Got A+ at the SSL LABS test

Today I’ve got 100% for Certificate, Protocol Support, Key Exchange and the Cipher Strength at the Qualys SSL Labs - SSL Test

nginx config

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;

ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2;

# openssl dhparam -out /etc/ssl/certs/dh4096.pem 4096  (may take up to 2 hours on some systems or more)
ssl_dhparam /etc/ssl/certs/dh4096.pem;
ssl_ecdh_curve secp521r1;

ssl_ciphers 'HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!CAMELLIA:!SRP:!RSA:!3DES:!AES128';

• Good article on SSL security and nginx

  https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

• On compatibility with IE

  https://github.com/client9/sslassert/wiki/IE-Supported-Cipher-Suites

• SSL: Intercepted today, decrypted tomorrow

  http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

• SafeCurves: choosing safe curves for elliptic-curve cryptography

  http://safecurves.cr.yp.to/

  Note that per rfc5480 FIPS186-3 refers to secp521r1 as P-521, to secp256r1 as P-256; in [PKI-ALG] the secp256r1 curve was referred to as prime256v1. Also it seems that openssl doesn’t support any of the curves that are listed there as safe

Related Posts

• 01 Dec 2017 » Using GPG inside a Docker container
• 07 Nov 2017 » HiDPI display on Ubuntu 17.10 and font size
• 23 Aug 2017 » Disable Zeitgeist in Ubuntu 16, 17