This article was originally published on AI Study Room. For the full version with working code examples and related articles, visit the original post.

TLS Configuration Guide

TLS Configuration Guide

TLS Configuration Guide

TLS Configuration Guide

TLS Configuration Guide

TLS Configuration Guide

TLS Configuration Guide

TLS Configuration Guide

TLS Configuration Guide

Introduction

Transport Layer Security (TLS) is the foundation of secure internet communication. However, TLS is only as strong as its configuration. Weak cipher suites, outdated protocol versions, and missing security headers leave connections vulnerable to downgrade attacks, protocol flaws, and traffic interception.

Cipher Suites

A cipher suite defines the cryptographic algorithms used for key exchange, authentication, encryption, and message authentication.

Modern Nginx TLS configuration

server {

listen 443 ssl http2;

server_name example.com;

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;

ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Modern cipher suite selection

ssl_protocols TLSv1.2 TLSv1.3;

ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

ssl_prefer_server_ciphers off; # Let client negotiate for TLS 1.3

Modern key exchange

ssl_ecdh_curve X25519:prime256v1:secp384r1;

OCSP stapling

ssl_stapling on;

ssl_stapling_verify on;

resolver 1.1.1.1 8.8.8.8 valid=300s;

resolver_timeout 5s;

}

Cipher Suite Breakdown

ECDHE - Ephemeral Diffie-Hellman (forward secrecy)

ECDSA - Elliptic Curve Digital Signature Algorithm (authentication)

AES128 - AES with 128-bit key (symmetric encryption)

GCM - Galois/Counter Mode (authenticated encryption)

SHA256 - SHA-256 HMAC (integrity)

Deprecated Ciphers

NEVER use these

ssl_protocols SSLv3 TLSv1 TLSv1.1; # All broken

ssl_ciphers RC4:3DES:EXPORT:NULL; # Weak or broken

HSTS (HTTP Strict Transport Security)

HSTS instructs browsers to always connect via HTTPS, preventing SSL stripping attacks.

Strict HSTS for production

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

Explanation:

max-age=63072000 - 2 years in seconds

---

Read the full article on AI Study Room for complete code examples, comparison tables, and related resources.

Found this useful? Check out more developer guides and tool comparisons on AI Study Room.