{"id":4163,"date":"2026-01-04T21:27:57","date_gmt":"2026-01-04T18:27:57","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/ssl-tls-protokol-guncellemeleri-modern-https-icin-yol-haritasi\/"},"modified":"2026-01-04T21:27:57","modified_gmt":"2026-01-04T18:27:57","slug":"ssl-tls-protokol-guncellemeleri-modern-https-icin-yol-haritasi","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/ssl-tls-protokol-guncellemeleri-modern-https-icin-yol-haritasi\/","title":{"rendered":"SSL\/TLS Protocol Updates: A Roadmap for Modern HTTPS"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\"><p>You have probably experienced how a small configuration change on the SSL\/TLS side, made once every few years, can affect your entire infrastructure. On one side, browsers aggressively disable old protocols; on the other, regulations such as PCI DSS and KVKK set expectations for a minimum TLS version and cipher suite\u2026 The result: saying &#8220;HTTPS is working&#8221; is no longer enough; which <strong>SSL\/TLS protocol updates<\/strong> you apply, when and how, has become critical.<\/p>\n<p>Across the hundreds of projects we host at DCHost, the common thread is this: most problems do not stem from the certificate but from <strong>outdated protocol and cipher settings<\/strong>. In particular, old TLS versions left enabled, weak ciphers being negotiated, and the absence of modern features such as HSTS and OCSP Stapling hold you back on both the security and the performance side. In this article, focusing on practice rather than theory, we lay out a clear roadmap for modern HTTPS: which TLS versions to disable, which to require, which cipher suites to choose, and how to put all of this into practice in <a href=\"https:\/\/www.dchost.com\/tr\/web-hosting\">shared hosting<\/a>, <a href=\"https:\/\/www.dchost.com\/tr\/vps\">VPS<\/a> and <a href=\"https:\/\/www.dchost.com\/tr\/fiziksel-sunucu\">dedicated server<\/a> environments.<\/p>\n<div id=\"toc_container\" class=\"toc_transparent no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#SSL_ve_TLS_Kisaca_Neyi_Guncelliyoruz\"><span class=\"toc_number toc_depth_1\">1<\/span> SSL and TLS in Brief: What Are We Updating?<\/a><\/li><li><a href=\"#Protokol_Surumlerinin_Evrimi_SSL_208217dan_TLS_138217e\"><span class=\"toc_number toc_depth_1\">2<\/span> The Evolution of Protocol Versions: From SSL 2.0 to TLS 1.3<\/a><ul><li><a href=\"#Artik_Kesinlikle_Kapatmaniz_Gereken_Eski_Surumler\"><span class=\"toc_number toc_depth_2\">2.1<\/span> Old Versions You Must Definitely Disable Now<\/a><\/li><li><a href=\"#Bugunun_Gercek_Standardi_TLS_12_ve_TLS_13\"><span class=\"toc_number toc_depth_2\">2.2<\/span> Today&#8217;s Real Standard: TLS 1.2 and TLS 1.3<\/a><\/li><\/ul><\/li><li><a href=\"#Sifre_Takimlari_Cipher_Suites_ve_Guvenli_Varsayilanlar\"><span class=\"toc_number toc_depth_1\">3<\/span> Cipher Suites and Secure Defaults<\/a><ul><li><a href=\"#Guncel_Bir_Yapilandirmada_Olmasi_Gereken_Ozellikler\"><span class=\"toc_number toc_depth_2\">3.1<\/span> Features an Up-to-Date Configuration Must Have<\/a><\/li><\/ul><\/li><li><a href=\"#Tarayici_ve_Uygulama_Ekosistemindeki_Guncellemeler\"><span class=\"toc_number toc_depth_1\">4<\/span> Updates in the Browser and Application Ecosystem<\/a><\/li><li><a href=\"#Sunucu_Tarafinda_Yapmaniz_Gereken_Somut_Ayarlar\"><span class=\"toc_number toc_depth_1\">5<\/span> Concrete Settings You Need to Make on the Server Side<\/a><\/li><li><a href=\"#PCI_DSS_KVKK_ve_Regulasyon_Perspektifinden_TLS\"><span class=\"toc_number toc_depth_1\">6<\/span> TLS from the PCI DSS, KVKK and Regulatory Perspective<\/a><\/li><li><a href=\"#DCHost_Ortaminda_Guncel_TLS_Stratejisi\"><span class=\"toc_number toc_depth_1\">7<\/span> An Up-to-Date TLS Strategy in the DCHost Environment<\/a><\/li><li><a href=\"#SSL_Sertifika_ve_TLS_Guncellemelerini_Otomatiklestirmek\"><span class=\"toc_number toc_depth_1\">8<\/span> Automating SSL Certificate and TLS Updates<\/a><\/li><li><a href=\"#Adim_Adim_TLS_Guncelleme_Plani_Nereden_Baslamali\"><span class=\"toc_number toc_depth_1\">9<\/span> Step-by-Step TLS Update Plan: Where to Start?