SSL protocol can protect our transport security, it also have different levels. ssllabs.com provide a tester to check the security level in your server. I have to add some configuration to achieve A+. So I used nginx as example.
First we need a valid SSL certificate, we can use Free certificate like Let’s Encrypt, and also premium one. Note: if you want to get 100 score in Key Exchange, you need a 4096bit cert.
Contents
Choose Protocols:
The default setting of nginx can support most of the protocols. but we need to disable some of the protocols, it means we should neglect a small percentage of users who use very old OS(e.g. Windows XP need old ssl protocol). We can use TLS1.0-1.2, and if We want more secure, we can only choose TLS1.2
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Choose Ciphers
We also need to choose which ciphers used in our server. We cannot keep compatible and security at the same time. This time I only choose 256-bit encryption schemes. (If you want to add more ciphers, It is important to note that these values are in order of specificity, so the ordering is from best security to worst.)
ssl_prefer_server_ciphers on; ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
if you want to improve compatible, you can use this code
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; ssl_prefer_server_ciphers on;
Setting Forward Secrecy
With Forward Secrecy, if an attacker gets a hold of the server’s private key, it will not be able to decrypt past communications. The private key is only used to sign the DH handshake, which does not reveal the pre-master key. Diffie-Hellman ensures that the pre-master keys never leave the client and the server, and cannot be intercepted by a MITM.
latest Nginx will use DH, but it will use a 1024-bit default key for the key-exchange, We can generate a stronger DHE parameter for it:
openssl dhparam -out dhparam.pem 4096
We should add this code to nginx configuration.
ssl_dhparam /your/path/to/dhparam.pem;
HSTS(HTTP Strict Transport Security)
instructs browsers to communicate with your website only over SSL.If we visit a http url, the browsers will automatically redirect to https url.
# Enable HSTS add_header Strict-Transport-Security max-age=63072000; # Do not allow this site to be displayed in iframes add_header X-Frame-Options DENY; # Do not permit Content-Type sniffing. add_header X-Content-Type-Options nosniff;
OCSP Stapling
When connecting to a server, clients should verify the validity of the server certificate using either a Certificate Revocation List (CRL), or an Online Certificate Status Protocol (OCSP) record.but sometimes, it takes to much time, which can cause security problem. through this code, server will send a OCSP cache when TLS handshake.
ssl_stapling on; ssl_stapling_verify on; resolver 8.8.4.4 8.8.8.8 valid=300s; resolver_timeout 10s;
so the final Configuration like this
ssl on; ssl_session_tickets off; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; ssl_prefer_server_ciphers on; ssl_certificate /etc/ssl/website.com.crt; ssl_certificate_key /etc/ssl/website.com.key; ssl_dhparam /etc/ssl/dhparam.pem; ssl_stapling on; ssl_stapling_verify on; resolver 8.8.4.4 8.8.8.8 valid=300s; resolver_timeout 10s; add_header Strict-Transport-Security max-age=63072000; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff;
Read more from :https://www.sethvargo.com/getting-an-a-plus-on-qualys-ssl-labs-tester/