A+
The directives below should get you an A+ score:
Apache
Vanilla Apache 2.2 lacks support for Elliptic Curve cryptography, and ECDHE is what most browsers need for Forward Secrecy: several of them, Internet Explorer included, will not negotiate the DHE suites with an RSA certificate. This will affect your score: the configuration below is still accepted, but the ECDHE parts of it are ignored. Use either a patched version or upgrade to Apache 2.4 (2.4.7 or later also lets you replace the built-in 1024-bit DH parameters that the DHE suites would otherwise use).
SSLEngine on
SSLCertificateKeyFile /etc/ssl/private/a-2048+-bit-rsa.key
SSLCertificateFile /etc/ssl/private/a-valid-certificate.crt
# Apache 2.4.8+ deprecates SSLCertificateChainFile: append the intermediates to the SSLCertificateFile instead.
SSLCertificateChainFile /etc/ssl/chains/all-intermediate-certificates.pem
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
# Note: never send this header over http connections!
Header always set Strict-Transport-Security max-age=31556952
# Stapling needs Apache 2.3.3+ (the <IfVersion> test requires mod_version). SSLUseStapling may live in a <VirtualHost>,
# but SSLStaplingCache is server-wide and must sit outside any <VirtualHost>.
<IfVersion >= 2.3>
SSLUseStapling on
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_staple_cache(512000)
</IfVersion>
nginx
# spdy only works in nginx 1.4+ (and was removed again in nginx 1.9.5, where http2 replaces it):
listen 443 default ssl spdy;
listen [::]:443 default ssl spdy ipv6only=on;
ssl_certificate_key /etc/ssl/private/a-2048+-bit-rsa.key;
ssl_certificate /etc/ssl/private/valid-certificate-and-all-intermediates.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
# dh4096.pem holds the DH group for the DHE suites; generate your own with: openssl dhparam -out /etc/nginx/dh4096.pem 4096
ssl_dhparam /etc/nginx/dh4096.pem;
ssl_ecdh_curve secp384r1;
# Note: never send this header over http connections!
add_header Strict-Transport-Security max-age=31556952;
# Stapling also needs a resolver directive so nginx can reach the OCSP responder; add ssl_stapling_verify on
# together with ssl_trusted_certificate to have nginx validate the response it staples.
ssl_stapling on;
lighttpd
ssl.engine = "enable"
ssl.pemfile = "/etc/ssl/private/a-2048+-bit-rsa-key-and-a-valid-certificate.pem"
ssl.ca-file = "/etc/ssl/private/all-intermediate-certificates.pem"
ssl.cipher-list = "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA"
ssl.honor-cipher-order = "enable"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.disable-client-renegotiation = "enable"
ssl.dh-file = "/etc/lighttpd/dh4096.pem"
ssl.ec-curve = "secp384r1"
# Note: never send this header over http connections!
setenv.add-response-header = ("Strict-Transport-Security" => "max-age=31556952")
Perfect score
The above configurations allow you to get a very decent score while maintaining compatibility with all common web browsers. But what if that is not enough for you? The configurations below will get you a 100% score on all categories, at a price: TLS 1.2 only, a 4096-bit key and AES-256-only suites shut out every client that speaks nothing newer than TLS 1.0 in its default settings, such as Internet Explorer 8 to 10, Android 4.3 and older, and Java 6 and 7.
Apache
SSLEngine on
SSLCertificateKeyFile /etc/ssl/private/a-4096-bit-rsa.key
SSLCertificateFile /etc/ssl/private/a-valid-certificate.crt
SSLCertificateChainFile /etc/ssl/chains/all-intermediate-certificates.pem
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA
SSLHonorCipherOrder on
SSLProtocol TLSv1.2
# Note: never send this header over http connections!
Header always set Strict-Transport-Security max-age=31556952
<IfVersion >= 2.3>
SSLUseStapling on
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_staple_cache(512000)
</IfVersion>
nginx
# spdy only works in nginx 1.4+:
listen 443 default ssl spdy;
listen [::]:443 default ssl spdy ipv6only=on;
ssl_certificate_key /etc/ssl/private/a-4096-bit-rsa.key;
ssl_certificate /etc/ssl/private/valid-certificate-and-all-intermediates.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/nginx/dh4096.pem;
ssl_ecdh_curve secp384r1;
# Note: never send this header over http connections!
add_header Strict-Transport-Security max-age=31556952;
ssl_stapling on;
lighttpd
Unfortunately, the lighttpd versions this page targets have no configuration parameters to disable TLSv1.0 and TLSv1.1. The only way to get a perfect score is to restrict the cipher list to suites that exist only in TLSv1.2 (the GCM and SHA-256/SHA-384 suites). The side effect is that more browsers are excluded than strictly necessary. Newer releases (lighttpd 1.4.48 and later, built against OpenSSL 1.1.0 or later) can set the minimum version directly with ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") and keep the full cipher list.
ssl.engine = "enable"
ssl.pemfile = "/etc/ssl/private/a-4096-bit-rsa-key-and-a-valid-certificate.pem"
ssl.ca-file = "/etc/ssl/private/all-intermediate-certificates.pem"
ssl.cipher-list = "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:AES256-GCM-SHA384:AES256-SHA256"
ssl.honor-cipher-order = "enable"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.disable-client-renegotiation = "enable"
ssl.dh-file = "/etc/lighttpd/dh4096.pem"
ssl.ec-curve = "secp384r1"
# Note: never send this header over http connections!
setenv.add-response-header = ("Strict-Transport-Security" => "max-age=31556952")
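As an added example (not code from the original page), the following Python script audits the OpenSSL-style cipher strings used in the SSLCipherSuite, ssl_ciphers and ssl.cipher-list directives above, entirely offline. It counts forward-secret and AEAD suites, flags weak primitives and a non-forward-secret suite ordered ahead of a forward-secret one (which matters because every configuration on this page makes the server's order win), and derives from a full list the TLS 1.2-only subset that the lighttpd "Perfect score" section needs. The two cipher lists are copied from the page's Apache blocks; the classification by suite name is the example's own heuristic, not an OpenSSL API.

```python
# Added example, not part of the original page: an offline audit of the
# OpenSSL-style cipher lists used in the SSLCipherSuite / ssl_ciphers /
# ssl.cipher-list directives above. Suites are classified purely by their
# OpenSSL names; nothing here talks to a server.

# Cipher lists copied from the page's "A+" and "Perfect score" Apache blocks.
A_PLUS_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:"
    "ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:"
    "ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:"
    "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:"
    "AES256-SHA:AES128-SHA"
)
PERFECT_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:"
    "ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:"
    "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA"
)

# Name fragments of primitives no current configuration should list at all
# (null/export/RC4/DES and 3DES/MD5, anonymous DH and ECDH).
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")


def parse_cipher_list(cipher_string):
    """Split an OpenSSL cipher string into suite names, dropping empty entries."""
    return [s for s in cipher_string.split(":") if s]


def is_forward_secret(suite):
    """ECDHE-/DHE- suites use ephemeral keys; plain RSA key exchange does not."""
    return suite.startswith(("ECDHE-", "DHE-"))


def is_aead(suite):
    """GCM and ChaCha20-Poly1305 suites are AEAD; the CBC suites are not."""
    return "-GCM-" in suite or "CHACHA20" in suite


def is_tls12_only(suite):
    """SHA-256/SHA-384 HMACs and GCM exist only in TLS 1.2 suites.

    Suites ending in plain -SHA (HMAC-SHA1) also negotiate under TLS 1.0/1.1,
    so a list made of TLS 1.2-only suites effectively disables those versions."""
    return suite.endswith(("SHA256", "SHA384"))


def tls12_only(cipher_string):
    """Keep only the suites that cannot be negotiated below TLS 1.2, in order."""
    return ":".join(s for s in parse_cipher_list(cipher_string) if is_tls12_only(s))


def audit(cipher_string):
    """Summarise a cipher list and report ordering or primitive problems."""
    suites = parse_cipher_list(cipher_string)
    findings = []
    seen_non_fs = False
    for suite in suites:
        if any(marker in suite for marker in WEAK_MARKERS):
            findings.append(f"{suite}: weak or broken primitive")
        if is_forward_secret(suite):
            # With honor-cipher-order on, the server picks the first suite the
            # client also offers, so a non-FS suite listed earlier wins.
            if seen_non_fs:
                findings.append(
                    f"{suite}: forward-secret suite listed after a non-forward-secret one"
                )
        else:
            seen_non_fs = True
    return {
        "suites": len(suites),
        "forward_secret": sum(map(is_forward_secret, suites)),
        "aead": sum(map(is_aead, suites)),
        "tls12_only": sum(map(is_tls12_only, suites)),
        "legacy_clients_supported": any(not is_tls12_only(s) for s in suites),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, ciphers in (("A+", A_PLUS_CIPHERS), ("Perfect", PERFECT_CIPHERS)):
        print(label, audit(ciphers))
    print("lighttpd TLS 1.2-only list:", tls12_only(PERFECT_CIPHERS))
```

Running the script reproduces the lighttpd "Perfect score" ssl.cipher-list exactly from the Apache "Perfect score" list, which is the relationship the lighttpd note above describes: the lighttpd list is the Apache list minus the three HMAC-SHA1 suites. A non-empty findings list on your own cipher string is the thing to fix before re-testing.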