SSL/TLS Configuration
Configure and manage Transport Layer Security for your CloudNexus infrastructure. Enforce modern encryption standards, automate certificate lifecycle, and secure edge connections.
Last revised: Nov 2025
Overview
CloudNexus enforces strong cryptographic defaults across all edge nodes and origin servers. TLS termination occurs at the global edge, ensuring minimal latency and maximum security. You can customize cipher suites, enforce protocol versions, and manage certificates via the API, CLI, or infrastructure-as-code templates.
Connections to CloudNexus endpoints negotiate TLS 1.3 whenever the client supports it. TLS 1.2 remains available for older clients, restricted to the AEAD cipher suites listed below.
Supported Protocols
Only modern, vetted TLS versions are enabled by default. Older protocols (SSLv2, SSLv3, TLS 1.0, TLS 1.1) are permanently disabled and cannot be enabled due to known cryptographic vulnerabilities.
| Protocol | Status | Notes |
|---|---|---|
| TLS 1.3 | Default / Recommended | Forward secrecy always; 0-RTT available, but early data is replayable, so allow it only for idempotent requests |
| TLS 1.2 | Enabled (Fallback) | Restricted to ECDHE + AEAD cipher suites only |
| TLS 1.1 & Older | Disabled | TLS 1.0/1.1 deprecated per RFC 8996; SSLv3 per RFC 7568, SSLv2 per RFC 6176 |
Default Cipher Suites
CloudNexus uses a curated cipher suite order prioritizing forward secrecy, AEAD encryption, and hardware acceleration. Custom cipher lists are supported via configuration overrides.
TLS 1.3
| Cipher Suite | Short Name | Forward Secrecy |
|---|---|---|
| TLS_AES_256_GCM_SHA384 | aes_256_gcm | Yes (X25519 key share) |
| TLS_CHACHA20_POLY1305_SHA256 | chacha20_poly1305 | Yes (X25519 key share) |
| TLS_AES_128_GCM_SHA256 | aes_128_gcm | Yes (X25519 key share) |
A TLS 1.3 suite name covers only the AEAD algorithm and hash; forward secrecy comes from the ephemeral key share negotiated separately, X25519 by default.
TLS 1.2 (Fallback)
| Cipher Suite | Key Exchange | Encryption |
|---|---|---|
| ECDHE-ECDSA-AES256-GCM-SHA384 | ECDHE (P-256) | AES-256-GCM |
| ECDHE-RSA-AES256-GCM-SHA384 | ECDHE (P-256) | AES-256-GCM |
| ECDHE-ECDSA-CHACHA20-POLY1305 | ECDHE (P-256) | ChaCha20-Poly1305 |
RC4, 3DES, CBC mode ciphers, and static RSA key exchange are permanently disabled. Custom configurations attempting to enable them will be rejected by the edge gateway.
Certificate Management
Automate certificate provisioning, renewal, and validation across all edge locations.
ACME v2 Automation
CloudNexus integrates natively with Let's Encrypt and ZeroSSL via ACME v2. Enable auto-provisioning to receive valid certificates for any domain pointing to your infrastructure.
Custom Certificates
Upload your own CA-signed or enterprise certificates in PEM or PKCS#12 format. Wildcard and SAN certificates are fully supported.
| Feature | Auto (ACME) | Custom Upload |
|---|---|---|
| Auto-Renewal | Yes, 30 days before expiry | No; re-upload before expiry (manual or scheduled) |
| Wildcard Support | Yes, via DNS-01 challenge | Yes, full support |
| Certificate Transparency | Yes, logged automatically | Yes, validated on upload |
| OCSP Stapling | Enabled | Enabled |
Configuration Examples
Define TLS behavior via API, CLI, or infrastructure-as-code. Choose your preferred format:
CLI

```bash
# Enforce TLS 1.2+ and set custom cipher order
cloudnexus tls configure \
  --protocol-min tls12 \
  --ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384" \
  --hsts true \
  --hsts-max-age 31536000

# Enable ACME auto-provisioning for a domain
cloudnexus cert provision \
  --domain app.example.com \
  --provider letsencrypt \
  --challenge http-01
```

API (JSON)

```http
Content-Type: application/json
Authorization: Bearer <token>

{
  "protocol_minimum": "TLSv1.2",
  "cipher_suite_mode": "custom",
  "cipher_order": [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384"
  ],
  "http_strict_transport_security": {
    "enabled": true,
    "max_age": 31536000,
    "include_subdomains": true
  },
  "ocsp_stapling": true
}
```

Infrastructure-as-code (YAML)

```yaml
tls:
  minimum_version: TLSv1.2
  cipher_suites:
    mode: recommended
    override: []
  hsts:
    enabled: true
    max_age_seconds: 31536000
    preload: false
  certificates:
    auto_renew: true
    provider: acme
    challenge_type: http
```
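The page states that the edge gateway rejects custom configurations that try to enable RC4, 3DES, CBC-mode suites, static RSA key exchange, or a protocol floor below TLS 1.2. The following is an added example, not CloudNexus code: a local pre-submission check over a JSON body shaped like the API request above. The function names and the `REJECTED` sample are hypothetical; the allowlists are the suites this page documents. The last function mirrors the TLS 1.2 cipher string in a local OpenSSL context via Python's `ssl` module, which shows a gotcha worth knowing when mixing suite names as the JSON body does: an OpenSSL-style cipher string governs TLS 1.2 and below only, while TLS 1.3 suites are configured separately.

```python
"""Policy check for a CloudNexus-style TLS configuration (added example)."""
import json
import ssl

# Suites the page documents as the curated defaults.
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
}
TLS12_SUITES = {
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
}
ALLOWED = TLS13_SUITES | TLS12_SUITES

# Name token -> reason, for the classes the page says the gateway rejects.
BANNED_TOKENS = [
    ("RC4", "RC4 stream cipher"),
    ("DES-CBC3", "3DES"),
    ("3DES", "3DES"),
    ("CBC", "CBC mode"),
]

PROTOCOL_RANK = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}


def classify_suite(name):
    """Return None if the suite is allowed, else a short rejection reason."""
    if name in ALLOWED:
        return None
    upper = name.upper()
    for token, reason in BANNED_TOKENS:
        if token in upper:
            return reason
    # OpenSSL-style names with no (EC)DHE prefix use static RSA key exchange,
    # e.g. AES128-GCM-SHA256. TLS 1.3 names (TLS_...) never do.
    if not upper.startswith(("ECDHE-", "DHE-", "TLS_")):
        return "static RSA key exchange (no forward secrecy)"
    # HMAC suites such as ECDHE-RSA-AES128-SHA256 are CBC without saying so.
    if not ("GCM" in upper or "POLY1305" in upper or "CCM" in upper):
        return "CBC mode"
    return "not in the curated suite list"


def check_config(config):
    """Return a list of violations; an empty list means the config is accepted."""
    problems = []
    minimum = config.get("protocol_minimum", "TLSv1.2")
    if PROTOCOL_RANK.get(minimum, -1) < PROTOCOL_RANK["TLSv1.2"]:
        problems.append(f"protocol_minimum {minimum}: TLS 1.1 and older cannot be enabled")
    if config.get("cipher_suite_mode") == "custom":
        for suite in config.get("cipher_order", []):
            reason = classify_suite(suite)
            if reason:
                problems.append(f"cipher {suite}: {reason}")
    hsts = config.get("http_strict_transport_security", {})
    if hsts.get("enabled") and hsts.get("max_age", 0) <= 0:
        problems.append("hsts: max_age must be positive when enabled")
    return problems


def openssl_tls12_view(cipher_string):
    """Apply a TLS 1.2 cipher string to a local OpenSSL server context and
    report the TLS 1.2 suites it leaves enabled plus whether all are AEAD."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)  # affects TLS 1.2 and below only
    tls12 = [c for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]
    return [c["name"] for c in tls12], all(c["aead"] for c in tls12)


# Constructed samples: the page's API body, and a weak variant (hypothetical).
ACCEPTED = json.loads("""{
  "protocol_minimum": "TLSv1.2", "cipher_suite_mode": "custom",
  "cipher_order": ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                   "ECDHE-ECDSA-AES256-GCM-SHA384"],
  "http_strict_transport_security": {"enabled": true, "max_age": 31536000},
  "ocsp_stapling": true }""")

REJECTED = dict(ACCEPTED, protocol_minimum="TLSv1.0",
                cipher_order=["ECDHE-RSA-AES256-GCM-SHA384", "RC4-SHA",
                              "DES-CBC3-SHA", "AES128-GCM-SHA256",
                              "ECDHE-RSA-AES128-SHA256"])

if __name__ == "__main__":
    print(check_config(ACCEPTED))   # []
    for problem in check_config(REJECTED):
        print("reject:", problem)
    print(openssl_tls12_view(":".join(sorted(TLS12_SUITES))))
```

The `REJECTED` sample produces five findings (protocol floor, RC4, 3DES, static RSA, and a CBC suite whose name hides it), which is the set of classes the page says the gateway refuses.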
Security Headers
CloudNexus automatically injects modern security headers when TLS is enabled. You can customize or disable them per endpoint.
| Header | Default Value | Description |
|---|---|---|
| Strict-Transport-Security | max-age=31536000; includeSubDomains | Tells browsers to use HTTPS only for this host (and subdomains) for the next max-age seconds; honored only when received over HTTPS |
| X-Content-Type-Options | nosniff | Prevents MIME-type sniffing |
| Referrer-Policy | strict-origin-when-cross-origin | Limits referrer information sent cross-origin |
| Permissions-Policy | geolocation=(), microphone=() | Restricts browser feature access |
HSTS preload lists are not automatically managed. The default header above is not preload-eligible: hstspreload.org requires a max-age of at least 31536000 (one year), includeSubDomains, and the preload directive, plus a valid certificate and an HTTP-to-HTTPS redirect on the host. Ensure your domain passes validation at hstspreload.org before submitting.
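As an added example (not part of the page or the CloudNexus tooling), here is a small helper that renders the header value the page describes and vets it against the header-level preload requirements (one-year max-age, includeSubDomains, preload). The function names are hypothetical; only the header string is checked, so the certificate and redirect requirements are outside its view.

```python
"""Build and vet a Strict-Transport-Security header value (added example)."""

ONE_YEAR = 31536000
STAGING_MAX_AGE = 86400  # short lifetime for staging, as the troubleshooting note suggests


def hsts_header(max_age=ONE_YEAR, include_subdomains=True, preload=False):
    """Render the header value in the form injected by default."""
    parts = [f"max-age={int(max_age)}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts(value):
    """Parse a header value into {directive (lowercased): value or None}.
    Directive names are case-insensitive (RFC 6797)."""
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def preload_problems(value):
    """Return header-level reasons the value would fail preload submission;
    an empty list means the header itself is preload-ready."""
    d = parse_hsts(value)
    problems = []
    try:
        max_age = int(d.get("max-age") or "")
    except ValueError:
        problems.append("max-age missing or not an integer")
        max_age = -1
    if 0 <= max_age < ONE_YEAR:
        problems.append(f"max-age {max_age} is below the one-year minimum ({ONE_YEAR})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    for value in (hsts_header(), hsts_header(STAGING_MAX_AGE), hsts_header(preload=True)):
        print(f"{value!r} -> {preload_problems(value) or 'preload-ready'}")
```

Serving `max-age=0` over HTTPS is the way to clear a cached policy from browsers before a domain is preloaded; the checker flags that value as not preload-ready, which is the intended reading during a rollback.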
Testing & Validation
Verify your TLS configuration using built-in diagnostics or external validators.
Internal Validation Endpoint
Run a quick cryptographic audit against your edge node:
```bash
cloudnexus tls audit --domain app.example.com --verbose
# Returns a JSON report with cipher compatibility, HSTS status, and CT logging
```
External Validators
- SSL Labs Server Test (Target score: A+)
- BrowserLeaks SSL Checker
- Certificate Transparency Search
Troubleshooting
Common Issues
Certificate not trusted on older devices? CloudNexus serves cross-signed CA bundles; iOS 9 and Android 5.0 are the oldest supported client platforms. Such clients negotiate the TLS 1.2 fallback with ECDHE cipher suites.
ACME validation failing? Ensure ports 80 and 443 are open at your origin, DNS resolves to the CloudNexus edge IPs, and no upstream WAF blocks the /.well-known/acme-challenge/ path.
HSTS lockout during development? Use the --hsts-mode conditional flag or set max_age to 86400 during staging. A browser that has already cached a long policy keeps enforcing it until max-age expires or it receives max-age=0 over HTTPS, so keep staging lifetimes short. Never enable preload until tested thoroughly, since a preloaded policy cannot be withdrawn quickly.