SSL Tips for Site Owners – 5 Quick Checks

Sane defaults reduce attack surface and renewal surprises.

  1. Disable legacy protocols
    Use TLS 1.2+ (ideally TLS 1.3); disable SSLv3/TLS 1.0/1.1.
    Check: curl -I --tls-max 1.0 https://domain.tld should fail (curl's --tlsv1.0 only sets the minimum version, so it would still negotiate TLS 1.2/1.3); repeat with --tls-max 1.1, then confirm with an external scan (e.g., SSL Labs).
  2. Modern cipher suites & Forward Secrecy
    Prefer TLS 1.3 defaults; remove weak/obsolete suites; ensure Perfect Forward Secrecy (PFS).
    Check: nmap --script ssl-enum-ciphers -p 443 domain.tld (no RC4/3DES; TLS 1.3 suites visible).
  3. OCSP stapling + full certificate chain
    Serve the complete chain in the right order and enable stapling.
    Check: echo | openssl s_client -status -showcerts -servername domain.tld -connect domain.tld:443 2>/dev/null | grep -E 'OCSP Response Status|^ *[0-9]* *[si]:|Verify return code' (an "OCSP Response Status: successful" line means stapling works; the s:/i: lines should list the leaf and every intermediate in order, ending in "Verify return code: 0 (ok)"; piping the output into openssl x509 instead would show only the leaf and hide the stapling status).
  4. HSTS with preload (after testing)
    Header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload.
    Check: verify the header; validate at hstspreload.org / securityheaders.com.
  5. Automate renewals and monitor expiry
    Use ACME (Let’s Encrypt, etc.) with auto-renew; alerts on failure/expiry.
    Check: echo | openssl s_client -servername domain.tld -connect domain.tld:443 2>/dev/null | openssl x509 -noout -enddate.
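As an added example (not code from the original post), a small Python script that applies checks 4 and 5 offline: it validates a Strict-Transport-Security header value against the preload requirements and turns the notAfter line printed by `openssl x509 -noout -enddate` into a days-to-expiry alert that a renewal monitor can act on. The header strings, the notAfter lines and the reference time are constructed samples; the 14-day warning threshold is an assumed default.

```python
"""Offline helpers for the HSTS preload check and the expiry check above.
Added example; sample inputs below are constructed, not taken from a real host."""
import re
from datetime import datetime, timezone

HSTS_PRELOAD_MIN_AGE = 31536000  # one year, the minimum hstspreload.org requires

# Constructed reference time so the expiry arithmetic is reproducible.
SAMPLE_NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a dict.
    Directive names are case-insensitive; max-age carries a value,
    includeSubDomains and preload are flags."""
    result = {"max_age": None, "includeSubDomains": False, "preload": False}
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if value.isdigit():
                result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["includeSubDomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def hsts_preload_problems(header_value):
    """List the reasons a header would fail the preload requirements
    (max-age >= one year, includeSubDomains, preload). Empty list = passes."""
    parsed = parse_hsts(header_value)
    problems = []
    if parsed["max_age"] is None:
        problems.append("max-age missing or not an integer")
    elif parsed["max_age"] < HSTS_PRELOAD_MIN_AGE:
        problems.append(
            f"max-age {parsed['max_age']} is below {HSTS_PRELOAD_MIN_AGE}")
    if not parsed["includeSubDomains"]:
        problems.append("includeSubDomains missing")
    if not parsed["preload"]:
        problems.append("preload missing")
    return problems


def days_until_expiry(enddate_line, now=None):
    """Parse the 'notAfter=...' line from `openssl x509 -noout -enddate`
    and return whole days until expiry (negative once expired)."""
    match = re.match(r"notAfter=(.+)$", enddate_line.strip())
    if not match:
        raise ValueError("not an openssl -enddate line: " + enddate_line)
    # openssl pads single-digit days ('Jan  5 ...'); collapse the spacing.
    text = " ".join(match.group(1).split())
    expiry = datetime.strptime(text, "%b %d %H:%M:%S %Y %Z")
    expiry = expiry.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expiry - now).days


def expiry_alert(enddate_line, warn_days=14, now=None):
    """Return (status, days): 'ok', 'warn' (inside warn_days) or 'expired'."""
    days = days_until_expiry(enddate_line, now)
    if days < 0:
        return "expired", days
    if days < warn_days:
        return "warn", days
    return "ok", days


if __name__ == "__main__":
    # Constructed samples: one compliant header, one weak header.
    for header in ("max-age=31536000; includeSubDomains; preload",
                   "max-age=300"):
        print(header, "->", hsts_preload_problems(header) or "preload-ready")
    # Constructed notAfter line as openssl would print it.
    print(expiry_alert("notAfter=Jan 10 12:00:00 2030 GMT", now=SAMPLE_NOW))
```

In a renewal monitor, feed the output of the check 5 command straight into `expiry_alert` and page on anything other than "ok"; the hstspreload.org submission form applies further checks (a valid chain, redirects on the bare domain) that this syntactic validation does not cover.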