In the past, securing a server meant disabling outdated protocols like SSLv3 (famous for the POODLE attack). Today, nearly all modern operating systems disable these by default.
Modern server security is about enabling the latest standards: TLS 1.2 and TLS 1.3.
Why TLS 1.3?
TLS 1.3 is not just more secure than TLS 1.2; it is also faster. It reduces the time it takes to establish a secure connection (handshake), improving website load times.
Prerequisites
To use TLS 1.3, your server must have OpenSSL 1.1.1 or newer. This is standard on modern OSs like:
- Ubuntu 20.04 LTS or newer
- Debian 10 (Buster) or newer
- CentOS / AlmaLinux / Rocky Linux 8 or newer
1. Nginx Configuration
Nginx is highly efficient at handling SSL/TLS. We will configure it to accept only TLS 1.2 and 1.3 with strong cipher suites.
- Open your main Nginx configuration file (usually /etc/nginx/nginx.conf) or your specific site config block.
- Find or add the ssl_protocols and ssl_ciphers directives inside the server { ... } block listening on port 443.
server {
    listen 443 ssl http2;
    server_name yourdomain.com;
    # ... certificate paths here ...

    # Enable TLS 1.2 and TLS 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;

    # Use strong, modern ciphers.
    # This list follows Mozilla's "Intermediate" recommendations.
    # It applies to TLS 1.2; the TLS 1.3 suites are fixed AEAD suites chosen by OpenSSL
    # and are not controlled by ssl_ciphers.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    # Let the client pick from this list (all entries are already strong)
    ssl_prefer_server_ciphers off;

    # ... rest of your config ...
}
- Test the configuration and restart Nginx:
nginx -t && systemctl restart nginx
2. Apache (httpd) Configuration
For Apache, the location of the SSL configuration file depends on your OS:
- RHEL/CentOS: usually /etc/httpd/conf.d/ssl.conf
- Ubuntu/Debian: usually /etc/apache2/mods-enabled/ssl.conf
- Open the config file.
- Locate the SSLProtocol and SSLCipherSuite directives and update them:
# Disable SSLv3, TLS 1.0 and TLS 1.1; leave TLS 1.2 and 1.3 enabled
# (SSLv2 is no longer supported by Apache 2.4, so it need not be listed)
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Use strong, modern ciphers (Mozilla Intermediate); applies to TLS 1.2
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# Let the client pick from the list above
SSLHonorCipherOrder off
# Session tickets are disabled because a long-lived ticket key weakens forward secrecy
SSLSessionTickets off
- Test the configuration and restart Apache:
apachectl configtest && systemctl restart apache2
(Use httpd instead of apache2 on RHEL-based systems.)
3. Postfix (Mail Server)
Mail servers are often targeted. Ensure your Postfix only communicates securely.
- Open the main configuration file: /etc/postfix/main.cf.
- Add or modify the following lines to enforce TLS 1.2 or higher for receiving mail:
# Require TLS 1.2 or higher for incoming connections (smtpd = server side).
# These lists only restrict the version once TLS is negotiated; whether TLS is
# offered or required at all is governed by smtpd_tls_security_level.
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_ciphers = high
# Recommended to also set for outgoing connections (smtp = client side, instead of smtpd)
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_ciphers = high
- Restart Postfix:
systemctl restart postfix
Testing your Configuration
After applying these changes, it is vital to verify them.
- Public Web Servers: Use the free Qualys SSL Server Test. Aim for an A or A+ rating. It will clearly show if TLS 1.3 is enabled and if weak protocols are disabled.
- Internal/Mail Servers: Use command-line tools like nmap or testssl.sh.
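For servers that the Qualys test cannot reach, the same check can be scripted with openssl s_client, which every host covered by the prerequisites already has. The script below is an added example and is not part of the original guide or of any of the tools it names; it assumes the openssl CLI (1.1.1 or newer, for the -tls1_3 flag) is installed, and the host and port you pass in are placeholders for your own server. It tries each protocol version in turn, parses the s_client transcript, and reports whether the result matches the policy configured above (TLS 1.0 and 1.1 refused, TLS 1.2 and 1.3 accepted). The optional third argument adds STARTTLS, so the Postfix configuration can be checked on port 25 or 587.

```shell
#!/usr/bin/env bash
# Added example (not part of the original guide): probe a server with openssl s_client
# to confirm that TLS 1.0/1.1 are refused and TLS 1.2/1.3 are accepted.
# Assumes the openssl CLI (1.1.1 or newer, for -tls1_3) is installed.
# The host and port arguments are placeholders for your own server.

# Classify one openssl s_client transcript read from stdin.
# Prints "accepted <version>" when a handshake completed, "refused" otherwise.
classify_probe() {
    local line version=""
    while IFS= read -r line; do
        case "$line" in
            # Handshake summary, e.g. "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384"
            # (a failed handshake prints "New, (NONE), Cipher is (NONE)", which does not match)
            "New, TLSv"*) version=${line#New, }; version=${version%%,*} ;;
            # Session block, e.g. "    Protocol  : TLSv1.2"
            *"Protocol  : TLSv"*) version=${line##*: } ;;
        esac
    done
    if [ -n "$version" ]; then
        printf 'accepted %s\n' "$version"
    else
        printf 'refused\n'
    fi
}

# Probe one protocol version.
# $1 host, $2 port, $3 openssl version flag (-tls1, -tls1_1, -tls1_2, -tls1_3),
# $4 optional STARTTLS protocol (e.g. "smtp" for Postfix on port 25/587).
probe_version() {
    local host=$1 port=$2 flag=$3 starttls=${4:-}
    local -a extra=()
    if [ -n "$starttls" ]; then
        extra=(-starttls "$starttls")
    fi
    # -servername sends SNI; </dev/null closes the session right after the handshake.
    openssl s_client -connect "$host:$port" -servername "$host" "$flag" "${extra[@]}" \
        </dev/null 2>&1 | classify_probe
}

# Compare the server against the policy in this guide.
# Returns 0 when legacy versions are refused and modern ones accepted, 1 otherwise.
check_policy() {
    local host=$1 port=${2:-443} starttls=${3:-} flag result rc=0
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        result=$(probe_version "$host" "$port" "$flag" "$starttls")
        case "$flag:$result" in
            -tls1:refused|-tls1_1:refused|-tls1_2:accepted*|-tls1_3:accepted*)
                printf 'ok    %-8s %s\n' "$flag" "$result" ;;
            *)
                printf 'FAIL  %-8s %s\n' "$flag" "$result"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage: bash tls-check.sh yourdomain.com 443
#        bash tls-check.sh mail.yourdomain.com 25 smtp
if [ "$#" -ge 1 ]; then
    check_policy "$@"
fi
```

One caveat when reading the output: a "refused" for -tls1 or -tls1_1 may come from the client's own OpenSSL rather than the server, because OpenSSL 3 disables TLS 1.0 and 1.1 at its default security level. To be sure the server is the one refusing, run the check from a host with OpenSSL 1.1.1, or add -cipher 'DEFAULT@SECLEVEL=0' to the s_client call so the client is willing to offer the legacy versions.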