"How to get 100% on ssllabs.com with nginx"

I tried following this tutorial on how to get 100% in all four categories on ssllabs, and it was pretty helpful.

I tweaked it here and there (I removed CBC ciphers, for example, I have no need for legacy clients), but even unmodified I was able to achieve 100% in the first three categories pretty quickly.

The fourth, cipher strength, was another matter. Whatever I tried writing in ssl_ciphers, nginx would use TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 and TLS_AES_128_GCM_SHA256. and this is a 128 bit AES cipher, not allowed for 100%.

Just to see if I could, I disabled TLSv1.3 and used only TLSv1.2, with success. But I believe that for the time being Iā€™ll bit the bullet and keep AES128 among my ciphersuites.

In case someone finds it useful, this is my nginx ssl config:

ssl_protocols TLSv1.3 TLSv1.2;
#ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers off;
ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256;
#ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
ssl_ecdh_curve secp521r1:secp384r1;

ssl_dhparam dhparams.pem; # 8192 bit self generated -- almost a day on a laptop

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "upgrade-insecure-requests" always;
2 Likes

Hi @9peppe,

Yeah, I tried to edit it but ends up with insufficient permission... Wrote that back in 2018 so it's already outdated by now (some of the links have stopped working)

As of now, there's no way you can adjust the ciphers for OpenSSL (on Nginx) for TLSv1.3, which is why all your attempt to disable one of the "enabled by default ciphers" failed. Qualys Lab said in one of the GitHub issues they'll modify their scoring for TLSv1.3 ciphers but so far there's no progress.

I'm happy that you've found the post useful and hopefully it can be updated soonšŸ˜

Thank you
Steven Zhu

6 Likes

Yeah, it was a lot of fun but I need to stop obsessing over configuring tls on a server that I use by myself.

Right now I am adding an ec-256 key, and reducing dhparam to 4K to see if I can keep that 100-100-100-90 evaluation. (I should.) (wellā€¦ according to ssllabs nearly all the clients that connect to my server use ecdh, I might as well remove all edh suitesā€¦)

(about ec-256 keysā€¦ acme.sh is not as mindlessly usable as certbot :smiley:)

2 Likes

Iā€™ve moved the post from the ā€œServerā€ category (which is now closed) to the ā€œHelpā€ category so you should both be able to edit it again (itā€™s a wiki post). Let me know if you have any trouble!

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.