<\/a><\/li><li><a href=\"#Sonuc_TLS8217i_Bir_Defalik_Proje_Degil_Surekli_Bir_Surec_Olarak_Gormek\"><span class=\"toc_number toc_depth_1\">10<\/span> Conclusion: Treating TLS as a Continuous Process, Not a One-Off Project<\/a><\/li><\/ul><\/div>\n<h2><span id=\"SSL_ve_TLS_Kisaca_Neyi_Guncelliyoruz\">SSL and TLS in Brief: What Are We Updating?<\/span><\/h2>\n<p>Let&#8217;s first look at the big picture. SSL\/TLS does three fundamental jobs:<\/p>\n<ul>\n<li>Proves that the server really belongs to the domain name it claims (authentication)<\/li>\n<li>Encrypts the traffic between client and server (confidentiality)<\/li>\n<li>Guarantees that the data has not been modified in transit (integrity)<\/li>\n<\/ul>\n<p>If you want to see how this mechanism works in a broader context, you can also take a look at <a href=\"https:\/\/www.dchost.com\/blog\/web-hosting-nedir-domain-dns-sunucu-ve-ssl-nasil-birlikte-calisir\/\">our guide explaining how domain, DNS, server and SSL work together<\/a>.<\/p>\n<p>When we talk about protocol updates, we are actually talking about three layers:<\/p>\n<ul>\n<li><strong>Protocol version:<\/strong> SSL 2.0\/3.0, TLS 1.0\/1.1\/1.2\/1.3 and so on<\/li>\n<li><strong>Cipher suites:<\/strong> combinations of key exchange + encryption + hash algorithm, such as ECDHE-RSA-AES128-GCM-SHA256<\/li>\n<li><strong>Additional security features:<\/strong> HSTS, OCSP Stapling, HTTP\/2\u2013HTTP\/3, SNI, ALPN, etc.<\/li>\n<\/ul>\n<p>A modern HTTPS configuration relies not only on a valid certificate but on <strong>up-to-date protocol versions and correctly chosen cipher suites<\/strong>. Many vulnerabilities (POODLE, BEAST, CRIME, ROBOT, etc.) exploit weaknesses in exactly these layers.<\/p>\n<h2><span id=\"Protokol_Surumlerinin_Evrimi_SSL_208217dan_TLS_138217e\">The Evolution of Protocol Versions: From SSL 2.0 to TLS 1.3<\/span><\/h2>\n<p>You have surely heard the advice &#8220;disable the old versions&#8221; in the SSL\/TLS world. It is far healthier to do this with an understanding of the historical development rather than by rote.<\/p>\n<h3><span id=\"Artik_Kesinlikle_Kapatmaniz_Gereken_Eski_Surumler\">Old Versions You Must Definitely Disable Now<\/span><\/h3>\n<ul>\n<li><strong>SSL 2.0 and SSL 3.0:<\/strong> Completely broken for years. Practically exploitable with attacks such as POODLE. They must be <strong>disabled without exception<\/strong> in every environment.<\/li>\n<li><strong>TLS 1.0:<\/strong> Vulnerable to attacks such as BEAST and Lucky13; abandoned by PCI DSS and the major browsers. Absolutely unacceptable for e-commerce or for data within the scope of KVKK.<\/li>\n<li><strong>TLS 1.1:<\/strong> Better than TLS 1.0 but weak by modern standards. The major browsers have already disabled it.<\/li>\n<\/ul>\n<p>In short: if you are building a new configuration today, <strong>SSLv2, SSLv3, TLS 1.0 and TLS 1.1 must be disabled<\/strong> without exception. If a legacy enterprise application demands these versions, the solution is not to leave them enabled but to update the application.<\/p>\n<h3><span id=\"Bugunun_Gercek_Standardi_TLS_12_ve_TLS_13\">Today&#8217;s Real Standard: TLS 1.2 and TLS 1.3<\/span><\/h3>\n<p>For secure and performant HTTPS there are two versions you need to focus on:<\/p>\n<ul>\n<li><strong>TLS 1.2:<\/strong> Still the de facto standard. Offers broad compatibility, strong ciphers and HTTP\/2 support. Considered secure as long as you disable the weak ciphers.<\/li>\n<li><strong>TLS 1.3:<\/strong> Offers advantages such as a much faster handshake, a simpler protocol and allowing only modern cipher suites. Mandatory for HTTP\/3.