Update 05.03.2015: This configuration is not vulernerable to POODLE, BEAST, HEARTBLEED or FREAK Attack. Proof: SSLLabs.com
After a lot of searching on the internet I found the perfect setting for nginx to get an A+ rating on ssllabs without breaking compatibility. There are some guides, but quite old.
Removing TLSv1 is easy but breaks compatibility to everything lower Android 4.4, Windows 7 IE11 and most search engine crawler.
The following settings are requitred to get A+ rating as of february 2015.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_dhparam /etc/ssl/nginx/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;ssl_ciphers ‘kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED’;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;resolver <trusted DNS Server>;
After restarting nginx you will see the result above with the following ciphers:
If you’re interested in even more compatibility Mozilla SSL Configuration Generator may help you to suit the configuration your needs.
Note: A+ can only be reached with SHA2 certificate or higher. Best you can reach with SHA1 is A rating.
Recent Comments