How to get A+ on SSL Labs

May 3, 2014 · 328 words · 2 minute read

This will show how to get A+ on SSL Server Test from Qualys SSL Labs.

Enable SSL and headers module in Apache2.

a2enmod ssl
a2enmod headers

Edit Apache configuration.

SSLCertificateFile /etc/ssl/crt/«yourcert».pem
SSLCertificateKeyFile /etc/ssl/crt/«yourkey».pem
SSLCertificateChainFile /etc/ssl/crt/«intermediatechain».pem

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EECDH:EDH:AES:!aNULL:!eNULL:!LOW:!RC4:!3DES:!DES:!MD5:!EXP:!PSK:!SRP:!DSS

The ! preceding the cipher means that Apache will not use that cipher.

View ciphers 🔗

List the ciphers openssl supports with the current configuration.

openssl ciphers -v -ssl3 -tls1 'EECDH:EDH:AES:!aNULL:!eNULL:!LOW:!RC4:!3DES:!DES:!MD5:!EXP:!PSK:!SRP:!DSS'

Explanation 🔗

With this configuration Apache will prefer Perfect forward secrecy. If Perfect forward secrecy can’t be negotiated it will default to AES cipher. This configuration will work on all newer browser. Exceptions are older IE, older Java and a few bots.

Where there are no links to the information source it’s taken from the documentation on openssl.org.

Header always set Strict-Transport-Security 🔗

Force browser to use HTTPS even if the user enters HTTP. The browser should remember this setting for a really long time, example a year.

SSLHonorCipherOrder On 🔗

Use the servers preferred encryption not the browsers which may be a weaker cipher.

EECDH 🔗

Ephemeral elliptic-curve Diffie-Hellman, see ECDH.

EDH 🔗

Ephemeral Diffie-Hellman, see Diffie–Hellman key exchange.

AES 🔗

Advanced Encryption Standard.

!aNULL 🔗

The cipher suites offering no authentication. This is currently the anonymous DH algorithms. These cipher suites are vulnerable to a ``man in the middle'' attack and so their use is normally discouraged.

!eNULL 🔗

The «NULL» ciphers that is those offering no encryption.

!LOW 🔗

«Low» encryption cipher suites, currently those using 64 or 56 bit encryption algorithms but excluding export cipher suites.

!RC4 🔗

RC4 stream cipher. After attacks on RC4 it is said to be vulnerable. See New RC4 Attack for more information.

!3DES 🔗

Triple DES.

!DES 🔗

Data Encryption Standard.

!MD5 🔗

MD5 message-digest algorithm.

!EXP 🔗

Export encryption algorithms. Including 40 and 56 bits algorithms.

!PSK 🔗

Cipher suites using pre-shared keys (PSK).

!SRP 🔗

Secure Remote Password protocol.

!DSS 🔗

Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.

security