 2.0 and SSL 3.0 disabled under all circumstances<\/strong>. There is no realistic reason to enable them; you would only be enlarging your attack surface.<\/p>\n<h3><span id=\"TLS_10_ve_TLS_11_Yetersiz_Guvenlik_Artik_Resmen_Kullanim_Disi\">TLS 1.0 and TLS 1.1: Insufficient Security, Now Officially Deprecated<\/span><\/h3>\n<p><strong>TLS 1.0 (1999)<\/strong> and <strong>TLS 1.1 (2006)<\/strong> formed the backbone of the web for a long time. 
Over time, however, weaknesses accumulated both in the protocol design and in the cipher suites in use. Attacks built on TLS 1.0 such as <strong>BEAST<\/strong>, together with the use of weak ciphers such as <strong>RC4<\/strong> and <strong>3DES<\/strong>, made it clear that these versions no longer meet the modern threat model.<\/p>\n<p>Browser vendors, standards bodies and the payment industry (PCI SSC) have <strong>officially deprecated<\/strong> TLS 1.0 and 1.1. Many browsers have already disabled these versions; in a PCI DSS audit, a payment page with TLS 1.0 support enabled is very unlikely to come out of the report clean. You may also want to read our article <a href=\"https:\/\/www.dchost.com\/blog\/ssl-tls-guvenlik-guncellemeleri-ne-zaman-nasil-ve-neyi-degistirmelisiniz\/\">When and how should SSL\/TLS security updates be done?<\/a>, where we cover this topic in detail from a workload perspective.<\/p>\n<h3><span id=\"TLS_12_Halen_Omurgayi_Tasiyan_Surum\">TLS 1.2: The Version That Still Carries the Backbone<\/span><\/h3>\n<p><strong>TLS 1.2 (2008)<\/strong> still forms the foundation of many websites and APIs today. 
With support for modern <strong>AEAD ciphers (AES-GCM, ChaCha20-Poly1305)<\/strong>, strong key exchange mechanisms (ECDHE) and a wide range of cipher suites, it remained the &#8220;safe choice&#8221; for a long time, and when properly configured it is still perfectly secure.<\/p>\n<p>The strategy we follow in most projects in practice:<\/p>\n<ul>\n<li><strong>TLS 1.3 + TLS 1.2<\/strong> enabled together<\/li>\n<li>For TLS 1.2, only <strong>strong cipher suites<\/strong> (ECDHE + AES-GCM \/ CHACHA20) active<\/li>\n<li>RC4, 3DES, CBC-based and export-grade ciphers completely disabled<\/li>\n<\/ul>\n<p>This way you keep maximum security with current browsers while preserving compatibility with relatively old clients that still support TLS 1.2.<\/p>\n<h3><span id=\"TLS_13_Sadelik_Hiz_ve_Varsayilan_Olarak_Guvenlik\">TLS 1.3: Simplicity, Speed and Security by Default<\/span><\/h3>\n<p><strong>TLS 1.3 (2018)<\/strong> brought a radical simplification of the protocol design. Complex and error-prone parts (especially legacy key exchange methods and weak cipher suites) were removed entirely. 
The key differences:<\/p>\n<ul>\n<li>Because the handshake has fewer steps, <strong>connection setup is faster<\/strong><\/li>\n<li>The protocol ships only with <strong>strong cipher suites<\/strong>; the risk of selecting a weak cipher disappears<\/li>\n<li><strong>Perfect Forward Secrecy (PFS)<\/strong> effectively becomes mandatory<\/li>\n<li>Features such as 0-RTT can deliver lower latency in certain scenarios (provided they are configured correctly)<\/li>\n<\/ul>\n<p>We covered the details of the server-side TLS 1.3 migration, how Nginx\/Apache should be configured, and additional hardening such as OCSP stapling and HSTS in considerable detail in our <a href=\"https:\/\/www.dchost.com\/blog\/tls-1-3-ve-modern-sifrelerin-sicacik-mutfagi-nginx-apachede-ocsp-stapling-hsts-preload-ve-pfs-nasil-kurulur\/\">TLS 1.3 and modern ciphers guide<\/a>. In this article we focus more on the perspective of <strong>protocol updates and security vulnerabilities<\/strong>.<\/p>\n<h2><span id=\"Tarihi_Guvenlik_Aciklari_Hangi_Dersleri_Cikardik\">Historical Vulnerabilities: What Lessons Did We Learn?<\/span><\/h2>\n<p>Looking at SSL\/TLS history, you will see dozens of named attacks: <strong>BEAST, CRIME, BREACH, POODLE, FREAK, Logjam, DROWN, SWEET32, ROBOT<\/strong> and many more. 
You do not need to memorise all of them; what matters is what these vulnerabilities taught us and how that should be reflected in our server configurations.<\/p>\n<h3><span id=\"BEAST_CRIME_BREACH_Tasarim_ve_Sikistirma_Hatalarinin_Bedeli\">BEAST, CRIME, BREACH: The Price of Design and Compression Mistakes<\/span><\/h3>\n<p><strong>BEAST<\/strong> was an attack that exploited <strong>weaknesses in CBC-mode block cipher handling<\/strong>, specifically in TLS 1.0. The fix was to move to TLS 1.1\/1.2 and to favour modern modes such as GCM over CBC. <strong>CRIME<\/strong> and <strong>BREACH<\/strong>, on the other hand, aimed to leak sensitive data (for example session cookies) through <strong>TLS or HTTP compression<\/strong>.<\/p>\n<p>These attacks taught us the following:<\/p>\n<ul>\n<li><strong>Compression<\/strong> at the protocol level can be dangerous; it should be disabled where possible<\/li>\n<li>Compression at the application layer (for example HTTP) can create risk when it is applied to a response that also carries sensitive data<\/li>\n<li>Encryption can become secure or insecure not only through the algorithm but also through <strong>how it is used<\/strong><\/li>\n<\/ul>\n<h3><span id=\"POODLE_SSL_30039in_Sonunu_Getiren_Saldiri\">POODLE: The Attack That Ended SSL 3.0<\/span><\/h3>\n<p><strong>POODLE<\/strong> (Padding Oracle On Downgraded Legacy Encryption) was an attack that exploited padding-handling flaws in SSL 3.0. 
In addition, in some client\/server combinations it was possible to force a <strong>protocol downgrade<\/strong> and pull a TLS connection back to SSL 3.0. The fix was very clear: <strong>SSL 3.0 was disabled entirely<\/strong> and downgrade-prevention mechanisms (for example TLS_FALLBACK_SCSV) were introduced.<\/p>\n<h3><span id=\"FREAK_Logjam_DROWN_ve_SWEET32_Zayif_ve_Export_Sifreler\">FREAK, Logjam, DROWN and SWEET32: Weak and \u201cExport\u201d Ciphers<\/span><\/h3>\n<p>A significant share of these attacks targeted <strong>weak cipher suites that should have been left in history but were forgotten, still enabled, in some corner<\/strong>. For example:<\/p>\n<ul>\n<li><strong>FREAK<\/strong>: Exploited legacy <strong>export-grade RSA<\/strong> cipher suites<\/li>\n<li><strong>Logjam<\/strong>: Opened the way to attacks through weak Diffie\u2013Hellman parameters (especially 512-bit)<\/li>\n<li><strong>DROWN<\/strong>: Put TLS connections at risk as well, through <strong>SSLv2-enabled services<\/strong> that used the same private key<\/li>\n<li><strong>SWEET32<\/strong>: Made practical attacks possible when large volumes of data were transferred over 64-bit block ciphers (especially 3DES)<\/li>\n<\/ul>\n<p>As a result of these experiences, we now apply the following principles almost by heart:<\/p>\n<ul>\n<li><strong>All export-grade cipher suites<\/strong> must be disabled<\/li>\n<li><strong>64-bit block ciphers such as 3DES<\/strong> must be retired<\/li>\n<li>Diffie\u2013Hellman parameters must be chosen strong enough (2048-bit and above)<\/li>\n<li>The same private key must not be shared across different protocols and services<\/li>\n<\/ul>\n<h3><span id=\"Heartbleed_Protokol_Degil_Uygulama_Kutuphane_Seviyesi_Acik\">Heartbleed: Not a Protocol Flaw but an Implementation (Library) Flaw<\/span><\/h3>\n<p><strong>Heartbleed<\/strong> was <strong>a memory-read bug in the OpenSSL library<\/strong> rather than a flaw in the protocol itself. Its impact was so large, however, that it is still one of the first names mentioned whenever SSL\/TLS comes up. Servers&#039; private keys and sensitive session data could be read remotely.<\/p>\n<p>Heartbleed reminded us of the following:<\/p>\n<ul>\n<li>Using a secure protocol is not enough; you <strong>must keep your libraries up to date<\/strong><\/li>\n<li>Regular security updates for libraries such as OpenSSL, GnuTLS and wolfSSL must be tracked<\/li>\n<li>After a critical vulnerability, a package update alone is not enough; <strong>renewing certificates and keys<\/strong> may also be required<\/li>\n<\/ul>\n<h2><span id=\"Bugun_Icin_Guvenli_SSLTLS_Yapilandirmasinin_Temel_Taslari\">The Building Blocks of a Secure SSL\/TLS Configuration Today<\/span><\/h2>\n<p>Let us set theory aside and get practical. When configuring a new web server, <a href=\"https:\/\/www.dchost.com\/tr\/vps\">VPS<\/a> or <a href=\"https:\/\/www.dchost.com\/tr\/fiziksel-sunucu\">dedicated server<\/a> at DCHost, we use the following framework for SSL\/TLS:<\/p>\n<h3><span id=\"1_Sadece_TLS_12_ve_TLS_13_Acik_Olsun\">1. Enable Only TLS 1.2 and TLS 1.3<\/span><\/h3>\n<p>Our general rule:<\/p>\n<ul>\n<li><strong>TLS 1.3<\/strong>: Enabled and preferred<\/li>\n<li><strong>TLS 1.2<\/strong>: Enabled, but only with strong ciphers<\/li>\n<li><strong>TLS 1.0, TLS 1.1, SSLv3, SSLv2<\/strong>: Completely disabled<\/li>\n<\/ul>\n<p>Leaving TLS 1.0\/1.1 enabled for compatibility with old enterprise clients, embedded devices or very old operating systems is still debated in some environments. But especially on <strong>sites that take payments<\/strong> and in <strong>applications that process sensitive data<\/strong>, this approach is hard to defend. We strongly recommend a look at our <a href=\"https:\/\/www.dchost.com\/blog\/pci-dss-uyumlu-e-ticaret-hosting-rehberi\/\">PCI DSS-compliant e-commerce hosting guide<\/a>, where we cover the PCI DSS perspective in detail.<\/p>\n<h3><span id=\"2_Modern_ve_Guclu_Sifre_Paketleri_Kullanin\">2. Use Modern and Strong Cipher Suites<\/span><\/h3>\n<p>When selecting cipher suites, the goal is to provide both <strong>security<\/strong> and a reasonable level of <strong>compatibility<\/strong>. 
The general outline we recommend:<\/p>\n<ul>\n<li><strong>Key exchange<\/strong>: ECDHE (or at least DHE), so that Perfect Forward Secrecy is provided<\/li>\n<li><strong>Encryption<\/strong>: AEAD modes such as AES-GCM or ChaCha20-Poly1305<\/li>\n<li><strong>Signature algorithm<\/strong>: RSA 2048+ or ECDSA P-256\/P-384<\/li>\n<li><strong>Must be disabled<\/strong>: RC4, 3DES, IDEA, all export-grade ciphers, plain RSA key exchange (no forward secrecy)<\/li>\n<\/ul>\n<p>If you serve a mobile-heavy audience in particular, the performance advantage of <strong>ChaCha20-Poly1305<\/strong> cipher suites can be noticeable in some cases.<\/p>\n<h3><span id=\"3_Sertifika_Anahtar_Uzunlugu_ve_Turu\">3. Certificate Key Length and Type<\/span><\/h3>\n<p>The most widely used key type in practice today is still <strong>RSA<\/strong>. 
For a secure starting point:<\/p>\n<ul>\n<li>Use at least <strong>RSA 2048-bit<\/strong> keys<\/li>\n<li>In environments with high security requirements, 3072 or 4096 bits may be preferred (along with the performance cost)<\/li>\n<li>In performance-critical environments, a dual setup (RSA + ECDSA) with <strong>ECDSA<\/strong> certificates gives good results for both speed and compatibility<\/li>\n<\/ul>\n<p>Our <a href=\"https:\/\/www.dchost.com\/blog\/nginx-apachede-ecdsa-rsa-ikili-ssl-uyumluluk-mu-hiz-mi-ikisini-birden-nasil-alirsin\/\">ECDSA + RSA dual SSL guide<\/a>, where we explain dual certificate usage, browser compatibility and Nginx\/Apache configuration with practical examples, will be useful for teams that want to strengthen their hand on this topic.<\/p>\n<h2><span id=\"Sunucu_Tarafinda_Protokol_Guncellemelerini_Nasil_Yonetmelisiniz\">How Should You Manage Protocol Updates on the Server Side?<\/span><\/h2>\n<p>In theory everything is clear; but in practice, how do we keep the operating system, web server, control panel and certificate side aligned? Let us summarise step by step the approach we recommend you follow on DCHost.<\/p>\n<h3><span id=\"1_Isletim_Sistemi_ve_TLS_Kutuphanelerini_Guncel_Tutun\">1. Keep the Operating System and TLS Libraries Up to Date<\/span><\/h3>\n<p>On many Linux distributions, the available <strong>TLS versions and cipher suites<\/strong> depend largely on the system&#039;s version of <strong>OpenSSL or similar libraries<\/strong>. 
Therefore:<\/p>\n<ul>\n<li>Use distributions whose support period has not ended (LTS releases)<\/li>\n<li>Pull security updates regularly, test them and roll them out<\/li>\n<li>Follow OpenSSL updates especially closely<\/li>\n<\/ul>\n<p>We explained in detail in our <a href=\"https:\/\/www.dchost.com\/blog\/yeni-vpste-ilk-24-saat-guncelleme-guvenlik-duvari-ve-kullanici-hesaplari\/\">first 24 hours on a new VPS guide<\/a> which steps you need to take within the first 24 hours of bringing up a new VPS; be sure to make TLS security part of that process.<\/p>\n<h3><span id=\"2_Web_Sunucusu_NginxApache_Yapilandirmasini_Merkezilestirin\">2. Centralise the Web Server (Nginx\/Apache) Configuration<\/span><\/h3>\n<p>If you host more than one site on the same server, centralising the TLS settings through <strong>a shared ssl.conf or include file<\/strong>, instead of managing them separately in every vhost, reduces both the risk of mistakes and the maintenance cost. Our recommendation:<\/p>\n<ul>\n<li>Define a shared <strong>SSL\/TLS profile file<\/strong> used by all sites<\/li>\n<li>Set the protocol versions, cipher suites, OCSP stapling, HSTS and similar settings there<\/li>\n<li>When adding a new site, customise only the certificate\/redirect part<\/li>\n<\/ul>\n<p>This approach is a lifesaver especially for agencies and teams that manage multiple projects. 
In our <a href=\"https:\/\/www.dchost.com\/blog\/ajanslar-ve-freelancerlar-icin-hosting-mimarisi-20-wordpress-sitesini-tek-altyapida-guvenle-yonetmek\/\">hosting architecture guide for agencies<\/a> we shared, with realistic examples, how we consolidated TLS and other security settings while managing 20+ WordPress sites on a single infrastructure.<\/p>\n<h3><span id=\"3_Kontrol_Panellerinde_cPanel_DirectAdmin_vb_TLS_Profillerini_Dogru_Secin\">3. Choose the Right TLS Profiles in Control Panels (cPanel, DirectAdmin, etc.)<\/span><\/h3>\n<p>Many control panels let you choose TLS profiles such as <strong>&#8220;Modern&#8221;, &#8220;Intermediate&#8221;, &#8220;Legacy&#8221;<\/strong> through the interface. Our general approach:<\/p>\n<ul>\n<li>Use the <strong>Modern or Intermediate<\/strong> profile by default<\/li>\n<li>Avoid options such as &#8220;Legacy&#8221; or &#8220;Support old clients&#8221; unless there is truly no alternative<\/li>\n<li>If there is a requirement for old clients, isolate it on <strong>a separate subdomain or a separate server<\/strong><\/li>\n<\/ul>\n<p>In the managed hosting packages on DCHost, we periodically review and update these profiles according to regulations and the most current security guidelines.<\/p>\n<h2><span id=\"Tarayici_ve_Uygulama_Uyumlulugu_Eski_Musteriyi_Kaybetmeden_Guvenligi_Artirmak\">Browser and Application Compatibility: Raising Security Without Losing Older Customers<\/span><\/h2>\n<p>The question that causes the most confusion in practice: <strong>&#8220;If I disable TLS 1.0 and 1.1, how many visitors will I lose?&#8221;<\/strong> There is no single global answer; it depends on your audience. 
Current data, however, show the following:<\/p>\n<ul>\n<li>Almost all modern desktop browsers <strong>support at least TLS 1.2<\/strong><\/li>\n<li>The vast majority of smartphones (especially those released in the last 5\u20137 years) are compatible with TLS 1.2 and 1.3<\/li>\n<li>The truly risky segment is very old Android versions that no longer receive updates, and embedded devices<\/li>\n<\/ul>\n<p>If you believe such old devices are common in your customer base, the strategy you can follow:<\/p>\n<ol>\n<li>First, only collect <strong>statistics<\/strong> (for example, analyse the TLS versions in your access logs)<\/li>\n<li>Build a <strong>migration plan<\/strong> based on the picture you see (gradual deprecation)<\/li>\n<li>If necessary, offer a more relaxed profile aimed only at old clients through <strong>a dedicated subdomain<\/strong><\/li>\n<\/ol>\n<p>When planning such technical transitions, do not forget the HTTP-level security headers either. Correctly configured headers such as HSTS, CSP and X-Frame-Options, combined with TLS updates, deliver a serious security gain. 
We explained the detailed settings step by step in our <a href=\"https:\/\/www.dchost.com\/blog\/http-guvenlik-basliklari-rehberi-hsts-csp-x-frame-options-ve-referrer-policy-dogru-nasil-kurulur\/\">HTTP security headers guide<\/a>.<\/p>\n<h2><span id=\"Regulasyon_ve_Standartlar_PCI_DSS_KVKK_ve_Kurumsal_Gereksinimler\">Regulations and Standards: PCI DSS, KVKK and Corporate Requirements<\/span><\/h2>\n<p>Even when you are convinced technically, the actual trigger is most often <strong>audit reports<\/strong> and <strong>compliance requirements<\/strong>. In particular:<\/p>\n<ul>\n<li><strong>PCI DSS<\/strong>: In practice does not accept the use of TLS 1.0\/1.1 on sites that process or store credit card data<\/li>\n<li><strong>KVKK \/ GDPR<\/strong>: At a high level require &#8220;reasonable security measures&#8221; to be taken; weaknesses on the TLS side can raise serious questions after a breach<\/li>\n<li><strong>Corporate audits<\/strong>: The internal security policies of large enterprises are often even stricter than the regulations<\/li>\n<\/ul>\n<p>For sites within PCI DSS scope hosted on DCHost, we pay particular attention to setting up the TLS profiles, HTTP security headers and certificate renewal processes in an audit-ready way. 
As we explain in our <a href=\"https:\/\/www.dchost.com\/blog\/ssl-sertifika-guvenlik-guncellemeleri-net-ve-uygulanabilir-yol-haritasi\/\">SSL certificate security updates roadmap<\/a>, security updates need to be treated not as a one-off operation but as a <strong>continuous process<\/strong>.<\/p>\n<h2><span id=\"Protokol_Seviyesinin_Otesi_HSTS_OCSP_Stapling_HTTP2_ve_HTTP3\">Beyond the Protocol Level: HSTS, OCSP Stapling, HTTP\/2 and HTTP\/3<\/span><\/h2>\n<p>Choosing a TLS version alone is not enough for a secure HTTPS experience. A few important components that complement the protocol level also have to be configured correctly.<\/p>\n<h3><span id=\"HSTS_HTTP_Strict_Transport_Security\">HSTS (HTTP Strict Transport Security)<\/span><\/h3>\n<p><strong>HSTS<\/strong> is an HTTP response header (<code>Strict-Transport-Security<\/code>) that tells the browser to connect to your site <strong>only over HTTPS<\/strong> for a given period, the <code>max-age<\/code> value in seconds. 
As a result:<\/p>\n<ul>\n<li>Some attack vectors in the HTTP-to-HTTPS redirect step are closed: once the policy is cached, an attacker on the path never gets to see or rewrite the initial plaintext request (the classic SSL-stripping scenario)<\/li>\n<li>Even if the user types &#8220;http:\/\/&#8221; by hand, the browser goes to HTTPS automatically<\/li>\n<\/ul>\n<p>HSTS durations and the <code>includeSubDomains<\/code> option must be set carefully, however: a badly designed HSTS policy, combined with a faulty certificate or misconfigured subdomains, can lock users out, and because the browser caches the policy the outage lasts until <code>max-age<\/code> expires. Roll it out with a short <code>max-age<\/code> first and raise it only once every hostname covered by the policy serves a valid certificate.<\/p>\n<h3><span id=\"OCSP_Stapling_ve_Sertifika_Iptal_Kontrolleri\">OCSP Stapling and Certificate Revocation Checks<\/span><\/h3>\n<p>Browsers use <strong>OCSP<\/strong> to check whether a certificate is still valid (it may have been revoked, for example, because the key leaked). <strong>OCSP stapling<\/strong> means the server fetches that response in advance and &#8220;staples&#8221; it to the TLS handshake. 
As a result:<\/p>\n<ul>\n<li>The client no longer needs to query the certificate authority directly<\/li>\n<li>Latency drops and privacy improves, since the CA no longer learns which sites each client visits<\/li>\n<\/ul>\n<p>We showed the OCSP stapling settings for Nginx and Apache, together with a TLS 1.3 configuration, in practical examples in our <a href=\"https:\/\/www.dchost.com\/blog\/nginxte-tls-1-3-ocsp-stapling-ve-brotli-nasil-kurulur-hizli-ve-guvenli-httpsnin-sicacik-rehberi\/\">Nginx TLS 1.3 guide<\/a>.<\/p>\n<h3><span id=\"HTTP2_ve_HTTP3_ile_Performans_ve_Guvenligi_Birlikte_Ele_Almak\">Handling Performance and Security Together with HTTP\/2 and HTTP\/3<\/span><\/h3>\n<p>Because <strong>HTTP\/2<\/strong> and <strong>HTTP\/3 (QUIC)<\/strong> are built directly on top of TLS, protocol updates affect the performance side as well. For example:<\/p>\n<ul>\n<li>For HTTP\/2, a modern TLS profile is effectively a requirement: browsers only negotiate it over TLS 1.2 or newer with ALPN, and the HTTP\/2 specification blacklists the older cipher suites<\/li>\n<li>HTTP\/3 runs TLS 1.3 inside QUIC, and its connection setup works differently, since the handshake is part of the QUIC transport rather than layered over TCP<\/li>\n<\/ul>\n<p>So &#8220;let&#039;s just update the TLS version and keep performance as it was&#8221; is usually not an option; the good news is that a <strong>correctly configured TLS 1.3 + HTTP\/2\/3 combination<\/strong> gives you security and speed at the same time.<\/p>\n<h2><span id=\"DCHost_Altyapisinda_SSLTLS_Guvenlik_Stratejimiz\">Our SSL\/TLS Security Strategy on the DCHost Infrastructure<\/span><\/h2>\n<p>At DCHost, whether it is <a href=\"https:\/\/www.dchost.com\/tr\/web-hosting\">shared hosting<\/a>, a VPS, a dedicated server or colocation, we aim to offer a <strong>&#8220;secure by default&#8221;<\/strong> SSL\/TLS profile at every layer. 
What do we do in practice?<\/p>\n<ul>\n<li>On new servers we base the configuration on <strong>TLS 1.2 as the minimum and TLS 1.3 as the preferred version<\/strong><\/li>\n<li>Cipher suites are built around ECDHE + AES-GCM \/ ChaCha20-Poly1305, leaving no room for weak ciphers<\/li>\n<li>On panels such as cPanel\/DirectAdmin, we make profile settings optimized for the balance between security and compatibility the default<\/li>\n<li>We manage SSL certificate renewal and automation in a way that mirrors the approach described in our <a href=\"https:\/\/www.dchost.com\/blog\/ssl-sertifika-otomasyonu-inovasyonlari-acme-dns-01-ve-cok-kiracili-mimariler\/\">ACME-based automation guide<\/a><\/li>\n<\/ul>\n<p>In addition, for critical workloads (e-commerce, payment gateways, panels holding sensitive data and so on) we design custom TLS profiles together with our customers, test them in staging environments and only then take them live.<\/p>\n<h2><span id=\"Adim_Adim_Yol_Haritasi_Kendi_Sitenizde_Neleri_Kontrol_Etmelisiniz\">Step-by-Step Roadmap: What Should You Check on Your Own Site?<\/span><\/h2>\n<p>If, having read the theory, you have reached the point of &#8220;so what exactly do I need to do now?&#8221;, you can work through the following checklist step by step:<\/p>\n<ol>\n<li><strong>Scan the current state:<\/strong> use tools such as SSL Labs to analyze your site&#039;s TLS versions, cipher suites and certificate chain.<\/li>\n<li><strong>Disable TLS 1.0\/1.1:<\/strong> once your access-log statistics confirm it is safe to do so, switch these versions off in stages or outright.<\/li>\n<li><strong>Switch to strong cipher 
suites:<\/strong> build a list based on ECDHE + AES-GCM \/ ChaCha20-Poly1305 and disable the weak ciphers (static RSA key exchange, CBC modes, 3DES, RC4 and anything &#8220;export&#8221; grade).<\/li>\n<li><strong>Enable TLS 1.3:<\/strong> if your operating system and web server support it (OpenSSL 1.1.1 or newer), switch TLS 1.3 on.<\/li>\n<li><strong>Add HSTS and OCSP stapling:<\/strong> deploy the HTTP security headers and certificate revocation checks correctly.<\/li>\n<li><strong>Set up automatic certificate renewal:<\/strong> build ACME-based automation for Let&#039;s Encrypt or commercial certificates.<\/li>\n<li><strong>Schedule regular scans:<\/strong> re-scan your TLS configuration at least 2\u20134 times a year and follow up on the findings.<\/li>\n<li><strong>Do not forget the application layer:<\/strong> fix application-level mistakes as well, such as mixed content and cookies set without the <code>Secure<\/code> flag.<\/li>\n<\/ol>\n<h2><span id=\"Sonuc_ve_DCHost_ile_Guvenli_HTTPS_Yolculugu\">Conclusion and a Secure HTTPS Journey with DCHost<\/span><\/h2>\n<p>The SSL\/TLS protocol is not a static structure you set up once and forget; it is a living system that <strong>keeps evolving<\/strong>, is adjusted in response to new attacks and is updated together with the browser ecosystem. Every vulnerability we saw along the road from SSL 2.0\/3.0 to TLS 1.3 helped build the simpler, faster and more secure-by-default protocol world we have today. 
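<\/p>\n<p>Steps 2, 3 and 5 of the checklist, together with the HSTS caveat from the section above, can be turned into an automated policy check. The Python script below is an added example, not code from the original article or from DCHost; the <code>TlsConfig<\/code> shape, the severity levels and the two constructed configurations are assumptions made for the example. It classifies each OpenSSL-style cipher name in an <code>ssl_ciphers<\/code> list as strong, legacy-only or weak, flags SSL\/TLS 1.0\/1.1 if enabled, parses the <code>Strict-Transport-Security<\/code> value and warns about the rollout hazards (a long <code>max-age<\/code> combined with <code>includeSubDomains<\/code>, or <code>preload<\/code> without the values the browser preload list requires), and reports missing OCSP stapling. A weak configuration is audited beside a hardened one so the findings can be compared.<\/p>

```python
from dataclasses import dataclass
from typing import List, Optional

# Protocol names as nginx ssl_protocols / OpenSSL spell them; none of these may stay enabled.
LEGACY_PROTOCOLS = {'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1'}

# Substrings of OpenSSL cipher names that make a suite unacceptable, with the reason.
WEAK_MARKERS = [
    ('NULL', 'no encryption'),
    ('EXP', 'export-grade key size (FREAK / Logjam class)'),
    ('RC4', 'RC4 is broken'),
    ('DES', 'DES / 3DES 64-bit block cipher (SWEET32)'),
    ('MD5', 'MD5-based MAC'),
    ('ADH', 'anonymous DH, no server authentication'),
    ('AECDH', 'anonymous ECDH, no server authentication'),
]
ONE_DAY = 86400
ONE_YEAR = 31536000   # minimum max-age the browser HSTS preload list accepts


@dataclass
class Finding:
    severity: str   # 'high' (must fix), 'medium' (should fix) or 'info'
    item: str       # protocol, cipher name or header the finding is about
    message: str


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


@dataclass
class TlsConfig:
    protocols: List[str]          # e.g. the tokens of nginx ssl_protocols
    ciphers: str                  # OpenSSL cipher list of TLS 1.2 suites (nginx ignores it for TLS 1.3)
    hsts: Optional[str] = None    # Strict-Transport-Security value, None if the header is not sent
    ocsp_stapling: bool = False


def classify_cipher(name: str):
    '''Return ('strong' | 'legacy' | 'weak', reason) for one OpenSSL-style suite name.'''
    if name.startswith('TLS_'):
        return 'strong', 'TLS 1.3 suite: ephemeral key exchange and AEAD by construction'
    for marker, reason in WEAK_MARKERS:
        if marker in name:
            return 'weak', reason
    if not (name.startswith('ECDHE-') or name.startswith('DHE-')):
        return 'weak', 'static RSA key exchange, no forward secrecy'
    if name.startswith('DHE-'):
        return 'legacy', 'finite-field DH; safe only with 2048-bit or larger parameters'
    if not ('GCM' in name or 'CHACHA20' in name or 'CCM' in name):
        return 'legacy', 'CBC suite (BEAST / Lucky13 family); keep only in a legacy-client profile'
    return 'strong', 'ECDHE key exchange with an AEAD cipher'


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    '''Parse a Strict-Transport-Security value; None when max-age is missing or malformed.'''
    max_age, subs, preload = None, False, False
    for directive in value.split(';'):
        key, _, val = directive.strip().partition('=')
        key = key.strip().lower()
        if key == 'max-age':
            if not val.strip().isdigit():
                return None
            max_age = int(val.strip())
        elif key == 'includesubdomains':
            subs = True
        elif key == 'preload':
            preload = True
    return None if max_age is None else HstsPolicy(max_age, subs, preload)


def audit(cfg: TlsConfig) -> List[Finding]:
    '''Checklist steps 2, 3 and 5 applied to one configuration.'''
    out: List[Finding] = []
    for proto in cfg.protocols:
        if proto in LEGACY_PROTOCOLS:
            out.append(Finding('high', proto, 'legacy protocol enabled; disable it'))
    if 'TLSv1.3' not in cfg.protocols:
        out.append(Finding('medium', 'TLSv1.3', 'not enabled'))
    for token in cfg.ciphers.split(':'):
        token = token.strip()
        if not token or token[0] in '!@':
            continue                         # exclusions and ordering keywords add no suites
        if '-' not in token and not token.startswith('TLS_'):
            out.append(Finding('info', token, 'alias; expand it with openssl ciphers -v before auditing'))
            continue
        verdict, reason = classify_cipher(token)
        if verdict != 'strong':
            out.append(Finding('high' if verdict == 'weak' else 'medium', token, reason))
    hdr = 'Strict-Transport-Security'
    if cfg.hsts is None:
        out.append(Finding('medium', hdr, 'header not sent'))
    else:
        pol = parse_hsts(cfg.hsts)
        if pol is None:
            out.append(Finding('high', hdr, 'malformed value; browsers ignore the header'))
        else:
            if pol.max_age < ONE_DAY:
                out.append(Finding('info', hdr, 'max-age under one day: fine for a rollout, raise it once stable'))
            if pol.preload and (pol.max_age < ONE_YEAR or not pol.include_subdomains):
                out.append(Finding('medium', hdr, 'preload needs max-age of at least one year and includeSubDomains'))
            if pol.include_subdomains and pol.max_age >= ONE_YEAR:
                out.append(Finding('info', hdr, 'long max-age with includeSubDomains: every subdomain must keep a valid certificate'))
    if not cfg.ocsp_stapling:
        out.append(Finding('info', 'OCSP stapling', 'not enabled'))
    return out


def passes(cfg: TlsConfig) -> bool:
    '''True when the audit raises nothing of severity high.'''
    return not any(f.severity == 'high' for f in audit(cfg))


# Two constructed configurations: the kind of profile an old panel ships, and a hardened one.
WEAK_CONFIG = TlsConfig(protocols=['TLSv1', 'TLSv1.1', 'TLSv1.2'],
                        ciphers='ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:DES-CBC3-SHA:RC4-SHA')
HARDENED_CONFIG = TlsConfig(protocols=['TLSv1.2', 'TLSv1.3'],
                            ciphers='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:'
                                    'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:'
                                    'ECDHE-RSA-AES256-GCM-SHA384',
                            hsts='max-age=63072000; includeSubDomains; preload', ocsp_stapling=True)

if __name__ == '__main__':
    for label, cfg in (('weak', WEAK_CONFIG), ('hardened', HARDENED_CONFIG)):
        print(label, 'PASS' if passes(cfg) else 'FAIL')
        for f in audit(cfg):
            print(f'  [{f.severity}] {f.item}: {f.message}')
```

<p>The classifier only understands explicit suite names; OpenSSL aliases such as <code>HIGH<\/code> or <code>ECDHE+AESGCM<\/code> are reported so you can expand them with <code>openssl ciphers -v HIGH<\/code> (or whatever the alias is) before auditing. Remember that in nginx the TLS 1.3 suites are not governed by <code>ssl_ciphers<\/code>, so this audit is about the TLS 1.2 list; TLS 1.3 suites are accepted as strong whenever they appear.<\/p>\n<p>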
Whether those gains reach your own site, however, depends on the concrete steps you take on the server side.<\/p>\n<p>At DCHost, whether you run a small blog, a high-traffic e-commerce site or a custom SaaS application, we focus on supporting your infrastructure with <strong>modern TLS profiles, automated certificate renewal and audit-ready security settings<\/strong>. If you want to review your current hosting environment, plan a new VPS or dedicated server, or modernize the TLS side of your colocation infrastructure, we would be glad to draw up a concrete roadmap together with our technical team. Do not postpone the next step toward a secure, fast and sustainable HTTPS architecture; when protocol updates and vulnerabilities are managed in a controlled way, before they pile up over time, they stop being something to fear.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Contents1 Why Are SSL\/TLS Protocol Updates So Critical?2 From SSL to TLS: A Brief History of Protocol Versions2.1 SSL 2.0 and SSL 3.0: Versions That Belong on History&#039;s Dusty Shelves2.2 TLS 1.0 and TLS 1.1: Insufficient Security, Now Officially Deprecated2.3 TLS 1.2: The Version Still Carrying the Backbone2.4 TLS 1.3: Simplicity, Speed and Security by Default3 Historical Vulnerabilities: What Lessons 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3443,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24,33,25],"tags":[],"class_list":["post-3442","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hosting","category-nasil-yapilir","category-sunucu"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/3442","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/comments?post=3442"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/3442\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media\/3443"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media?parent=3442"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/categories?post=3442"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/tags?post=3442"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}