Get stronger security and higher SSL score by installing TLS 1.3, HTTP/2 and Diffie-Hellman

Having stronger transport security is always better than not, and there is nothing to lose by enabling it. I believe Google may even rank your website higher for having stronger encryption.

This article provides instructions on how to enable TLS version 1.3 and HTTP/2 in NGINX, and how to generate and use your own Diffie-Hellman parameters for the DHE key exchange.

Also, as a bonus, we will specify an explicit list of cipher suites that we prefer to use.

This article assumes you are using Ubuntu 18.04 or above and NGINX 1.15 or above. TLS 1.3 additionally requires that NGINX is built against OpenSSL 1.1.1 or later; run nginx -V (capital V) and check the "built with OpenSSL" line before you start, because with an older library the TLSv1.3 setting below is silently ignored.

STEP 1 - CONFIGURING NGINX TO USE TLS 1.3

Add the following directive to the http block of /etc/nginx/nginx.conf (or to the server block of a single site) to allow TLS 1.3 and TLS 1.2 only. Listing just these two versions also disables TLS 1.0 and 1.1, so clients that only speak those legacy versions will no longer be able to connect.

ssl_protocols TLSv1.3 TLSv1.2;


STEP 2 - SPECIFY CIPHER SUITES USING EPHEMERAL ECDHE AND DHE KEY EXCHANGE

Cipher suites are restricted with the ssl_ciphers directive. Every entry below uses an ephemeral key exchange (EECDH is elliptic-curve Diffie-Hellman, EDH is finite-field Diffie-Hellman), which gives forward secrecy: a recorded session cannot be decrypted later even if the server's private key leaks.

ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

Two caveats. The three TLS13-* names at the front are the pre-release draft names; OpenSSL 1.1.1 and later ignore unknown names in this list, and the TLS 1.3 suites (TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256) are enabled regardless of ssl_ciphers, so those entries are harmless but have no effect (from NGINX 1.19.4 the TLS 1.3 list can be set with ssl_conf_command Ciphersuites if you need to). The last two groups, AES256+EECDH and AES256+EDH, also admit the AES-256-CBC suites for TLS 1.2 clients that lack GCM; drop them if you want AEAD-only suites.


STEP 3 - CONFIGURING NGINX TO USE HTTP/2

Enable HTTP/2 by adding the http2 parameter at the end of the listen directive for port 443 inside your nginx server block. Browsers only negotiate HTTP/2 over TLS (via ALPN), so the parameter belongs on the ssl listener. On NGINX 1.25.1 and later the listen parameter is deprecated in favour of a separate http2 on; directive, which does the same thing.

server {
    listen 80;
    listen 443 ssl http2;

    # A TLS listener also needs a certificate and key; the paths below are
    # placeholders for your own files.
    ssl_certificate     /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;
}





STEP 4 - GENERATE DIFFIE-HELLMAN PARAMETERS

Despite the wording in many guides, this is not a certificate: the file holds the public prime and generator that the DHE cipher suites from step 2 use for their key exchange. Generating a 4096-bit group is slow (anywhere from several minutes to well over an hour depending on the CPU), so run it once and keep the file.

cd /etc/ssl
openssl dhparam -out dhparams.pem 4096
chown root:root dhparams.pem
chmod 0644 dhparams.pem

The NGINX master process reads this file as root at startup, so it does not need to be owned by the worker user (www-data on Ubuntu's nginx package; the "nginx" group used in many guides does not exist on Ubuntu). The parameters are public values, so a world-readable file is fine.


STEP 5 - CONFIGURE NGINX TO USE DIFFIE-HELLMAN

Point NGINX at the file from step 4, in the same http or server block as the other ssl_ directives. Note that this file only affects the TLS 1.2 DHE (EDH) suites; TLS 1.3 negotiates its key-exchange group through the supported_groups extension and is unaffected by ssl_dhparam.

# Use Diffie-Hellman and DHE cipher suites
ssl_dhparam /etc/ssl/dhparams.pem;




Once all of the above steps have been performed, check the configuration syntax first with

nginx -t

and, if it reports "syntax is ok" and "test is successful", restart your NGINX server using

systemctl restart nginx

(systemctl reload nginx applies the new configuration without dropping open connections and is usually the better choice on a live server).
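Here is the whole procedure as one deploy script, added to this post as an example rather than taken from it. It renders the directives from steps 1, 2 and 5 into a snippet file that your server block can include, generates the step-4 parameters only if they do not already exist, and runs the syntax check before reloading. The snippet path /etc/nginx/snippets/tls.conf, the script name and the environment-variable overrides are assumptions; the dhparams path is the one used above.

```shell
#!/usr/bin/env bash
# deploy-tls.sh (assumed name): added example for this post, not the author's script.
# Renders the TLS snippet from steps 1, 2 and 5, generates the DH parameters from
# step 4 if missing, then checks and reloads NGINX. Run as root: ./deploy-tls.sh deploy
set -euo pipefail

SNIPPET=${SNIPPET:-/etc/nginx/snippets/tls.conf}   # assumed location of the snippet
DHPARAM=${DHPARAM:-/etc/ssl/dhparams.pem}          # path used in step 4
DH_BITS=${DH_BITS:-4096}

# Print the directives for an http{} or server{} context. The cipher string is
# the one from step 2; OpenSSL 1.1.1+ ignores the draft TLS13-* names, so only
# the TLS 1.2 part of it is effective and the TLS 1.3 suites stay enabled anyway.
render_tls_snippet() {
    local dhparam=$1
    cat <<EOF
# Generated by deploy-tls.sh; include it from a server block with: include snippets/tls.conf;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_dhparam $dhparam;
EOF
}

# Generate DH parameters once; the file holds public values, so root:root 0644 is
# enough (the master process reads it as root, and Ubuntu has no "nginx" group).
generate_dhparam() {
    local out=$1 bits=$2
    if [ -s "$out" ]; then
        echo "keeping existing $out" >&2
        return 0
    fi
    echo "generating $bits-bit DH parameters in $out; this can take a long time" >&2
    openssl dhparam -out "$out" "$bits"
    chown root:root "$out"
    chmod 0644 "$out"
}

deploy() {
    generate_dhparam "$DHPARAM" "$DH_BITS"
    mkdir -p "$(dirname "$SNIPPET")"
    render_tls_snippet "$DHPARAM" > "$SNIPPET"
    nginx -t                 # refuse to reload a broken configuration
    systemctl reload nginx   # picks up the new snippet without dropping connections
}

# Only act when asked to; sourcing the file just defines the functions.
if [ "${1:-}" = "deploy" ]; then
    deploy
fi
```

After running it, add include snippets/tls.conf; to each server block that has a listen 443 ssl http2; line. Keeping the directives in one included file means every virtual host gets the same protocol and cipher policy, and a later tightening (for example dropping the CBC groups) is a single edit followed by the same nginx -t and reload.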




Your server should now be using TLS 1.3, HTTP/2 and your own Diffie-Hellman parameters, which are the strongest TLS settings as of 5/11/19. Confirm it from outside with an external scanner such as Qualys SSL Labs, or from any shell with openssl s_client -connect yourhost:443 -tls1_3 (look for "New, TLSv1.3, Cipher is ...") and curl -I --http2 https://yourhost/ (the status line should start with HTTP/2).
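To make that check repeatable, here is a probe script added to this post (not the author's code). It forces each TLS version in turn with openssl s_client, checks that 1.3 and 1.2 are accepted and that 1.0 and 1.1 are refused, and checks that curl gets an HTTP/2 status line. The script name and the host argument are placeholders; the parsing helpers are kept separate from the network calls so they can be checked against a captured transcript.

```shell
#!/usr/bin/env bash
# verify-tls.sh (assumed name): added example for this post, not the author's code.
# Probes a host for the settings configured above. Needs a client-side openssl 1.1.1+
# (for -tls1_3) and a curl built with HTTP/2. Usage: ./verify-tls.sh example.com
set -uo pipefail

# Parse `openssl s_client` output on stdin and print "<protocol> <cipher>", e.g.
# "TLSv1.3 TLS_AES_256_GCM_SHA384". A refused handshake prints "(NONE) (NONE)".
negotiated() {
    sed -n -E 's/^New, ([^,]+), Cipher is (.+)$/\1 \2/p' | head -n 1
}

# Parse `curl -I` output on stdin and print the protocol of the status line, e.g. "HTTP/2".
http_version() {
    tr -d '\r' | head -n 1 | awk '{print $1}'
}

# Succeed only if the protocol on stdin (from negotiated) equals the wanted one.
# Empty input (connection refused, client-side failure) counts as "(NONE)".
expect() {
    local want=$1 got=''
    read -r got _ || true
    [ -n "$got" ] || got='(NONE)'
    [ "$got" = "$want" ]
}

# Force one protocol version (-tls1_3, -tls1_2, -tls1_1, -tls1) against host:443.
# Extra arguments are passed to s_client; SNI is set so the right vhost answers.
probe_tls() {
    local host=$1 flag=$2
    shift 2
    printf '' | openssl s_client -connect "$host:443" -servername "$host" "$flag" "$@" 2>/dev/null | negotiated
}

proto_name() {
    case $1 in
        -tls1_3) echo TLSv1.3 ;;
        -tls1_2) echo TLSv1.2 ;;
        -tls1_1) echo TLSv1.1 ;;
        -tls1)   echo TLSv1 ;;
    esac
}

verify_host() {
    local host=$1 rc=0 flag want
    for flag in -tls1_3 -tls1_2; do                 # must be accepted
        want=$(proto_name "$flag")
        if probe_tls "$host" "$flag" | expect "$want"; then
            echo "ok   $want negotiated"
        else
            echo "FAIL $want not negotiated"; rc=1
        fi
    done
    # Must be refused. OpenSSL 3.x clients refuse TLS 1.0/1.1 themselves at the
    # default security level, which would look like a server refusal, so lower it.
    for flag in -tls1_1 -tls1; do
        want=$(proto_name "$flag")
        if probe_tls "$host" "$flag" -cipher 'DEFAULT:@SECLEVEL=0' | expect '(NONE)'; then
            echo "ok   $want refused"
        else
            echo "FAIL $want still accepted"; rc=1
        fi
    done
    if [ "$(curl -sI --http2 "https://$host/" | http_version)" = "HTTP/2" ]; then
        echo "ok   HTTP/2 negotiated"
    else
        echo "FAIL HTTP/2 not negotiated"; rc=1
    fi
    return $rc
}

if [ -n "${1:-}" ]; then
    verify_host "$1"
fi
```

The script keys on the "New, <version>, Cipher is <suite>" line that s_client prints after a handshake; a refused version shows up as "New, (NONE), Cipher is (NONE)". A non-zero exit from verify_host therefore means at least one of the five expectations failed, which makes the script usable as a post-deploy check in a cron job or pipeline.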





