How To Get A Near Perfect SSLLabs.com Score

Link To The SSLLabs.com Test
https://www.ssllabs.com/ssltest/

100% on Certificate
Use only certificates issued by trusted, well-known CAs.
Use certificates signed with SHA-256 or stronger (drop SHA-1 entirely and do not look back).
Set up your certificate correctly, with the intermediate chain served in the proper order.

100% on Protocol
Enable TLSv1.2 only as the protocol on your web server.

100% on Key Exchange
Use a 4096-bit private key together with 4096-bit DH parameters. Going above that is not recommended because of performance and compatibility issues.

90% on Ciphers
Use the following ciphers:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
Set "ssl_prefer_server_ciphers" to "on" so that the server's order of the ciphers above, rather than the client's preference, decides which one is used.

OCSP Stapling
Set up and enable OCSP stapling so that your web server answers clients' OCSP queries itself instead of each client sending its own OCSP request to the certificate's CA. This protects your visitors' privacy: the CA never learns that they connected to your site.

SSL Sessions
Set ssl_session_cache to at least "shared:SSL:10m"
Set ssl_session_timeout to at least "10m"

HTTP Strict Transport Security (HSTS)
Set up and enable HSTS on your server, together with two related hardening headers (nginx directives below):
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

HTTP Public Key Pinning (HPKP)
Set up and activate HPKP on your server to prevent MITM attacks with forged certificates (e.g. the Avast web protection feature and similar interception proxies).
add_header Public-Key-Pins 'pin-sha256="base64string"; max-age=63072000; includeSubDomains';
(base64string is the actual base64 string of your certificate; you can also add more pins, for the CSR and so on.)

Conclusion
We now have 100% on Certificate, Protocol, and Key Exchange, and 90% on Cipher Strength. Ignore the remaining 10% of Cipher Strength: the ciphers that would recover it cause problems with SPDY/HTTP/2 and the like (including with some otherwise modern browsers). This is just a checklist for an almost perfect SSL setup with an A+ rating on the Qualys SSL Labs server test.

Source of Information
Thanks to Hidden_Refuge for letting me use his article. Good Information!

3 thoughts on “How To Get A Near Perfect SSLLabs.com Score”

  1. Ron says:

    Also check out https://securityheaders.io if you are really into web security

  2. Ron says:

    To get this working with Ubuntu 14.04 and Apache 2.4.7, people forget that you also need ecparam:

    # openssl ecparam -name secp384r1 > ./ecparam.pem
    # openssl dhparam -out dhparam.pem 4096

    then put the content of those two files in your cert file. Without the ecparams, it won't work. Your cert would look like so (no intermediates):

    -----BEGIN CERTIFICATE-----
    nqswqmswqöswq,sq
    -----END CERTIFICATE-----
    -----BEGIN EC PARAMETERS-----
    qxmwqqwm==
    -----END EC PARAMETERS-----
    -----BEGIN DH PARAMETERS-----
    awqqwoswqposwqswq
    -----END DH PARAMETERS-----

    This gave me 4 x 100 points and A+ on ssl-labs. Good luck!