<\/li>\n<\/ul>\n<p>Recommended minimum configuration:<\/p>\n<ul>\n<li><strong>Enable only TLS 1.2 and TLS 1.3<\/strong><\/li>\n<li>Disable weak TLS 1.2 cipher suites (CBC, 3DES, RC4, etc.)<\/li>\n<li>Where possible, set server preference so that clients are steered to TLS 1.3 automatically<\/li>\n<\/ul>\n<p>If you want to examine the practical effects of TLS 1.3 and its relationship with HTTP\/2 and HTTP\/3 in more detail, <a href=\"https:\/\/www.dchost.com\/blog\/http-2-ve-http-3-destegi-seo-ve-core-web-vitalsi-nasil-etkiler-hosting-secerken-nelere-bakmali\/\">our article on how HTTP\/2 and HTTP\/3 support affects SEO and performance<\/a> is a good complement.<\/p>\n<h2><span id=\"Sifre_Takimlari_Cipher_Suites_ve_Guvenli_Varsayilanlar\">Cipher Suites and Secure Defaults<\/span><\/h2>\n<p>A common mistake we see in many security audits: the protocol versions are up to date, but weak cipher suites are left enabled. For example, still allowing CBC-mode ciphers that offer no PFS (Perfect Forward Secrecy) while using TLS 1.2.<\/p>\n<h3><span id=\"Guncel_Bir_Yapilandirmada_Olmasi_Gereken_Ozellikler\">Features an Up-to-Date Configuration Must Have<\/span><\/h3>\n<ul>\n<li><strong>PFS (Perfect Forward Secrecy):<\/strong> Ciphers using ECDHE or DHE key exchange should be preferred. That way, even if your long-term server key leaks, past sessions cannot be decrypted.<\/li>\n<li><strong>AEAD ciphers:<\/strong> Modern algorithms that provide both encryption and integrity, such as AES-GCM or CHACHA20-POLY1305, should be used.<\/li>\n<li><strong>SHA-256+ instead of SHA-1:<\/strong> For the hash component, SHA-256 or higher should be preferred, not SHA-1.<\/li>\n<li><strong>RSA + ECDSA support:<\/strong> Hybrid configurations that allow RSA certificates for compatibility and ECDSA certificates for performance and modernity are ideal.<\/li>\n<\/ul>\n<p>A typical, secure TLS 1.2 cipher list should contain the following entries (at the logical level):<\/p>\n<ul>\n<li>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256<\/li>\n<li>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256<\/li>\n<li>TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256<\/li>\n<li>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256<\/li>\n<\/ul>\n<p>And you must <strong>leave the following out<\/strong>:<\/p>\n<ul>\n<li>All ciphers containing RC4<\/li>\n<li>3DES\/DES-based ciphers<\/li>\n<li>Old CBC-mode combinations without PFS<\/li>\n<\/ul>\n<p>On the TLS 1.3 side, the good news is that because the protocol was designed to support only modern ciphers, your room for error is much narrower. Still, it is important to define and test the cipher lists for TLS 1.3 and TLS 1.2 separately on servers such as Nginx\/Apache.<\/p>\n<h2><span id=\"Tarayici_ve_Uygulama_Ekosistemindeki_Guncellemeler\">Updates in the Browser and Application Ecosystem<\/span><\/h2>\n<p>Viewing SSL\/TLS protocol updates merely as a &#8220;server setting&#8221; would be incomplete. Browsers, mobile application SDKs, API clients and even IoT devices are part of this ecosystem. A few critical changes in recent years:<\/p>\n<ul>\n<li>The major browsers disabled TLS 1.0 and TLS 1.1 support by default<\/li>\n<li><strong>TLS 1.2+<\/strong> became effectively mandatory for HTTP\/2<\/li>\n<li>HTTP\/3 (QUIC) runs only over <strong>TLS 1.3<\/strong><\/li>\n<li>HSTS preload lists have spread aggressively<\/li>\n<\/ul>\n<p>This means your site needs a modern TLS configuration not only for security but <strong>also for performance and SEO<\/strong>. For example, if HTTP\/2 and HTTP\/3 are not enabled, your <strong>Core Web Vitals<\/strong> metrics may suffer, especially on mobile connections. <a href=\"https:\/\/www.dchost.com\/blog\/core-web-vitalsi-hosting-tarafinda-iyilestirmek\/\">Our guide to improving Core Web Vitals on the hosting side<\/a>, where we explain this relationship in detail, is a natural continuation of this article.