Configuring TLS ciphers used to involve copying a magic list from Mozilla SSL Configurator and moving on. In 2026 the landscape has shifted enough that revisiting is worth it.

What changed

  • TLS 1.3 is now supported by 95%+ of clients. Serving TLS 1.0 or 1.1 is an active liability.
  • OpenSSL 3.x became the default on most modern distros. Some older ciphers are simply gone.
  • Post-quantum hybrid key exchange (X25519-Kyber768) started rolling out in Chrome and Firefox.
  • Perfect Forward Secrecy is universally expected. No more RSA key exchange.
ssl_protocols TLSv1.2 TLSv1.3;

# TLS 1.3 cipher suites (nginx picks automatically)
ssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';

ssl_prefer_server_ciphers off;
ssl_ecdh_curve X25519:secp521r1:secp384r1;

ssl_prefer_server_ciphers off is correct for modern deployments — clients know better than servers which ciphers perform well on their hardware.

What to drop

  • TLS 1.0 and 1.1 (broken, legacy)
  • 3DES (slow, weak)
  • SHA1 MAC (deprecated)
  • Non-AEAD CBC modes in TLS 1.2 (vulnerable to padding oracle attacks)
  • RC4 (broken since forever)

Testing

Use sslyze or testssl.sh locally, then verify with ssllabs.com/ssltest. Target grade is A+. If you get A, check the penalty reason — usually missing HSTS preload or short DH params.

HSTS

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

Only enable preload if you’re confident — it takes years to remove from the browser preload list. Start with shorter max-age, increase gradually.

OCSP stapling

Necessary for privacy and performance:

ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 5s;

Without stapling, every client makes a separate OCSP request revealing which sites they visit.

Session tickets controversy

The recommendation oscillates. Session tickets speed up reconnection but have privacy implications if keys aren’t rotated. For high-privacy services: ssl_session_tickets off; and rely on session cache. For high-traffic CDNs with proper key rotation: enable tickets.