Cipher Suites in OpenSSL 1.1.1 through OpenSSL 3.0.15 for TLSv1.3
Guide to configuring secure Cipher Suites for OpenSSL 1.1.1 through 3.0+ to ensure strong encryption and compatibility.
TLS 1.3 Ciphers
In TLS 1.3, cipher suites are simplified and generally secure by default. You often don't need to configure them explicitly, but if you do:
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
TLS 1.2 Ciphers (Legacy Compatibility)
For TLS 1.2, you must carefully select ciphers to avoid weak ones (like CBC, RC4, 3DES).
Recommended String (Mozilla Intermediate):
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
Breakdown of a Strong Cipher
Example: ECDHE-RSA-AES256-GCM-SHA384
- ECDHE: Key Exchange (Elliptic Curve Diffie-Hellman Ephemeral) - Provides Forward Secrecy.
- RSA: Authentication (Certificate type).
- AES256: Encryption Algorithm (Strong).
- GCM: Mode of Operation (Galois/Counter Mode) - Authenticated encryption.
- SHA384: Hashing Algorithm for HMAC.
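The breakdown above can be applied mechanically to every suite in a cipher string. The following Python is an added example (not part of the original guide) that splits an OpenSSL suite name into the same five fields and flags the properties the TLS 1.2 section says to avoid: static RSA key exchange (no forward secrecy), CBC or RC4 stream modes (not AEAD), 3DES, MD5 and export suites. It also recognises the TLS 1.3 `TLS_*` names, which are always forward secret and AEAD. The suite names used as sample input are the ones from this guide plus a few well-known legacy names; the parsing rules are OpenSSL's naming convention, not an OpenSSL API.

```python
from dataclasses import dataclass, field
from typing import List

# OpenSSL TLS 1.2 suite names are dash-separated tokens of the form
#   [kx-][auth-]cipher[-mode]-hash
# where a missing key-exchange token means static RSA key transport.
AUTH_TOKENS = {"RSA", "ECDSA", "DSS", "PSK"}
AEAD_MODES = {"GCM", "CCM", "CCM8", "POLY1305"}
HASH_TOKENS = {"SHA", "SHA256", "SHA384", "MD5"}
FORWARD_SECRET_KX = {"ECDHE", "DHE"}


@dataclass
class Suite:
    name: str
    kx: str
    auth: str
    enc: str
    mode: str
    hash: str            # HMAC hash for CBC suites; the handshake PRF hash for AEAD suites
    reasons: List[str] = field(default_factory=list)   # empty list means "acceptable"


def parse_suite(name: str) -> Suite:
    """Split one OpenSSL suite name into its components and record weaknesses."""
    if name.startswith("TLS_"):
        # TLS 1.3 names (TLS_AES_256_GCM_SHA384): key exchange and authentication are
        # negotiated separately, and every TLS 1.3 suite is ephemeral and AEAD.
        parts = name[4:].split("_")
        return Suite(name, "TLS1.3", "TLS1.3", parts[0] + parts[1], parts[2], parts[3])

    tokens = name.split("-")
    kx, auth, i = "RSA", "RSA", 0
    if tokens[0] in ("ECDHE", "DHE", "ECDH", "DH"):
        kx, i = tokens[0], 1
        if tokens[i] in AUTH_TOKENS:
            auth, i = tokens[i], i + 1
    elif tokens[0] in ("ADH", "AECDH"):
        kx, auth, i = tokens[0], "anon", 1

    # CHACHA20-POLY1305 names omit the hash token; the PRF hash is SHA256.
    if tokens[-1] in HASH_TOKENS:
        hash_, body = tokens[-1], tokens[i:-1]
    else:
        hash_, body = "SHA256", tokens[i:]

    if body[-1] in AEAD_MODES:
        enc, mode = "-".join(body[:-1]), body[-1]
    elif body[-1] == "CBC3":          # DES-CBC3-SHA is Triple DES in CBC mode
        enc, mode = "3DES", "CBC"
    elif body == ["RC4"]:
        enc, mode = "RC4", "STREAM"
    else:                             # no mode token means CBC in OpenSSL names
        enc, mode = "-".join(body), "CBC"

    suite = Suite(name, kx, auth, enc, mode, hash_)
    if kx not in FORWARD_SECRET_KX:
        suite.reasons.append("no forward secrecy (key exchange %s)" % kx)
    if auth == "anon":
        suite.reasons.append("anonymous: no server authentication")
    if mode not in AEAD_MODES:
        suite.reasons.append("not AEAD (%s mode)" % mode)
    if enc in ("3DES", "RC4") or "EXP" in tokens:
        suite.reasons.append("obsolete cipher %s" % enc)
    if hash_ == "MD5":
        suite.reasons.append("MD5 HMAC")
    return suite


def audit_cipher_string(cipher_string: str) -> dict:
    """Return {suite name: reasons} for every suite in a colon-separated string
    that fails the checks; an empty dict means the whole string passes."""
    problems = {}
    for name in cipher_string.split(":"):
        suite = parse_suite(name)
        if suite.reasons:
            problems[name] = suite.reasons
    return problems


if __name__ == "__main__":
    # Constructed sample: the guide's recommended string plus two legacy suites.
    sample = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:"
              "DHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA")
    for name, reasons in audit_cipher_string(sample).items():
        print(name, "->", "; ".join(reasons))
```

Running it over a candidate `SSLCipherSuite` or `ssl_ciphers` value before deploying it shows which entries would reintroduce the weaknesses the section warns about.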
Configuration Examples
Apache
Edit /etc/apache2/mods-enabled/ssl.conf:
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
SSLSessionTickets off
Nginx
Edit /etc/nginx/nginx.conf or site config:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
Testing Your Configuration
After applying changes and restarting your server, test it:
- Use the openssl command:
  openssl s_client -connect yourdomain.com:443 -cipher "ECDHE-RSA-AES256-GCM-SHA384"
- Use Qualys SSL Labs: https://www.ssllabs.com/ssltest/ - Aim for an "A" rating.
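Before testing the live server, it is worth checking what the cipher string actually expands to on the OpenSSL build the server is linked against, since the string is a pattern and the resulting list differs between OpenSSL versions. The following Python is an added example, not from the original guide: it hands the string to the OpenSSL linked into the local Python through the standard `ssl` module, lists the TLS 1.2 suites OpenSSL selects, and checks OpenSSL's own per-suite metadata (`aead` flag and key-exchange algorithm) instead of relying on the suite name. The cipher string is the guide's recommended one; the weak string used for comparison is constructed for the example.

```python
import ssl

# The guide's Mozilla Intermediate string, used here as the input under test.
INTERMEDIATE = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
                "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384")


def expand_cipher_string(cipher_string):
    """Return the TLS 1.2 suites the local OpenSSL selects for a cipher string.

    set_ciphers() applies the same OpenSSL cipher-string grammar that Apache's
    SSLCipherSuite and nginx's ssl_ciphers use; it raises ssl.SSLError when no
    suite matches. TLS 1.3 suites are listed by get_ciphers() regardless of the
    string, so they are filtered out here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_local(cipher_string):
    """Map each selected suite that fails the checks to its list of reasons.

    'aead' and 'kea' come from OpenSSL's cipher description: kea is reported
    as kx-ecdhe / kx-dhe for ephemeral Diffie-Hellman and kx-rsa for static RSA.
    """
    problems = {}
    for c in expand_cipher_string(cipher_string):
        reasons = []
        if not c["aead"]:
            reasons.append("not AEAD (CBC or stream mode)")
        if "dh" not in str(c["kea"]).lower():
            reasons.append("no forward secrecy (key exchange %s)" % c["kea"])
        if reasons:
            problems[c["name"]] = reasons
    return problems


if __name__ == "__main__":
    print("Linked OpenSSL:", ssl.OPENSSL_VERSION)
    for c in expand_cipher_string(INTERMEDIATE):
        print("%-32s %-10s %-8s aead=%s" % (c["name"], c["kea"], c["auth"], c["aead"]))
    print("Problems:", audit_local(INTERMEDIATE) or "none")
    # Constructed weak string for comparison: static RSA key exchange, CBC, SHA-1.
    print("Problems in AES128-SHA:", audit_local("AES128-SHA"))
```

Run this on the server host itself (or in the same container image), because the expansion reflects the OpenSSL version and security level the server process will actually use; the `openssl s_client` test above then confirms the negotiated result over the network.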