Hardening SSL ciphers

I wrote a post previously about disabling SSLv2 and enabling SSLv3 and TLSv1. Times have changed since then: it's been best practice for a long time now to only use TLSv1.1 and TLSv1.2 with forward secrecy. This post replaces the previous post, and will be updated with the latest best practices as they appear.

This Post Has 2 Comments

  1. Brandon Martin

    I’ve added these configs to my nginx servers to harden the SSL:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_prefer_server_ciphers on;

    Place them in the http block. Generate the dhparam with openssl:

    openssl dhparam -out dhparam.pem 4096
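
An added example, not code from the post or from the commenter: a small audit that checks an nginx config against the practice the post states (TLSv1.1 and TLSv1.2 only, with forward secrecy). The function names, the sample configs and the cipher-string heuristic are assumptions made for this illustration; the parser handles only simple `name args;` directives.

```python
import re

# Protocols the post names as current best practice.
ALLOWED_PROTOCOLS = {"TLSv1.1", "TLSv1.2"}
# Key-exchange names that give forward secrecy in OpenSSL cipher strings.
FS_MARKERS = ("ECDHE", "EECDH", "DHE", "EDH")

# Constructed samples: the three directives from the comment, and a stricter variant.
SAMPLE_AS_POSTED = """http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_prefer_server_ciphers on;
}"""
SAMPLE_STRICT = """http {
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:!aNULL;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_prefer_server_ciphers on;
}"""


def parse_directives(conf):
    """Return {name: [args]} for 'name args;' directives; comments are dropped."""
    stmts = (s.split() for s in re.split(r"[;{}]", re.sub(r"#[^\n]*", "", conf)))
    return {p[0]: p[1:] for p in stmts if p}


def audit(conf):
    """Return findings; an empty list means every check passed."""
    d = parse_directives(conf)
    findings = []
    if "ssl_protocols" not in d:
        findings.append("ssl_protocols not set, nginx default applies")
    for p in d.get("ssl_protocols", []):
        if p not in ALLOWED_PROTOCOLS:
            findings.append(f"ssl_protocols enables {p}")
    if d.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on")
    if "ssl_ciphers" not in d:
        findings.append("ssl_ciphers not set, forward secrecy not enforced")
    # Skip exclusions (!, -) and sort hints (@); the rest must name an FS key exchange.
    tokens = [c for c in ":".join(d.get("ssl_ciphers", [])).split(":")
              if c and c[0] not in "!-@"]
    for c in tokens:
        if not any(m in c for m in FS_MARKERS):
            findings.append(f"ssl_ciphers allows non-forward-secret {c}")
    # Finite-field DHE needs ssl_dhparam; ECDHE does not.
    if any(re.search(r"(?<!EC)DHE|EDH", c) for c in tokens) and "ssl_dhparam" not in d:
        findings.append("DHE cipher listed but ssl_dhparam not set")
    return findings
```

Running `audit(SAMPLE_AS_POSTED)` reports the TLSv1 entry and the missing `ssl_ciphers` line, while `audit(SAMPLE_STRICT)` returns an empty list.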
