Do's and Don'ts
What should you do and what shouldn't you do?
DO'S
Start with a clean installation of your server and install the updates.
1. Make a backup.
2. Keep a log of changes after the backup.
3. Back to 1. etc...
Always make changes one at a time and check after each change whether everything is working correctly.
DON'TS
- Making too many changes at once. (Read: more than 1)
  This way you won't be able to figure out which change caused a problem if something goes wrong.
- Skipping steps.
  Sometimes things need to change in an exact order. If you deviate from this, it won't work properly, will fail, or worse.
- Making changes that cause your website or webserver to become unreachable.
  Not convenient, but you might learn something from it.
Good luck!!
And One More Thing
Use Only TLSv1.2 and TLSv1.3
TLSv1.2 has existed since 2008 and all browsers after 2012 support it. TLSv1.3 is the latest version and is supported by Mozilla Firefox and Google Chrome.
Cipher Suites
For TLSv1.2
In Apache
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-RSA-AES256-SHA
In IIS 10
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
For TLSv1.3
Edit the configuration file:
nano /etc/openssl/openssl.conf
Add at the bottom:
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
This does not conform to RFC 8446 Section 9.1, which states:
"A TLS-compliant application MUST implement the TLS_AES_128_GCM_SHA256 cipher suite"
In practice, however, a TLS handshake does not need the TLS_AES_128_GCM_SHA256 cipher suite. By setting aside this requirement of RFC 8446 Section 9.1, TLSv1.3 can also meet the requirement of AES256 encryption.
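One way to check the result after each change, as an added example that is not part of the original page: a shell function that reads [system_default_sect] from an OpenSSL configuration file and reports every value that differs from the settings above. The function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample files below are constructed.
# Print the value of KEY in [SECTION] of FILE (last assignment wins).
conf_get() {
    awk -v sect="[$2]" -v key="$3" '
        { sub(/\r$/, ""); sub(/[ \t]*#.*$/, "") }         # strip CR and comments
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); cur = $0; next } # "[ name ]" -> "[name]"
        cur == sect && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Return 0 only if FILE matches the values set on this page.
audit_tls_defaults() {
    rc=0
    min=$(conf_get "$1" system_default_sect MinProtocol)
    suites=$(conf_get "$1" system_default_sect Ciphersuites)
    case $min in
        TLSv1.2|TLSv1.3) ;;
        *) echo "FAIL: MinProtocol='$min' is not TLSv1.2 or TLSv1.3"; rc=1 ;;
    esac
    [ -n "$suites" ] || { echo "FAIL: Ciphersuites not set"; rc=1; }
    old_ifs=$IFS; IFS=:
    for s in $suites; do
        case $s in
            TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256) ;;
            *) echo "FAIL: suite not on this page's TLSv1.3 list: $s"; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/good.cnf" <<'EOF'
[ system_default_sect ]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
EOF
cat > "$tmp/weak.cnf" <<'EOF'
[system_default_sect]
MinProtocol = TLSv1.1
Ciphersuites = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
EOF
audit_tls_defaults "$tmp/good.cnf" && echo "good.cnf: OK"
audit_tls_defaults "$tmp/weak.cnf" || echo "weak.cnf: NOT OK"
```

Run it against the file you edited and record the output in your change log next to the change that produced it.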