<\/p>\n<p>For sites running behind a CDN, the TLS settings between the CDN and the origin server take on additional importance. Thinking &#8220;the CDN already provides HTTPS&#8221; is not enough; it is critical that the origin connection is also protected with TLS 1.2+ and secure ciphers. We strongly recommend that you take a look at <a href=\"https:\/\/www.dchost.com\/blog\/cdn-arkasinda-gercek-https-ve-full-strict-ssl-kurulumu\/\">our guide to real HTTPS and Full (Strict) SSL setup behind a CDN<\/a>, where we cover this architecture end to end.<\/p>\n<h2><span id=\"Sunucu_Tarafinda_Yapmaniz_Gereken_Somut_Ayarlar\">Concrete Settings You Need to Make on the Server Side<\/span><\/h2>\n<p>Let&#8217;s put theory into practice. For those managing their own VPS or dedicated server rather than shared hosting, the following items usually need to be configured on the Nginx\/Apache\/LiteSpeed side:<\/p>\n<ul>\n<li><strong>Protocol versions:<\/strong> Configure so that only TLSv1.2 and TLSv1.3 are enabled<\/li>\n<li><strong>Cipher list:<\/strong> Modern PFS + AEAD-focused ciphers, as discussed above<\/li>\n<li><strong>Server preference:<\/strong> Enable &#8220;server cipher preference&#8221; so that the server&#8217;s ordering, not the client&#8217;s, is honoured<\/li>\n<li><strong>OCSP Stapling:<\/strong> Enable it on the origin side to speed up certificate validity checks and gain privacy<\/li>\n<li><strong>HSTS:<\/strong> Enforce a permanent move from HTTP to HTTPS and prevent downgrade attacks<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.dchost.com\/blog\/nginxte-tls-1-3-ocsp-stapling-ve-brotli-nasil-kurulur-hizli-ve-guvenli-httpsnin-sicacik-rehberi\/\">Our step-by-step TLS 1.3 guide<\/a>, which explains TLS 1.3, OCSP Stapling and compression settings on the Nginx side in detail, will help you considerably when putting what we describe in this section into practice.<\/p>\n<p>In addition, you need to complement your TLS configuration with <strong>HTTP security headers<\/strong> (HSTS, CSP, X-Frame-Options, Referrer-Policy, etc.). It is important not only to update the protocol but also to steer how the browser treats that protocol with the right headers. For this, we strongly recommend taking a look at <a href=\"https:\/\/www.dchost.com\/blog\/http-guvenlik-basliklari-rehberi-hsts-csp-x-frame-options-ve-referrer-policy-dogru-nasil-kurulur\/\">our HTTP security headers guide<\/a>.<\/p>\n<h2><span id=\"PCI_DSS_KVKK_ve_Regulasyon_Perspektifinden_TLS\">TLS from the PCI DSS, KVKK and Regulatory Perspective<\/span><\/h2>\n<p>In projects handling e-commerce, payment systems or sensitive personal data, TLS settings are not merely a &#8220;well-intentioned security measure&#8221; but become <strong>an obligation you must comply with<\/strong>.<\/p>\n<ul>\n<li><strong>PCI DSS:<\/strong> Banned the use of TLS 1.0 and 1.1 for systems handling payment card data years ago. In practice, TLS 1.2 is the minimum and TLS 1.3 the recommended level.<\/li>\n<li><strong>KVKK \/ GDPR:<\/strong> The law does not name a TLS version directly; however, the wording &#8220;up-to-date technical measures&#8221; places the responsibility on you if weak TLS versions and ciphers are in use.<\/li>\n<li><strong>Corporate security policies:<\/strong> Many organisations require TLS 1.2+ and a complete ban on specific weak ciphers in their internal policies and audits.<\/li>\n<\/ul>\n<p>In <a href=\"https:\/\/www.dchost.com\/blog\/pci-dss-uyumlu-e-ticaret-hosting-rehberi\/\">our PCI DSS compliant e-commerce hosting guide<\/a>, prepared for projects that handle card data, we share field examples of how TLS configuration is evaluated in audits. Systems where TLS 1.0\/1.1 is enabled, or where RC4 or 3DES still appears in the list, are flagged as &#8220;non-compliant&#8221; in most audits without any debate.