SSL/TLS Config Generator

Configure secure TLS profiles, cipher suites, and modern encryption standards for web servers.

HTTP Strict Transport Security (HSTS)

- Enforce HTTPS connections.

31536000 = 1 Year

- Improves performance and privacy by avoiding client requests to the CA.

Path to a 2048+ bit DH parameter file (not needed for Modern profile).

ssl-config.conf
1

SSL/TLS Hardening Guide

Configuring your web server's SSL/TLS settings correctly is critical to protecting data in transit. Outdated protocols and weak cipher suites expose your application to downgrade attacks, decryption, and interception.

Security Profiles

We base our configurations on the industry-standard [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/).

  • Modern: For services that don't need backward compatibility. Requires TLS 1.3 only.
  • Intermediate (Recommended): The sweet spot. Supports TLS 1.2 and TLS 1.3, providing excellent security while allowing nearly all modern browsers and clients to connect.
  • Old: Supports TLS 1.0 and 1.
  • DO NOT USE THIS unless you have a strict requirement to support obsolete systems (like Windows XP / IE8).
  • TLS 1.3 vs TLS 1.2

    TLS 1.3 is the newest standard. It removes support for outdated cryptography algorithms and reduces the handshake time, resulting in faster and more secure connections. In TLS 1.3, cipher suites are vastly simplified and you generally do not need to configure them manually.

    OCSP Stapling

    When a client connects to your server via HTTPS, it usually contacts your Certificate Authority (CA) to check if your certificate has been revoked. OCSP Stapling allows your server to periodically download this revocation status and "staple" it to the initial TLS handshake.

    This:

  • Improves Performance: The client doesn't have to make an extra DNS lookup and HTTP request to the CA.
  • Improves Privacy: The CA doesn't see which IP addresses are visiting your site.