Grade B on Nginx



I appear to be getting a Grade B from SSL-Labs on my certificate:

My current nginx config is:

        ssl_certificate    fullchain.pem;
        ssl_certificate_key privkey.pem;
        ssl_trusted_certificate fullchain.pem;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        ssl_session_tickets off;
        ssl_stapling on;
        ssl_stapling_verify on;

Could anybody point out what I can do to improve this to an A or A+ possibly?



As indicated by the report, you should generate and use your own DH keys instead of the default (weak) keys:

  1. You should generate a SAN certificate that is valid for and
  2. Enable Strict Transport Security instead of setting a timeout to 0
    Maybe, if you know what you are doing, use Public Key Pinning.
    If NGinx supports http2, enable it for better performance.
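As an added example (not part of the answer above or the nginx project), a small POSIX shell audit that checks a TLS block for the points raised here (DHE ciphers without your own `ssl_dhparam`, legacy TLS 1.0/1.1, HTTP/2 not enabled) and prints the corrected directives; the file paths such as `/etc/nginx/dhparam.pem` are assumptions.

```shell
# Added example, not from the original post: audit an nginx TLS block for the
# findings in the answer above (default DH group, HTTP/2 off) and print the
# corrected directives. Paths such as /etc/nginx/dhparam.pem are assumptions.
# Constructed sample that mirrors the question's config.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
listen 443 ssl;
ssl_certificate    fullchain.pem;
ssl_certificate_key privkey.pem;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
EOF

# tls_audit FILE: one finding per line on stdout; returns 0 if clean, 1 otherwise.
tls_audit() {
    rc=0
    # DHE (EDH) suites offered but no ssl_dhparam: older nginx releases then fell
    # back to a built-in 1024-bit group, which SSL Labs reports as weak DH (grade B cap).
    if grep -Eq 'ssl_ciphers.*(EDH|DHE)' "$1" && ! grep -Eq '^[[:space:]]*ssl_dhparam' "$1"; then
        echo "dh: DHE ciphers enabled without ssl_dhparam"; rc=1
    fi
    # TLS 1.0/1.1 are deprecated; SSL Labs now caps them at B as well.
    if grep -Eq '^[[:space:]]*ssl_protocols.*TLSv1(\.1)?([[:space:]]|;)' "$1"; then
        echo "protocols: TLSv1/TLSv1.1 still enabled"; rc=1
    fi
    # HTTP/2 via 'listen ... http2' or, on nginx >= 1.25.1, 'http2 on;'.
    if ! grep -Eq '^[[:space:]]*(listen.*http2|http2[[:space:]]+on)' "$1"; then
        echo "http2: not enabled on the TLS listener"; rc=1
    fi
    return $rc
}

# Corrected directives. Generate the DH group once, outside nginx, with:
#   openssl dhparam -out /etc/nginx/dhparam.pem 2048
hardened_tls_block() {
    cat <<'EOF'
listen 443 ssl http2;
ssl_certificate     fullchain.pem;
ssl_certificate_key privkey.pem;
ssl_dhparam         /etc/nginx/dhparam.pem;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
EOF
}

tls_audit "$SAMPLE_CONF" || true   # prints the three findings for the sample
FIXED_CONF=$(mktemp); hardened_tls_block >"$FIXED_CONF"
tls_audit "$FIXED_CONF" && echo "hardened block: no findings"
```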