Configuring SSL/TLS with strong cryptography
Most vulnerability scans and pentests produce many findings related to SSL (TLS). Because cryptograhpy is complex and the requirements change quickly. But how do you set up your server so that at least no outdated versions or weak encryption is running? And what is reasonable compromise to not lose visitors with slightly older browsers?
On this page we want to give an overview of various types of server software and how to configure TLS (SSL) on them in a secure way.
Overall
Encryption of connections on the Internet is undergoing significant changes. New vulnerabilities are constantly being discovered that are, to a greater or lesser extent, practical problems. Also, the increasing computing power of computers poses new challenges: what could be considered reasonably strong encryption 10 years ago is now no longer sufficient because modern computers can try keys at high speed.
Because in many situations older versions of browsers, mail programs and other “consumers” of encrypted connections must be supported, you may not always be able to assume that the latest and best encryption methods and protocols can be provided. Therefore, on this page we try to keep two variants of our advice:
- top quality: you control the clients that connect to your server and you don’t have to deal with outdated clients. This is mostly about internal web and mail servers that are only visited with the latest version of a modern browser or mail program because on the workstations you always install the latest updates.
- compromise quality: you would like to have good encryption of the traffic, but you don’t want to keep out visitors who have a slightly older browser (for example, phones with an older Android version).
For compromise quality, we assume that visitors have at least the following software versions:
- Mozilla Firefox 27 (04−02−2014)
- Google Chrome 31 (12−11−2013)
- Microsoft Edge 12 or Internet Exporer 11 (Windows 7) (17−08−2013)
- Android 4.4.2 (09−12−2013)
- Apple Safari /IOS 9 (30−09−2015)
- Java applications at least on Java 8 (20−01−2015)
- Opera 20 (04−03−2014)
An overview of all the server software discussed on this page:
- Apache Httpd
- Microsoft Internet Information Server (IIS)/ Microsoft Exchange/Microsoft Remote Desktop Services (Terminal Services)
- nginx
- lighttpd
- Postfix
Apache HTTPD
The best configuration is to support TLS 1.3 only. Note that this only works with fully up-to-date clients.
The top quality configuration is simple:
The server then only supports the latest version of TLS (1.3) within which all encryption methods are currently considered very strong. Please check that your server is recent enough to support TLS 1.3. For this you need at least Apache version 2.4.39 with OpenSSL version 1.1.1.
If you still want to support slightly older clients, we recommend (in compromise quality) the following configuration:
You then only support TLS 1.2 and 1.3 with strong encryption methods.
The above rules must be included in your Apache configuration. How it is organized may vary from system to system. In general, it will be located in /etc/httpd/
or /etc/apache2/
. These directories often contain a subdirectory of configuration files, usually named conf.d/
. In it you will find a file with a name like10-ssl.conf
in which you can add or modify the above lines. After a restart of the Apache service, the new configuration is active.
Microsoft Internet Information Server (IIS)
Microsoft Exchange
Microsoft Remote Desktop Services (Terminal Services)
Microsoft servers do not yet support version 1.3 of TLS, so the top-quality configuration cannot be set on IIS, Exchange or other Microsoft server products, even on Windows Server 2019.
To get the best possible configuration on IIS, Exchange and Remote Desktop, it is necessary to make some changes in the Registry. Under the following entries, create a subkey with the name Enabled
and the value 0
:
Under the following Registry key, you then create a subkey Enabled
with the value 1
:
The server will now only provide HTTPS via TLS 1.2 which prevents you from many encryption vulnerabilities.
However, we want to tighten the configuration a bit more because even under TLS 1.2, a number of encryption methods are offered that are not all equally strong. Also in the compromise quality (see above) we can disable some of them. In particular, we want to disable methods that use Cipher Block Chaining (CBC).
You can use the following PowerShell command to query which algorithms with CBC are used by the server:
For all results of this command, you can disable the encryption method with:
Repeat for each method you want to disable, entering the appropriate name in quotation marks in the above command. After disabling the weak ciphers, the strong ciphers must also be enabled:
nginx
If you are using the web server nginx, you can adjust the SSL/TLS settings in the configuration file/etc/nginx/nginx.conf
.
For top quality HTTPS, enable only TLS 1.3 with the following configuration option:
To enable TLS 1.3 you need at least nginx version 1.13.0 with OpenSSL version 1.1.1.
For compromise quality, use the following settings:
lighttpd
For the simple web server lighttpd, include the following in the configuration file/etc/lighttpd/lighttpd.conf
:
(this is the top quality configuration with only TLS 1.3 — make sure your version of Lighttpd does support TLS 1.3 (at least version 1.4.53 with OpenSSL 1.1.1), otherwise you disable all SSL and TLS)
For compromise quality, you can add the following lines:
Postfix (SMTP)
Email can (and should) be sent over TLS as well, and again you face challenges with version of the protocol and encryption algorithms. Here we describe how to correctly configure SSL/TLS on the widely used mail transfer agent Postfix.
For top quality (Note: only use this to communicate with mail servers that you are sure also support TLS 1.3, otherwise the mail will be sent unencrypted!), set the following in/etc/postfix/main.cf
:
For compromise quality, set up Postfix as follows:
Again, e‑mail is different from web browsing: if the TLS connection cannot be established then (unless otherwise configured, but that is rarely the case) mail traffic will fall back to old-fashioned unencrypted sending of e‑mail. Even not so good encryption is preferable, because it is better than nothing. For this reason, we also provide a setting that is compatible with very old servers on the Internet:
Other
We will add server software on this page as soon as we encounter it in practice.