Getting Started with TLS/SSL Port Number
SSL (Secure Sockets Layer) certificate ports play a crucial role in securing communication between a web browser and a web server. This comprehensive guide will explain what an SSL certificate port is, the common SSL ports used on the Internet, and how to change the default SSL port number on your web server.
Key Takeaways
- SSL certificate ports are used to establish secure HTTPS connections between browsers and servers. The default SSL port is 443.
- Other common SSL ports include 465 (SMTPs) and 993 (IMAPs). Some web servers also use non-standard ports like 8443.
- Your web server configuration can change the SSL port number. This may be done to avoid conflicts or for security through obscurity.
- Changing the SSL port can cause connectivity issues if it is not a recognized port. Port 443 is recommended for public websites.
- Firewalls, routers, and security groups must allow connections on new SSL port numbers.
What is an SSL Certificate Port?
An SSL certificate port is a TCP/IP port used by a website to establish secure HTTPS connections with web browsers.
When you access a website starting with https://, your web browser initiates a TLS/SSL handshake with the web server using a defined port number. This allows the client and server to establish an encrypted session, which secures all communication between them.
The default TCP port used for HTTPS traffic is 443. However, SSL can technically use any port according to the TLS specification.
How Does SSL Use Ports to Make Connections Secure?
Here is a simplified overview of how SSL ports enable secure browsing sessions:
- A user types https://example.com into their browser URL bar and hits enter.
- The browser makes a TCP connection to the web server on port 443.
- The browser and web server exchange SSL/TLS handshake messages to authenticate each other and negotiate encryption algorithms.
- An encrypted TLS tunnel is established over port 443 between the browser and the server.
- The browser and server can now exchange encrypted HTTP requests and responses securely through the TLS tunnel.
- The user views the encrypted website content delivered through port 443.
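Because the handshake in the steps above is what marks a connection as TLS, a monitoring tool can recognise HTTPS on any port from the first bytes of the stream. The following is an added example, not part of the original article: it builds a real ClientHello in memory with Python's ssl module and parses the record header and the server name (SNI). The function names are illustrative.

```python
import ssl
import struct

def client_hello_bytes(server_name):
    """Build a real ClientHello in memory (no network) using the ssl module."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for the ServerHello
    return outgoing.read()

def inspect_first_bytes(data):
    """Return (is_tls_client_hello, sni_or_None) for the first bytes of a TCP stream."""
    # Record header: type 0x16 (handshake), version 0x03xx, 2-byte length.
    # Handshake header: type 0x01 (ClientHello), 3-byte length.
    if len(data) < 9 or data[0] != 0x16 or data[1] != 0x03 or data[5] != 0x01:
        return False, None
    body = data[9:]
    try:
        pos = 2 + 32                                        # legacy_version + random
        pos += 1 + body[pos]                                # session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
        pos += 1 + body[pos]                                # compression_methods
        ext_end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            if ext_type == 0:                               # server_name extension
                name_len = struct.unpack_from("!H", body, pos + 7)[0]
                return True, body[pos + 9:pos + 9 + name_len].decode("ascii")
            pos += 4 + ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                                # truncated or malformed hello
    return True, None

if __name__ == "__main__":
    # Constructed inputs: a generated ClientHello and a plaintext HTTP request.
    print(inspect_first_bytes(client_hello_bytes("example.com")))
    print(inspect_first_bytes(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"))
```

The same check applies whether the listener is on 443, 8443 or 1443, which is why moving the port does not hide HTTPS traffic from inspection devices.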
Common SSL Ports and Their Uses
Here are some of the most common SSL ports and their typical uses:
- 443: Default HTTPS SSL port for websites. All web browsers support it.
- 465: SMTP port for secure email connections using SSL/TLS. It is used to secure SMTP mail servers.
- 993: This is the IMAP port for secure IMAP email connections using SSL/TLS. Email clients use it.
- 989/990: FTPS data and control ports for secure FTP transfers using TLS/SSL.
- 8443: A common alternative HTTPS port used by some web servers and network devices.
- 4444: Sometimes used as an alternative HTTPS port for web administration interfaces.
Many other registered and dynamic ports can also use SSL. However, ports 443, 465, and 993 are the most universally recognized SSL ports on the Internet.
Can You Change the Default SSL Certificate Port?
Yes, you can change your web server’s default HTTPS port from 443 to a custom port number by modifying the server configuration to listen for SSL connections on the new port.
Some reasons why you may want to change the default SSL port include:
- Avoid port conflicts: If you need to run multiple HTTPS websites or services on one server with a single IP address.
- Extra security: Non-standard ports are less subject to automated attacks and port scans.
- Redirect traffic: You can redirect standard HTTPS traffic to a different internal port as part of network routing or load balancing.
- Obscurity: Using obscure ports instead of well-known ports can be perceived as a security-through-obscurity measure.
However, there are some significant downsides to changing the default SSL port:
- Connectivity issues: Web browsers can fail to connect if they don’t recognize the non-standard SSL port.
- Compatibility problems: Many proxies, firewalls, antivirus, and filtering systems expect port 443 for HTTPS traffic.
- SEO impact: Web crawlers may not be able to index pages if unusual SSL ports are used.
As such, using the standard SSL port 443 is generally recommended, especially for public-facing websites.
How to Change the SSL Port in Apache
If you want to change your web server’s SSL port, here is how to do it in Apache:
- Open the Apache configuration file (httpd.conf or apache2.conf)
- Find the Listen 443 directive. This specifies Apache’s listening port for HTTPS.
- Change Listen 443 to the new SSL port you want to use, like Listen 1443
- Save and close the file
- Restart the Apache service to apply the new listening SSL port
- Update your firewall rules to allow the new port
How to Change the SSL Port in Nginx
If you want to change your web server’s SSL port, here is how to do it in Nginx:
- Open the Nginx configuration file (usually located at /etc/nginx/nginx.conf)
- Find the listen 443 ssl; directive in the server block of your HTTPS site
- Change listen 443 ssl; to listen 1443 ssl; (or your desired port)
- Save and close the file
- Restart Nginx: sudo systemctl restart nginx
- Update firewall rules to allow the new SSL port
Additionally, if you are using name-based virtual hosts, you will need to update the listen and server_name directives for each HTTPS host to specify the new SSL port.
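After editing the listen directives of several virtual hosts, it is easy to leave one port without the ssl parameter. The following check is an added example, not part of the original article: it scans configuration text for listen directives and reports which expected HTTPS ports do not have TLS enabled. The sample configuration, port numbers and function names are constructed for illustration, and a port is treated as TLS if any listen directive on it carries ssl.

```python
import re

# Constructed sample (not from the article): one host moved to 1443 correctly,
# one admin host moved to 8443 where the ssl parameter was forgotten.
SAMPLE_CONF = """
server {
    listen 1443 ssl;
    listen [::]:1443 ssl;
    server_name example.com;
}
server {
    listen 8443;
    server_name admin.example.com;
}
server {
    listen 80;
    server_name example.com;
}
"""

LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);", re.MULTILINE)

def tls_ports(conf_text):
    """Map each listening port to True if any listen directive on it has ssl."""
    ports = {}
    for match in LISTEN_RE.finditer(conf_text):
        address, *params = match.group(1).split()
        # address is "1443", "127.0.0.1:1443" or "[::]:1443"
        port_text = address.rsplit(":", 1)[-1]
        if port_text.isdigit():  # skips unix: sockets and address-only forms
            port = int(port_text)
            ports[port] = ports.get(port, False) or "ssl" in params
    return ports

def missing_tls(conf_text, expected_ports):
    """Return the expected HTTPS ports that are absent or lack the ssl parameter."""
    ports = tls_ports(conf_text)
    return sorted(p for p in expected_ports if not ports.get(p, False))

if __name__ == "__main__":
    print(tls_ports(SAMPLE_CONF))
    print(missing_tls(SAMPLE_CONF, [1443, 8443]))
```

Running nginx -t before the restart catches syntax errors, but not a port that was moved without the ssl parameter, which is what this check looks for.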
Things to Consider When Changing the SSL Port
Here are some important considerations when changing your web server’s default SSL port:
- Use recognized port numbers between 1024 and 49151. Trying obscure ports below 1024 may cause issues.
- Please update any references to the old SSL port number in server configs, scripts, databases, bookmarks, documentation, etc.
- Grant firewall access to the new port number on servers, routers, load balancers, and other network devices.
- Specify the non-standard port in HTTPS links on your website if needed for connectivity. For example, use https://example.com:1443/page instead of just https://example.com/page
- Before moving off the standard port 443, consider the impact on SEO, as crawlers may not be able to index all pages.
- Redirect existing traffic from port 443 to the new SSL port for a seamless transition.
- Test extensively from various clients to detect and troubleshoot any connectivity issues.
Migrating from the default HTTPS port 443 to a custom SSL port requires careful planning and testing to avoid disruption. While it may theoretically provide some extra security, it can also cause headaches if not done properly.
Conclusion
SSL certificate ports are the gateways that allow encrypted HTTPS connections to be established between browsers and web servers. While port 443 is the universal standard used for websites, in some cases, web servers can be configured to listen on alternative ports for specific purposes. However, diverging from the expected SSL port 443 comes with drawbacks like reduced compatibility and SEO issues that should be considered. Changing SSL ports can only be recommended for niche use cases, not general public websites.
With careful planning and rigorous testing, non-standard SSL ports may occasionally have utility for hosting multiple HTTPS sites or obscuring traffic. However, for most web servers, adhering to the tried-and-true default of port 443 for SSL remains the wisest approach.
Frequently Asked Questions (FAQ) About SSL Ports
What is port 443 used for?
Port 443 is the standard TCP port used for HTTPS (HTTP over SSL/TLS) connections. It allows web browsers to access websites over a secured, encrypted connection.
Is changing the SSL port a good idea?
Changing your SSL port from the common standard 443 is generally not recommended, as it can cause compatibility issues and connectivity problems. However, when done properly, it may have limited security benefits in some use cases.
Can you use SSL on port 80?
No, SSL cannot run on port 80, as it is reserved strictly for unencrypted HTTP traffic by standards. Attempting to use SSL over port 80 will result in errors. Port 443 must be used for HTTPS.
What is SSL port 465 used for?
Port 465 is reserved for SMTPs: encrypted SMTP mail transmissions using SSL/TLS. Mail servers use port 465 for secure email connections to prevent snooping or modification of emails in transit.
Why does my website use port 8443 for HTTPS?
Some web servers use port 8443 instead of 443 for HTTPS connections. This non-standard port provides the benefits of SSL without conflicting with standard HTTPS on port 443. However, browser compatibility issues can occur.
How do I open an SSL port in my firewall?
To open an SSL port in your firewall, create a new rule allowing inbound TCP connections on the SSL port you want to use. For example, to open port 1443, allow TCP 1443 inbound. Apply this rule to let SSL traffic through.
Can I run multiple SSL websites on one IP address?
Yes, you can host multiple SSL websites on a single IP by using different non-standard SSL ports for each one. This allows you to host several HTTPS sites on the same server without requiring dedicated IPs for each.
Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.