Friday, August 28, 2015

https SSL cipher remediation for webservers 2015

I don’t know jack! I am NOT a security professional by trade, but please at least be aware that simply installing an SSL certificate on your server does NOT make it secure.

Thanks to Qualys SSL Labs, testing your server for SSL security is dead simple. I recommend that every public site you manage be tested immediately!

Once you know your status, here are some invaluable information resources you will need for remediation:

Setup your [Windows] IIS for SSL Perfect Forward Secrecy and TLS 1.2 :

Additionally, I had one server that used stunnel on Windows. I found the following were good settings for C:\Program Files (x86)\stunnel\stunnel.conf:
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
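
As an added example (not from the original post or from the stunnel project), this Python script audits a stunnel.conf for the settings above and reports any service that can still negotiate SSLv2 or SSLv3. It assumes values in the global section act as defaults for every service and that an unset sslVersion behaves like all; the service names and ports in the sample are constructed.

```python
import re
# Constructed sample: the post's settings as global defaults plus two made-up services.
SAMPLE_CONF = """\
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
[https]
accept = 443
[legacy]
accept = 8443
sslVersion = SSLv3
"""
REQUIRED = ("NO_SSLv2", "NO_SSLv3")

def parse(text):
    """Map section name ("" = global) to its sslVersion and set of options."""
    sections = {"": {"sslVersion": None, "options": set()}}
    current = ""
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections[current] = {"sslVersion": None, "options": set()}
        elif "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "sslversion":
                sections[current]["sslVersion"] = value
            elif key.lower() == "options":
                sections[current]["options"].add(value)
    return sections

def audit(text):
    """Flag services that can still use SSLv2/SSLv3 (assumption: global values
    are defaults for services, and an unset sslVersion is treated as "all")."""
    sections = parse(text)
    glob = sections.pop("")
    findings = {}
    for name, svc in (sections or {"(global)": glob}).items():
        version = svc["sslVersion"] or glob["sslVersion"] or "all"
        options = glob["options"] | svc["options"]
        if version.lower() in ("sslv2", "sslv3"):
            findings[name] = [f"sslVersion pinned to {version}"]
        elif version.lower() == "all":
            missing = [f"missing options = {o}" for o in REQUIRED if o not in options]
            if missing:
                findings[name] = missing
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

An empty result means every service either disables both legacy protocols or pins a newer version.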


Again, I am NOT a security expert, so please do not blindly reconfigure your settings without fully understanding what you are doing. I do not think my advice is wrong, but there absolutely might be better settings available.

Here is a good Mozilla resource for Server Side TLS, including a link to the Mozilla SSL Configuration Generator.

As Always, Good Luck!