SSL Ciphers

Strong Ciphers for Nginx, Apache and more.

Maintaining a set of strong ciphers for your web server, whether you’re running Nginx or Apache (httpd), is an important step in hardening it. The default settings of most applications are not secure, and Nginx and Apache are no exception. Restricting the ciphers they support may mean that older browsers can no longer connect, but this is rarely a problem.

Nginx

# Don't use TLSv1 if PCI compliance is required.
# TLSv1.3 may not be available with your version of nginx / openssl.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
# Use the server's cipher list instead of the client's.
ssl_prefer_server_ciphers on;
# Preferred suites first; the trailing "!" rules permanently exclude the named
# algorithms (so the RC4 entry earlier in the list never takes effect).
# This list governs TLSv1.2 and below only; TLSv1.3 suites are fixed by OpenSSL.
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
# Custom DH parameters for the EDH (DHE) suites; generated below.
ssl_dhparam /etc/ssl/dhparam.pem;

Apache

# Only HIGH-strength suites, excluding unauthenticated (aNULL) and MD5-based ones.
SSLCipherSuite HIGH:!aNULL:!MD5
# Custom DH parameters for the DHE suites; generated below.
SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"
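To see what these two cipher strings actually resolve to, here is an added example (not from the original page) that feeds both strings through Python's ssl module, which uses the same OpenSSL cipher-list parser as Nginx and Apache, and flags any suite a hardened list should exclude; it also lists suites without forward secrecy, which the trailing HIGH keyword can append as low-priority fallbacks. The function names and the FORBIDDEN token list are my own; the result depends on the OpenSSL build Python is linked against.

```python
"""Expand the page's OpenSSL cipher strings offline and audit the result."""
import ssl

# Cipher strings copied from the Nginx and Apache configs above.
NGINX_CIPHERS = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
    "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH "
    "!RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
)
APACHE_CIPHERS = "HIGH:!aNULL:!MD5"

# Substrings of OpenSSL cipher names that a hardened list should never contain
# (my own policy; OpenSSL spells 3DES as "DES-CBC3" and export suites as "EXP-").
FORBIDDEN = ("RC4", "DES-CBC3", "MD5", "NULL", "EXP-", "PSK", "SRP", "DSS")


def expand(cipher_string):
    """Return the TLS <= 1.2 cipher names OpenSSL derives from cipher_string,
    in server preference order. TLS 1.3 suites are dropped because they are
    fixed by OpenSSL and not governed by ssl_ciphers / SSLCipherSuite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def violations(cipher_string):
    """Suites in the expansion whose name matches a FORBIDDEN token."""
    return [c for c in expand(cipher_string) if any(t in c for t in FORBIDDEN)]


def without_forward_secrecy(cipher_string):
    """Suites using a static key exchange (no ECDHE/DHE prefix); a trailing
    HIGH keyword appends these after the ephemeral suites as fallbacks."""
    return [c for c in expand(cipher_string)
            if not c.startswith(("ECDHE-", "DHE-"))]


if __name__ == "__main__":
    for label, s in (("nginx", NGINX_CIPHERS), ("apache", APACHE_CIPHERS)):
        ordered = expand(s)
        print(f"{label}: {len(ordered)} suites, first = {ordered[0]}")
        print(f"  forbidden: {violations(s)}")
        print(f"  no forward secrecy: {without_forward_secrecy(s)}")
```

Run it on the machine that serves TLS (or one with the same OpenSSL version) so the expansion reflects the server's actual library.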

Generating dhparam.pem

# 4096-bit parameters can take several minutes to generate.
openssl dhparam -out /etc/ssl/dhparam.pem 4096