TLS/SSL Configuration Best Practices: Securing Data in Transit
Whitespots Team · Tags: tls, ssl, https, encryption
Introduction
Proper TLS/SSL configuration is essential for protecting data in transit. A misconfigured server (legacy protocol versions, non-AEAD or non-forward-secret cipher suites, a missing HSTS policy, an incomplete certificate chain) exposes communications to passive interception, downgrade and man-in-the-middle (MITM) attacks. This guide covers modern TLS configuration for Nginx, Apache and Node.js, certificate automation with Let's Encrypt, and expiry monitoring.
Nginx TLS Configuration
```nginx
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;

    # Certificates: fullchain.pem = leaf + intermediates, chain.pem = intermediates only
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    ssl_trusted_certificate /path/to/chain.pem;   # required for ssl_stapling_verify

    # Protocols - only TLS 1.2 and 1.3 (SSLv3, TLS 1.0 and TLS 1.1 are simply not listed)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Ciphers - TLS 1.2 AEAD suites with (EC)DHE key exchange only.
    # This directive does not control TLS 1.3 suites; those are fixed by OpenSSL.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    # The DHE suites above are only offered if explicit parameters are configured
    # (nginx >= 1.11.0 ships none); generate them with: openssl dhparam -out /path/to/dhparam.pem 2048
    ssl_dhparam /path/to/dhparam.pem;

    # Key-exchange groups. X25519 and P-256 are what nearly all clients offer first;
    # listing only secp384r1 forces a slower curve and breaks clients that lack it.
    ssl_ecdh_curve X25519:prime256v1:secp384r1;

    # Session resumption: server-side cache only. Tickets are disabled because nginx
    # does not rotate the ticket key, so a leaked key would undo forward secrecy.
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;   # prefer a local resolver if one is available
    resolver_timeout 5s;

    # Security headers. Keep "preload" only if you will submit the domain to hstspreload.org;
    # includeSubDomains forces HTTPS on every subdomain, so check them first.
    # Note: a location that defines its own add_header inherits none of these.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;

    location / {
        proxy_pass http://backend;   # requires an "upstream backend { ... }" block
    }
}

# Redirect HTTP to HTTPS ($server_name rather than $host avoids reflecting the Host header)
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}
```
Apache TLS Configuration
```apache
# SSLStaplingCache is only valid in the server-wide context, not inside a <VirtualHost>
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    # fullchain.pem already contains the leaf and the intermediates, so the separate
    # SSLCertificateChainFile directive (deprecated since 2.4.8) is not needed.
    SSLCertificateFile /path/to/fullchain.pem
    SSLCertificateKeyFile /path/to/privkey.pem

    # Protocols (TLSv1.3 requires Apache 2.4.36+ built against OpenSSL 1.1.1+)
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder on

    # Ciphers for TLS 1.2; TLS 1.3 suites are set separately with "SSLCipherSuite TLSv1.3 ..."
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLOpenSSLConfCmd Curves X25519:prime256v1:secp384r1

    # Session tickets off for the same forward-secrecy reason as in the Nginx example
    SSLSessionTickets off

    # OCSP Stapling
    SSLUseStapling on

    # HSTS (requires mod_headers)
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>
```
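Once either server is deployed, verify the result from the outside instead of trusting the config file: a version that is still accepted, a missing staple or a weak HSTS header only shows up on the wire. The script below is an added example for this article (not from the Whitespots post, nginx or Apache). It assumes `openssl` and `curl` are installed and that the target is reachable; the `TLS_AUDIT_HOST` variable and the `example.com` default are placeholders. The parsing and policy live in small functions so they can be exercised without network access.

```bash
#!/usr/bin/env bash
# Post-deploy TLS verification with openssl s_client and curl (added example).

# Read `openssl s_client` output on stdin; succeed only if a handshake completed.
# A refused protocol version prints "New, (NONE), Cipher is (NONE)" instead.
handshake_ok() {
  grep -Eq '^New, (TLS|SSL)v[0-9.]+, Cipher is [A-Za-z0-9_-]+$'
}

# Read `openssl s_client -status` output on stdin; succeed if the server stapled
# an OCSP response (the unstapled case prints "OCSP response: no response sent").
staple_present() {
  grep -q 'OCSP Response Status: successful'
}

# Policy: legacy versions must be refused, modern ones accepted.
# Usage: judge_protocol <tls1|tls1_1|tls1_2|tls1_3> <accepted|rejected>
judge_protocol() {
  case "$1:$2" in
    tls1:rejected|tls1_1:rejected|tls1_2:accepted|tls1_3:accepted) return 0 ;;
    *) return 1 ;;
  esac
}

# Validate a Strict-Transport-Security header value: max-age of at least one
# year and includeSubDomains, which is also what the preload list requires.
hsts_ok() {
  local lower max_age
  lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  max_age=$(printf '%s' "$lower" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  [ -n "$max_age" ] || return 1
  [ "$max_age" -ge 31536000 ] || return 1
  case "$lower" in
    *includesubdomains*) return 0 ;;
    *) return 1 ;;
  esac
}

# Attempt one handshake pinned to a single protocol version and print the outcome.
# OpenSSL 3 clients refuse TLS 1.0/1.1 themselves at the default security level,
# which would make a permissive server look compliant, so those probes use SECLEVEL=0.
probe_protocol() {
  local host=$1 port=$2 proto=$3 extra=''
  case "$proto" in tls1|tls1_1) extra='-cipher DEFAULT:@SECLEVEL=0' ;; esac
  # $extra is intentionally unquoted so it expands to two arguments (or none)
  if openssl s_client -connect "$host:$port" -servername "$host" "-$proto" $extra \
       </dev/null 2>/dev/null | handshake_ok; then
    echo accepted
  else
    echo rejected
  fi
}

# Audit one host: one PASS/FAIL line per check, exit status 1 if anything failed.
audit_host() {
  local host=$1 port=${2:-443} proto result hsts rc=0
  for proto in tls1 tls1_1 tls1_2 tls1_3; do
    result=$(probe_protocol "$host" "$port" "$proto")
    if judge_protocol "$proto" "$result"; then
      echo "PASS $proto $result"
    else
      echo "FAIL $proto $result"; rc=1
    fi
  done
  if openssl s_client -connect "$host:$port" -servername "$host" -status \
       </dev/null 2>/dev/null | staple_present; then
    echo "PASS ocsp stapling"
  else
    echo "FAIL ocsp stapling"; rc=1
  fi
  hsts=$(curl -sI "https://$host:$port/" | tr -d '\r' \
         | sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity: *//p' | head -n 1)
  if hsts_ok "$hsts"; then
    echo "PASS hsts '$hsts'"
  else
    echo "FAIL hsts '${hsts:-missing}'"; rc=1
  fi
  return $rc
}

# Run the live audit only when a target is given, e.g.:
#   TLS_AUDIT_HOST=example.com bash tls-audit.sh
if [ -n "${TLS_AUDIT_HOST:-}" ]; then
  audit_host "$TLS_AUDIT_HOST" "${TLS_AUDIT_PORT:-443}"
fi
```

The protocol matrix is the check most worth automating in a deploy pipeline: a config that lists `TLSv1.2 TLSv1.3` but is overridden by an include elsewhere, or an Apache vhost that inherits a permissive `SSLProtocol` from the global scope, passes review and fails this probe. Run it with a modern OpenSSL and keep the `SECLEVEL=0` workaround in mind when interpreting a `rejected` result for TLS 1.0/1.1 from other tooling.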
Node.js TLS Configuration
```javascript
const https = require('https');
const fs = require('fs');

// Minimal request handler; replace with an Express app or any (req, res) listener
const app = (req, res) => {
  res.writeHead(200, { 'Content-Type': 'text/plain' });
  res.end('ok\n');
};

const options = {
  key: fs.readFileSync('/path/to/privkey.pem'),
  // fullchain.pem holds the leaf followed by the intermediates, so the whole
  // chain is sent to clients from `cert`.
  cert: fs.readFileSync('/path/to/fullchain.pem'),
  // `ca` is not where the server's own chain goes: it is the trust store used to
  // verify *client* certificates, so only set it when enabling mTLS below.
  // ca: fs.readFileSync('/path/to/client-ca.pem'),

  // TLS settings
  minVersion: 'TLSv1.2',
  maxVersion: 'TLSv1.3',

  // Cipher suites (TLS 1.2 only; TLS 1.3 suites are fixed by OpenSSL)
  ciphers: [
    'ECDHE-ECDSA-AES128-GCM-SHA256',
    'ECDHE-RSA-AES128-GCM-SHA256',
    'ECDHE-ECDSA-AES256-GCM-SHA384',
    'ECDHE-RSA-AES256-GCM-SHA384'
  ].join(':'),
  honorCipherOrder: true,
  ecdhCurve: 'X25519:prime256v1:secp384r1',

  // Session resumption: lifetime of server-side sessions, in seconds
  sessionTimeout: 300,

  // Require and verify client certificates (mTLS); needs `ca` above
  // requestCert: true,
  // rejectUnauthorized: true
};

https.createServer(options, app).listen(443);
```
Let’s Encrypt Automation
```bash
# Install certbot and the nginx plugin (Debian/Ubuntu)
sudo apt-get install certbot python3-certbot-nginx

# Obtain a certificate; the plugin edits the nginx server block for you
sudo certbot --nginx -d example.com -d www.example.com

# Confirm renewal works end to end without actually renewing
sudo certbot renew --dry-run

# Distribution packages normally install a systemd timer (or a cron entry)
# already; check before adding your own so renewal does not run twice
systemctl list-timers 'certbot*'

# Only if no timer exists: root crontab entry, twice daily as Let's Encrypt
# recommends. --deploy-hook runs only when a certificate was actually renewed
# (unlike --post-hook, which runs after every attempt).
0 */12 * * * certbot renew --quiet --deploy-hook "systemctl reload nginx"
```
Certificate Monitoring
```javascript
const tls = require('tls');

// Resolve with expiry details for hostname:443, calling `alert` when fewer than
// 30 days remain. `alert` is whatever notifier you use (default: log to stderr).
function checkCertExpiry(hostname, alert = (msg) => console.error(msg)) {
  return new Promise((resolve, reject) => {
    const socket = tls.connect({ host: hostname, port: 443, servername: hostname }, () => {
      const cert = socket.getPeerCertificate();
      const validTo = new Date(cert.valid_to);
      const daysUntilExpiry = Math.floor(
        (validTo - new Date()) / (1000 * 60 * 60 * 24)
      );
      socket.end();
      if (daysUntilExpiry < 30) {
        alert(`${hostname}: certificate expiring in ${daysUntilExpiry} days`);
      }
      resolve({ hostname, validTo, daysUntilExpiry });
    });
    // An already expired or untrusted certificate fails verification here
    // (e.g. CERT_HAS_EXPIRED) before the callback runs, so a connection error
    // is itself an alert condition, not just a network hiccup.
    socket.on('error', (err) => {
      alert(`${hostname}: TLS connection failed (${err.code || err.message})`);
      reject(err);
    });
    socket.setTimeout(10000, () => socket.destroy(new Error('timeout')));
  });
}
```
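The same check is often wanted where Node is not installed, for example on the web host itself or in a cron job next to certbot. The script below is an added example for this article, not part of the original post or of certbot; it assumes the `openssl` CLI and GNU `date`, and the thresholds, host names and paths are placeholders. Because it reads `notAfter` from the leaf certificate without requiring verification to succeed, an already expired certificate is reported as `expired` with a negative day count rather than surfacing only as a connection error.

```bash
#!/usr/bin/env bash
# Certificate expiry monitoring with the openssl CLI (added example).

WARN_DAYS=30   # Let's Encrypt certificates live 90 days; renewal is due with 30 left
CRIT_DAYS=7

# Whole days from $2 (ISO-8601 UTC, default: now) until an openssl "notAfter=..."
# line. Floors toward negative infinity, so anything already expired is < 0.
days_until_expiry() {
  local not_after=${1#notAfter=} now end start secs
  now=${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
  end=$(date -u -d "$not_after" +%s) || return 2
  start=$(date -u -d "$now" +%s) || return 2
  secs=$(( end - start ))
  if [ "$secs" -lt 0 ] && [ $(( secs % 86400 )) -ne 0 ]; then
    echo $(( secs / 86400 - 1 ))
  else
    echo $(( secs / 86400 ))
  fi
}

# Map remaining days to a state an alerting pipeline can route on.
classify_days() {
  local days=$1
  if [ "$days" -lt 0 ]; then echo expired
  elif [ "$days" -lt "$CRIT_DAYS" ]; then echo critical
  elif [ "$days" -lt "$WARN_DAYS" ]; then echo warning
  else echo ok
  fi
}

# Fetch the leaf certificate from a live endpoint (with SNI) and print its notAfter line.
fetch_not_after() {
  local host=$1 port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate
}

# File-based variant for a certbot lineage, using openssl's own -checkend:
# succeeds only if the certificate is still valid WARN_DAYS from now.
file_not_expiring() {
  openssl x509 -noout -in "$1" -checkend $(( WARN_DAYS * 86400 ))
}

# Check every host given on the command line; exit 1 unless all are ok.
check_hosts() {
  local host not_after days state rc=0
  for host in "$@"; do
    if ! not_after=$(fetch_not_after "$host"); then
      echo "ALERT $host: could not retrieve certificate"; rc=1; continue
    fi
    if ! days=$(days_until_expiry "$not_after"); then
      echo "ALERT $host: could not parse '$not_after'"; rc=1; continue
    fi
    state=$(classify_days "$days")
    echo "$state $host expires in $days days ($not_after)"
    [ "$state" = ok ] || rc=1
  done
  return $rc
}

# Usage: bash cert-expiry.sh example.com www.example.com
if [ $# -gt 0 ]; then
  check_hosts "$@"
fi
```

`file_not_expiring /etc/letsencrypt/live/example.com/fullchain.pem` is the cheapest check to put beside the renewal job: a non-zero exit means renewal has been failing for weeks, which is exactly the failure the dry run in the previous section cannot catch after the fact.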
TLS/SSL Best Practices
- ✅ Use TLS 1.2 and 1.3 only
- ✅ Disable SSLv2, SSLv3 and TLS 1.0/1.1
- ✅ Use strong cipher suites (AEAD only: AES-GCM or ChaCha20-Poly1305; no RC4, 3DES, export or NULL ciphers)
- ✅ Enable forward secrecy (ECDHE or DHE key exchange only, no static RSA key exchange; DHE needs 2048-bit or larger parameters)
- ✅ Enable OCSP stapling and verify the stapled response
- ✅ Implement HSTS (start with a short max-age, add includeSubDomains and preload only once every subdomain serves HTTPS)
- ✅ Automate certificate renewal and alert when it fails
- ✅ Monitor certificate expiration, treating an already-expired or untrusted certificate as an alert
- ✅ Serve the full certificate chain (leaf plus intermediates, without the root)
- ✅ Configure session resumption deliberately (bounded cache lifetime; tickets only with a rotated key)
- ✅ Test with SSL Labs after every change
- ✅ Disable insecure renegotiation (client-initiated renegotiation is off by default in modern OpenSSL; keep it that way)
Conclusion
Proper TLS/SSL configuration protects data in transit from interception and tampering. Use modern protocols, strong ciphers, and automated certificate management for robust transport security.


