TLS Hardening
Avoid the use of deprecated TLS versions (e.g. 1.0 and 1.1) or weak cipher suites (e.g. RC4 or 3DES).
Test your TLS security using a third-party tool or by running:
nmap --script ssl-enum-ciphers -p 443 {your.domain.com}
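The scan output can be checked automatically against the policy on this page. The following is an added example, not part of the product or of nmap: the function name `audit`, the regular expressions and the sample scan text are assumptions constructed for illustration.

```python
import re

# Policy from this page: TLS 1.0/1.1 are deprecated; RC4 and 3DES are weak.
DEPRECATED = {"TLSv1.0", "TLSv1.1"}
WEAK_TOKENS = ("_RC4_", "_3DES_")
# Strong suites this page lists for Windows (pass as `allowed` to enforce).
PAGE_SUITES = {f"TLS_{kx}_WITH_AES_{tail}"
               for kx in ("ECDHE_ECDSA", "ECDHE_RSA", "DHE_RSA")
               for tail in ("128_GCM_SHA256", "256_GCM_SHA384")}

PROTO_RE = re.compile(r"^\|[\s_]+((?:SSLv|TLSv)[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|[\s_]+(TLS_[A-Z0-9_]+)")

# Constructed sample in the layout ssl-enum-ciphers prints (not a real scan).
SAMPLE_SCAN = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|_  least strength: C
"""

def audit(text, allowed=None):
    """Return sorted (protocol, finding) tuples for one ssl-enum-ciphers scan."""
    findings, protocol = set(), None
    for line in text.splitlines():
        proto, suite = PROTO_RE.match(line), CIPHER_RE.match(line)
        if proto:  # a protocol header opens a new block of cipher lines
            protocol = proto.group(1)
            if protocol in DEPRECATED:
                findings.add((protocol, "deprecated protocol version"))
        elif suite and protocol:
            name = suite.group(1)
            if any(tok in name for tok in WEAK_TOKENS):
                findings.add((protocol, f"weak cipher suite {name}"))
            elif allowed is not None and name not in allowed:
                findings.add((protocol, f"suite not on allow-list {name}"))
    return sorted(findings)

if __name__ == "__main__":
    for proto, finding in audit(SAMPLE_SCAN, PAGE_SUITES):
        print(f"{proto}: {finding}")
```

An empty result means the scan shows no deprecated protocol version and no RC4 or 3DES suite; when scanning the Media Server on Linux, pass the Linux default list as `allowed`, since it also contains the CHACHA20 suites.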
On Windows
This information applies to both the Gateway (HTTPS/WSS) and the Media Server (TURNS).
Ensure Windows is updated with the latest official patches.
To disable weak cipher suites:
- Click Start → Edit Group Policy
- Browse to Local Computer Policy → Computer Configuration → Administrative Templates → Network → SSL Configuration Settings
- Double-click SSL Cipher Suite Order.
- Check Enabled.
Set SSL Cipher Suites to a comma-delimited list of strong cipher suites that are valid for your operating system, e.g.:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Restart Windows.
To verify, open PowerShell and run:
PS C:\Users\Administrator> Get-TlsCipherSuite | Format-Table Name
You should see output that looks something like:
Name
----
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
On Linux
This information only applies to the Media Server (TURNS). TLS hardening is not yet available for the Gateway (HTTPS/WSS) on Linux, so it is still recommended to perform TLS termination in front of the Gateway using a load balancer or reverse proxy.
Ensure Linux is updated with the latest official patches.
Weak cipher suites are disabled automatically.
The following ciphers are enabled by default:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384