TLS Cipher Suites
SSL certificates with key lengths under 2048 bits, or that use older hashing algorithms like MD5 or SHA-1, need to be replaced. Adequate hashing algorithms start with SHA-256 (SHA-2 with 256-bit hash values).
The DES block cipher and the RC4 stream cipher need to go away entirely.
Also no longer permissible are these TLS/SSL versions in their entirety:
- SSL v2
- SSL v3
- TLS 1.0
- TLS 1.1
A cipher suite consists of a key exchange algorithm, an authentication algorithm, a symmetric encryption algorithm, and a message authentication (hashing) algorithm. Currently (2025), the most secure and most recommended combination of these four is:
- Key exchange: Elliptic Curve Diffie-Hellman (ECDH)
- Authentication algorithm: Elliptic Curve Digital Signature Algorithm (ECDSA)
- Symmetric encryption algorithm: AES 256 operating in Galois Counter Mode (AES256-GCM)
- Message authentication (hashing) algorithm: SHA384 (SHA-2 with 384-bit hash values)
The problem is to deprecate (and ideally remove) support for known-weak ciphers while still retaining compatibility with the commodity web browsers of the day. OWASP has recommendations, Mozilla has a configuration generator, and Acunetix has good guidelines.
- Limit the TLS layer to TLS 1.3 and 1.2 only, with the former preferred.
- Where possible, support only symmetric ciphers operating in Galois Counter Mode (GCM), accepting that this may break compatibility with legacy clients.
- At minimum, disable all null, anonymous, and EXPORT ciphers.
As of April 2025, Mozilla provides the following example Apache config for its "intermediate" client-compatibility profile:
# requires mod_ssl, mod_socache_shmcb and mod_headers
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /path/to/signed_cert_and_intermediate_certs_and_dhparams
    SSLCertificateKeyFile /path/to/private_key
    # enable HTTP/2, if available
    Protocols h2 http/1.1
    # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
    Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>
# "intermediate" settings at server (global) scope, outside the VirtualHost
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLOpenSSLConfCmd Curves X25519:prime256v1:secp384r1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
SSLSessionTickets off
# OCSP stapling (the shmcb cache needs mod_socache_shmcb)
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
Also, ensure that the right Diffie-Hellman group parameters are present in openssl.cnf:
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_module
[ssl_module]
system_default = tls_system_default
[tls_system_default]
Groups = x25519:prime256v1:x448:ffdhe2048:ffdhe3072
The equivalent setting in an Apache configuration would look like:
SSLOpenSSLConfCmd Groups x25519:secp256r1:ffdhe3072
TLS compression should be disabled to protect against the vulnerability nicknamed CRIME, which could allow an attacker to recover sensitive information such as session cookies:
# Disable TLS compression
SSLCompression off
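As an added example (not from this page or from Mozilla's generator), a small Python audit that applies the rules above to an Apache mod_ssl configuration: it replays SSLProtocol into the set of enabled versions, expands SSLCipherSuite through OpenSSL via Python's ssl module to flag anonymous, non-forward-secret or non-AEAD suites, and checks SSLCompression. The function names are mine, and the Apache 2.4 default assumed for a missing SSLProtocol (`all -SSLv3`) is an assumption of this example.

```python
import re
import ssl

# Protocol versions the page retires; any of these still enabled in a config is a finding.
BANNED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def directive(config, name):
    # Argument text of the last `name` directive in the Apache config, or None if absent.
    hits = re.findall(rf"^\s*{name}\s+(.+?)\s*$", config, re.M | re.I)
    return hits[-1] if hits else None

def enabled_protocols(arg):
    # Replay SSLProtocol tokens ('all', '+X', '-X', bare 'X') into the set of enabled versions.
    enabled = set()
    for tok in arg.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"} if name.lower() == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled

def weak_ciphers(cipher_string):
    # Expand the OpenSSL cipher string exactly as mod_ssl would (aliases such as HIGH or
    # !aNULL included) and report every suite that is anonymous, non-forward-secret or non-AEAD.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        return [f"cipher string rejected by OpenSSL: {exc}"]
    findings = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 suites are always AEAD with ephemeral key exchange
        if c.get("auth") == "auth-null":
            findings.append(f"{c['name']}: anonymous (unauthenticated) key exchange")
        if c.get("kea") not in ("kx-ecdhe", "kx-dhe"):
            findings.append(f"{c['name']}: no forward secrecy ({c.get('kea')})")
        if not c["aead"]:
            findings.append(f"{c['name']}: not AEAD (MAC {c.get('digest')})")
    return findings

def audit(config):
    # Check one Apache mod_ssl configuration against the rules above; returns a list of findings.
    proto = directive(config, "SSLProtocol") or "all -SSLv3"  # assumed Apache 2.4 default when unset
    findings = [f"protocol enabled: {p}" for p in sorted(enabled_protocols(proto) & BANNED_PROTOCOLS)]
    suites = directive(config, "SSLCipherSuite")
    if suites:
        findings += weak_ciphers(suites)
    if (directive(config, "SSLCompression") or "off").lower() == "on":
        findings.append("SSLCompression on (CRIME)")
    return findings
```

Run audit() over the text of the ssl.conf; an empty list means the configuration meets the rules above, and the Mozilla intermediate settings together with SSLCompression off pass clean.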
Test the hardened configuration using one of the following online test tools
Add Certification Authority Authorization (CAA) DNS records to the domain's DNS zone to define which CAs are permitted to issue certificates for it.