How to get an A rating on the SSL Labs test for your HTTPS website


Everyone wants security, and ideally the TLS setup in front of your site is secure too. With this in mind, Qualys SSL Labs provides a testing tool that grades the certificate and the TLS configuration installed on your server.

People often get a low grade when it is fairly easy to get an A. I could make this post long-winded and complex, but ultimately it comes down to adding the following items to your SSL configuration:

    # Only ephemeral (EC)DH key exchange with AES, GCM first: every suite offers forward secrecy
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    # Use the server's order above rather than whatever the client prefers
    SSLHonorCipherOrder on
    # SSLv2 and SSLv3 are broken; note that SSL Labs now caps the grade at B while
    # TLS 1.0 or 1.1 is still enabled, so on a current Apache 2.4 also add -TLSv1 -TLSv1.1
    SSLProtocol All -SSLv2 -SSLv3

Note: If you are using CentOS, it is likely you will need to add this to every virtual host config after turning SSL on, because the stock /etc/httpd/conf.d/ssl.conf sets these directives inside its default <VirtualHost> rather than at server level.
You can get optimized cipher lists and other useful settings for your specific install from https://mozilla.github.io/server-side-tls/ssl-config-generator/

On recent Debian and Ubuntu based distributions these usually go into the /etc/apache2/mods-enabled/ssl.conf file (a symlink to mods-available/ssl.conf), where they apply to every SSL virtual host.

They can, however, also go into the virtual host configuration for that domain easily enough if you get lost. Just keep in mind that they will then only apply to that specific virtual host.

Then set up your SSL certificate as you normally would in your virtual host configuration:

      SSLEngine on
      SSLCertificateFile  /etc/apache2/ssl.crt/yourdomain.com.crt
      # Keep the private key readable by root only (chmod 600)
      SSLCertificateKeyFile /etc/apache2/ssl.key/yourdomain.com.key
      # Intermediate certificates must be sent to the client or SSL Labs reports an
      # incomplete chain. mod_ssl documents SSLCACertificateFile for verifying client
      # certificates, so use SSLCertificateChainFile here; on Apache 2.4.8 and later
      # you can instead append the intermediates to the SSLCertificateFile.
      SSLCertificateChainFile /etc/apache2/ssl.crt/intermediate.ca

Once done, restart your web service (e.g. Apache), then head over to https://www.ssllabs.com/ssltest/ and test it.

It is worth noting that if your server install is older you will need to make sure it is updated to a patched version of OpenSSL that includes the newer TLS protocols (TLS 1.2 needs OpenSSL 1.0.1 or later). Otherwise the SSL Labs test will grade you F for known-exploitable old packages, no matter how good the cipher configuration is. If you need help checking what your server supports, please open a support ticket.
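As a local pre-flight check before you hit SSL Labs, here is an added example in Python; it is not part of the original post and not Apache's own tooling. It uses Python's ssl module, which wraps OpenSSL's cipher-string grammar (the same grammar mod_ssl hands to OpenSSL), to expand the SSLCipherSuite string above into the concrete suites it enables and flag anything without forward secrecy or with an unwanted component, and then pins a handshake to each TLS version to see what a live server actually negotiates. Assumptions: Python 3.7 or later, a client-side OpenSSL whose cipher table is representative of the server's, and `yourdomain.com` as a placeholder hostname.

```python
"""Pre-flight checks before running the SSL Labs test (added example, not from
the original post).  Assumes Python 3.7+ built against OpenSSL, and that the
client's OpenSSL cipher table is representative of the server's."""
import socket
import ssl

# The SSLCipherSuite string recommended in the post.
HARDENED_CIPHERS = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"

# Tokens that should never appear in a suite name on a public HTTPS server.
UNWANTED_TOKENS = {"RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH", "PSK", "SRP"}


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string into the TLS 1.0-1.2 suite names it
    enables, in preference order.  TLS 1.3 suites are configured separately
    (SSLCipherSuite does not affect them) and are filtered out here.
    Raises ssl.SSLError if the string matches no suite at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def audit_cipher_string(cipher_string):
    """Return (suite, reason) findings for a cipher string; an empty list means
    every enabled suite offers forward secrecy and contains no unwanted token."""
    findings = []
    for name in expand_cipher_string(cipher_string):
        # Only ephemeral (EC)DH key exchange gives forward secrecy.
        if not name.startswith(("ECDHE-", "DHE-")):
            findings.append((name, "no forward secrecy (static key exchange)"))
        # Match whole tokens so that 'DES' does not match 'AES'.
        for token in sorted(UNWANTED_TOKENS & set(name.split("-"))):
            findings.append((name, f"unwanted component: {token}"))
    return findings


def probe_protocols(host, port=443, timeout=5):
    """Pin a handshake to each TLS version and report what the server accepts.
    Each value is 'ok: <negotiated cipher>' or 'failed: <error>'.  A failure can
    also be client-side (a modern OpenSSL refusing to speak TLS 1.0/1.1), so read
    the error text.  A missing intermediate shows up as SSLCertVerificationError
    because the default context verifies the chain.  Needs network access."""
    results = {}
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.create_default_context()
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[version.name] = f"ok: {tls.cipher()[0]}"
        except (ssl.SSLError, OSError, ValueError) as exc:
            results[version.name] = f"failed: {type(exc).__name__}: {exc}"
    return results


if __name__ == "__main__":
    for suite in expand_cipher_string(HARDENED_CIPHERS):
        print(suite)
    print("findings:", audit_cipher_string(HARDENED_CIPHERS))
    # Placeholder hostname; replace with your own server.
    for version, outcome in probe_protocols("yourdomain.com").items():
        print(f"{version:8} {outcome}")
```

Run it once against the cipher string before restarting Apache: the expansion shows you exactly which suites `EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH` turns into on your OpenSSL build, and the audit should come back empty. After the restart, the protocol probe tells you whether TLS 1.0 or 1.1 is still being accepted (which caps the SSL Labs grade) and whether the chain verifies, without waiting for a full SSL Labs scan.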