
    TLS Hardening

    Warning

    Don't use deprecated TLS versions, such as 1.0 and 1.1, or weak cipher suites, such as RC4 or 3DES.

    Test your TLS security using a third-party tool or by running the following command, which lists the protocol versions and cipher suites the server will negotiate and grades each suite:

    nmap --script ssl-enum-ciphers -p 443 {your.domain.com}

    Port 443 covers the Gateway; to test the Media Server, scan the port its TURNS listener uses instead.
    
    Windows

    These instructions apply to both the Gateway (HTTPS/WSS) and the Media Server (TURNS).

    Do the following to harden your TLS security on Windows:

    1. Ensure Windows is updated with the latest official patches.

    2. Turn off weak cipher suites:

      1. Click Start > Edit Group Policy (or run gpedit.msc).
      2. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
      3. Double-click SSL Cipher Suite Order.
      4. Select Enabled.
      5. Set SSL Cipher Suites to a comma-delimited list (no spaces) of strong cipher suites that are valid for your operating system. The list is an allow-list in priority order: any suite not listed is disabled, so include every suite your clients require, and keep it under the policy's 1023-character limit. For example:
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
        
      6. Restart Windows.
    3. To verify, open PowerShell and run the following command:

      PS C:\Users\Administrator> Get-TlsCipherSuite | Format-Table Name
      

      The output should look like the following:

      Name
      ----
      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
      
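    The same hardening as a script, which is an added example and not part of the LiveSwitch documentation: it writes the cipher suite order to the registry location the "SSL Cipher Suite Order" policy uses, explicitly disables TLS 1.0 and 1.1 on the server side through the SCHANNEL protocol keys (something the cipher suite order alone does not do, although every suite in the list is TLS 1.2-only and so those versions could not negotiate anyway), and after the reboot compares the Get-TlsCipherSuite output against the allow-list. It assumes an elevated PowerShell session on Windows Server 2016 / Windows 10 or later, where the TLS cmdlets are available; the function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not LiveSwitch code. Assumes Windows Server 2016 / Windows 10 or
# later (Get-TlsCipherSuite) and an elevated session (writes under HKLM).

# Strong suites in priority order: ECDHE before DHE, all TLS 1.2 AEAD suites.
$StrongSuites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'
)

# Registry location written by the "SSL Cipher Suite Order" Group Policy setting.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Set-StrongCipherSuiteOrder {
    param([string[]]$Suites = $StrongSuites)
    $list = $Suites -join ','
    # The policy value is limited to 1023 characters; fail rather than let it be truncated.
    if ($list.Length -gt 1023) { throw 'Cipher suite list exceeds the 1023-character policy limit' }
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name 'Functions' -Value $list -Type String
}

# Protocol versions are controlled by SCHANNEL, not by the cipher suite order.
function Disable-LegacyTlsServer {
    param([string[]]$Protocols = @('TLS 1.0', 'TLS 1.1'))
    foreach ($p in $Protocols) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$p\Server"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'Enabled' -Value 0 -Type DWord
        Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -Type DWord
    }
}

# Run after the reboot: reports suites that are enabled but not allowed, and
# allowed suites that did not take effect (for example, unsupported on this OS).
function Test-CipherSuiteOrder {
    param([string[]]$Expected = $StrongSuites)
    $actual     = (Get-TlsCipherSuite).Name
    $unexpected = @($actual   | Where-Object { $_ -notin $Expected })
    $missing    = @($Expected | Where-Object { $_ -notin $actual })
    [pscustomobject]@{
        Compliant  = ($unexpected.Count -eq 0) -and ($missing.Count -eq 0)
        Unexpected = $unexpected
        Missing    = $missing
    }
}

Set-StrongCipherSuiteOrder
Disable-LegacyTlsServer
Write-Output 'Restart Windows, then run Test-CipherSuiteOrder to verify.'
```

    On Windows versions that support TLS 1.3 (Windows Server 2022 and later), add its suites (TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256) to $StrongSuites, otherwise the allow-list removes them. Disabling TLS 1.0 and 1.1 under the Server subkey affects every Schannel server on the host, not only LiveSwitch, so confirm nothing else on the machine still needs them; the nmap scan above is the external check that the change took effect.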

    Linux

    These instructions only apply to the Media Server (TURNS). TLS hardening isn't yet available for the Gateway (HTTPS/WSS) on Linux, so it's still recommended to terminate TLS in front of the Gateway with a load balancer or reverse proxy, and to apply the protocol and cipher suite restrictions there.

    To harden your TLS security on Linux, ensure Linux is updated with the latest official patches. Weak cipher suites are turned off automatically; use the nmap command above to confirm what the server actually offers.

    The following cipher suites are enabled by default:

    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    
    Copyright © LiveSwitch Inc. All Rights Reserved. Documentation for LiveSwitch Version 1.25.0