TLS Hardening

Avoid deprecated TLS protocol versions (TLS 1.0 and 1.1) and weak cipher suites (e.g. RC4, 3DES, or any suite using NULL, EXPORT or MD5). Only TLS 1.2 and later with AEAD cipher suites (AES-GCM, ChaCha20-Poly1305) should be negotiable.

Test your TLS configuration from outside the host, using a third-party scanner or by running:

nmap --script ssl-enum-ciphers -p 443 {your.domain.com}
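The nmap output above has to be read by hand. The following PowerShell function is an added example (not code from the original page or the product) that parses the `ssl-enum-ciphers` script output and flags deprecated protocol versions and weak or low-graded cipher suites, so the check can be repeated after each change. It assumes the nmap 7.x output format in which every cipher line ends with a letter grade (`- A`); the sample output and the `{your.domain.com}` placeholder are constructed, and `Get-TlsFindings` is a name chosen for this example.

```powershell
# Added example: parse `nmap --script ssl-enum-ciphers` output and report
# deprecated protocols and weak cipher suites. Works with saved output or a
# live scan; the sample at the bottom is constructed for illustration.
function Get-TlsFindings {
    param([Parameter(Mandatory)][string[]]$NmapOutput)

    $DeprecatedProtocols = 'SSLv2', 'SSLv3', 'TLSv1.0', 'TLSv1.1'
    # Suite names that should never be offered, regardless of nmap's grade.
    $WeakSuitePattern = 'RC4|3DES|DES_CBC|NULL|MD5|EXPORT|anon'

    $Findings = @()
    $Protocol = $null
    foreach ($Line in $NmapOutput) {
        # Protocol header, e.g. "|   TLSv1.0: "
        if ($Line -match '^\|\s+((?:SSL|TLS)v[\d.]+):\s*$') {
            $Protocol = $Matches[1]
            if ($DeprecatedProtocols -contains $Protocol) {
                $Findings += [pscustomobject]@{
                    Protocol = $Protocol; Cipher = $null; Issue = 'deprecated protocol version enabled'
                }
            }
            continue
        }
        # Cipher line, e.g. "|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C"
        if ($Line -match '^\|\s+(TLS_\S+)\s+\(.*\)\s+-\s+([A-F])\s*$') {
            $Cipher = $Matches[1]
            $Grade  = $Matches[2]
            if ($Cipher -match $WeakSuitePattern) {
                $Findings += [pscustomobject]@{ Protocol = $Protocol; Cipher = $Cipher; Issue = 'weak cipher suite' }
            } elseif ($Grade -ne 'A') {
                $Findings += [pscustomobject]@{ Protocol = $Protocol; Cipher = $Cipher; Issue = "nmap grade $Grade" }
            }
        }
    }
    return $Findings
}

# Constructed sample output (not a real scan) showing one bad and one good protocol.
$SampleScan = @'
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors: 
|       NULL
|_  least strength: C
'@ -split '\r?\n'

# Expected: TLSv1.0 enabled, and TLS_RSA_WITH_3DES_EDE_CBC_SHA flagged as weak.
Get-TlsFindings -NmapOutput $SampleScan | Format-Table -AutoSize

# Live scan (nmap must be installed and on PATH); an empty result means no findings:
# Get-TlsFindings -NmapOutput (nmap --script ssl-enum-ciphers -p 443 {your.domain.com})
```

Run the live form against the Gateway port (443) and the Media Server's TURNS port; a hardened host produces no findings at all, not merely no weak suites, because an enabled TLS 1.0 or 1.1 listener is itself a finding.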

On Windows

This information applies to both the Gateway (HTTPS/WSS) and the Media Server (TURNS).

Ensure Windows is updated with the latest official patches.

To disable weak cipher suites:

  1. Click Start → Edit Group Policy
  2. Browse to Local Computer Policy → Computer Configuration → Administrative Templates → Network → SSL Configuration Settings
  3. Double-click SSL Cipher Suite Order.
  4. Check Enabled.
  5. Set SSL Cipher Suites to a comma-delimited list (one line, no spaces, at most 1023 characters) of strong cipher suites that are valid for your operating system, e.g.:

    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  6. Restart Windows.

To verify after the restart, open PowerShell and run:

PS C:\Users\Administrator> Get-TlsCipherSuite | Format-Table Name

You should see output that looks something like:

Name
----
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
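The same result can be applied without clicking through the Group Policy editor, which is what you want on a fleet of Gateway and Media Server hosts. The script below is an added example (not code from the original page or the product): it writes the registry value that the "SSL Cipher Suite Order" policy maps to, disables TLS 1.0 and 1.1 for the server side of SCHANNEL, and checks the result with `Get-TlsCipherSuite`. The `Test-TlsHardening` function name and the weak-suite pattern are this example's own choices; the suite list is the one from the steps above.

```powershell
# Added example: apply the cipher suite order policy and disable deprecated
# protocol versions from an elevated PowerShell session. Like the GPO steps,
# the change only takes effect after a restart.
#Requires -RunAsAdministrator

$StrongSuites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'
)

# Registry location behind the "SSL Cipher Suite Order" policy
# (Computer Configuration > Administrative Templates > Network > SSL Configuration Settings).
# The value is a single comma-delimited string, the same text you would paste into the GPO.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name 'Functions' -Value ($StrongSuites -join ',') -Type String

# Disable TLS 1.0 and TLS 1.1 for the server side of SCHANNEL. Only the Server
# subkey is touched so that outbound (client) connections from this host are
# not affected; set the Client subkey as well once you have confirmed nothing
# the host connects to still needs the old versions.
$ProtocolsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($Protocol in 'TLS 1.0', 'TLS 1.1') {
    $ServerKey = Join-Path -Path $ProtocolsKey -ChildPath "$Protocol\Server"
    New-Item -Path $ServerKey -Force | Out-Null
    New-ItemProperty -Path $ServerKey -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $ServerKey -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
}

# Run this after the restart: reports suites that are still enabled but weak,
# and expected suites that are missing (e.g. a name mistyped in the list).
function Test-TlsHardening {
    param([string[]]$Expected = $StrongSuites)

    $Enabled = @((Get-TlsCipherSuite).Name)
    $Weak    = @($Enabled | Where-Object { $_ -match 'RC4|3DES|DES_CBC|NULL|MD5|EXPORT' })
    $Missing = @($Expected | Where-Object { $Enabled -notcontains $_ })

    [pscustomobject]@{
        EnabledCount = $Enabled.Count
        Weak         = $Weak
        Missing      = $Missing
        Hardened     = ($Weak.Count -eq 0) -and ($Missing.Count -eq 0)
    }
}

Write-Host 'Policy written; restart Windows, then run Test-TlsHardening to confirm.'
```

Note that `Get-TlsCipherSuite` reports what SCHANNEL currently uses, so running `Test-TlsHardening` before the restart shows the old list; a `Missing` entry after the restart usually means a suite name is not valid on that Windows version and was ignored.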

On Linux

This information only applies to the Media Server (TURNS). TLS hardening is not yet available for the Gateway (HTTPS/WSS) on Linux, so it is still recommended to terminate TLS in front of the Gateway with a load balancer or reverse proxy and to apply the hardening there.

Ensure Linux is updated with the latest official patches.

Weak cipher suites and deprecated protocol versions are disabled automatically.

The following ciphers are enabled by default:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384