Last time, my web site became HTTPS. However, according to SSL SERVER, it scored only B+. Disappointing. So I took a closer look at ssl.conf, since I wanted to strengthen the security of the connection. As a result, I was able to raise the score to A+. Here are some of the changes.
First, I enabled SPDY. But this is NOT related to security. The listen directive changes from the first line to the second:

listen 443 ssl;
listen 443 ssl spdy;

Now SPDY is enabled.
Now then, although I said I reviewed ssl.conf, I needed some reference material.
I found the “Mozilla SSL Configuration Generator”.
It outputs an ssl.conf to fit each environment; for example, Nginx, the modern profile, SSL version 1.01e, and so on.
Second, about ssl_ciphers.
Apparently ECDHE-RSA-AES128-GCM-SHA256 is the newer one.
A cipher written further to the left has higher priority.
If you use the generator, it includes “DHE-RSA-AES128-GCM-SHA256”, but I removed it, so I also did not create a dhparam.
Third, about OCSP Stapling.
This needs the root CA certificate. The certificates go into ca-certs.pem:

-----BEGIN CERTIFICATE-----
Root CA Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate Certificate
-----END CERTIFICATE-----

ssl.conf:

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate ca-certs.pem;
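After changing ssl_ciphers and turning on stapling, it is worth confirming from the client side which cipher the server actually picks and whether a stapled OCSP response really arrives. The script below is an added example, not part of the original post; “example.com” is a placeholder for your own host name.

```shell
#!/bin/sh
# Added example (not from the original post): check the negotiated cipher and
# OCSP stapling of a server with openssl s_client. "example.com" is a
# placeholder host name.

# Run one TLS handshake and print everything s_client reports. -status asks
# the server for a stapled OCSP response, -servername sends SNI, and
# </dev/null ends the session right after the handshake.
handshake_report() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" -status \
        </dev/null 2>/dev/null
}

# Extract the cipher suite the server chose from the "Cipher    : ..." line
# of an s_client report.
negotiated_cipher() {
    printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1
}

# Print "stapled" (return 0) when the report contains a successful OCSP
# response, otherwise "no-stapling" (return 1). A server with
# ssl_stapling on but a missing or wrong ssl_trusted_certificate chain
# typically ends up in the second case.
stapling_status() {
    if printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
        return 0
    fi
    echo no-stapling
    return 1
}

# Usage: check_tls example.com
check_tls() {
    report=$(handshake_report "$1")
    echo "cipher:   $(negotiated_cipher "$report")"
    echo "stapling: $(stapling_status "$report")"
}
```

Note that nginx fetches the OCSP response lazily, so the very first handshake after a restart may still report no stapling; run the check twice.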
How was it?
Have a good day!