Tag Archives: tls

Scoring A+ 100 100 100 100 on SSL Labs

If you want to score 100% and an A+ on SSL Labs with Apache or Nginx, set the following options:

Apache

SSLEngine on

SSLCertificateFile /etc/apache2/ssl/www_safematix_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www_safematix_com.key

SSLCertificateChainFile /etc/apache2/ssl/chain.pem
SSLCACertificateFile /etc/apache2/ssl/ca.pem

BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLCompression off

# no colon after the header name: "Header set" takes the bare name, then the value
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

SSLCipherSuite 'AES256+EECDH:AES256+EDH:!aNULL'

Nginx

First, create the DH (Diffie-Hellman) parameter file:

openssl dhparam -out www_safematix_com_dhparam.pem 4096

Then, in the nginx server block:

ssl on;  # deprecated since nginx 1.15.0; use "listen 443 ssl;" instead

ssl_certificate /etc/nginx/ssl/safematix/www.safematix.com.crt;
ssl_certificate_key /etc/nginx/ssl/safematix/www.safematix.com.key;

ssl_dhparam /etc/nginx/ssl/safematix/www_safematix_com_dhparam.pem;  # the file generated above
ssl_trusted_certificate /etc/nginx/ssl/ca.pem;

ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;

# Send exactly one Strict-Transport-Security header; repeating add_header would
# emit duplicate headers. Pick one of the variants below.
add_header Strict-Transport-Security max-age=15768000; # six months, this host only
# add_header Strict-Transport-Security max-age=63072000; # two years, this host only
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains"; # only if all subdomains support HTTPS!
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2;
ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';

OpenSSL csr sha2 4096 bit – quick

To quickly create a CSR with SHA-256 and a 4096-bit RSA key:

openssl req -new -newkey rsa:4096 -nodes -sha256 -out www_safematix_com_sha256.csr -keyout www_safematix_com.key -subj "/C=CH/ST=Zurich/L=Zurich/O=Safematix IT-Security & Service/CN=www.safematix.com"

To create a dhparam file with OpenSSL:

openssl dhparam -out www_safematix_com_dhparam.pem 4096

Nginx SSL Labs A+

To get a highly secure SSL installation on Nginx, use the following config. With these settings you also get an A+.

SSL Labs A+

It is important to generate the ephemeral Diffie-Hellman parameters that forward secrecy (DHE key exchange) relies on.

You can create the dhparam.pem with openssl:

openssl dhparam -out www_safematix_com_dhparam.pem 4096

Then, in the nginx server block:

ssl on;  # deprecated since nginx 1.15.0; use "listen 443 ssl;" instead
ssl_certificate /etc/nginx/ssl/safematix/www_safematix_com.crt;
ssl_certificate_key /etc/nginx/ssl/safematix/www_safematix_com.key;
ssl_trusted_certificate /etc/nginx/ssl/safematix/ca.pem;

ssl_dhparam /etc/nginx/ssl/safematix/www_safematix_com_dhparam.pem;

ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;

# Send exactly one Strict-Transport-Security header; repeating add_header would
# emit duplicate headers. Pick one of the variants below.
add_header Strict-Transport-Security max-age=15768000; # six months, this host only
# add_header Strict-Transport-Security max-age=63072000; # two years, this host only
# use this only if all subdomains support HTTPS!
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # TLSv1.2 only was not possible here (older clients)
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
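A small pre-flight check for the nginx snippets in the two Nginx posts above, added here as an example and not part of the original posts: it parses a flat block of `name args;` directives and reports the things SSL Labs penalises (SSLv3/TLS 1.0/1.1 enabled, no ssl_dhparam, no HSTS, HSTS max-age under six months) plus the duplicate Strict-Transport-Security add_header lines the snippets ship with. The sample blocks are constructed from the posts; the parser assumes no '#' inside directive values.

```python
import re
import shlex

# Constructed sample: the nginx TLS directives as posted, including the
# three Strict-Transport-Security add_header lines.
SAMPLE_AS_POSTED = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
ssl_dhparam /etc/nginx/ssl/safematix/www_safematix_com_dhparam.pem;
add_header Strict-Transport-Security max-age=63072000;
add_header Strict-Transport-Security max-age=15768000; # six months
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
"""

# Constructed sample: the same block with TLS 1.2 only and a single HSTS line.
SAMPLE_FIXED = """
ssl_protocols TLSv1.2;
ssl_dhparam /etc/nginx/ssl/safematix/www_safematix_com_dhparam.pem;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
"""

SIX_MONTHS = 15768000  # HSTS max-age SSL Labs wants for the A+ bonus
WEAK_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")


def parse_directives(text):
    """Yield (name, args) per 'name args;' line; '#' comments are stripped first."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.endswith(";"):
            name, *args = shlex.split(line[:-1])  # shlex keeps quoted values whole
            yield name, args


def check_tls_config(text):
    """Return the findings that would cost points on SSL Labs."""
    directives = list(parse_directives(text))
    protocols = [p for n, args in directives if n == "ssl_protocols" for p in args]
    findings = [f"weak protocol enabled: {p}" for p in WEAK_PROTOCOLS if p in protocols]
    if not any(n == "ssl_dhparam" for n, _ in directives):
        findings.append("ssl_dhparam missing: DHE suites use nginx's built-in parameters")
    hsts = [args[1] for n, args in directives
            if n == "add_header" and args[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    elif len(hsts) > 1:
        findings.append(f"{len(hsts)} HSTS add_header lines: response would carry duplicate headers")
    elif not (m := re.search(r"max-age=(\d+)", hsts[0])) or int(m.group(1)) < SIX_MONTHS:
        findings.append("HSTS max-age is below six months")
    return findings
```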