SSL Configuration Generator

Generate Mozilla-grade TLS cipher suites and secure SSL configurations for any engine.

SSL/TLS Settings

Core Settings

nginx-ssl.conf
Valid
1
0
Overall Score

Configuration Health

TLS analysis for Mozilla Intermediate profile.

Detailed Analysis

Best Practice Analysis

  • Do not use the 'Old' profile unless you absolutely must support legacy devices (e.g. IE8).
  • Ensure your certificate chain file contains the intermediates.
  • Use HSTS only when you are certain all subdomains support HTTPS.

Production Readiness

  • Cert Paths Provided
  • Valid Profile Selected

Overview

The SSL/TLS Configuration Generator produces highly secure, Mozilla-compliant server blocks for NGINX, Apache, and HAProxy.

Configuring SSL/TLS correctly is critical for passing compliance audits (PCI-DSS, HIPAA) and achieving an A+ on the Qualys SSL Labs test. The cryptographic landscape changes rapidly; older protocols like TLS 1.0 and TLS 1.1 are now deprecated, and many ciphers are vulnerable to attacks like POODLE or BEAST. This generator abstracts these complexities by providing Modern, Intermediate, and Old configurations based on the latest Mozilla Server Side TLS guidelines.

How It Works

1. Select Server Profile: Choose between NGINX, Apache, or HAProxy to generate the correct syntax for your specific web server.

2. Choose a Mozilla Profile: Select Modern (for clients released within the last 5 years), Intermediate (recommended general-purpose, supports older clients), or Old (if you must support legacy systems like Windows XP).

3. Configure Certificates: Provide the absolute file paths to your server certificate (the `.crt` or `.pem`) and your private key.

4. Advanced Security: Toggle features like Strict-Transport-Security (HSTS), OCSP Stapling, and HTTP/2 to maximize performance and security.

Best Practices

  • Use the **Intermediate** profile unless you have strict requirements to drop all traffic from older, yet still somewhat common, clients. Intermediate is considered the safest default for public-facing websites.
  • Enable OCSP Stapling (`ssl_stapling on;`). This allows your server to cache the certificate revocation status, saving the client's browser from having to make a slow, privacy-leaking request to the Certificate Authority.
  • Generate a strong Diffie-Hellman (DH) parameter file using `openssl dhparam -out dhparam.pem 2048` and reference it in your configuration. This hardens your server against Logjam attacks.
  • Always enable HTTP to HTTPS redirection globally to ensure no traffic is sent in plaintext.

Common Mistakes

  • Leaving TLS 1.0 or TLS 1.1 enabled. These protocols are officially deprecated by the IETF and will cause modern browsers to show a security warning.
  • Pointing the certificate directive to the wrong file. For NGINX and Apache 2.4.8+, you must use a 'Fullchain' certificate bundle that includes your site's certificate AND the intermediate certificates.
  • Enabling HSTS with `includeSubDomains` before testing. If you have subdomains that are not yet protected by SSL, enabling this directive will instantly break them for all users.

Security Recommendations

  • Implement a strict HSTS policy: `Strict-Transport-Security: max-age=63072000; includeSubDomains; preload`.
  • Use `ssl_prefer_server_ciphers on;`. This forces the client to respect your server's chosen cipher suite order, preventing attackers from forcing the use of weaker ciphers.
  • Ensure your private key (`.key` or `.pem`) has strict file permissions (`chmod 600`) and is owned by `root`.

Production Tips

  • Enable SSL Session Caching (`ssl_session_cache shared:SSL:10m;`). A 10MB cache can store roughly 40,000 sessions, drastically reducing the CPU overhead of full TLS handshakes for returning visitors.
  • Set `ssl_session_tickets off;` if you are using a multi-server setup behind a load balancer, as session tickets require synchronizing the ticket key across all servers to be effective securely.
  • Use HTTP/2 (or HTTP/3). HTTP/2 multiplexes multiple requests over a single TCP connection, significantly reducing latency compared to HTTP/1.1 over TLS.

Frequently Asked Questions

What is the difference between Modern and Intermediate profiles?
The Modern profile only supports TLS 1.3 and drops support for older browsers and operating systems (like older Androids or IE11). The Intermediate profile supports TLS 1.2 and 1.3, making it compatible with almost all devices in use today.
What is HSTS?
HTTP Strict Transport Security (HSTS) is a response header that tells the browser it must only communicate with your domain over HTTPS. Even if a user types `http://`, the browser will internally upgrade it before sending the request.
Why do I need a Diffie-Hellman (DH) parameter?
DH parameters dictate the strength of the key exchange process. Standard web servers often ship with weak 1024-bit defaults. Generating a custom 2048-bit or 4096-bit DH parameter ensures Perfect Forward Secrecy (PFS).

Related Generators