TLS with its highest available security options

We have now hardened our TLS to the highest level of security possible using available options, without resorting to extreme measures such as forking the code.

Server components: Debian Stable, Nginx, Let’s Encrypt TLS.

The security enhancements include:

  • Removal of RSA ciphers, with a shift to ECC-only.
  • Modifying the TLS certificate key and signature to ECC (instead of RSA).
  • Disabling AES 128 in TLS 1.3 and 1.2, permitting only AES 256 (Note: there is no AES 512).

Additionally:

  • OCSP Stapling
  • HSTS
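As an added illustration (not the original poster's configuration, which the post deliberately does not publish), here is an nginx server block that applies each of the items listed above: ECDSA-only key exchange and authentication, AES-256-GCM as the only bulk cipher in both TLS 1.2 and TLS 1.3, OCSP stapling with verification, and HSTS. The hostname, certificate paths and resolver address are placeholders; the certbot invocation in the comment is an assumption about how the ECC certificate was obtained.

```nginx
# Added example, not from the original post. Placeholders: example.com,
# the /etc/letsencrypt paths and the resolver address.
server {
    listen 443 ssl http2;
    server_name example.com;

    # ECC certificate from Let's Encrypt. Assumption: requested with
    #   certbot --key-type ecdsa --elliptic-curve secp384r1 ...
    # so both the leaf key and (via the ECDSA intermediate) the signature are ECC.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Only TLS 1.2 and 1.3 are negotiable.
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2: a single ECDHE + ECDSA + AES-256-GCM suite.
    # No RSA key exchange or authentication, no AES-128, no ChaCha20
    # (the post permits AES 256 only).
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1:X25519;

    # TLS 1.3: OpenSSL enables TLS_AES_128_GCM_SHA256 by default, and
    # ssl_ciphers does not apply to 1.3 suites, so the list is restricted
    # through ssl_conf_command (nginx >= 1.19.4 built against OpenSSL 1.1.1+).
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # OCSP stapling: nginx fetches the OCSP response itself, verifies it
    # against the issuer chain, and staples it into the handshake so clients
    # need not contact the CA's responder.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    resolver 127.0.0.1 valid=300s;   # placeholder: a local caching resolver
    resolver_timeout 5s;

    # HSTS on every response, error pages included ("always").
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    root /var/www/html;
}
```

Two checks worth doing after reloading: `nginx -t` will reject `ssl_conf_command` on builds older than 1.19.4 or linked against an OpenSSL without TLS 1.3, and a scanner should report exactly one suite per protocol version. The trade-off is reach rather than strength: a client that offers only AES-128 or ChaCha20 suites, or cannot validate ECDSA certificates, gets a handshake failure instead of a downgraded connection, which is the behaviour this configuration intends.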

Questions you may ask:

  • Why didn’t you activate the OCSP Must-Staple certificate feature?

  • Why didn’t you activate DANE TLSA?

  • Which TLS scanners do you usually use to check your TLS?

  • Why aren’t you achieving a 100% score on SSL Labs?

    • Check discussion here.

If you know any websites that have implemented similar measures, please share them here.

Note: Please refrain from asking how to do it here; instead, use a search engine.
