
Getting A+ on SSLLabs and HTBridge SSL test.

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Shaiffulnizam Mohamad, Sep 21, 2016.

  1. Shaiffulnizam Mohamad (New Member)
    Using the latest Nginx 1.11.4 and LibreSSL 2.4.2 I have managed to score A+ on both the SSLLabs and HTBridge SSL tests, and got PCI-DSS and NIST compliance too.

    This is what I have in my vhost.

    Code:
    ssl_dhparam /usr/xyz/ssl/apasaja.my/dhparam.pem;
    ssl_certificate      /usr/xyz/ssl/apasaja.my/ssl/ssl-bundle.crt;
    ssl_certificate_key  /usr/xyz/ssl/apasaja.my/ssl/apasaja.my.key;
    include /usr/local/nginx/conf/ssl-include.conf;

    # mozilla recommended
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_cache shared:SSL:10m;
    ssl_prefer_server_ciphers   on;
    ssl_buffer_size 1400;
    ssl_session_tickets on;

    # HTTP Public Key Pinning header: uncomment only the one that applies (include or exclude subdomains).
    # add_header Public-Key-Pins-Report-Only 'pin-sha256="QD8rIMTbLeqoXDiYxYZAfZvNuYw7E9WuhXdKxyCpOe4="; max-age=5184000';

    # nginx accepts a quoted value that continues on the next line
    add_header Public-Key-Pins 'pin-sha256="your certificate pin=";
        pin-sha256="your certificate pin="; pin-sha256="your certificate pin=";
        max-age=15768000'; # must be more than 2 months

    # HSTS long duration
    add_header Strict-Transport-Security "max-age=31536000; preload;";

    # enable ocsp stapling
    resolver 8.8.8.8 8.8.4.4 valid=10m;
    resolver_timeout 10s;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /usr/xyz/ssl/apasaja.my/ssl/trusted-ssl-bundle.crt;

    Hoping that this would help other people as well.

  2. eva2000 (Administrator, Staff Member, Brisbane, Australia)

    Thanks for sharing.

    The difference between A and A+ on SSLLabs is enabling HSTS in Centmin Mod LEMP stack's Nginx HTTP/2 setup configs:
    Code:
    # HSTS long duration
    add_header Strict-Transport-Security "max-age=31536000; preload;";

    Be careful with enabling HSTS and HTTP Public Key Pinning: both can DDoS your own site if set incorrectly.

    HSTS tells web browsers to force HTTPS when visitors visit your site, and the browser caches that permanently (though there are ways to get out of it for yourself). So make sure HTTPS is working before enabling it. Hence why HSTS is disabled out of the box for Centmin Mod Nginx HTTPS setups, as some folks might need to be able to test the HTTP and HTTPS versions of their site.

    HPKP also needs special care (Public Key Pinning - Web security | MDN), as it requires creating a backup SSL private key/CSR pair for your HPKP and pinning against both the current SSL private key/CSR pair and the backup. So when it comes time to renew the SSL cert, you need to use that backup private key/CSR pair to generate the renewed cert, then rotate through and create a new backup private key/CSR pair again, and so forth. If you accidentally use a new SSL private key/CSR pair instead of your backup set for renewing the SSL certificate, you will deny any visitors the ability to load and visit your site for the duration of the HPKP max-age, which in your case is 15768000 seconds or ~6 months!
    Code (Text):
    add_header Public-Key-Pins 'pin-sha256="your certificate pin=";
        pin-sha256="your certificate pin="; pin-sha256="your certificate pin=";
        max-age=15768000'; # must be more than 2 months

    Last edited: Sep 21, 2016
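The two failure modes eva2000 describes (HSTS forcing HTTPS that does not work, and HPKP pinning a key that the renewed certificate no longer uses) are both checkable before the header goes live. The script below is an added example, not code from the thread or from Centmin Mod: it parses a Strict-Transport-Security and a Public-Key-Pins value the way a browser would, derives RFC 7469 pins from a DER SubjectPublicKeyInfo, and reports the misconfigurations discussed above (preload without includeSubDomains, placeholder or malformed pins, no backup pin, served key not pinned). The Ed25519 keys and header strings in it are constructed here so it runs offline; the `ed25519_spki` helper and the finding texts are this example's own.

```python
"""Check HSTS and HPKP header values before deploying them (added example).

Sample keys and headers are constructed here; nothing is fetched from a server.
Pin derivation follows RFC 7469: base64(SHA-256(DER SubjectPublicKeyInfo)).
"""
import base64
import hashlib

ONE_YEAR = 31536000  # minimum max-age the HSTS preload list accepts


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin-sha256 value for a DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def ed25519_spki(raw_key: bytes) -> bytes:
    """Wrap a 32-byte Ed25519 public key in its DER SubjectPublicKeyInfo (RFC 8410 layout).
    Hypothetical helper so the example needs no crypto library."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return bytes.fromhex("302a300506032b6570032100") + raw_key


def parse_directives(value: str) -> dict:
    """Split 'k=v; k2; k="x"' into {name: [values]}: names are case-insensitive,
    repeated names (pin-sha256) accumulate, and a trailing ';' is tolerated."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out.setdefault(name.strip().lower(), []).append(val.strip().strip('"'))
    return out


def check_hsts(value: str) -> list:
    """Findings for a Strict-Transport-Security value (RFC 6797 plus preload-list rules)."""
    d = parse_directives(value)
    if "max-age" not in d or not d["max-age"][0].isdigit():
        return ["max-age missing or non-numeric: header is invalid and ignored"]
    max_age = int(d["max-age"][0])
    findings = []
    if max_age == 0:
        findings.append("max-age=0 clears the policy instead of setting one")
    if "preload" in d:
        if "includesubdomains" not in d:
            findings.append("preload requires includeSubDomains")
        if max_age < ONE_YEAR:
            findings.append("preload requires max-age of at least one year")
    return findings


def _valid_pin(pin: str) -> bool:
    """A pin must be base64 of exactly 32 bytes (one SHA-256 digest)."""
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError
        return False


def check_hpkp(value: str, current_spki_der: bytes) -> list:
    """Findings for a Public-Key-Pins value against the key the server actually serves."""
    d = parse_directives(value)
    pins = d.get("pin-sha256", [])
    current = spki_pin(current_spki_der)
    findings = []
    bad = [p for p in pins if not _valid_pin(p)]
    if bad:
        findings.append("malformed pin(s), e.g. placeholders left in: %r" % bad)
    if len(pins) < 2:
        findings.append("fewer than two pins: RFC 7469 requires a backup pin")
    if current not in pins:
        findings.append("served key is not pinned: clients would reject the site")
    elif not any(p != current and _valid_pin(p) for p in pins):
        findings.append("no usable backup pin: renewing with a new key would lock visitors out")
    return findings


def lockout_days(value: str) -> int:
    """How long a wrong pin set keeps returning visitors out, in whole days."""
    max_age = parse_directives(value).get("max-age", ["0"])[0]
    return int(max_age) // 86400 if max_age.isdigit() else 0


if __name__ == "__main__":
    # Constructed keys: the one currently in the certificate and a backup held offline.
    current = ed25519_spki(bytes(range(32)))
    backup = ed25519_spki(bytes(range(32, 64)))
    hpkp = 'pin-sha256="%s"; pin-sha256="%s"; max-age=15768000' % (spki_pin(current), spki_pin(backup))
    print("HSTS:", check_hsts("max-age=31536000; preload;") or "ok")
    print("HPKP:", check_hpkp(hpkp, current) or "ok", "lockout days:", lockout_days(hpkp))
```

Run it against the header values from the vhost above and the HSTS line is flagged because `preload` without `includeSubDomains` is not accepted by the preload list, while the HPKP line is flagged for its placeholder pins. Once real pins are in place, the useful check is the backup-pin one: the renewed certificate's key must hash to one of the pins already being served.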
  3. Shaiffulnizam Mohamad (New Member)

    Yes, agreed, but because my certs are still available for 3 years, I'm happy with it. Hehehehe. Already tested in my own browser.

  4. eva2000 (Administrator, Staff Member, Brisbane, Australia)

    Yeah, HPKP for long-expiry SSL certificates is much easier. Not so much for Let's Encrypt 90-day expiry certificates, which can be problematic right now, heh.