TLS Configuration
Learning Focus
By the end of this lesson you will know how to disable outdated TLS protocols, configure modern cipher suites, and enforce HTTPS.
Recommended TLS Configuration
| Setting | Recommended | Why |
|---|---|---|
| TLS 1.0 | ❌ Disabled | Known vulnerabilities |
| TLS 1.1 | ❌ Disabled | Deprecated, weak |
| TLS 1.2 | ✅ Enabled | Strong, widely compatible |
| TLS 1.3 | ✅ Enabled | Fastest and most secure |
| SSLv3 | ❌ Disabled | Fundamentally broken (POODLE) |
Configuring in WebAdmin
- Navigate to Listeners → SSL listener → SSL tab
- Set Protocol Version to allow only TLS 1.2 and TLS 1.3
- Configure Cipher Suite to prefer strong ciphers
- Save and Graceful Restart
Enforcing HTTPS
Redirect all HTTP traffic to HTTPS:
# In .htaccess
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Or configure in the HTTP listener to redirect to HTTPS.
Verifying TLS Configuration
# Check supported protocols
nmap --script ssl-enum-ciphers -p 443 localhost
# Quick check with openssl
openssl s_client -connect localhost:443 -tls1_2 < /dev/null 2>/dev/null | head -5
openssl s_client -connect localhost:443 -tls1_3 < /dev/null 2>/dev/null | head -5
# These should fail (disabled):
openssl s_client -connect localhost:443 -tls1 < /dev/null 2>/dev/null | head -5
openssl s_client -connect localhost:443 -tls1_1 < /dev/null 2>/dev/null | head -5
warning
Disabling TLS 1.0 and 1.1 may break very old clients. For modern public websites, this is acceptable and recommended.
Key Takeaways
- Enable TLS 1.2 and 1.3 only — disable everything older.
- Always enforce HTTPS with redirects from HTTP.
- Verify with
openssl s_clientandnmapcipher scanning.
What's Next
- Continue to Auto Renewal for automated certificate management.