
Obtain A+ SSL Security Rating

In a previous post I set up SSL with nginx on CentOS 7 using a Let's Encrypt certificate; please refer to: Use Lets Encrypt Certbot to Install Free SSL on CentOS7.
With that default configuration the SSL rating test (Qualys SSL Labs, whose grades these are) gives the site a B. In this post I change the nginx settings needed to obtain an A+ rating.

Things to do to get A+:

  1. generate a 4096-bit dhparam.pem
  2. modify nginx.conf and demo.bulafish.com.conf

Extra things to do to increase security:

  1. configure a DNS CAA record

Generate dhparam.pem with the command below. Change the output path to fit your needs, but keep it identical to the path given to the ssl_dhparam directive later. Generating 4096-bit parameters takes a long time (minutes or more, depending on the CPU); 2048 bits is already enough for an A+ rating and is much faster to generate.

openssl dhparam -out /etc/letsencrypt/live/demo.bulafish.com/dhparam.pem 4096


Modify /etc/nginx/nginx.conf and add the following inside the http block, then save and exit.

ssl_dhparam /etc/letsencrypt/live/demo.bulafish.com/dhparam.pem;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
server_tokens off;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

Notes on these settings:

  1. ssl_protocols: the original version of this list also enabled TLSv1 and TLSv1.1, which still earned an A+ when the post was written, but both versions are deprecated and the SSL Labs test now caps the grade at B when either is enabled. Add TLSv1.3 to the list if your nginx is built against OpenSSL 1.1.1 or later.
  2. ssl_ciphers: the ECDHE-RSA-AES256-GCM-SHA512 and DHE-RSA-AES256-GCM-SHA512 names that circulate in copied configs do not exist in OpenSSL and were silently ignored, so they have been removed; the effective cipher list is unchanged. The DHE suite is the only one that uses dhparam.pem.
  3. Strict-Transport-Security with preload commits the domain and every subdomain to HTTPS for two years once it is submitted to the browser preload list, and removal from that list can take months. Leave out preload unless every subdomain already serves HTTPS and you intend to submit the domain.
  4. add_header directives in the http block are inherited only by server and location blocks that declare no add_header of their own; if a server block adds its own header, repeat these headers there or they will disappear.
  5. X-XSS-Protection is ignored by current browsers and is harmless. X-Robots-Tag none tells search engines not to index the site at all; drop it unless that is what you want.
  6. ssl_stapling_verify checks the stapled OCSP response against the ssl_trusted_certificate chain configured in the server block below; without that directive stapling stays silently disabled.


Modify your server configuration (demo.bulafish.com.conf in this setup) and add the following inside the server block. Save, exit, test the configuration and reload nginx.

ssl_certificate     /etc/letsencrypt/live/demo.bulafish.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/demo.bulafish.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/demo.bulafish.com/chain.pem;


Re-run the rating test to confirm that an A+ rating is obtained.
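The rating test is an external service, so it is useful to have a local check that can be run right after `nginx -t` and a reload, before the public test and after every certificate renewal. The script below is an added example and not part of the original post: it probes the server with openssl and curl for exactly the properties the configuration above is meant to produce (TLS 1.0 and 1.1 rejected, TLS 1.2 accepted, an OCSP response stapled, and an HSTS header that meets the preload-list requirements). It assumes openssl and curl are installed; the file name tlscheck.sh and the host name are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): post-deployment checks for the
# nginx TLS settings above. Assumes openssl and curl are installed and that
# the host passed as $1 (e.g. demo.bulafish.com) is reachable on port 443.

# Return 0 when a handshake restricted to one protocol version succeeds.
# $2 is an openssl s_client switch: tls1, tls1_1, tls1_2 or tls1_3.
# On failure openssl prints "Cipher is (NONE)"; on success it names the suite.
tls_accepted() {
  openssl s_client -connect "$1:443" -servername "$1" "-$2" </dev/null 2>/dev/null \
    | grep -q 'Cipher is [A-Z]'
}

# Return 0 when the server staples an OCSP response (ssl_stapling is working).
ocsp_stapled() {
  openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null \
    | grep -q 'OCSP Response Status: successful'
}

# Print the value of response header $2 from https://$1/ (name matched case-insensitively).
header_value() {
  curl -sI "https://$1/" | tr -d '\r' \
    | awk -F': ' -v h="$2" 'tolower($1) == tolower(h) { print $2 }'
}

# Return 0 when an HSTS header value meets the preload-list requirements:
# max-age of at least one year (31536000 s), includeSubDomains and preload.
hsts_preload_ok() {
  _v=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  _age=$(printf '%s' "$_v" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  [ -n "$_age" ] && [ "$_age" -ge 31536000 ] || return 1
  printf '%s' "$_v" | grep -q 'includesubdomains' || return 1
  printf '%s' "$_v" | grep -q 'preload'
}

# Run every check against one host and print PASS/FAIL per property.
run_checks() {
  host=$1
  for proto in tls1 tls1_1; do
    if tls_accepted "$host" "$proto"; then
      echo "FAIL $proto is still accepted"
    else
      echo "PASS $proto rejected"
    fi
  done
  if tls_accepted "$host" tls1_2; then echo "PASS tls1_2 accepted"; else echo "FAIL tls1_2 rejected"; fi
  if ocsp_stapled "$host"; then echo "PASS OCSP response stapled"; else echo "FAIL no OCSP staple"; fi
  if hsts_preload_ok "$(header_value "$host" Strict-Transport-Security)"; then
    echo "PASS HSTS header is preload-ready"
  else
    echo "FAIL HSTS header missing or too weak"
  fi
}

# Usage: sh tlscheck.sh demo.bulafish.com
if [ $# -gt 0 ]; then
  run_checks "$1"
fi
```

If the OCSP check fails on the first connection, run it once more: nginx fetches the OCSP response lazily after the first handshake, so the very first client after a reload may not receive a staple.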

What is a CAA record?

A Certification Authority Authorization (CAA) record is used to specify which certificate authorities (CAs) are allowed to issue certificates for a domain.

To configure CAA, log in to your DNS provider and add a CAA record for the domain that names the CA you use; for Let's Encrypt the issuer string is letsencrypt.org. Any CA that is not named will refuse to issue, and that includes renewals, so list every CA you rely on.

Wait a couple of hours for the record to propagate (the zone's TTL applies), then run the rating test again to confirm that the CAA policy is detected.
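Since the screenshots of the DNS console are not reproduced here, the following added example (not part of the original post) shows the record itself in zone-file form and a small check that reads the published CAA records the way a CA does and decides whether Let's Encrypt may issue. It assumes dig is installed (the bind-utils package on CentOS 7); the host name, the file name caacheck.sh and the sample records are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a CAA record for Let's Encrypt
# and a check that the published records actually permit that CA.
# Assumes dig is installed. Host and file names are placeholders.

# The record to add at the DNS provider, in zone-file form. Only the CAs named
# in "issue" tags may issue certificates; Let's Encrypt's identifier is
# letsencrypt.org. Leaving it out would make Let's Encrypt refuse to renew.
CAA_RECORD='demo.bulafish.com. IN CAA 0 issue "letsencrypt.org"'

# Decide from CAA records ($1, one per line in the `dig +short CAA` form
# "<flags> <tag> \"<value>\"") whether CA $2 may issue a non-wildcard
# certificate. No "issue" tag at all leaves every CA free to issue; an
# "issue" tag whose value is ";" forbids every CA.
caa_permits() {
  _issuers=$(printf '%s\n' "$1" | awk '$2 == "issue" { gsub(/"/, "", $3); print $3 }')
  [ -z "$_issuers" ] && return 0
  printf '%s\n' "$_issuers" | grep -qxF "$2"
}

# Look the records up the way a CA does: at the name itself, then at each
# parent in turn, stopping at the first name that publishes any CAA record.
# Returns 1 (and prints nothing) when no name in the chain has CAA records.
caa_lookup() {
  _name=$1
  while [ -n "$_name" ]; do
    _rr=$(dig +short CAA "$_name" 2>/dev/null)
    if [ -n "$_rr" ]; then
      printf '%s\n' "$_rr"
      return 0
    fi
    case $_name in
      *.*) _name=${_name#*.} ;;
      *)   _name= ;;
    esac
  done
  return 1
}

# Usage: sh caacheck.sh demo.bulafish.com [ca]
# Prints the record to add, then whether the published policy allows the CA
# (default letsencrypt.org).
if [ $# -gt 0 ]; then
  echo "record to add: $CAA_RECORD"
  _ca=${2:-letsencrypt.org}
  if _rr=$(caa_lookup "$1"); then
    if caa_permits "$_rr" "$_ca"; then
      echo "PASS $_ca may issue for $1"
    else
      echo "FAIL $_ca is not authorized by the CAA policy for $1"
    fi
  else
    echo "no CAA records published for $1 or its parents (any CA may issue)"
  fi
fi
```

In a web DNS console the same record is usually entered as three fields: flags 0, tag issue, value letsencrypt.org. The check only covers the issue tag; wildcard certificates are governed by issuewild, which falls back to issue only when no issuewild record exists.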

This post is licensed under CC BY 4.0 by the author.