SSL cipher parameters


#1

I have installed Let's Encrypt. Is my setup secure, and what can I add to make it more secure?
I am using nginx, and I am on CentOS 7.

```nginx
ssl_dhparam /etc/ssl/certs/dhparam.pem;

## SSL
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;

ssl_prefer_server_ciphers On;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;
```

Thanks
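
An added example, not part of the original post or of nginx: a small Python check run over the TLS directives posted above, reporting protocol versions and cipher-string entries that fall under an assumed "legacy" policy. The `OLD_PROTOCOLS` and `OLD_ALGORITHMS` sets and the function names are this example's own choices.

```python
import re

# Constructed sample: the TLS directives from the post above.
NGINX_CONF = """
ssl_prefer_server_ciphers On;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
"""

# Assumed policy for this example: protocol versions deprecated by RFC 8996
# or earlier, and OpenSSL cipher keywords widely treated as legacy.
OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
OLD_ALGORITHMS = {"3DES", "DES", "RC4", "MD5", "aNULL", "eNULL", "EXPORT"}


def directive(conf, name):
    """Return the argument string of the last `name ...;` directive, or None."""
    found = re.findall(r"^\s*" + re.escape(name) + r"\s+([^;]+);", conf, re.M)
    return found[-1].strip() if found else None


def audit(conf):
    """Return (outdated protocols, cipher-string entries enabling old algorithms)."""
    protocols = (directive(conf, "ssl_protocols") or "").split()
    bad_protocols = [p for p in protocols if p in OLD_PROTOCOLS]

    bad_ciphers = []
    # OpenSSL cipher strings separate entries with ":", "," or spaces.
    for entry in re.split(r"[:, ]+", directive(conf, "ssl_ciphers") or ""):
        # A leading "!" or "-" removes ciphers and "+" only reorders them,
        # so none of those entries enables anything.
        if not entry or entry[0] in "!-+":
            continue
        # "ECDH+3DES" selects ciphers with both properties; check each keyword.
        if OLD_ALGORITHMS & set(entry.split("+")):
            bad_ciphers.append(entry)
    return bad_protocols, bad_ciphers


if __name__ == "__main__":
    protocols, ciphers = audit(NGINX_CONF)
    print("outdated protocols:", protocols)
    print("legacy cipher entries:", ciphers)
```

Exclusions such as `!MD5` are skipped on purpose, so only entries that actually enable a legacy algorithm are reported.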


#2

Could you please elaborate on “secure”?

Please note that the more “secure” the nginx configuration is, the fewer clients would be able to access your website.

If you merely want to raise the rating of your configuration on SSL Labs, you could refer to the topic below.
https://community.letsencrypt.org/t/howto-a-with-all-100-s-on-ssl-labs-test-using-nginx-mainline-stable/55033/4

Thank you


#3

You could start by removing the outdated protocols and ciphers: