NOTICE: This blog post is ancient at this point. Please use https://cipherli.st/ or anything else instead of the following content. 2019-06-23
I've been determined recently to get the A+ rating on ssllabs.com. It's driving me mad and I have FINALLY figured it out. So here's how to do it.
Software
OS: Debian 7 Wheezy
Webserver: nginx 1.6
The following is the nginx config you should use. This would go into your /etc/nginx/sites-enabled/[sitename] config file.
Prereqs
- Grab an official SSL cert via your favorite provider
- Grab the provider's CA certs and concatenate them with your cert in the correct order (your cert first, then the intermediates)
Config
server {
    listen 443 ssl default_server;
    server_name www.example.com example.com;
    root /var/www/example.com;

    # Your certificate (followed by the provider's chain, see Prereqs) and its key.
    # Paths are placeholders; adjust them to where you installed the files.
    ssl_certificate /etc/ssl/certs/example.com.chained.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    ssl_ciphers "AES256+EECDH:AES256+EDH";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_session_cache shared:SSL:10m;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    # OCSP stapling. ssl_stapling_verify needs the issuer chain configured as
    # trusted certs, and the resolver below to reach the OCSP responder.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/certs/example.com.chain.crt;  # placeholder path
    resolver [DNS-IP-1] [DNS-IP-2] valid=300s;
    resolver_timeout 5s;
}
In the above config, we specify a new ssl_dhparam file. This is because nginx by default uses OpenSSL's 1024-bit DH parameters; instead, we want 4096-bit parameters. You'll need to generate this file using the following command (it's going to take a while...):
cd /etc/ssl/certs/ && openssl dhparam -out dhparam.pem 4096
Now, test the config with nginx -t and, if that's successful, run service nginx restart.
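A check worth running alongside nginx -t, added here as an example and not part of the original post: expand the ssl_ciphers string through the local OpenSSL (via Python's ssl module) and flag any suite that is anonymous, lacks forward secrecy, or is not 256-bit AES. It assumes Python 3.6+ linked against OpenSSL; the expansion reflects that library's version and security level, not nginx's, and TLS 1.3 suites (configured separately in OpenSSL) are skipped.

```python
import ssl

# The ssl_ciphers value from the nginx config above.
NGINX_CIPHERS = "AES256+EECDH:AES256+EDH"


def expand_cipher_string(spec):
    """Expand an OpenSSL cipher string into the TLS <= 1.2 suites it selects.

    Uses the OpenSSL that Python is linked against, so the result reflects
    that library's version and default security level, not nginx's.
    TLS 1.3 suites are configured separately in OpenSSL and are skipped.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    suites = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        # description looks like:
        # "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"
        fields = dict(tok.split("=", 1) for tok in c["description"].split() if "=" in tok)
        suites.append({"name": c["name"], "kx": fields.get("Kx"),
                       "au": fields.get("Au"), "enc": fields.get("Enc")})
    return suites


def audit_cipher_string(spec):
    """Return findings for suites a hardened config should not allow."""
    findings = []
    for s in expand_cipher_string(spec):
        if s["au"] == "None":
            findings.append(f'{s["name"]}: anonymous suite (no server authentication)')
        if s["kx"] not in ("ECDH", "DH"):
            findings.append(f'{s["name"]}: no forward secrecy (Kx={s["kx"]})')
        if "(256)" not in (s["enc"] or ""):
            findings.append(f'{s["name"]}: not a 256-bit cipher (Enc={s["enc"]})')
    return findings


if __name__ == "__main__":
    for s in expand_cipher_string(NGINX_CIPHERS):
        print(f'{s["name"]:32} Kx={s["kx"]:5} Au={s["au"]:6} Enc={s["enc"]}')
    for f in audit_cipher_string(NGINX_CIPHERS):
        print("WARNING:", f)
```

Run it on the same machine (or the same OpenSSL version) as nginx; an anonymous-suite warning means the string matched more than the keywords suggest and should be tightened with an explicit !aNULL.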