I had to consider about a ssl.conf.

The last time, My web site became HTTPS. However, according to SSL SERVER, it was scored B+. Disappointed. So that, I’ll consider at a ssl.conf, I think I want to enhance security connections. The result, I was able to increase to A+. And I introduce some of the examples.

sslreport

First, I was enabled SPDY. But this is NOT related to security.

listen 443 ssl;
listen 443 ssl spdy;

Now, Spdy is enabled.

Now then, although I am saying reviewed ssl.conf I need reference materials.
I found “Mozilla SSL Configuration Generator“.
This is outputted a ssl.conf to fit each environment. For example, Nginx, set of modern and SSL 1.01e version. etc..

Second, about a ssl_ciphers.
Apparently ECDHE-RSA-AES128-GCM-SHA256 is newer.
Because

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;

Priority is high that it is written to the left.
If you use a generator, it would include “DHE-RSA-AES128-GCM-SHA256”, but I have removed it. so that, so that, also, I didn’t create a dhparam.

Third, about an OCSP Stapling.
This is needed root CA certificate.
like this.

-----BEGIN CERTIFICATE-----
Root CA Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate Certificate
-----END CERTIFICATE-----
ssl.conf
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate ca-certs.pem;

That’s it.

sslshot

How was it.
Have a good day!

These are references.

My Library
http://blog.mylibs.jp/archives/181

Similar Posts:


Leave a Reply

Your email address will not be published. Required fields are marked *