University of Glasgow - MyGlasgow - IT - Information Security

TLS hardening for Servers

Introduction

TLS (transport layer security, formerly known as SSL) helps improve security by encrypting data whilst in transit over the network. Over time, however, a number of flaws have been found in the cipher suites utilised, and in the protocol itself, and as a result, newer versions of the protocol and stronger ciphers have been introduced.

In order to fully benefit from the improvements, and ensure the flaws cannot be exploited, it's necessary to turn off the old / weak components on servers, because vendor-shipped default configurations are typically extremely slow at keeping up.

What needs done

New for 2017, 3DES is now considered a weak cipher and should be disabled.

IT Services currently recommends turning off:

SSLv2 protocol
SSLv3 protocol (so TLS1.0 or better must be used)
RC4 & 3DES ciphers
MD5 hash

We have found this strikes a sensible balance between blocking insecure protocols and ciphers, whilst still allowing older browsers, apps and devices to connect.

How to achieve it

Settings for common servers:

We use cookies

Necessary cookies

Analytics cookies

Hotjar and Clarity

TLS hardening for Servers

TLS hardening for Servers

Introduction

What needs done

How to achieve it