Grade B on Nginx


#1

Hello

I appear to be getting a Grade B from SSL-Labs on my certificate: https://www.ssllabs.com/ssltest/analyze.html?d=jacob.uk.com&s=46.101.64.69

My current nginx config is:

        ssl_certificate    fullchain.pem;
        ssl_certificate_key privkey.pem;
        ssl_trusted_certificate fullchain.pem;

        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        ssl_session_tickets off;
        ssl_stapling on;
        ssl_stapling_verify on;

Could anybody point out what I can do to improve this to an A or A+ possibly?

J


#2

As indicated by the report, you should generate and use your own DH keys instead of the default (weak) keys: https://weakdh.org/sysadmin.html


#3
  1. You should generate a SAN certificate that is valid for jacob.uk.com and www.jacob.uk.com
  2. Enable Strict Transport Security instead of setting a timeout of 0
    Maybe, if you know what you do, use Public Key Pinning
    If NGinx supports http2, enable it for better performance.
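Putting replies #2 and #3 together, here is an added example server block (not the original poster's file and not from any of the replies) that adds custom DH parameters and covers both hostnames. The path /etc/nginx/dhparam.pem, the server_name list and the http2 flag are assumptions for illustration; everything else is the directives the poster already has.

```nginx
# Added example configuration, not the poster's own file; the dhparam path,
# the server_name values and the http2 flag are assumptions for illustration.
server {
    # http2 only works if this nginx build includes the http_v2 module (reply #3).
    listen 443 ssl http2;
    # Both hostnames must be in the certificate's SAN list (reply #3),
    # otherwise one of them fails name validation in the SSL Labs test.
    server_name jacob.uk.com www.jacob.uk.com;

    ssl_certificate         fullchain.pem;
    ssl_certificate_key     privkey.pem;
    ssl_trusted_certificate fullchain.pem;   # chain used to verify stapled OCSP responses

    # Without ssl_dhparam nginx falls back to its built-in default DH group,
    # which is what the SSL Labs report flags as weak (reply #2).
    # Generate the file once, before reloading nginx:
    #   openssl dhparam -out /etc/nginx/dhparam.pem 2048
    ssl_dhparam /etc/nginx/dhparam.pem;

    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
}
```

Run `nginx -t` before reloading so a missing or unreadable dhparam file is caught in the config check rather than at startup, then re-run the SSL Labs test; the "weak DH" finding should be gone once the 2048-bit parameters are in use.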