SSLLabs rating: pimp yours

The Qualys SSLLabs SSL server test is a site that allows you to verify whether your https server is configured correctly. I’m not aware of any web server software that ships with defaults that can’t be improved. Test your site! The remainder of this blog post consists of configuration snippets for popular UNIX web servers (Apache, nginx, lighttpd) to improve the SSL Labs rating. As with all code snippets online, don’t use these without looking up each directive to see what it does.

A+

The directives below should get you an A+ score:

Apache

Vanilla Apache 2.2 lacks support for Elliptic Curve cryptography, which the ECDHE cipher suites below need for Forward Secrecy. This will affect your score: the configuration below is still accepted, but the parts that depend on it will be ignored. Use either a patched version or upgrade to Apache 2.4.

SSLEngine on

SSLCertificateKeyFile /etc/ssl/private/a-2048+-bit-rsa.key
SSLCertificateFile /etc/ssl/private/a-valid-certificate.crt
SSLCertificateChainFile /etc/ssl/chains/all-intermediate-certificates.pem

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
SSLHonorCipherOrder on

SSLProtocol all -SSLv2 -SSLv3

# Note: never send this header over http connections!
Header always set Strict-Transport-Security max-age=31556952
<IfVersion >= 2.3>
SSLUseStapling on
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_staple_cache(512000)
</IfVersion>

nginx

# spdy only works in nginx 1.4+:
listen 443 default ssl spdy;
listen [::]:443 default ssl spdy ipv6only=on;
ssl_certificate_key /etc/ssl/private/a-2048+-bit-rsa.key;
ssl_certificate /etc/ssl/private/valid-certificate-and-all-intermediates.pem;
 
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA;
ssl_prefer_server_ciphers on;
 
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 
ssl_session_cache shared:SSL:10m;
 
# dh4096.pem: OpenSSL's apps/dh4096.pem (https://git.openssl.org/gitweb/?p=openssl.git;a=blob_plain;f=apps/dh409…)
ssl_dhparam /etc/nginx/dh4096.pem;
ssl_ecdh_curve secp384r1;
 
# Note: never send this header over http connections!
add_header Strict-Transport-Security max-age=31556952;
 
ssl_stapling on;

lighttpd

ssl.engine = "enable"

ssl.pemfile = "/etc/ssl/private/a-2048+-bit-rsa-key-and-a-valid-certificate.pem"
ssl.ca-file = "/etc/ssl/private/all-intermediate-certificates.pem"

ssl.cipher-list = "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA"
ssl.honor-cipher-order = "enable"

ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"

ssl.disable-client-renegotiation = "enable"

ssl.dh-file = "/etc/lighttpd/dh4096.pem"
ssl.ec-curve = "secp384r1"

# Note: never send this header over http connections!
setenv.add-response-header = ("Strict-Transport-Security" => "max-age=31556952")

Perfect score

The above configurations allow you to get a very decent score while maintaining compatibility with all common web browsers. But what if that is not enough for you? The configurations below will get you a 100% score on all categories:

Apache

SSLEngine on

SSLCertificateKeyFile /etc/ssl/private/a-4096-bit-rsa.key
SSLCertificateFile /etc/ssl/private/a-valid-certificate.crt
SSLCertificateChainFile /etc/ssl/chains/all-intermediate-certificates.pem

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA
SSLHonorCipherOrder on

SSLProtocol TLSv1.2

# Note: never send this header over http connections!
Header always set Strict-Transport-Security max-age=31556952

<IfVersion >= 2.3>
SSLUseStapling on
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_staple_cache(512000)
</IfVersion>

nginx

# spdy only works in nginx 1.4+:
listen 443 default ssl spdy;
listen [::]:443 default ssl spdy ipv6only=on;
 
ssl_certificate_key /etc/ssl/private/a-4096-bit-rsa.key;
ssl_certificate /etc/ssl/private/valid-certificate-and-all-intermediates.pem;
 
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA;
ssl_prefer_server_ciphers on;
 
ssl_protocols TLSv1.2;
 
ssl_session_cache shared:SSL:10m;
 
# dh4096.pem: OpenSSL's apps/dh4096.pem (https://git.openssl.org/gitweb/?p=openssl.git;a=blob_plain;f=apps/dh409…)
ssl_dhparam /etc/nginx/dh4096.pem;
ssl_ecdh_curve secp384r1;
 
# Note: never send this header over http connections!
add_header Strict-Transport-Security max-age=31556952;
 
ssl_stapling on;

lighttpd

Unfortunately, lighttpd does not have configuration parameters to disable TLSv1.0 and TLSv1.1. The only way to get a perfect score is to adjust the cipher list to only include TLSv1.2 ciphers. The side effect of that is that more browsers are excluded than strictly necessary.

ssl.engine = "enable"

ssl.pemfile = "/etc/ssl/private/a-4096-bit-rsa-key-and-a-valid-certificate.pem"
ssl.ca-file = "/etc/ssl/private/all-intermediate-certificates.pem"

ssl.cipher-list = "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:AES256-GCM-SHA384:AES256-SHA256"

ssl.honor-cipher-order = "enable"

ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"

ssl.disable-client-renegotiation = "enable"

ssl.dh-file = "/etc/lighttpd/dh4096.pem"
ssl.ec-curve = "secp384r1"

# Note: never send this header over http connections!
setenv.add-response-header = ("Strict-Transport-Security" => "max-age=31556952")
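As an added example (not code from the original post), the Python below parses the OpenSSL cipher-suite names used in these snippets, checks that the forward-secret suites come first (which is what honouring the server's cipher order relies on), and derives the TLS 1.2-only list that the lighttpd workaround needs from the Apache/nginx perfect-score list. The classification rule (a GCM or SHA256/SHA384 suffix means the suite exists only in TLS 1.2) is an assumption taken from OpenSSL's naming convention; it holds for every suite on this page.

```python
"""Classify OpenSSL cipher-suite names and derive a TLS 1.2-only cipher list."""
from __future__ import annotations
from dataclasses import dataclass

# Cipher list copied from the post's "Perfect score" Apache/nginx snippets.
PERFECT_APACHE = ("ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
                  "ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:"
                  "ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:"
                  "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA")


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str              # "ECDHE", "DHE" or "RSA" (static RSA key transport)
    forward_secret: bool  # ephemeral (EC)DH key exchange
    tls12_only: bool      # AEAD (GCM) or HMAC-SHA256/384: not in TLS 1.0/1.1


def classify(name: str) -> Suite:
    """Parse one OpenSSL suite name, e.g. ECDHE-RSA-AES256-GCM-SHA384.

    Assumption: OpenSSL naming, where an ECDHE-/DHE- prefix marks ephemeral
    key exchange and no prefix means plain RSA key transport.
    """
    parts = name.split("-")
    kx = parts[0] if parts[0] in ("ECDHE", "DHE") else "RSA"
    # GCM and the SHA-2 MACs were introduced with TLS 1.2, so a TLS 1.0/1.1
    # client can never negotiate such a suite.
    tls12_only = "GCM" in parts or parts[-1] in ("SHA256", "SHA384")
    return Suite(name, kx, kx != "RSA", tls12_only)


def parse_cipher_list(spec: str) -> list[Suite]:
    return [classify(n) for n in spec.split(":") if n]


def tls12_only_list(spec: str) -> str:
    """Keep only suites a TLS 1.0/1.1 client cannot negotiate (lighttpd workaround)."""
    return ":".join(s.name for s in parse_cipher_list(spec) if s.tls12_only)


def forward_secrecy_first(spec: str) -> bool:
    """True if every forward-secret suite precedes every non-FS suite."""
    fs = [s.forward_secret for s in parse_cipher_list(spec)]
    return fs == sorted(fs, reverse=True)
```

Running `tls12_only_list(PERFECT_APACHE)` yields exactly the six-suite list in the lighttpd snippet above.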
