Best cipher suite

Hi, I'm planning to switch to Let's Encrypt on a separate VPS for my domain frbg.me, but before I do, I wanted to set up the best cipher suites.


What is the appropriate cipher suite to set up in Nginx so that I only get the ciphers listed in green?
Right now in my Nginx configuration, there's merely

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

and no cipher suite defined. (The screenshot is from SSL Labs for another domain already hosted on my VPS.)

My domain is: frbg.me

I ran this command: N/A

It produced this output: N/A

My web server is (include version): latest Nginx mainline

The operating system my web server runs on is (include version): Debian Sid

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.12.0

I think the industry-standard advice for what cipher suites one should enable is from Mozilla:

https://wiki.mozilla.org/Security/Server_Side_TLS

https://ssl-config.mozilla.org/


Yeah, but I'm concerned because it drops support for a few clients.

Well, I think they describe which clients each recommended configuration is compatible with. If you want older clients, though, you may need to enable some of the not-as-recommended cipher suites. I'm not quite sure what specific advice you're looking for here.


That's a trade-off you'll have to make a personal decision on. Older clients tend to not support newer ciphers.


I understand. Thanks for your help.


Would be a great feature to build into clients! Automatically upgradable internals without actually requiring the user to update the software itself.
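
An added example, not written by anyone in this thread: a small Python audit that reads the `ssl_ciphers` directive from Nginx configuration text and reports, for each TLS 1.2 suite name, why it would fall outside a strong set. It assumes "green" means ephemeral (EC)DHE key exchange plus an AEAD cipher; the sample configurations and all function names are constructed for illustration.

```python
import re

# Assumption: a suite counts as "green" when it has ephemeral (EC)DHE key
# exchange (forward secrecy) and an AEAD cipher (GCM, CCM or ChaCha20-Poly1305).
FS_PREFIXES = ("ECDHE-", "DHE-")
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20-POLY1305")
CONCRETE = re.compile(r"^[A-Z0-9]+(-[A-Z0-9]+)+$")  # e.g. ECDHE-RSA-AES128-GCM-SHA256

def extract_ssl_ciphers(conf_text):
    """Return the value of the first ssl_ciphers directive, or None if absent."""
    body = "\n".join(line.split("#", 1)[0] for line in conf_text.splitlines())
    m = re.search(r"(?<![\w])ssl_ciphers\s+([^;]+);", body)
    return m.group(1).strip().strip("'\"") if m else None

def problems(suite):
    """List the reasons a TLS 1.2 suite name falls outside the assumed 'green' set."""
    if not CONCRETE.match(suite):
        return ["keyword, expand with `openssl ciphers -v`"]
    found = []
    if not suite.startswith(FS_PREFIXES):
        found.append("no forward secrecy")
    if not any(marker in suite for marker in AEAD_MARKERS):
        found.append("not AEAD")
    return found

def audit(conf_text):
    """Map each configured suite to its problems; None means no explicit list."""
    value = extract_ssl_ciphers(conf_text)
    if value is None:
        return None  # nginx then uses its built-in default, HIGH:!aNULL:!MD5
    return {s: problems(s) for s in re.split(r"[:, ]+", value) if s}

# Constructed sample: the two directives from the question, no ssl_ciphers.
QUESTION_CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
"""

# Constructed sample: a mixed list that produces each verdict once.
MIXED_CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:HIGH;  # constructed
ssl_prefer_server_ciphers on;
"""

if __name__ == "__main__":
    print("question config:", audit(QUESTION_CONF))
    for suite, found in audit(MIXED_CONF).items():
        print(f"{suite:32} {'ok' if not found else ', '.join(found)}")
```

`ssl_ciphers` only governs TLS 1.2 and below; TLS 1.3 suites are negotiated separately, so they do not appear in this list.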
