Best cipher suite

Hi, I'm planning to switch to Let's Encrypt on a separate VPS for my domain, but before I do, I wanted to set up the best cipher suites.

what is the appropriate cipher suite to set up in Nginx so that I only get the ciphers listed in green?
right now in my Nginx configuration, there's merely

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

and no cipher suite defined. (screenshot is from ssllabs for another domain hosted on my VPS already)

My domain is:

I ran this command: N/A

It produced this output: N/A

My web server is (include version): latest Nginx mainline

The operating system my web server runs on is (include version): Debian Sid

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.12.0

I think the industry-standard advice for what cipher suites one should enable is from Mozilla:

1 Like

yeah but I'm concerned because it drops support for a few clients

Well, I think they describe which clients each recommended configuration is compatible with. If you want older clients, though, you may need to enable some of the not-as-recommended cipher suites. I'm not quite sure what specific advice you're looking for here.

1 Like

That's a trade-off you'll have to make a personal decision on. Older clients tend to not support newer ciphers.

1 Like

I understand. Thanks for your help


Would be a great feature to build into clients! Automatically upgradable internals without actually requiring the user to update the software itself.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.