SSL/TLS Configuration: 5 Best Practices for Securing Servers

You are currently viewing SSL/TLS Configuration: 5 Best Practices for Securing Servers

SSL/TLS Configuration: 5 Best Practices for Securing Servers

Image by: Brett Sayles

Why SSL/TLS security can’t be ignored

Did you know 39% of websites still support vulnerable TLS 1.0? This startling statistic from SSL Labs’ Pulse Report highlights why proper SSL/TLS configuration remains critical. When misconfigured, your encryption becomes a false shield – exposing sensitive data to POODLE, BEAST, and other attacks. This guide gives sysadmins and DevOps engineers actionable steps to eliminate weak protocols, select robust ciphers, and achieve A+ security ratings across Nginx, Apache, and cloud platforms. You’ll learn to automate renewals, implement HSTS, and maintain bulletproof configurations that satisfy PCI DSS and GDPR requirements. Let’s transform your web server from vulnerable to fortress-grade.

Disabling outdated TLS protocols

Legacy protocols like TLS 1.0 and 1.1 contain critical vulnerabilities. The PCI Security Standards Council mandated their deprecation in 2018, yet many servers remain exposed. Disabling them reduces attack surfaces immediately:

  • Nginx: Add ssl_protocols TLSv1.2 TLSv1.3; in server blocks
  • Apache: Set SSLProtocol -all +TLSv1.2 +TLSv1.3 in httpd.conf
  • CloudFront: Use “TLSv1.2_2021” security policy in distributions

Microsoft reported 58% of attacks against financial services target TLS 1.0 weaknesses. Always verify changes with SSL Server Test and monitor traffic using Wireshark filters like tls.handshake.version == 0x0301.

Choosing modern cipher suites

Cipher selection dictates encryption strength. Prioritize AEAD ciphers like ChaCha20-Poly1305 and AES-GCM that resist timing attacks. Avoid NULL, EXPORT, or CBC-based ciphers vulnerable to Lucky13 attacks. Mozilla’s recommended configurations provide excellent templates:

Cipher suite Security Speed Compatibility
TLS_AES_256_GCM_SHA384 Excellent Fast (HW accelerated) Modern browsers
TLS_CHACHA20_POLY1305_SHA256 Excellent Fast on mobile Android 7.0+, iOS 11+
ECDHE-RSA-AES128-SHA Weak (CBC vulnerability) Medium Legacy systems

For Nginx, use: ssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';. Rotate keys using elliptic curve cryptography for better performance.

Enforcing security with HSTS

HTTP Strict Transport Security prevents SSL stripping attacks by forcing browsers to use HTTPS. The Strict-Transport-Security header tells clients to remember your site as HTTPS-only:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Implementation varies by server:

  • Apache: Add Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
  • Nginx: Include add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Submit domains to the HSTS Preload List for built-in browser enforcement. Note: Include preload only after thorough testing.

Automating certificate renewal

Manual certificate renewals cause 42% of outages according to Venafi research. Let’s Encrypt with Certbot solves this through ACME protocol automation:

  1. Install Certbot: sudo snap install certbot --classic
  2. Run: certbot --nginx -d yourdomain.com
  3. Add cron job: 0 0 */60 * * certbot renew --quiet

For Kubernetes, use cert-manager with ClusterIssuer resources. Monitor expiration with Prometheus and Grafana dashboards – critical for enterprise compliance frameworks.

Advanced hardening techniques

OCSP stapling

Reduces latency by embedding revocation status in TLS handshakes. Enable in Nginx with:

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;

Certificate transparency

Detect misissued certificates via CT logs. Configure using ct directive in OpenSSL 1.1.1+.

Key rotation strategies

Rotate ECDSA keys every 90 days using automated scripts. Always generate 384-bit curves for maximum security.

Testing and ongoing maintenance

Continuous monitoring prevents configuration drift. Essential tools:

  • Qualys SSL Test: Comprehensive grading with remediation tips
  • testssl.sh: Command-line checks for vulnerabilities
  • OWASP ZAP: Automated vulnerability scanning

Schedule monthly scans and integrate checks into CI/CD pipelines. Bookmark our DevOps security checklist for quarterly audits.

Frequently asked questions

Should I disable TLS 1.2 after enabling TLS 1.3?

No. Maintain TLS 1.2 compatibility for legacy clients while prioritizing TLS 1.3 connections. Over 18% of global traffic still uses TLS 1.2 according to Cloudflare metrics. Phase out TLS 1.2 only when analytics show negligible usage.

How often should I rotate my cipher suites?

Review cipher configurations quarterly, but avoid unnecessary changes to maintain compatibility. Rotate only when vulnerabilities emerge – like the 2020 ROCA attack affecting RSA keys. Subscribe to the OpenSSL blog for critical updates.

Can HSTS cause accessibility issues?

Yes, if misconfigured. Setting extremely long max-age without testing can lock out users during configuration errors. Start with max-age=300 (5 minutes), gradually increasing to 1 year after verification. Always maintain HTTP access to your domain’s HSTS status checker.

What’s the biggest mistake in automated certificate renewal?

Forgetting to restart web servers. Certbot updates certificate files but doesn’t reload services. Always include --deploy-hook "systemctl reload nginx" in renewal commands. Monitor processes using ps aux | grep nginx to confirm reloads.

Conclusion

Securing SSL/TLS configurations demands ongoing vigilance – from eliminating TLS 1.0 to enforcing modern ciphers and HSTS. By automating renewals and implementing the hardening techniques outlined here, you’ll achieve and maintain A+ security ratings while preventing costly breaches. Remember: Security isn’t a one-time project but a continuous process. Start today by testing your configuration with SSL Labs and exploring our DevOps security resources for deeper implementation guides. Your encrypted infrastructure starts now.