SSL/TLS reference

What each part of a TLS configuration does and how to set it.

Getting started

Compatibility profiles

Modern, Intermediate, or Old — pick the one that matches the clients you must support.

Protocols & ciphers

TLS protocol versions

Enable TLS 1.2 and 1.3; disable SSLv3, TLS 1.0, and TLS 1.1.

Cipher suites & forward secrecy

Prefer ECDHE key exchange with AES-GCM or ChaCha20-Poly1305 AEAD ciphers.

Server vs client cipher preference

Let modern clients choose (off); force server order only for the Old profile.

Hardening

HTTP Strict Transport Security (HSTS)

Tell browsers to only ever use HTTPS for your domain.

OCSP stapling

Have the server fetch and attach the certificate revocation proof.

Diffie-Hellman parameters

If you use DHE ciphers, supply a strong, known DH group (ffdhe2048).

Session resumption & tickets

Speed up reconnections without weakening forward secrecy.

Certificates

Certificates & key types

Serve the full chain; ECDSA keys are smaller and faster than RSA.

Performance

HTTP/2, HTTP/3 & ALPN

Negotiate modern HTTP versions over the same TLS connection.