How to get A+ on SSL Labs

This will show how to get A+ on SSL Server Test from Qualys SSL Labs.

Enable SSL and headers module in Apache2.

a2enmod ssl
a2enmod headers

Edit Apache configuration.

SSLCertificateFile /etc/ssl/crt/«yourcert».pem
SSLCertificateKeyFile /etc/ssl/crt/«yourkey».pem
SSLCertificateChainFile /etc/ssl/crt/«intermediatechain».pem

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EECDH:EDH:AES:!aNULL:!eNULL:!LOW:!RC4:!3DES:!DES:!MD5:!EXP:!PSK:!SRP:!DSS

The ! preceding the cipher means that Apache will not use that cipher.

View ciphers

List the ciphers openssl supports with the current configuration.

openssl ciphers -v -ssl3 -tls1 'EECDH:EDH:AES:!aNULL:!eNULL:!LOW:!RC4:!3DES:!DES:!MD5:!EXP:!PSK:!SRP:!DSS'

Explanation

With this configuration Apache will prefer Perfect forward secrecy. If Perfect forward secrecy can’t be negotiated it will default to AES cipher. This configuration will work on all newer browser. Exceptions are older IE, older Java and a few bots.

Where there are no links to the information source it’s taken from the documentation on openssl.org.

Header always set Strict-Transport-Security

Force browser to use HTTPS even if the user enters HTTP. The browser should remember this setting for a really long time, example a year.

SSLHonorCipherOrder On

Use the servers preferred encryption not the browsers which may be a weaker cipher.

EECDH

Ephemeral elliptic-curve Diffie-Hellman, see ECDH.

EDH

Ephemeral Diffie-Hellman, see Diffie–Hellman key exchange.

AES

Advanced Encryption Standard.

!aNULL

The cipher suites offering no authentication. This is currently the anonymous DH algorithms. These cipher suites are vulnerable to a ``man in the middle’’ attack and so their use is normally discouraged.

!eNULL

The «NULL» ciphers that is those offering no encryption.

!LOW

«Low» encryption cipher suites, currently those using 64 or 56 bit encryption algorithms but excluding export cipher suites.

!RC4

RC4 stream cipher. After attacks on RC4 it is said to be vulnerable. See New RC4 Attack for more information.

!3DES

Triple DES.

!DES

Data Encryption Standard.

!MD5

MD5 message-digest algorithm.

!EXP

Export encryption algorithms. Including 40 and 56 bits algorithms.

!PSK

Cipher suites using pre-shared keys (PSK).

!SRP

Secure Remote Password protocol.

!DSS

Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.

See also

• Luks decryption with clevis and TPM2
• Wireguard VPN server
• Malware lists for PiHole
• List CPU vulnerabilities
• Design an online ransomware safe backup with restic