Coding, Web, Hydrology and more.

SSL Labs A+ Nginx Configuration Example


0x00 Background

Since the end of support for TLS 1.0 and 1.1, SSL Labs has, as of 2020/01/31, lowered its grade to B for sites that still support them. Moreover, modern browsers such as Chrome, Firefox and IE deprecated support for them in the first half of 2020. Therefore, it is time to migrate to TLS 1.2 or higher if your site is still using TLS 1.0 or 1.1.

0x01 How To

If you are using an nginx config like the following:

TLS is enabled, but if you don't specify the versions, nginx will support TLS 1.0, 1.1 and 1.2, and this results in a B grade on SSL Labs. The best practice to receive an A+ grade is the following configuration:

This configuration adds Diffie-Hellman parameters (dhparam), TLS 1.2 and 1.3, safer ciphers and ssl_session_cache to the nginx default configuration for more security and performance. You may also notice that it changes ssl_session_timeout from 10m to 1d and ssl_session_tickets from on to off: a 1d ssl_session_timeout reuses SSL sessions as much as possible, and setting ssl_session_tickets to off avoids SSL protocol errors caused by inconsistent ssl_session_tickets settings across multiple sites on the same server.

0x02 Additional Configuration

You can also enable HTTP Strict Transport Security and OCSP Stapling if you want more security; adding these does not affect the score on SSL Labs.

Note that if you are using a Let's Encrypt cert, you should use ca.cer for ssl_trusted_certificate and fullchain.cer for ssl_certificate.

Moreover, the previous configuration will get you 100 points in Certificate and Protocol Support, but not full scores on Key Exchange and Cipher Strength. If you want full scores on all four items, follow these steps:

  • replace dhparam with a 4096-bit one;
  • change ssl_ciphers to AES256+EECDH:AES256+EDH:!aNULL;
  • add ssl_ecdh_curve secp384r1;
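As an added example (not part of the original post), the following Python script audits the TLS directives of an nginx server block against the checklist from sections 0x01 and 0x02: protocol versions, dhparam, ECDH curve, session tickets, OCSP stapling and HSTS. Both embedded configs are constructed samples and the certificate paths are assumptions.

```python
# Constructed sample: ssl_protocols left unset, as in the default config the post warns about.
DEFAULT_CONF = """server {
    ssl_certificate /etc/nginx/certs/fullchain.cer;  # assumed path
    ssl_session_timeout 10m;
}"""

# Constructed sample: the settings this post recommends (paths are assumptions).
HARDENED_CONF = """server {
    ssl_certificate         /etc/nginx/certs/fullchain.cer;
    ssl_trusted_certificate /etc/nginx/certs/ca.cer;
    ssl_dhparam             /etc/nginx/certs/dhparam4096.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
}"""

def directives(conf):
    """Map directive name -> argument string; strips comments, ';' and block braces."""
    found = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line or line.endswith("{") or line == "}":
            continue
        name, _, args = line.partition(" ")
        found[name] = args.strip()
    return found

def audit(conf):
    """Return findings that keep a site below A+ or below full scores on SSL Labs."""
    d, out = directives(conf), []
    # Unset ssl_protocols meant TLS 1.0-1.2 in the nginx releases this post targets.
    legacy = [p for p in d.get("ssl_protocols", "TLSv1 TLSv1.1 TLSv1.2").split()
              if p in ("SSLv3", "TLSv1", "TLSv1.1")]
    checks = [
        (legacy, "legacy protocols enabled: " + " ".join(legacy)),
        ("ssl_dhparam" not in d, "no ssl_dhparam configured"),
        (d.get("ssl_ecdh_curve") != "secp384r1", "ssl_ecdh_curve is not secp384r1"),
        (d.get("ssl_session_tickets", "on") == "on", "ssl_session_tickets on (nginx default)"),
        (d.get("ssl_stapling") != "on", "OCSP stapling disabled"),
        ("Strict-Transport-Security" not in d.get("add_header", ""), "no HSTS header"),
    ]
    return [msg for bad, msg in checks if bad]
```

Run `audit()` on your own server block to see which of the post's recommendations are still missing; an empty list means every item on the checklist is present.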

0x03 Reference

About the author

EDLinus

[stay(d) for d in ('determined','diligent','devoted')]
