TLS hardening for Servers

TLS hardening for Servers


TLS (transport layer security, formerly known as SSL) helps improve security by encrypting data whilst in transit over the network. Over time, however, a number of flaws have been found in the cipher suites utilised, and in the protocol itself, and as a result, newer versions of the protocol and stronger ciphers have been introduced.

In order to fully benefit from the improvements, and ensure the flaws cannot be exploited, it's necessary to turn off the old / weak components on servers, because vendor-shipped default configurations are typically extremely slow at keeping up.

What needs done

New for 2017, 3DES is now considered a weak cipher and should be disabled.

IT Services currently recommends turning off:

  • SSLv2 protocol
  • SSLv3 protocol (so TLS1.0 or better must be used)
  • RC4 & 3DES ciphers
  • MD5 hash

We have found this strikes a sensible balance between blocking insecure protocols and ciphers, whilst still allowing older browsers, apps and devices to connect.

How to achieve it

Settings for common servers: