A correctly configured TLS setup ensures that your users only receive content from your web application that has not been tampered with and cannot be eavesdropped on. Learn here how you can secure your TLS configuration.

Table of contents
  1. Secure TLS Configuration Security Assessment
  2. Secure TLS Configuration Vulnerability Information
  3. How to Secure TLS Configuration

Secure TLS Configuration Security Assessment

The assessment values differ depending on the specific cipher suite in use. For the exact value of each cipher suite, see the table below.

Security Assessment TLS Configuration

CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

[Table: Security Assessment TLS, per-cipher-suite values (not reproduced in this extract)]

Secure TLS Configuration Vulnerability Information

A correctly configured TLS setup ensures that your users only receive content from your web application that has not been tampered with and cannot be eavesdropped on. In your SSL/TLS configuration, you should restrict the allowed protocol versions and ciphers to recent, secure values. If in doubt, take a look at the TLS configuration proposal offered by Mozilla or use the SSL Config Generator.


How to Secure TLS Configuration

To configure SSL/TLS encryption for your web server, follow the guide for your server below. Also, make sure that you use strong and trusted certificates, as described in Configure Trusted Certificates.

Apache

With Apache, the SSL/TLS configuration is stored in /etc/apache2/mods-enabled/ssl.conf. If you use Let’s Encrypt, the configuration may instead reside in /etc/letsencrypt/options-ssl-apache.conf. To enable only strong ciphers and recent protocol versions, set:

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder     on
SSLCompression          off

Then reload the Apache server configuration.

Note that this restricts the cipher suites and protocol versions to recent ones, which might exclude users with older browsers.

Nginx

For Nginx, update the configuration file, which is usually located at /etc/nginx/nginx.conf, /etc/nginx/sites-enabled/yoursite.com (Ubuntu / Debian) or /etc/nginx/conf.d/nginx.conf (RHEL / CentOS). Add the following directives to the server block:

ssl_protocols TLSv1.2;
# Same suite list as in the Apache example: ECDHE key exchange with AEAD ciphers only.
# A truncated or misspelled suite name in this string is silently ignored by OpenSSL, so check it carefully.
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_prefer_server_ciphers on;

Then restart the Nginx server.

Note that this restricts the cipher suites and protocol versions to recent ones, which might exclude users with older browsers.
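The Apache SSLCipherSuite and Nginx ssl_ciphers strings above are only as good as the tokens OpenSSL actually recognises: a misspelled suite name is dropped without any error. The following script is an added example (not part of this page or of either web server's tooling) that expands a cipher string with the local OpenSSL through Python's ssl module and reports unknown tokens and any suite lacking forward secrecy or AEAD; the sample input at the bottom is constructed here.

```python
import ssl


def expand_token(token):
    """Return the TLS 1.2 suites OpenSSL selects for one cipher-list token,
    or None when OpenSSL rejects the token outright (typo, unknown name)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(token)
    except ssl.SSLError:
        return None
    # get_ciphers() also lists the always-on TLS 1.3 suites; the cipher
    # string never controls those, so leave them out of the audit.
    return [c for c in ctx.get_ciphers() if c.get("protocol") != "TLSv1.3"]


def has_forward_secrecy(suite):
    """Ephemeral (EC)DHE key exchange; falls back to the textual description."""
    kea = suite.get("kea")
    if kea is not None:
        return "dhe" in kea.lower()
    desc = suite["description"]
    return "Kx=ECDH" in desc or "Kx=DH" in desc


def is_aead(suite):
    """GCM / ChaCha20-Poly1305 rather than a CBC + HMAC construction."""
    aead = suite.get("aead")
    return aead if aead is not None else "Mac=AEAD" in suite["description"]


def audit_cipher_string(cipher_string):
    """Return (name, problem) pairs; an empty list means every token is
    known to OpenSSL and selects only forward-secret AEAD suites."""
    findings = []
    for token in cipher_string.strip("'\"").split(":"):
        if not token:
            continue
        suites = expand_token(token)
        if suites is None:
            findings.append((token, "unknown to OpenSSL (ignored within a longer list)"))
            continue
        for suite in suites:
            if not has_forward_secrecy(suite):
                findings.append((suite["name"], "no forward secrecy"))
            if not is_aead(suite):
                findings.append((suite["name"], "not an AEAD suite"))
    return findings


if __name__ == "__main__":
    # Constructed sample: a good suite, a typo'd suite and a legacy RSA/CBC suite.
    for name, problem in audit_cipher_string("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA38:AES256-SHA"):
        print(f"{name}: {problem}")
```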
