I had to review my ssl.conf.

Last time, my web site moved to HTTPS. However, according to SSL SERVER, it scored B+. Disappointing. So I decided to review my ssl.conf, because I wanted to make the connections more secure. As a result, I was able to raise the score to A+. Here are some examples of what I did.


First, I enabled SPDY. This is NOT related to security, though.

    # before
    listen 443 ssl;
    # after
    listen 443 ssl spdy;

Now SPDY is enabled.

Now then, although I said I reviewed ssl.conf, I needed reference material.
I found the “Mozilla SSL Configuration Generator”.
It outputs an ssl.conf to fit each environment, for example Nginx, the modern profile, SSL version 1.01e, and so on.

Second, about ssl_ciphers.
Apparently ECDHE-RSA-AES128-GCM-SHA256 is newer.


Ciphers written further to the left have higher priority.
If you use the generator, the output includes “DHE-RSA-AES128-GCM-SHA256”, but I removed it, and so I also didn’t create a dhparam.

Third, about OCSP stapling.
This needs the root CA certificate, like this.

Root CA Certificate
Intermediate Certificate
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate ca-certs.pem;

That’s it.
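
As an added example (not code from this post), here is a small Python check for the three points above: cipher order, a DHE suite left in without a dhparam, and OCSP stapling verification without trusted certificates. The sample config is constructed, the function names are hypothetical, and `ssl_dhparam` and `ssl_prefer_server_ciphers` are nginx directives that do not appear in the post.

```python
import re

# Constructed sample: the post's directives plus the DHE suite the generator emits.
SAMPLE_CONF = """
server {
    listen 443 ssl spdy;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256';
    ssl_stapling on;
    ssl_stapling_verify on;
}
"""

def directives(conf):
    """Return {name: value} for simple one-line 'name value;' directives."""
    found = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        m = re.match(r"^(\w+)\s+(.+?);$", line)
        if m:
            found[m.group(1)] = m.group(2).strip("'\"")
    return found

def cipher_order(conf):
    """Cipher suites in the order written; the leftmost is tried first."""
    value = directives(conf).get("ssl_ciphers", "")
    return value.split(":") if value else []

def lint(conf):
    """Return warnings for the three settings discussed in the post."""
    d = directives(conf)
    ciphers = cipher_order(conf)
    issues = []
    # Finite-field DHE suites need DH parameters; ECDHE suites do not.
    dhe = [c for c in ciphers if c.startswith(("DHE-", "EDH-"))]
    if dhe and "ssl_dhparam" not in d:
        issues.append("DHE suite without ssl_dhparam: " + ", ".join(dhe))
    # The written order only binds when the server's preference is enforced.
    if ciphers and d.get("ssl_prefer_server_ciphers") != "on":
        issues.append("ssl_prefer_server_ciphers is not on")
    # Verifying stapled responses needs the issuer chain as trusted certs.
    if d.get("ssl_stapling") == "on" and d.get("ssl_stapling_verify") == "on" \
            and "ssl_trusted_certificate" not in d:
        issues.append("ssl_stapling_verify without ssl_trusted_certificate")
    return issues

if __name__ == "__main__":
    for issue in lint(SAMPLE_CONF):
        print("WARN:", issue)
```

The parser only handles single-line directives, so a cipher list wrapped across several lines has to be joined before it is checked.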


How was it?
Have a good day!


Author: Takeken

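A 2D character whose premise is wanting to improve internet users' IT literacy. The story of Takeken, a self-styled essayist who has dabbled in everything from server tinkering to programming.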
