Once a year or so I take the time to run an SSL Report on my domains. Most of the time I score a B or an A, since things change and I don't always update them right away. After I get the score I start tweaking my server's settings to get an A+ again. I used the links below to help bump my score to an A+, but first, here are the two key things that helped me the most:

  • Ciphers. Weak ciphers need to be avoided while maintaining compatibility with older browsers. There are several lists floating around the web promising a good score. Here's the current list from the nginx config for this domain:
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
  • Generating DH parameters is essential to boosting your score. Without providing your own, nginx uses the default 1024-bit set of dhparams from OpenSSL. Running one command and adding a line to your nginx config is all it takes:
    $ cd /etc/ssl/certs; openssl dhparam -out dhparam.pem 4096
    Then add this line to the nginx config for your domain:
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
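As an added example (not code from the post), here is a small Python audit of the ssl_ciphers string above that checks the two things the post cares about: the weak families stay excluded, and the forward-secret ECDHE/DHE suites come before the static-RSA AES suites that are only kept for old clients. The weak-marker substrings and the PFS prefix list are this script's own assumptions, not OpenSSL's cipher-string expansion.

```python
# Added example: audit an nginx ssl_ciphers string offline.  POST_CIPHERS is the
# exact list quoted above; the weak-marker and PFS-prefix heuristics are this
# script's assumptions, not OpenSSL's own cipher-string expansion.
POST_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:"
    "kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:"
    "DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:"
    "AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"
    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

REQUIRED_EXCLUSIONS = ("aNULL", "eNULL", "EXPORT", "DES", "RC4", "MD5")  # shut off with '!'
WEAK_MARKERS = ("RC4", "MD5", "DES", "EXP", "NULL", "PSK")  # flag if on the enabled side
PFS_PREFIXES = ("ECDHE-", "DHE-", "kEDH")  # ephemeral (EC)DH key exchange => forward secrecy


def parse_cipher_string(cipher_string):
    """Split an OpenSSL cipher string into (enabled, excluded) token lists."""
    enabled, excluded = [], []
    for token in cipher_string.strip().rstrip(";").split(":"):
        token = token.strip()
        if token.startswith("!"):
            excluded.append(token[1:])
        elif token:
            enabled.append(token)
    return enabled, excluded


def audit_cipher_string(cipher_string):
    """Return the findings a pre-deploy check should raise for this string."""
    enabled, excluded = parse_cipher_string(cipher_string)
    pfs = [i for i, t in enumerate(enabled) if t.startswith(PFS_PREFIXES)]
    static = [i for i, t in enumerate(enabled) if not t.startswith(PFS_PREFIXES)]
    return {
        "missing_exclusions": [e for e in REQUIRED_EXCLUSIONS if e not in excluded],
        "weak_enabled": [t for t in enabled if any(m in t.upper() for m in WEAK_MARKERS)],
        # Static-RSA suites: kept for old clients, but they give no forward secrecy.
        "non_pfs_suites": [enabled[i] for i in static],
        # True when every forward-secret suite precedes every static one.
        "pfs_before_static": bool(pfs) and (not static or max(pfs) < min(static)),
    }
```

On the server itself, the authoritative expansion is what openssl ciphers -v prints for the same string; this script only checks the string's shape before you commit it.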

Server Tests:

Generic SSL articles:

CAA DNS Record:

CloudFlare supports this new record type, but it's part of a beta that can only be joined by contacting their support team and stating your intentions.

Public Key Pinning (HPKP):

Content Security Policy:

A quick note on this. It's a pain in the ass. Look at the Content-Security-Policy header for this domain (e.g. $ curl -I https://kevinbowers.me) and just look at its length. Admire it. I'll wait. The best way to implement this would be to not use any third-party scripts, CSS, fonts, etc.; otherwise you end up being forced to use 'unsafe-inline' and 'unsafe-eval', which isn't ideal and practically defeats the purpose of the CSP header. I took the time to add the third-party sites to the header for the sake of this post, but if anything changes, I won't do it again.

Good luck!