Just a reminder for myself which cipher suites to use to be compliant with PCI DSS, NIST, and HIPAA guidelines. The configuration below also excludes weak cipher suites.

/etc/nginx/dhparams.pem is the pre-defined DH group ffdhe2048 (see RFC 7919 and Mozilla Wiki).

This configuration differs from the Mozilla SSL Configuration Generator’s Intermediate Profile in the following ways:

  1. TLS 1.0 is disabled (PCI compliance).
  2. TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ECDHE-RSA-CHACHA20-POLY1305) is disabled to comply with HIPAA and NIST guidelines.
  3. TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (ECDHE-RSA-DES-CBC3-SHA), TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (EDH-RSA-DES-CBC3-SHA), TLS_RSA_WITH_3DES_EDE_CBC_SHA (DES-CBC3-SHA) are disabled to comply with PCI DSS, HIPAA, and NIST guidelines.
  4. TLS_RSA_WITH_AES_128_GCM_SHA256 (AES128-GCM-SHA256), TLS_RSA_WITH_AES_256_GCM_SHA384 (AES256-GCM-SHA384), TLS_RSA_WITH_AES_128_CBC_SHA256 (AES128-SHA256), TLS_RSA_WITH_AES_256_CBC_SHA256 (AES256-SHA256), TLS_RSA_WITH_AES_128_CBC_SHA (AES128-SHA), and TLS_RSA_WITH_AES_256_CBC_SHA (AES256-SHA) are disabled, because those cipher suites are weak according to SSL Labs.
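One way to check an existing nginx configuration against the four differences listed above. This is an added example, not the author's code: the function names and the sample config are constructed. It assumes `ssl_ciphers` holds explicit colon-separated OpenSSL suite names rather than keyword selectors such as `HIGH`.

```python
import re

# OpenSSL suite names the list above disables, keyed to the list item.
DISABLED = {
    "ECDHE-RSA-CHACHA20-POLY1305": "item 2 (HIPAA, NIST)",
    "ECDHE-RSA-DES-CBC3-SHA": "item 3 (PCI DSS, HIPAA, NIST)",
    "EDH-RSA-DES-CBC3-SHA": "item 3 (PCI DSS, HIPAA, NIST)",
    "DES-CBC3-SHA": "item 3 (PCI DSS, HIPAA, NIST)",
    "AES128-GCM-SHA256": "item 4 (SSL Labs: weak)",
    "AES256-GCM-SHA384": "item 4 (SSL Labs: weak)",
    "AES128-SHA256": "item 4 (SSL Labs: weak)",
    "AES256-SHA256": "item 4 (SSL Labs: weak)",
    "AES128-SHA": "item 4 (SSL Labs: weak)",
    "AES256-SHA": "item 4 (SSL Labs: weak)",
}

# Constructed sample input, not the configuration from this page.
SAMPLE = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # TLSv1 should be flagged
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:DES-CBC3-SHA:AES256-SHA:!aNULL';
    ssl_dhparam /etc/nginx/dhparams.pem;
}
"""

def directive_args(conf, name):
    """Return the argument list of every `name ...;` directive, ignoring comments."""
    text = re.sub(r"#[^\n]*", "", conf)
    pattern = r"(?m)^\s*%s\s+([^;]+);" % re.escape(name)
    return [m.group(1).split() for m in re.finditer(pattern, text)]

def audit(conf):
    """List (directive, value, reason) for each setting the page disables."""
    findings = []
    for args in directive_args(conf, "ssl_protocols"):
        findings += [("ssl_protocols", p, "item 1 (PCI)") for p in args if p == "TLSv1"]
    for args in directive_args(conf, "ssl_ciphers"):
        for suite in " ".join(args).strip("'\"").split(":"):
            # Exact-name match: ECDHE-RSA-AES128-GCM-SHA256 must not be
            # mistaken for the static-RSA suite AES128-GCM-SHA256.
            if not suite.startswith("!") and suite in DISABLED:
                findings.append(("ssl_ciphers", suite, DISABLED[suite]))
    return findings

if __name__ == "__main__":
    for where, value, why in audit(SAMPLE):
        print(f"{where}: {value} -> {why}")
```
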

Note: when using certbot, use the --must-staple command line option so that the certificate includes the ‘OCSP Must Staple’ flag.

TLS Configuration for nginx to Get A+ in HTBridge and SSL Labs Tests