<\/p>\n<h2><span id=\"DCHost_Ortaminda_Guncel_TLS_Stratejisi\">An Up-to-Date TLS Strategy in the DCHost Environment<\/span><\/h2>\n<p>At DCHost, we treat TLS in both our shared hosting and our VPS\/dedicated infrastructure well beyond the level of &#8220;is there a certificate or not&#8221;. The core principles we have adopted from our field experience:<\/p>\n<ul>\n<li>Supporting <strong>only TLS 1.2 and TLS 1.3<\/strong> on all new installations<\/li>\n<li>Disabling weak TLS 1.2 cipher suites by default on shared hosting servers<\/li>\n<li>Enabling HTTP\/2 and HTTP\/3 support wherever possible<\/li>\n<li>Applying a Full (Strict) TLS policy on origin\u2013CDN connections as well<\/li>\n<li>Providing our VPS and dedicated customers with sample configurations and consulting to harden their own Nginx\/Apache\/LiteSpeed setups<\/li>\n<\/ul>\n<p>If you need support when designing your own TLS architecture on the VPS, dedicated or colocation side, the DCHost team can be with you all the way: from server sizing and the answer to <a href=\"https:\/\/www.dchost.com\/blog\/dedicated-sunucu-mu-vps-mi-hangisi-isinize-yarar\/\">the dedicated-or-VPS question<\/a> to a zero-downtime certificate transition at go-live.<\/p>\n<h2><span id=\"SSL_Sertifika_ve_TLS_Guncellemelerini_Otomatiklestirmek\">Automating SSL Certificate and TLS Updates<\/span><\/h2>\n<p>Protocol updates are usually thought of as a one-off task; in practice it goes like this: certificates are renewed, a new web server version is adopted, CDN policies change, and each time you need to review your TLS settings again. That is why automation is critical for sustainable security.<\/p>\n<ul>\n<li><strong>ACME-based certificate automation:<\/strong> Using automatic certificate renewal (ACME) with Let\u2019s Encrypt and similar CAs seriously reduces the risk of an expired certificate.<\/li>\n<li><strong>Automated tests:<\/strong> Periodic scanning with tools such as testssl.sh and sslscan lets you catch old protocols that were enabled by mistake.<\/li>\n<li><strong>Configuration management:<\/strong> If you have more than one server, managing TLS settings with tools such as Ansible and Terraform rather than by hand is safer and more repeatable.<\/li>\n<\/ul>\n<p>We covered current approaches in this area, and how to scale SSL\/TLS automation in multi-tenant environments, in detail in our article <a href=\"https:\/\/www.dchost.com\/blog\/ssl-sertifika-otomasyonu-inovasyonlari-acme-dns-01-ve-cok-kiracili-mimariler\/\">SSL certificate automation innovations<\/a>. The practices there matter a great deal so that you do not have to redo the protocol updates discussed in this article by hand over and over.<\/p>\n<h2><span id=\"Adim_Adim_TLS_Guncelleme_Plani_Nereden_Baslamali\">Step-by-Step TLS Update Plan: Where to Start?<\/span><\/h2>\n<p>In theory everything may look clear, but on a live system, saying &#8220;let&#8217;s disable TLS 1.0\/1.1 and harden the ciphers&#8221; feels risky to most teams. Let us summarise the practical roadmap we use in the field at DCHost:<\/p>\n<ol>\n<li><strong>Build an inventory:<\/strong> List which domain names, which servers, which panels (cPanel, DirectAdmin, Plesk, etc.) and which TLS versions are in use.<\/li>\n<li><strong>Measure the current state:<\/strong> Get a report for each host with tools such as testssl.sh and SSL Labs. Note which protocols are enabled and which ciphers are in use.<\/li>\n<li><strong>Identify compatibility risks:<\/strong> If you have a critical customer base using very old browsers or embedded devices, notify them in advance; design an alternative access path (e.g. a legacy endpoint reachable only from the internal network).<\/li>\n<li><strong>Disable TLS 1.0\/1.1 first:<\/strong> In most projects this change goes through without problems. Problems usually surface in customised legacy API clients.