I tested my SSL and got B. Is there any way of improving that?

This is the test I’ve run: https://www.ssllabs.com/ssltest/analyze.html?d=olimppi.us. What happens is that my grade is a bit low: B. Is there any way of configuring stuff to make it better? I have a VPS with Ubuntu 16.04 LTS, with Nginx server. Moreover, I’m using both: http and https.

1 Like

Hi @roguitar88

please read the output of your check.

Then update your configuration.

If you want to have Grade A, it’s your job to learn all the required details.

1 Like

Have you tried to (securely) configure it at all?
I mean it seems very “out of the box”.
You need to remove the DHE ciphers or use 2048 bit or higher (if needed).
All the “WEAK” ciphers should be removed.
You probably need to update the O/S and the nginx as well.

1 Like

At the moment I’m reviewing this guide here https://weakdh.org/sysadmin.html related to the first issue (This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.).

As far as I can remember, all I did was to install Nginx and configure it as above… Nothing else.

So you’re saying I need to remove DHE ciphers and replace them with one higher, right? And also I need to update Nginx, right? Ok, I’ll try to do it, too.

You can get a bunch of relevant configurations at

https://ssl-config.mozilla.org/

One trade-off which you’ll see presented there is that sometimes the configuration changes that get you a higher grade will reduce your compatibility with older browsers.

1 Like

Ok, it has really helped. It improved the grade a little, little bit. See: https://www.ssllabs.com/ssltest/analyze.html?d=olimppi.us
But, anyway there is a little, little issue I should solve:

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

How can I solve it?

1 Like

Well I’ve got to solve the issue above about the DH parameters. Now I have another challenge before me: to solve the issue of the TLS versions:

This server supports TLS 1.0 and TLS 1.1. Grade capped to B

How can I make my server support TLS 1.3, since I’ve tried it several times and it always outputs: Reloaded failed. Every time I add TLSv1.3 after ssl_protocols it goes wrong. So how can I enable this in my server?

Do you know if that mozilla configuration generator is recent/maintained?

I just tried using it on a public openresty/nginx server, and the SSL labs system didn’t pick up TLS1.2

That’s a good question. Mine supports TLS 1.2, but not 1.3 and here is the proof (/etc/nginx/nginx.conf):

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE

I believe that if we look further we could find something more recent than that.

AHA!

After digging through some docs and the shell, I realized I cheated on setting up this server and it uses an OpenResty binary – not from source. The SSL support on Nginx is pegged to the openssl versions it was built with.

Thankfully the binary has a new build against a newer openssl (I can still cheat!). I updated that, and everything works as expected.

1 Like

Check your nginx compile options:

nginx -V

look for a path to a versioned openssl in there. if you don’t see any and are using a binary, try updating the binary. otherwise if you have your own installation, update openssl on the machine to at least OpenSSL 1.1.1. see
http://nginx.org/en/docs/http/ngx_http_ssl_module.html

You can get key exchange to 100 but not cipher strength (not if you want to keep TLSv1.3).

Select your ecdhe curves accurately (and make sure your dhparams are big enough if you use them)

I did as you said. I tried to add TLSv.13 to /etc/nginx/nginx.conf script but the key exchange remained the same.
I added the ecdhe curves as below:

#Diffie Hellmann performance improvements
ssl_ecdh_curve secp384r1;

The lines above were caught from https://ma.ttias.be/deploying-laravel-websockets-with-nginx-reverse-proxy-and-supervisord/

This is not very compatible:

Try something more flexible and secure (order matters).
Like:
ssl_ecdh_curve sect571r1:secp521r1:X448:sect409r1:secp384r1:sect283r1:prime256v1;

Which version of OpenSSL are you running?

1 Like

Also, try using more ciphers.
Like:
ssl_ciphers TLS13:ECDHE+ARIA:ECDHE+CHACHA20:ECDHE+AESGCM;

1 Like

I currently use

ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256; 

and

ssl_ecdh_curve secp521r1:X448:secp384r1:secp256k1;

But my ssllabs result is 100-100-100-90. (There are some 128bit ciphers that cannot be turned off with TLSv1.3)

PS:

ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;

I tried to use the same configuration proposed by you, but the ssl curve above didn’t work, so I’ve preserved mine. However, the results remained the same.

OpenSSL 1.0.2g 1 Mar 2016

Is there any problem about it?

I don’t think OpenSSL 1.0.2g supports TLSv1.3
Otherwise it is relatively OK.

You should try to update it and your entire O/S.
sudo apt update
sudo apt upgrade

1 Like

You may be able to see which ciphers are supported by your version of OpenSSL with:
openssl ciphers
[should produce a long concatenated list separated with “:”]
If it shows any entries that start with “TLS” it supports TLSv1.3.

Here is an example output:

openssl version
OpenSSL 1.1.1  11 Sep 2018

openssl ciphers
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA
1 Like