SSL Labs 100%

Scoring A+ 100 100 100 100 on SSL Labs

Scoring A+ 100 100 100 100 on SSL Labs

If you like to get 100% and A+ on SSL Labs, with Apache and Nginx. You should set the following options:


SSLEngine on

SSLCertificateFile /etc/apache2/ssl/www_safematix_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www_safematix_com.key

SSLCertificateChainFile /etc/apache2/ssl/chain.pem
SSLCACertificateFile /etc/apache2/ssl/ca.pem

BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLCompression off

Header always set Strict-Transport-Security: "max-age=15768000 ; includeSubDomains"

SSLCipherSuite 'AES256+EECDH:AES256+EDH:!aNULL'


First you should create the dh (Diffie-Hellman) key file.

openssl dhparam -out www_safematix_com_dhparam.pem 4096
ssl on;

ssl_certificate /etc/nginx/ssl/safematix/;
ssl_certificate_key /etc/nginx/ssl/safematix/;

ssl_dhparam /etc/nginx/ssl/safematix/;
ssl_trusted_certificate /etc/nginx/ssl/ca.pem;

ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;

ssl_stapling on;
ssl_stapling_verify on;
resolver valid=300s;
resolver_timeout 10s;

add_header Strict-Transport-Security max-age=63072000;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2;
ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';
add_header Strict-Transport-Security max-age=15768000; # six months

add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";

3 thoughts on “Scoring A+ 100 100 100 100 on SSL Labs”

  1. Hello,

    Thanks for this good post. But i would like to know how i can make the same on a WHM cPanel server ? Can you help me ?

    Best regards,


  2. Hello,

    I believe this configuration no longer scores 100 on both key exchange and cipher suite. Multiple HSTS headers also results in “Strict Transport Security (HSTS) Invalid Server provided more than one HSTS header”.

    As a small side note, because this relies on strict usage of EECDH-only cipher suites (recommended), a static DH parameter file is no longer necessary.


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.