Recommended TLS/SSL Settings

Secure your infrastructure with modern, expert-recommended TLS/SSL configurations. Select an application below for production-ready settings, cipher suite recommendations, and step-by-step instructions.

Web Servers & Proxies

Apache

The most widely deployed HTTP server.

Caddy

Modern web server with automatic HTTPS.

HAProxy

Reliable high-performance TCP/HTTP load balancer.

IIS

Microsoft web server for Windows Server.

Lighttpd

Lightweight and fast web server.

Nginx

High-performance web server and reverse proxy.

Squid

Caching proxy with HTTPS support.

Tomcat

Java servlet container and web server.

Databases

CockroachDB

Distributed SQL database built for scale.

Elasticsearch

Distributed search and analytics engine.

MariaDB

Community-developed MySQL fork.

MongoDB

Document-oriented NoSQL database.

MySQL

Popular open-source relational database.

PostgreSQL

Advanced open-source relational database.

Redis

In-memory data store and cache.

Message Brokers

Kafka

Distributed event streaming platform.

RabbitMQ

Widely deployed open-source message broker.

Mail Servers

Dovecot

Secure IMAP and POP3 mail server.

Postfix

High-performance SMTP mail server.

File Transfer

ProFTPD

Highly configurable FTP/FTPS server.

vsftpd

Secure and fast FTP server for Linux.

Communications & VPN

Asterisk

Open-source PBX and communications platform.

OpenSSH

Secure remote access and file transfer.

OpenVPN

Full-featured open-source VPN solution.

Infrastructure

Docker

Container runtime and platform.

Grafana

Open-source monitoring and dashboards.

Node.js

JavaScript runtime with built-in TLS.

OpenLDAP

Open-source LDAP directory server.

Vault

HashiCorp secrets management platform.

DNS

BIND

The most widely used DNS server.

PowerDNS

Authoritative DNS with built-in DNSSEC.

General TLS Best Practices

Regardless of your server software, these principles apply to every TLS configuration:

  • Use TLS 1.2 and TLS 1.3 only — Disable SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1. These older protocols have known vulnerabilities and are deprecated by RFC 8996.
  • Use strong cipher suites — Only allow AEAD ciphers (AES-GCM, ChaCha20-Poly1305) with ECDHE key exchange for forward secrecy. Avoid CBC mode, RSA key exchange, and anything using SHA-1.
  • Enable HSTS — HTTP Strict Transport Security tells browsers to always use HTTPS, preventing protocol downgrade attacks.
  • Use valid certificates — Obtain certificates from a trusted certificate authority. Let's Encrypt provides free, automated certificates.
  • Enable OCSP stapling — Improves TLS handshake performance and privacy by stapling the certificate revocation status directly to the connection.
  • Test your configuration — Use Qualys SSL Labs to verify your web server configuration achieves an A+ rating.