Learn about Centmin Mod LEMP Stack today
Become a Member

Getting A+ on SSLLabs and HTBridge SSL test.

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Shaiffulnizam Mohamad, Sep 21, 2016.

  1. Shaiffulnizam Mohamad

    Shaiffulnizam Mohamad New Member

    29
    8
    3
    Jun 6, 2014
    Ratings:
    +9
    Local Time:
    2:49 AM
    1.7.0
    5.5
    Using latest Nginx 1.11.4 and LibreSSL 2.4.2 I have managed to score A+ on both SSLLabs and HTBridge SSL test and got PCI-DSS also NIST

    This is what I have in my vhost.

    Code:
    ssl_dhparam /usr/xyz/ssl/apasaja.my/dhparam.pem;
    ssl_certificate      /usr/xyz/ssl/apasaja.my/ssl/ssl-bundle.crt;
    ssl_certificate_key  /usr/xyz/ssl/apasaja.my/ssl/apasaja.my.key;
    include /usr/local/nginx/conf/ssl-include.conf;
    
    # mozilla recommended
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
     
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_cache shared:SSL:10m;
    ssl_prefer_server_ciphers   on;
    ssl_buffer_size 1400;
    ssl_session_tickets on;
    
    # HTTP Public Key Pinning Header uncomment only one that applies include or exclude domains.
    # add_header Public-Key-Pins-Report-Only
    # 'pin-sha256="QD8rIMTbLeqoXDiYxYZAfZvNuYw7E9WuhXdKxyCpOe4=";
    #  max-age=5184000';
    
    add_header Public-Key-Pins 'pin-sha256="your certificate pin="; 
    pin-sha256="your certificate pin="; pin-sha256="your certificate pin="; max-age=15768000'; #must be more than 2 month
    
    #HSTS long duration
    add_header Strict-Transport-Security "max-age=31536000; preload;";
     
    # enable ocsp stapling
    resolver 8.8.8.8 8.8.4.4 valid=10m;
    resolver_timeout 10s;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /usr/xyz/ssl/apasaja.my/ssl/trusted-ssl-bundle.crt;  
    Hoping that, this would help other people as well.


    [​IMG]
     
    • Informative Informative x 1
  2. eva2000

    eva2000 Administrator Staff Member

    30,966
    6,919
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,422
    Local Time:
    4:49 AM
    Nginx 1.13.x
    MariaDB 5.5
    thanks for sharing

    diff between A and A+ on ssllabs is enabling HSTS in centmin mod lemp stack's nginx HTTP/2 setup configs
    Code:
    #HSTS long duration
    add_header Strict-Transport-Security "max-age=31536000; preload;";
    be careful with HSTS enabling and HTTP Public Key pinning both can DDOS your own site if set incorrectly

    HSTS tells web browsers to force HTTPS when visits visit your site and cache in browser permanently (though there's ways to get out of it and for yourself). So make sure working HTTPS before enabling. Hence, why HSTS is disabled out of box for Centmin Mod Nginx HTTPS setups first as some folks might need to be able to test HTTP and HTTPS versions of their site.

    HPKP also needs special care Public Key Pinning - Web security | MDN as it requires creating backup ssl private key/csr pairs for your HPKP and pin against current ssl private key/csr pairs and backup. So when comes time to renew ssl cert, need to use that backup private key/csr pair for generate the renewed cert and then rotating through and creating a new backup private key/csr pair again and so forth. If you accidentally use a new ssl private key/csr pair instead of your backup set for renewaling ssl certificate. You will deny any visitors to be able to load and visit your site for the duration of HPKP max-age which in your case is 15768000 seconds or ~6 months !
    Code (Text):
    add_header Public-Key-Pins 'pin-sha256="your certificate pin=";
    pin-sha256="your certificate pin="; pin-sha256="your certificate pin="; max-age=15768000'; #must be more than 2 month
    
     
    Last edited: Sep 21, 2016
    • Informative Informative x 1
  3. Shaiffulnizam Mohamad

    Shaiffulnizam Mohamad New Member

    29
    8
    3
    Jun 6, 2014
    Ratings:
    +9
    Local Time:
    2:49 AM
    1.7.0
    5.5
    yes Agree, but because my certs is still available for 3 years, happy with it. Hehehehe, Already tested on my own browser.
     
    • Like Like x 1
  4. eva2000

    eva2000 Administrator Staff Member

    30,966
    6,919
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,422
    Local Time:
    4:49 AM
    Nginx 1.13.x
    MariaDB 5.5
    Yeah HPKP for long expiry SSL certificates much easier. Not so much for letsencrypt 90 day expiry certificates which can be problematic right now heh.