DEV Community

Sharon

SafeLine WAF: SSL/TLS Protocol and Cipher Suite Guide

Enabling HTTPS and properly configuring SSL/TLS settings are essential steps in securing any modern web application.
In this guide, we'll walk through how to configure SSL certificates, protocol versions, and cipher suites in SafeLine WAF—an open-source web application firewall designed for high performance and ease of use. Whether you're aiming for stronger encryption or need to meet compliance standards, SafeLine makes SSL customization straightforward and flexible.

SSL Certificate Configuration

To enable HTTPS access for a site, turn on SSL for the corresponding port while configuring the site. SafeLine requires the site's SSL certificate to be uploaded at that point.

SSL Protocol Version Configuration

To change which SSL/TLS protocol versions HTTPS accepts, select them in the SSL Protocol section.

SafeLine currently supports: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3, SSLv2, SSLv3. Of these, only TLSv1.2 and TLSv1.3 are still considered secure; SSLv2, SSLv3, TLSv1 and TLSv1.1 have been formally deprecated and should stay disabled unless a legacy client genuinely requires them.

SSL Cipher Algorithm Configuration

Some web services have specific requirements for which SSL cipher suites may be used, and some cipher suites have known security weaknesses. In either case, adjusting the SSL cipher list resolves the issue.

SafeLine lets you customize the SSL cipher list in the SSL Protocol section.

Some Common SSL Cipher Combinations

The following are reference strings in OpenSSL cipher-list syntax. Note that the nginx example is historical: it still lists RC4 and 3DES suites, which are prohibited or deprecated today and should not be offered.

  • Nginx official example: AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5
  • Cloudflare recommended: [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES
  • Mozilla recommended (Modern compatibility, TLS 1.3): TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
  • Mozilla recommended (Intermediate compatibility, TLS 1.3): TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
  • Mozilla recommended (Intermediate compatibility, TLS 1.2): ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
  • Mozilla recommended (Old backward compatibility, TLS 1.3): TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
  • Mozilla recommended (Old backward compatibility, TLS 1.0 - 1.2): ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
  • Mozilla recommended: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
  • Cipherli.st recommended: EECDH+AESGCM:EDH+AESGCM
  • High strength cipher suite: HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4:!RSA
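Before pasting one of these strings into SafeLine, it is worth seeing what your OpenSSL build actually turns it into. The Python script below is an added example, not SafeLine's own code: it resolves three of the strings above through the local OpenSSL (the same expansion a server performs), then flags suites a defender would not want offered, namely names carrying RC4, DES, MD5 or anonymous/null markers and suites without (EC)DHE forward secrecy. The dict labels are my own; the cipher strings are copied from the list.

```python
import ssl

# Cipher strings copied from the list above; the dict labels are mine.
CIPHER_STRINGS = {
    "nginx-example": "AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5",
    "mozilla-intermediate-tls12": (
        "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
        "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
        "DHE-RSA-CHACHA20-POLY1305"
    ),
    "high-strength": "HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4:!RSA",
}

# Suite-name fragments that mark weak or unauthenticated suites.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")


def resolve(cipher_string):
    """Return the TLS 1.2-and-below suite names OpenSSL picks for cipher_string.

    Raises ssl.SSLError when nothing matches, e.g. a list made only of suites
    that this OpenSSL build no longer compiles in (such as RC4)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # get_ciphers() also reports the fixed TLS 1.3 suites, which a cipher
    # string does not govern; drop them so the result reflects the string.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Expand a cipher string and flag weak suites and suites lacking forward secrecy."""
    try:
        offered = resolve(cipher_string)
    except ssl.SSLError as exc:
        return {"offered": [], "weak": [], "no_forward_secrecy": [], "error": str(exc)}
    weak = [n for n in offered if any(m in n for m in WEAK_MARKERS)]
    # Only ephemeral (EC)DHE key exchange gives forward secrecy; static RSA does not.
    no_fs = [n for n in offered if "DHE" not in n]
    return {"offered": offered, "weak": weak, "no_forward_secrecy": no_fs, "error": None}


if __name__ == "__main__":
    for label, cipher_string in CIPHER_STRINGS.items():
        report = audit(cipher_string)
        print(label, report["error"] or f"{len(report['offered'])} suites")
        for key in ("weak", "no_forward_secrecy"):
            print(f"  {key}: {report[key] or 'none'}")
```

Run it on the OpenSSL build behind your SafeLine deployment; the nginx example resolves to static-RSA suites only (no forward secrecy), while the Mozilla and high-strength strings yield ECDHE/DHE suites with no flagged names.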
