Skip to content

Recommended TLS/SSL Settings

Secure your infrastructure with modern, expert-recommended TLS/SSL configurations. Select an application below for production-ready settings, cipher suite recommendations, and step-by-step instructions.

Web Servers & Proxies

Databases

Message Brokers

Mail Servers

File Transfer

Communications & VPN

Infrastructure

DNS

TLS Concepts

General TLS Best Practices

Regardless of your server software, these principles apply to every TLS configuration:

  • Use TLS 1.2 and TLS 1.3 only: Disable SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1. These older protocols have known vulnerabilities and are deprecated by RFC 8996.
  • Use strong cipher suites: Only allow AEAD ciphers (AES-GCM, ChaCha20-Poly1305) with ECDHE key exchange for forward secrecy. Avoid CBC mode, RSA key exchange, and anything using SHA-1.
  • Enable HSTS: HTTP Strict Transport Security tells browsers to always use HTTPS, preventing protocol downgrade attacks.
  • Use valid certificates: Obtain certificates from a trusted certificate authority. Let's Encrypt provides free, automated certificates.
  • Enable OCSP stapling: Improves TLS handshake performance and privacy by stapling the certificate revocation status directly to the connection.
  • Serve IPv4 and IPv6: The configurations on this site bind dual-stack by default rather than silently listening on IPv4 only, so IPv6 clients are not left behind. Where a service cannot bind both families in a single instance, the guide notes the alternative.
  • Test your configuration: Use Qualys SSL Labs to verify your web server configuration achieves an A+ rating.