Blog | G5 Cyber Security

TLS 1.2 & Specific Cipher Setup

TL;DR

This guide shows how to restrict a web server to TLS 1.2 and one explicitly chosen cipher suite. Apache with mod_ssl is the worked configuration example, and OpenSSL's s_client is used to verify the result from the outside.

Setting up TLS 1.2 & a Specific Cipher Suite

  1. Understand the Risks: SSLv3, TLS 1.0 and TLS 1.1 have known weaknesses (POODLE against SSLv3, and no AEAD cipher suites at all in TLS 1.0/1.1), and TLS 1.0 and 1.1 are formally deprecated by RFC 8996. Accepting only TLS 1.2 or higher is current best practice, and the cipher suites you allow matter as much as the protocol version.
    • Cipher Suites: These define the algorithms used for key exchange, authentication, bulk encryption and integrity (and, in TLS 1.2, the PRF hash).
    • Example Cipher Suite: `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`. That is the IANA name; OpenSSL, and therefore Apache and nginx, spell the same suite `ECDHE-RSA-AES256-GCM-SHA384`, and that is the form configuration files expect. It gives forward secrecy (ECDHE), an AEAD cipher (AES-256-GCM) and an RSA-authenticated handshake, so it is a strong choice, but check current recommendations (for example Mozilla's server-side TLS guidance) before copying it.
  2. Check Current TLS Version & Ciphers: Before making changes, see what your server currently negotiates.

    Use OpenSSL to connect to your server and display the negotiated version and cipher. Pass -servername so a name-based virtual host serves the right certificate, and redirect stdin so the session closes after the handshake instead of waiting for input:

    openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null

    Look in the SSL-Session block of the output for lines like:

    • Protocol  : TLSv1.2 (the TLS version that was negotiated)
    • Cipher    : ECDHE-RSA-AES256-GCM-SHA384 (the negotiated cipher suite; a refused handshake shows Cipher : 0000 here)

    A single connection only shows the best the two sides agreed on, not everything the server still accepts. To find out whether an old version is enabled, force it on the client side with -tls1, -tls1_1, -tls1_2 or -tls1_3 and see whether the handshake succeeds.
  3. Configure Apache mod_ssl (Example): The directives below are Apache's; they hand an OpenSSL protocol list and cipher string to mod_ssl. (nginx uses ssl_protocols and ssl_ciphers for the same purpose.)
    1. Create/Edit Configuration File: On Debian/Ubuntu the site file lives under /etc/apache2/sites-available/ (for example yourdomain.conf); on RHEL-style systems the TLS settings are usually in /etc/httpd/conf.d/ssl.conf.
    2. Add TLS Version Directive: Force TLS 1.2 only. Note the dot in the version name; TLSv1_2 with an underscore is rejected by Apache as an illegal protocol name.
      SSLProtocol -all +TLSv1.2
    3. Specify Cipher Suite: List the ciphers you want to allow, in OpenSSL notation and colon-separated. Order matters once you list more than one (preferred ciphers first), and the server's order only wins over the client's if you also set SSLHonorCipherOrder on.
      SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384
      SSLHonorCipherOrder on
    4. Example Configuration Snippet:
      <VirtualHost *:443>
        ServerName yourdomain.com
        SSLEngine on
        SSLProtocol -all +TLSv1.2
        SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384
        SSLHonorCipherOrder on
        ... other configuration directives ...
      </VirtualHost>

    Two caveats. First, an IANA-style name such as TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 in SSLCipherSuite matches nothing in OpenSSL, so Apache fails to start with a "no cipher match" error. Second, -all +TLSv1.2 also switches off TLS 1.3; if your Apache (2.4.36 or later) is built against OpenSSL 1.1.1 or newer, +TLSv1.2 +TLSv1.3 is the better choice, and the TLS 1.3 suites are configured separately (SSLCipherSuite TLSv1.3 ...) rather than through the line above.
  4. Test Your Configuration: Check the syntax before you restart, and verify the live behaviour after.
    1. Syntax Check: apachectl configtest (apache2ctl -t on Debian/Ubuntu; nginx -t for nginx) catches a misspelled protocol name or an unmatched cipher string before the service goes down.
    2. Use OpenSSL to Verify: After the restart in step 5, connect as before and confirm the Protocol and Cipher lines show TLSv1.2 and ECDHE-RSA-AES256-GCM-SHA384. Then prove the old versions are really gone by forcing them from the client side; the first command must fail and the second must succeed:
      openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -tls1_1 </dev/null
      openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -tls1_2 </dev/null
      A recent OpenSSL client may refuse to offer TLS 1.0/1.1 at its default security level; if so, add -cipher 'DEFAULT:@SECLEVEL=0' to the probing command so that the failure you observe comes from the server, not from your own client.
    3. Online SSL Testing Tools: Use a service such as SSL Labs for an external report that also covers the certificate chain, protocol downgrade behaviour and known-weak ciphers.
  5. Restart Your Server: After the syntax check passes, reload or restart the web server to apply the change (a reload keeps existing connections open; a restart drops them).

    The command and the service name vary with the operating system and web server.

    • Apache: sudo systemctl restart apache2 (Debian/Ubuntu) or sudo systemctl restart httpd (RHEL, Fedora and derivatives)
    • Nginx: sudo systemctl restart nginx
  6. Monitor & Update: Cyber security is ongoing.
    • Regularly review your configuration.
    • Keep OpenSSL and your web server updated to the latest versions.
    • Stay informed about new vulnerabilities and best practices for TLS and cipher suites.
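The checks from steps 2 and 4, written as a script so they can be re-run every time the configuration changes. This is an added example, not code from the original guide. It assumes openssl is in PATH and that the host you pass (yourdomain.com is a placeholder) serves TLS on port 443; the s_client transcript embedded at the top is constructed and is only used when no host is given.

```shell
#!/bin/sh
# tls_probe.sh: force each TLS version in turn against a host and report what
# the server agreed to, and sanity-check a cipher string for the local OpenSSL.
# Added example, not part of the original guide. "yourdomain.com" is a placeholder.
set -u

# Constructed (abridged) sample of what "openssl s_client" prints after a
# successful TLS 1.2 handshake. Used only when the script is run without a host.
SAMPLE_OK='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5E2F...
'

# Pull the negotiated protocol and cipher out of s_client's SSL-Session block.
# Prints "<protocol> <cipher>", or "none" when no session was established:
# a refused handshake still prints the block, but with "Cipher    : 0000".
parse_sclient() {
    out="$1"
    proto=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1)
    if [ -z "$proto" ] || [ -z "$cipher" ] || [ "$cipher" = "0000" ]; then
        echo none
    else
        echo "$proto $cipher"
    fi
}

# Force one protocol version (flag is -tls1, -tls1_1, -tls1_2 or -tls1_3) and
# report the result. Needs network access and openssl in PATH. SECLEVEL=0 keeps
# a modern OpenSSL client from refusing to offer TLS 1.0/1.1 itself, so "none"
# here means the server rejected that version, which is the result we want.
probe_version() {
    host="$1"; flag="$2"
    out=$(openssl s_client -connect "$host:443" -servername "$host" \
              -cipher 'DEFAULT:@SECLEVEL=0' "$flag" </dev/null 2>/dev/null) || true
    parse_sclient "$out"
}

# Exit 0 if the local OpenSSL understands the cipher string, 1 otherwise. Run it
# on the value you intend to put in SSLCipherSuite / ssl_ciphers: the OpenSSL
# name ECDHE-RSA-AES256-GCM-SHA384 passes, the IANA spelling does not.
cipher_string_ok() {
    openssl ciphers "$1" >/dev/null 2>&1
}

# A TLS 1.2-only server with a single suite should print "none" for every row
# except -tls1_2, and that row should name the configured cipher.
report() {
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_version "$1" "$flag")"
    done
}

if [ -n "${1-}" ]; then
    report "$1"
else
    echo "sample transcript: $(parse_sclient "$SAMPLE_OK")"
fi
```

Run it as ./tls_probe.sh yourdomain.com after the restart in step 5. For the configuration in step 3 the expected output is none for -tls1, -tls1_1 and -tls1_3, and TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 for -tls1_2; a -tls1_3 row that shows a TLS_AES_* suite means TLS 1.3 is still on, which is fine if that was intended.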