SSL how to get an A+ rating with Nginx
I recently needed to get an A+ SSL rating on a website running on top of Nginx and I found this great guide which comes down to the following steps when running Nginx.
First, if you already have SSL enabled on your Nginx server, check how your current SSL config rates at SSL Labs so you have a benchmark. You can then re-check after the config changes have been made.
Change the cipher suite, why?
The recommended cipher suite for backwards compatibility (IE6/WinXP):
Make sure you also add these lines:
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
When choosing a cipher during an SSLv3 or TLSv1 handshake, normally the client’s preference is used. If this directive is enabled, the server’s preference will be used instead.
Why? All versions of nginx as of 1.4.4 rely on OpenSSL for input parameters to Diffie-Hellman (DH). Unfortunately, this means that Ephemeral Diffie-Hellman (DHE) will use OpenSSL’s defaults, which include a 1024-bit key for the key-exchange. Since we’re using a 2048-bit certificate, DHE clients will use a weaker key-exchange than non-ephemeral DH clients.
We need to generate a stronger DHE parameter:
cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096
And then tell nginx to use it for DHE key-exchange:
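To show how the directives from this post fit together, here is a complete HTTPS server block. This is an added example, not configuration from the original guide: the hostname, certificate paths and document root are placeholders, the cipher list is a modern ECDHE/DHE-only assumption rather than the IE6/WinXP compatibility list the post refers to, the TLS 1.2/1.3-only protocol setting is an assumption, and the HSTS header is added because SSL Labs awards A+ (as opposed to A) only when a long-lived Strict-Transport-Security header is sent.

```nginx
# Added example (not from the original post): a minimal HTTPS server block
# that combines the directives discussed above. Certificate paths, the
# cipher list and the hostname are placeholders/assumptions.
server {
    listen 443 ssl;
    server_name example.com;                                # placeholder hostname

    ssl_certificate     /etc/ssl/certs/example.com.crt;     # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key;   # placeholder path

    # Assumption: only TLS 1.2 and 1.3 are enabled. The nginx docs quoted in
    # the post still mention SSLv3/TLSv1, but SSL Labs marks those down today.
    # (TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+.)
    ssl_protocols TLSv1.2 TLSv1.3;

    # Assumption: a modern forward-secret cipher list, not the IE6/WinXP
    # compatibility list the post refers to. CHACHA20 suites need OpenSSL 1.1.0+.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    # From the post: use the server's cipher order, not the client's,
    # and keep a shared session cache (10 MB holds roughly 40,000 sessions).
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # From the post: the 4096-bit DH parameters generated with
    # "openssl dhparam -out dhparam.pem 4096" in /etc/ssl/certs, so that
    # DHE key exchange no longer falls back to OpenSSL's 1024-bit default.
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Assumption: HSTS is not mentioned in the post, but SSL Labs only awards
    # A+ (rather than A) when a long-lived HSTS header is sent. Only add
    # includeSubDomains once every subdomain is served over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        root /var/www/html;   # placeholder document root
    }
}
```

Generating 4096-bit DH parameters can take many minutes on a small server, so run the openssl command before editing the config; nginx will refuse to start if ssl_dhparam points at a file that does not exist yet. Check the result with the configtest step below before restarting.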
Once you have applied the config lines above, you need to restart nginx:
# Check the config first:
/etc/init.d/nginx configtest
# Then restart:
/etc/init.d/nginx restart
Now re-check your SSL rating with SSL Labs; hopefully you now get an A or A+.