Remediating Weak Ciphers in Nginx & Apache

After identifying weak ciphers with the tester, the next step is remediation. Here are battle-tested configurations for Nginx and Apache to achieve A+ security.

Nginx: Modern Cipher Suite

Update your SSL config:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

Key Directives

  • TLSv1.2 TLSv1.3 – Disable TLS 1.0/1.1
  • ECDHE – Ensures forward secrecy
  • GCM or CHACHA20 – AEAD only
  • No static RSA key exchange, CBC, 3DES, RC4 (the ECDHE-RSA suites above use RSA only for authentication)

Apache: Secure Configuration

In ssl.conf or virtual host:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder on

Validation

After changes:
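As an added example (not part of the original article), the following Python script feeds the exact cipher string above to the local OpenSSL, mirrors the TLS 1.2 floor, and reports any enabled pre-TLS-1.3 suite that is not ECDHE plus AEAD. It assumes Python 3 with an OpenSSL-backed ssl module; the weak cipher string it compares against is constructed for illustration.

```python
"""Offline check of the cipher policy above, using the local OpenSSL through
Python's ssl module. Added example, not a tool from the original article."""
import ssl

# Exact cipher string from the Nginx/Apache configs above.
POLICY_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
)


def build_context(cipher_string: str) -> ssl.SSLContext:
    """Server context mirroring 'ssl_protocols TLSv1.2 TLSv1.3' plus the
    given ssl_ciphers / SSLCipherSuite string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # drops TLS 1.0/1.1 (and SSLv3)
    # As in Nginx/Apache, this list only governs TLS 1.2 suites; TLS 1.3
    # suites are a separate list that OpenSSL keeps AEAD-only by default.
    ctx.set_ciphers(cipher_string)
    return ctx


def policy_violations(ctx: ssl.SSLContext) -> list:
    """Names of enabled TLS <= 1.2 suites that break the policy: ECDHE key
    exchange and AEAD only, so static RSA, CBC, 3DES and RC4 are flagged."""
    bad = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue                      # always ephemeral + AEAD by design
        if c["kea"] != "kx-ecdhe" or not c["aead"]:
            bad.append(c["name"])
    return bad


def legacy_protocols_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the context cannot negotiate anything below TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    good = build_context(POLICY_CIPHERS)
    print("legacy protocols off:", legacy_protocols_disabled(good))
    print("violations in policy string:", policy_violations(good))
    # A deliberately weak string (constructed): static RSA + CBC suites.
    weak = build_context("AES128-SHA:ECDHE-RSA-AES128-SHA256")
    print("violations in weak string:", policy_violations(weak))
```

This only proves the string resolves to compliant suites on the build's OpenSSL; still scan the live listener afterwards, since the running server may link a different library or config.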

FAQ

Will this break old browsers?

Yes — IE8 on XP, Android 4.3. Use a fallback vhost if needed.

Should I include AES-CBC?

No. It’s vulnerable and unnecessary with GCM.

What about HSTS?

In Nginx, add:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

Secure today. Sleep soundly tonight.