HTTPS is no longer optional; it is the baseline. But "SSL enabled" is not enough: how TLS is configured matters for both security and performance. This article covers what changed in TLS 1.3, cipher suite selection, HSTS and OCSP stapling, and a configuration that scores A+ on SSL Labs.
TLS 1.3: What Changed?
- 1-RTT handshake (vs 2-RTT in TLS 1.2): a full handshake needs half the round trips, so the first connection is noticeably faster
- 0-RTT resumption: on a repeat visit the client may send its first request together with the resumption handshake. That early data is not protected against replay, so enable it (nginx: ssl_early_data on;) only for idempotent requests and pass the Early-Data header to the backend; otherwise leave it off
- Legacy algorithms removed: RC4, 3DES, all CBC-mode suites, MD5 and SHA-1 MACs, and static RSA key exchange
- Only AEAD ciphers remain: AES-GCM, ChaCha20-Poly1305
- Forward secrecy is mandatory (ephemeral (EC)DHE only): past traffic stays safe even if the certificate's private key leaks later
Modern Configuration for Nginx
# /etc/nginx/conf.d/ssl.conf
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
# TLS 1.2 cipher suites (Mozilla "intermediate" profile). TLS 1.3 suites are
# fixed by the TLS library and are not affected by ssl_ciphers.
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
# Session cache on, tickets off: nginx only regenerates its ticket key on
# restart, so a leaked key would decrypt every resumed session (no forward secrecy)
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
# OCSP stapling. ssl_stapling_verify needs ssl_trusted_certificate pointing at
# the issuer chain; the resolver is what nginx uses to reach the OCSP responder
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 5s;
# DH params (2048 bit), used only by the DHE-* suites above
ssl_dhparam /etc/nginx/dhparams.pem;
# HSTS. add_header is not inherited by a location block that sets its own
# add_header, so repeat it there. Keep "preload" only once you are ready to
# submit the domain at hstspreload.org; it is very slow to undo
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Generate dhparams.pem (one-time; can take a few minutes)
sudo openssl dhparam -out /etc/nginx/dhparams.pem 2048
HSTS (HTTP Strict Transport Security)
HSTS tells the browser to reach this domain only over HTTPS. The browser honours the header only when it arrives over a valid HTTPS connection; from then on it rewrites http:// requests to https:// for max-age seconds without ever sending them in clear, which defeats SSL stripping (an attacker on the path downgrading the user to plain HTTP). The very first visit is still unprotected unless the domain is on the browsers' preload list.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
# max-age: 1 year (in seconds)
# includeSubDomains: all subdomains included
# preload: signals that the domain may be put on the browsers' built-in HSTS preload list. The flag alone does nothing: you still submit the domain at hstspreload.org, which requires max-age of at least one year plus includeSubDomains and preload. Removal from the list takes months, so add it only once every subdomain is HTTPS-only
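A checker for the header value, added here as an example (it is not code from the original article). The thresholds encode the SSL Labs A+ rule (max-age of at least 180 days) and the hstspreload.org submission rules (max-age of at least one year with includeSubDomains and preload); the header values it runs on are constructed test input.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article: validate a
# Strict-Transport-Security value against the SSL Labs A+ rule
# (max-age >= 180 days) and the hstspreload.org submission rules
# (max-age >= 1 year, includeSubDomains, preload). The header values at
# the bottom are constructed test input.

SSLLABS_MIN=15552000   # 180 days in seconds
PRELOAD_MIN=31536000   # 365 days in seconds

# hsts_check "<header value>"
#   -> "max-age=N includeSubDomains=yes|no preload=yes|no verdict=..."
hsts_check() {
  local header=$1 directive max_age=0 subdomains=no preload=no verdict
  local IFS=';'                       # directives are ';'-separated
  for directive in $header; do
    # names are case-insensitive and max-age may be a quoted-string (RFC 6797)
    directive=$(printf '%s' "$directive" | tr -d ' \t"' | tr 'A-Z' 'a-z')
    case "$directive" in
      max-age=*)         max_age=${directive#max-age=} ;;
      includesubdomains) subdomains=yes ;;
      preload)           preload=yes ;;
    esac
  done
  case "$max_age" in ''|*[!0-9]*) max_age=0 ;; esac   # garbage value counts as missing
  if [ "$max_age" -lt "$SSLLABS_MIN" ]; then
    verdict="fail(max-age<$SSLLABS_MIN)"
  elif [ "$max_age" -ge "$PRELOAD_MIN" ] && [ "$subdomains" = yes ] && [ "$preload" = yes ]; then
    verdict="A+,preload-eligible"
  else
    verdict="A+"
  fi
  printf 'max-age=%s includeSubDomains=%s preload=%s verdict=%s\n' \
    "$max_age" "$subdomains" "$preload" "$verdict"
}

# constructed sample header values
for h in 'max-age=31536000; includeSubDomains; preload' \
         'max-age=86400' \
         'Max-Age="15552000"; IncludeSubDomains' \
         'max-age=abc; preload'; do
  printf '%-45s -> %s\n' "$h" "$(hsts_check "$h")"
done
```

Feed it the value you get back from curl -sI https://yourdomain/ | grep -i strict-transport-security; a non-numeric or missing max-age is treated as no HSTS at all, which is also how browsers treat it.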
OCSP Stapling
The browser checks whether a certificate has been revoked (via CRL or OCSP). With OCSP stapling the server fetches a time-stamped, CA-signed OCSP response itself and sends it along with the certificate during the handshake, so the browser never has to contact the CA: that saves a round trip (typically 50-200 ms) and keeps the user's browsing history away from the CA. Verify it with openssl s_client -status and look for "OCSP Response Status: successful" in the output; the first connections after an nginx restart may not carry a staple yet, because nginx fetches it lazily.
Handshake Time Analysis
# Measure TLS handshake time. Each value is a cumulative timestamp in seconds from the start of the request, so the handshake alone is tls minus tcp
curl -w "dns: %{time_namelookup}\ntcp: %{time_connect}\ntls: %{time_appconnect}\nttfb: %{time_starttransfer}\ntotal: %{time_total}\n" -o /dev/null -s https://example.com
# Debug with OpenSSL
openssl s_client -connect example.com:443 -tls1_3 -servername example.com
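The curl timers above are cumulative, which is easy to misread; the script below, an added example rather than code from the original article, turns a captured -w report into per-phase milliseconds and estimates how many round trips the handshake took by comparing it with the TCP connect time (one round trip): about 1 for TLS 1.3 or a resumed session, about 2 for a full TLS 1.2 handshake, more when the server is slow at signing. Both reports it runs on are constructed sample data, not real measurements.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article. curl's -w timers are
# cumulative seconds from the start of the request, so the TLS handshake on
# its own is time_appconnect - time_connect, not time_appconnect.
# REPORT_TLS12 and REPORT_TLS13 are constructed sample output in the format
# printed by the curl command above (not real measurements).

REPORT_TLS12='dns: 0.012
tcp: 0.031
tls: 0.074
ttfb: 0.121
total: 0.139'

REPORT_TLS13='dns: 0.010
tcp: 0.030
tls: 0.052
ttfb: 0.098
total: 0.115'

# tls_phases "<report>" -> per-phase durations in ms (differences of the stamps)
tls_phases() {
  printf '%s\n' "$1" | awk -F': ' '
    { t[$1] = $2 }
    END {
      printf "dns=%.0fms tcp=%.0fms tls=%.0fms server=%.0fms transfer=%.0fms\n",
        t["dns"] * 1000, (t["tcp"] - t["dns"]) * 1000, (t["tls"] - t["tcp"]) * 1000,
        (t["ttfb"] - t["tls"]) * 1000, (t["total"] - t["ttfb"]) * 1000
    }'
}

# handshake_rtts "<report>" -> TLS handshake time divided by the TCP connect
# time (one RTT). ~1 = TLS 1.3 or resumption, ~2 = full TLS 1.2 handshake,
# clearly more = the server is spending real time in the handshake (e.g. RSA signing)
handshake_rtts() {
  printf '%s\n' "$1" | awk -F': ' '
    { t[$1] = $2 }
    END { printf "%.1f\n", (t["tls"] - t["tcp"]) / (t["tcp"] - t["dns"]) }'
}

echo "TLS 1.2-like: $(tls_phases "$REPORT_TLS12")  (~$(handshake_rtts "$REPORT_TLS12") RTT)"
echo "TLS 1.3-like: $(tls_phases "$REPORT_TLS13")  (~$(handshake_rtts "$REPORT_TLS13") RTT)"
```

Run the curl command twice in a row against the same host: the second run should show the tls phase close to one RTT (session resumption) even on a TLS 1.2 server.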
Cipher Suite Breakdown
A TLS 1.2 cipher suite name has four parts: ECDHE (key exchange) + RSA/ECDSA (authentication, i.e. the signature algorithm of the certificate) + AES-GCM/ChaCha20-Poly1305 (bulk encryption) + SHA-256 (the hash used for the handshake PRF and, in non-AEAD suites, the HMAC). TLS 1.3 simplified this: a suite such as TLS_AES_128_GCM_SHA256 names only the AEAD cipher and the HKDF hash; the key exchange (always ephemeral (EC)DHE, with the group picked via the supported_groups extension) and the signature algorithm are negotiated separately.
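To make the breakdown concrete, here is a small classifier, added as an example (not code from the original article): it splits an OpenSSL suite name into those parts and flags what TLS 1.3 removed, so you can audit an ssl_ciphers string. MOZILLA_INTERMEDIATE is the list from the nginx config above; LEGACY_LIST is a constructed example of the kind of list found in older configs.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article: split an OpenSSL
# cipher-suite name into key exchange / authentication / bulk cipher / hash
# and flag the pieces TLS 1.3 dropped (static RSA key exchange, RC4, 3DES,
# CBC mode, MD5 and SHA-1 MACs). LEGACY_LIST is constructed input.

MOZILLA_INTERMEDIATE='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
LEGACY_LIST='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:AES128-SHA:DES-CBC3-SHA:RC4-MD5'

# flag "<reason>": append a weakness to the caller's $why
flag() { why="${why:+$why, }$1"; }

# classify_suite <name> -> "<name> kex=.. auth=.. enc=.. hash=.. ok|weak: ..."
classify_suite() {
  local name=$1 kex auth rest enc mac_hash why="" verdict
  case "$name" in
    TLS_*)          kex="(negotiated)"; auth="(certificate)"; rest=${name#TLS_} ;;  # TLS 1.3 name
    ECDHE-ECDSA-*)  kex=ECDHE; auth=ECDSA; rest=${name#ECDHE-ECDSA-} ;;
    ECDHE-RSA-*)    kex=ECDHE; auth=RSA;   rest=${name#ECDHE-RSA-} ;;
    DHE-RSA-*)      kex=DHE;   auth=RSA;   rest=${name#DHE-RSA-} ;;
    *)              kex=RSA;   auth=RSA;   rest=$name          # no (EC)DHE prefix
                    flag "static RSA key exchange (no forward secrecy)" ;;
  esac
  # Hash = last token. A bare "SHA" means SHA-1; no hash token at all
  # (e.g. ECDHE-RSA-CHACHA20-POLY1305) means SHA-256 is implied.
  mac_hash=${rest##*[-_]}
  case "$mac_hash" in
    SHA256|SHA384) enc=${rest%[-_]*} ;;
    SHA)           enc=${rest%-*}; mac_hash=SHA1; flag "SHA-1 MAC" ;;
    MD5)           enc=${rest%-*}; flag "MD5 MAC" ;;
    *)             enc=$rest; mac_hash=SHA256 ;;
  esac
  case "$enc" in
    *GCM*|*POLY1305*) ;;                       # AEAD, what TLS 1.3 requires
    *RC4*)            flag "RC4" ;;
    *DES-CBC3*)       flag "3DES" ;;
    *)                flag "CBC mode (not AEAD)" ;;
  esac
  if [ -n "$why" ]; then verdict="weak: $why"; else verdict=ok; fi
  printf '%s kex=%s auth=%s enc=%s hash=%s %s\n' "$name" "$kex" "$auth" "$enc" "$mac_hash" "$verdict"
}

# audit_cipher_list "<ssl_ciphers string>" -> "<weak>/<total> weak"
audit_cipher_list() {
  local list=$1 suite weak=0 total=0
  local IFS=':'
  for suite in $list; do
    total=$((total + 1))
    case "$(classify_suite "$suite")" in *" weak: "*) weak=$((weak + 1)) ;; esac
  done
  printf '%d/%d weak\n' "$weak" "$total"
}

for s in TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384 DES-CBC3-SHA; do
  classify_suite "$s"
done
echo "Mozilla intermediate: $(audit_cipher_list "$MOZILLA_INTERMEDIATE")"
echo "Legacy list:          $(audit_cipher_list "$LEGACY_LIST")"
```

Note that ECDHE-RSA-AES256-SHA384 is flagged even though it has forward secrecy and a SHA-2 hash: CBC mode with HMAC (MAC-then-encrypt) is what made Lucky 13 and similar padding-oracle attacks possible, which is why TLS 1.3 allows only AEAD suites.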
ECDSA Certificates
An ECDSA P-256 certificate instead of an RSA 2048-bit one makes the handshake noticeably faster: an ECDSA signature is far cheaper for the server to compute than an RSA one, and it is 64 bytes instead of 256, so the certificate chain gets smaller as well. Let's Encrypt issues ECDSA certificates; pass --key-type ecdsa to Certbot. Only very old clients (Windows XP era browsers, early Android) cannot validate ECDSA; if you must serve them, nginx accepts both an RSA and an ECDSA certificate (two ssl_certificate / ssl_certificate_key pairs) and picks the one each client supports.
sudo certbot --nginx --key-type ecdsa --elliptic-curve secp256r1 -d example.com
Mixed Content
If an HTTPS page loads subresources over plain HTTP, modern browsers block the active ones outright (scripts, stylesheets, iframes, fetch/XHR) and auto-upgrade or block the passive ones (images, audio, video). Use explicit https:// URLs; protocol-relative URLs (//cdn.example.com) also work on an HTTPS page but are a leftover from the HTTP era. As a safety net, this CSP directive makes the browser rewrite every http:// subresource request to https:// before sending it:
Content-Security-Policy: upgrade-insecure-requests
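A quick audit for mixed content in templates or rendered pages, added here as an example (not code from the original article): it lists every subresource fetched from an http:// URL and labels it active or passive; plain <a href> links are navigations rather than mixed content and are skipped. SAMPLE_HTML is a constructed page.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article: list http:// subresources
# in HTML and label them active (script/iframe/link: blocked by browsers) or
# passive (img/audio/video/source: auto-upgraded or blocked). SAMPLE_HTML is
# a constructed page used as test input.

SAMPLE_HTML='<!doctype html>
<img src="http://cdn.example.com/logo.png">
<script src="https://cdn.example.com/app.js"></script>
<script src="http://cdn.example.com/analytics.js"></script>
<link rel="stylesheet" href="//cdn.example.com/site.css">
<iframe src="http://widgets.example.com/embed"></iframe>
<a href="http://example.com/about">About</a>'

# find_mixed_content: reads HTML on stdin, prints "<active|passive> <tag> <url>" per hit
find_mixed_content() {
  grep -Eoi '<(script|iframe|link|img|source|audio|video)[^>]*(src|href)="http://[^"]+"' |
  sed -E 's/^<([A-Za-z]+)[^>]*"(http:[^"]+)"$/\1 \2/' |
  awk '{ kind = ($1 ~ /^(script|iframe|link)$/) ? "active" : "passive"; print kind, $1, $2 }'
}

# mixed_content_count: number of offending subresources on stdin (0 means clean)
mixed_content_count() {
  find_mixed_content | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_HTML" | find_mixed_content
echo "offending subresources: $(printf '%s\n' "$SAMPLE_HTML" | mixed_content_count)"
```

Run it over a rendered page (curl -s https://yourdomain/ | mixed_content_count) or over your template directory with find ... -exec cat {} + before enabling upgrade-insecure-requests, so the directive is a backstop and not the only thing keeping the page whole.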
Checklist for SSL Labs A+
- TLS 1.2 + TLS 1.3
- Weak protocols disabled (TLS 1.0, 1.1, SSLv3)
- Forward Secrecy
- HSTS header, max-age ≥ 6 months
- Strong ciphers only
- OCSP stapling
- Valid certificate chain
- Certificate matches the hostname (SNI and SAN correct, no name-mismatch warnings)
- DNS CAA record
# DNS CAA record
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 iodef "mailto:security@example.com"
Performance: HTTP/2 and HTTP/3
Once HTTPS is on, HTTP/2 is basically free: listen 443 ssl http2; (from nginx 1.25.1 the listen parameter is deprecated in favour of the http2 on; directive). HTTP/3 (QUIC) is newer: it needs nginx 1.25+ built with QUIC support, a listen 443 quic reuseport; entry plus http3 on;, UDP 443 open on the firewall, and an Alt-Svc header (h3=":443") so browsers learn to try it. It makes a noticeable difference on lossy links, especially mobile, because one lost packet no longer stalls every stream.
Certificate Renewal Automation
# Check the Certbot timer
systemctl list-timers | grep certbot
# Hook — reload nginx after renewal
echo '#!/bin/bash
systemctl reload nginx' | sudo tee /etc/letsencrypt/renewal-hooks/deploy/reload.sh
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload.sh
# Monitor: alert 14 days before expiry, e.g. with the Prometheus blackbox exporter
# (metric probe_ssl_earliest_cert_expiry) and an alert rule that fires when it is
# less than 14 days away. Test the whole chain with: certbot renew --dry-run
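The check behind that alert, written as an added example (not code from the original article) with openssl's -checkend so it needs no date parsing. To run offline it generates throwaway self-signed P-256 certificates into a temp directory (constructed test data); in production point it at the certificate nginx serves, or at the chain returned by openssl s_client -connect host:443 -servername host, and wire the result into cron or your alerting.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article: certificate expiry
# checks built on "openssl x509 -checkend". The certificates below are
# throwaway self-signed test data generated at runtime.

# cert_status <cert.pem> [warn_days]  ->  ok | expiring | expired
cert_status() {
  local cert=$1 warn_days=${2:-14}
  if ! openssl x509 -checkend 0 -noout -in "$cert" >/dev/null; then
    echo expired
  elif ! openssl x509 -checkend $((warn_days * 86400)) -noout -in "$cert" >/dev/null; then
    echo expiring
  else
    echo ok
  fi
}

# days_left <cert.pem>  ->  smallest whole number of days after which the
# certificate is no longer valid (binary search over -checkend, ~12 openssl calls)
days_left() {
  local cert=$1 lo=0 hi=3650 mid
  while [ "$lo" -lt "$hi" ]; do
    mid=$(( (lo + hi) / 2 ))
    if openssl x509 -checkend $((mid * 86400)) -noout -in "$cert" >/dev/null; then
      lo=$((mid + 1))    # still valid in $mid days: look later
    else
      hi=$mid            # expired by then: look earlier
    fi
  done
  echo "$lo"
}

# make_test_cert <out.pem> <days>: self-signed ECDSA P-256 certificate valid <days> days
make_test_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "${1%.pem}.key" -out "$1" -days "$2" -subj /CN=example.test >/dev/null 2>&1
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_cert "$WORK/renew-soon.pem" 7
make_test_cert "$WORK/fine.pem" 90

for c in "$WORK"/*.pem; do
  printf '%-16s expires in %3s days -> %s\n' \
    "$(basename "$c")" "$(days_left "$c")" "$(cert_status "$c" 14)"
done
```

Certbot renews 30 days before expiry, so a certificate that is still within 14 days of expiring means renewal has been failing for over two weeks; that is the condition worth paging on, not the renewal timer itself.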
Conclusion
A modern HTTPS configuration improves security and performance at the same time: TLS 1.3, an ECDSA certificate and HTTP/2 together cut handshake latency substantially and often make a site 20-30% faster end to end. Getting an A+ on SSL Labs is a 10-minute job, and it has become the expected standard rather than a bonus.
Reach out to KEYDAL for SSL Labs A+ configuration, HTTP/3 setup and certificate management. Contact us