Modern TLS Cipher Configuration in 2026

Mon, 05 Aug 2024 00:00:00 +0000

Configuring TLS ciphers used to involve copying a magic list from Mozilla SSL Configurator and moving on. In 2026 the landscape has shifted enough that revisiting is worth it.

What changed

TLS 1.3 is now supported by 95%+ of clients. Serving TLS 1.0 or 1.1 is an active liability.
OpenSSL 3.x became the default on most modern distros. Some older ciphers are simply gone.
Post-quantum hybrid key exchange (X25519-Kyber768) started rolling out in Chrome and Firefox.
Perfect Forward Secrecy is universally expected. No more RSA key exchange.

Recommended nginx config

ssl_protocols TLSv1.2 TLSv1.3;
# TLS 1.3 cipher suites (nginx picks automatically)
ssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_prefer_server_ciphers off;
ssl_ecdh_curve X25519:secp521r1:secp384r1;

ssl_prefer_server_ciphers off is correct for modern deployments — clients know better than servers which ciphers perform well on their hardware.

SSH Hardening Checklist for Public VPS

Mon, 01 Apr 2024 00:00:00 +0000

Every public-facing server gets port-scanned within minutes of going online. Default SSH settings are decent but not great. Here is the checklist I run through on every new VPS.

Disable password authentication

In /etc/ssh/sshd_config:

PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no

PermitRootLogin prohibit-password

This allows root login with key but not password, which is fine for automation. For stricter setups, use no and sudo from an unprivileged user.

Security on Besterry — Linux & DevOps Notes

Modern TLS Cipher Configuration in 2026

What changed

Recommended nginx config

SSH Hardening Checklist for Public VPS

Disable password authentication

Restrict root login