
Secure TLS Configuration

A correctly configured TLS setup ensures that the content your users receive from your web application cannot be tampered with or eavesdropped on. Learn here how to secure your TLS configuration.

Security Assessment

The assessment values depend on the specific cipher suite in use. For the exact value of each cipher suite, see the table below.

[Figure: Security Assessment of the TLS Configuration]

CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

[Table: Security Assessment per TLS cipher suite]

Vulnerability Information

A correctly configured TLS setup ensures that the content your users receive from your web application cannot be tampered with or eavesdropped on. In your SSL/TLS configuration, set the allowed protocol versions and cipher suites to recent, secure values. If in doubt, consult the TLS configuration recommendations published by Mozilla or use the SSL Config Generator.

Guides

Configure the SSL/TLS encryption for your web server based on the guides below. Also make sure that you use strong, trusted certificates as described in Configure Trusted Certificates.

Apache

With Apache, the SSL/TLS configuration is stored in /etc/apache2/mods-enabled/ssl.conf. If you use Let's Encrypt, it may instead reside in /etc/letsencrypt/options-ssl-apache.conf. To allow only cipher suites with strong encryption and recent protocol versions, set:

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder on
SSLCompression off

Then reload the Apache server configuration.

Note that this restricts the cipher suites and protocol versions to recent TLS versions, which might exclude users with older browsers.

Nginx

For Nginx, update the configuration file, which is usually located at /etc/nginx/nginx.conf, /etc/nginx/sites-enabled/yoursite.com (Ubuntu / Debian) or /etc/nginx/conf.d/nginx.conf (RHEL / CentOS). Add the following directives to the server block:

ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_prefer_server_ciphers on;

Then restart the Nginx server.

Note that this restricts the cipher suites and protocol versions to recent TLS versions, which might exclude users with older browsers.
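As an added example (not the article's own code), here is a small Python lint that reads the Apache or Nginx directives from the two guides above and flags what they tell you to remove: legacy protocol versions, TLS compression, client-chosen cipher order, and cipher suites without ECDHE or AEAD. The sample configurations are constructed, and the expansion of Apache's `all` keyword is an assumption.

```python
# Static lint for the Apache / Nginx TLS directives from the guide (added example,
# not the article's own code; sample configs below are constructed).
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # versions the guide disables
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # mod_ssl "all" (assumed)

def apache_protocols(value):
    """Expand an SSLProtocol value such as 'all -SSLv3 -TLSv1' into the enabled set."""
    enabled = set()
    for tok in value.split():
        if tok.lower() == "all":
            enabled |= APACHE_ALL
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled

def audit(config_text):
    """Return findings for an Apache or Nginx TLS snippet; an empty list means clean."""
    findings, protocols, ciphers = [], set(), []
    for raw in config_text.splitlines():
        parts = raw.strip().rstrip(";").split(None, 1)  # "directive value"
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip().strip("'\"")
        if key == "sslprotocol":
            protocols = apache_protocols(value)
        elif key == "ssl_protocols":
            protocols = set(value.split())
        elif key in ("sslciphersuite", "ssl_ciphers"):
            ciphers = [c for c in value.split(":") if c]
        elif key == "sslcompression" and value.lower() != "off":
            findings.append("TLS compression is not disabled")
        elif key in ("sslhonorcipherorder", "ssl_prefer_server_ciphers") and value.lower() != "on":
            findings.append(f"{parts[0]} is not on: the client picks the cipher suite")
    for p in sorted(protocols & LEGACY_PROTOCOLS):
        findings.append(f"legacy protocol enabled: {p}")
    for c in ciphers:
        if not c.startswith("ECDHE-"):          # no forward secrecy
            findings.append(f"cipher without forward secrecy: {c}")
        elif "GCM" not in c and "CHACHA20" not in c:  # CBC suite, not AEAD
            findings.append(f"non-AEAD (CBC) cipher: {c}")
    return findings

# Constructed samples: a weak Apache config and the guide's hardened Nginx directives.
WEAK_APACHE = "SSLProtocol all -SSLv3\nSSLCipherSuite AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256\nSSLCompression on\n"
HARDENED_NGINX = "ssl_protocols TLSv1.2;\nssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305';\nssl_prefer_server_ciphers on;\n"
```

The lint only reads the file you point it at; verify the live endpoint separately, because the running server may load a different file than the one you edited.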

For more information about Crashtest Security visit crashtest-security.com