<\/li>\n<li><strong>Clean up the cipher list:<\/strong> Disable RC4, 3DES and weak CBC ciphers; continue with a modern PFS + AEAD-focused set.<\/li>\n<li><strong>Enable TLS 1.3:<\/strong> If your web server supports it, enable TLS 1.3 and test its integration with HTTP\/2\u2013HTTP\/3.<\/li>\n<li><strong>Add security headers:<\/strong> Harden the browser side with HSTS, X-Content-Type-Options, Referrer-Policy and, if possible, a basic CSP.<\/li>\n<li><strong>Set up metrics to monitor the results:<\/strong> Track post-change error rates with error logs, access logs and monitoring tools (for example uptime monitors).<\/li>\n<\/ol>\n<p>Especially if you use a VPS or dedicated server, drawing on complementary guides such as <a href=\"https:\/\/www.dchost.com\/blog\/vps-sunucu-guvenligi-nasil-saglanir-kapiyi-acik-birakmadan-yasamanin-sirri\/\">VPS server security checklists<\/a> while applying this plan will help you shrink not only TLS but your entire attack surface.<\/p>\n<h2><span id=\"Sonuc_TLS8217i_Bir_Defalik_Proje_Degil_Surekli_Bir_Surec_Olarak_Gormek\">Conclusion: Treating TLS as a Continuous Process, Not a One-Off Project<\/span><\/h2>\n<p>On the SSL\/TLS side, the era of &#8220;I have a certificate, the green padlock shows&#8221; closed long ago. Today the game is played like this: browsers and security standards periodically raise their protocol and cipher expectations, and you have to keep your infrastructure in line. Disabling TLS 1.0\/1.1, moving to TLS 1.3, removing weak ciphers from the list, adding HSTS and OCSP Stapling are not luxuries; they have become the <strong>minimum hygiene rules<\/strong> of a modern web project.<\/p>\n<p>At DCHost, we review our hosting infrastructure at regular intervals to maintain this hygiene: we update the default TLS policies on shared hosting servers and offer our VPS and dedicated customers sample configurations and audit recommendations. On your side, we recommend making it a habit to ask &#8220;What did we improve about TLS this month?&#8221;<\/p>\n<p>If you want to draw up a concrete action plan for your own project, we can first assess the current state and then apply the steps in this article to your hosting package, VPS or dedicated server at DCHost. Whether your need is a simple website or a high-traffic e-commerce infrastructure, we are at your side on <strong>up-to-date SSL\/TLS protocol settings<\/strong>. Even opening this article like a checklist during your next maintenance window and working through it item by item will take you a generation ahead in terms of security and performance.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>You have probably experienced how a small configuration change on the SSL\/TLS side, made once every few years, can affect your entire infrastructure. On one side, browsers aggressively disable old protocols; on the other, regulations such as PCI DSS and KVKK set expectations for a minimum TLS version and cipher suite\u2026 The result: saying &#8220;HTTPS is working&#8221; is no longer enough; which SSL\/TLS protocol updates you apply, when, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4164,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24,33,25],"tags":[],"class_list":["post-4163","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hosting","category-nasil-yapilir","category-sunucu"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/4163","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/comments?post=4163"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/4163\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media\/4164"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media?parent=4163"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/categories?post=4163"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/tags?post=4163"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}