I tried following this tutorial on how to get 100% in all four categories on ssllabs, and it was pretty helpful.
I tweaked it here and there (I removed CBC ciphers, for example, I have no need for legacy clients), but even unmodified I was able to achieve 100% in the first three categories pretty quickly.
The fourth, cipher strength, was another matter. Whatever I tried writing in ssl_ciphers, nginx would use TLS_AES_128_GCM_SHA256, and this is a 128 bit AES cipher, not allowed for 100%.
Just to see if I could, I disabled TLSv1.3 and used only TLSv1.2, with success. But I believe that for the time being I'll bite the bullet and keep AES128 among my ciphersuites.
In case someone finds it useful, this is my nginx ssl config:
```nginx
ssl_protocols TLSv1.3 TLSv1.2;
#ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers off;
ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256;
#ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
ssl_ecdh_curve secp521r1:secp384r1;
ssl_dhparam dhparams.pem; # 8192 bit self generated -- almost a day on a laptop
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "upgrade-insecure-requests" always;
```
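The reason ssl_ciphers had no effect on the TLSv1.3 suite is that OpenSSL 1.1.1 and later keep the TLSv1.3 ciphersuites in a separate list from the TLSv1.2 cipher string, so "!AES128" in ssl_ciphers never touches TLS_AES_128_GCM_SHA256. As an added example (not the poster's config), this nginx fragment sets both lists; the TLSv1.3 list is passed through nginx's ssl_conf_command directive (nginx 1.19.4 or later, OpenSSL 1.1.1 or later), and the TLSv1.2 cipher string below is a constructed one, not the poster's:

```nginx
# Added example, not the original poster's configuration.
# Assumes nginx >= 1.19.4 built against OpenSSL >= 1.1.1.
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;

# TLSv1.2 cipher list only (constructed for this example). The "!AES128"
# exclusion here does not reach the TLSv1.3 suites, which is why
# TLS_AES_128_GCM_SHA256 kept being negotiated with ssl_ciphers alone.
ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:!AES128;

# TLSv1.3 suites go straight to OpenSSL's SSL_CONF "Ciphersuites" command.
# Only AES-256-GCM and ChaCha20-Poly1305 are offered; AES-128-GCM is dropped.
ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
```

The negotiated suite can be checked with `openssl s_client -connect host:443 -tls1_3`, whose Cipher line should then show one of the two suites above. TLS_AES_128_GCM_SHA256 is the one suite RFC 8446 requires every TLSv1.3 client to implement, so dropping it server-side relies on clients also supporting AES-256-GCM or ChaCha20-Poly1305, which current mainstream browsers do.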