Get an A+ rating at SSL Labs


To get an A+ rating at SSL Labs, do the following:

Make sure that you're using a current OpenSSL. Today it's unlikely that you'll have to compile it from source: if your OS is up to date, updating OpenSSL from the default repository is fine. Restart the web server afterwards so it actually loads the new library. For example, on CentOS all you need is to run the following command:

yum update openssl

Make sure that you serve the correct certificate chain (the leaf certificate followed by every intermediate). Today when you buy an SSL certificate, most certificate authorities will provide the full chain in an additional PEM file. Or you can get a free certificate from the Let's Encrypt certificate authority: they provide a ready-made fullchain.pem, so you don't have to mess with PEM file concatenation. Be careful to point the server at fullchain.pem and not at cert.pem, which contains the leaf only; an incomplete chain is one of the most common reasons for a lower grade.

Use strong (4096-bit) DH parameters. They are only used by the DHE cipher suites (ECDHE suites do not need them), but SSL Labs caps the grade at B for 1024-bit DH, so never rely on a server's built-in default group. You can generate DH parameters with one command (it will take a while, several minutes or so; that's OK):

openssl dhparam -out dhparam.pem 4096

Disable every protocol older than TLSv1.2, i.e. SSLv2, SSLv3, TLSv1 and TLSv1.1. SSL Labs caps the grade at B for servers that still accept TLSv1 or TLSv1.1, so enabling only TLSv1.2 and TLSv1.3 is the way to go.

Specify only those cipher suites which are currently considered strong enough: forward-secret (ECDHE or DHE) AEAD suites, i.e. AES-GCM and ChaCha20-Poly1305. SSL Labs flags 3DES, RC4 and CBC-mode suites as weak, and suites without forward secrecy also cost you; if you must keep some CBC suites for legacy clients, expect them to be marked as weak in the report (see the config examples below).

Enable HTTP Strict Transport Security with a long max-age (one year is a safe value); A+ is only awarded when HSTS is present. Add the preload directive only if you intend to submit the domain to the browser preload list, because a preloaded HSTS entry cannot be quickly undone.

Here is a snippet of an NGINX server section configuration that will give you an A+ rating at SSL Labs:

listen 443 ssl;
# TLSv1.3 needs nginx built against OpenSSL 1.1.1 or newer; everything below TLSv1.2 is left out.
ssl_protocols TLSv1.2 TLSv1.3;
# Forward-secret AEAD suites only. This list applies to TLSv1.2; the TLSv1.3 suites are fixed by OpenSSL.
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!DSS";
ssl_prefer_server_ciphers on;
# fullchain.pem holds the leaf plus intermediates; cert.pem alone would leave the chain incomplete.
ssl_certificate /etc/letsencrypt/live/samblog.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/samblog.com/privkey.pem;
# Used by the DHE-* suites above; generated with openssl dhparam as described earlier.
ssl_dhparam /etc/letsencrypt/live/samblog.com/dhparam.pem;
# "always" makes nginx send the header on error responses as well, not only on 2xx/3xx.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
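Before submitting the host to SSL Labs you can lint a server block locally against the checklist above. The following Python script is an added example, not part of the original post and not an nginx tool: it pulls the relevant directives out with regular expressions and reports legacy protocols, weak or non-forward-secret suites, DHE suites without ssl_dhparam, a leaf-only cert.pem, and an HSTS header that is short, missing includeSubDomains, or sent without "always". It only judges explicit suite names (OpenSSL keywords such as HIGH are not expanded), and the two sample blocks with their example.com paths are constructed for the demonstration.

```python
"""Lint an nginx `server` block against the SSL Labs A+ checklist (added example)."""
import re

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Suite-name fragments that SSL Labs reports as weak or insecure
# (3DES, RC4, MD5 MACs, NULL/export/anonymous key exchange).
WEAK_SUITE_MARKERS = ("DES-", "RC4", "MD5", "NULL", "EXPORT", "ADH-", "AECDH-")
# Only these key-exchange prefixes give forward secrecy.
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")
ONE_YEAR = 31536000  # seconds; a comfortably "long" HSTS max-age


def _directive(config, name):
    """Return the argument text of the first `name args;` directive, or None."""
    m = re.search(r"^\s*%s\s+([^;]*);" % re.escape(name), config, re.M)
    return m.group(1).strip() if m else None


def audit_nginx_tls(config):
    """Return a list of findings; an empty list means the block passed every check."""
    findings = []

    protocols = _directive(config, "ssl_protocols")
    if protocols is None:
        findings.append("ssl_protocols not set; the nginx default may still offer TLSv1/TLSv1.1")
    else:
        legacy = sorted(set(protocols.split()) & LEGACY_PROTOCOLS)
        if legacy:
            findings.append("legacy protocols enabled: " + ", ".join(legacy))

    suites = []
    ciphers = _directive(config, "ssl_ciphers")
    if ciphers is not None:
        # Judge explicit suite names only; '!'/'-' entries are exclusions.
        suites = [s for s in ciphers.strip("\"'").split(":") if s and s[0] not in "!-"]
        weak = [s for s in suites if any(marker in s for marker in WEAK_SUITE_MARKERS)]
        if weak:
            findings.append("weak cipher suites: " + ", ".join(weak))
        non_pfs = [s for s in suites if not s.startswith(PFS_PREFIXES)]
        if non_pfs:
            findings.append("suites without forward secrecy: " + ", ".join(non_pfs))

    if any(s.startswith(("DHE-", "EDH-")) for s in suites) and _directive(config, "ssl_dhparam") is None:
        findings.append("DHE suites enabled without ssl_dhparam (old nginx fell back to a 1024-bit group)")

    cert = _directive(config, "ssl_certificate")
    if cert is not None and cert.endswith("/cert.pem"):
        findings.append("ssl_certificate points at cert.pem (leaf only); use fullchain.pem")

    hsts = re.search(r'^\s*add_header\s+Strict-Transport-Security\s+"([^"]*)"([^;]*);', config, re.M)
    if hsts is None:
        findings.append("Strict-Transport-Security header missing")
    else:
        value, flags = hsts.group(1), hsts.group(2).split()
        age = re.search(r"max-age=(\d+)", value)
        if age is None or int(age.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")
        if "includeSubDomains" not in value:
            findings.append("HSTS lacks includeSubDomains")
        if "always" not in flags:
            findings.append("HSTS add_header lacks 'always'; nginx omits it on error responses")
    return findings


# Constructed sample blocks; the example.com paths are placeholders, not a real deployment.
WEAK_CONFIG = """
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:AES128-SHA:DHE-RSA-AES128-SHA256";
    ssl_certificate /etc/letsencrypt/live/example.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    add_header Strict-Transport-Security "max-age=300";
"""

HARDENED_CONFIG = """
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!DSS";
    ssl_prefer_server_ciphers on;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_dhparam /etc/letsencrypt/live/example.com/dhparam.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label + ":", audit_nginx_tls(cfg) or "no findings")
```

Run it against your own block by pasting the directives into a string; the weak sample produces eight findings, the hardened one none. A clean run is not a substitute for the real scan, since chain completeness, OCSP and key size are only visible from the outside, but it catches the configuration mistakes that most often cost the A+.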

The same for Lighttpd (the directives below assume lighttpd 1.4.56 or newer; HSTS is not part of this block, so add the Strict-Transport-Security header as well, for example via mod_setenv's setenv.add-response-header, since A+ requires it):

$SERVER["socket"] == ":443"
{
    ssl.engine = "enable"
    # Replaces the old ssl.use-sslv2/ssl.use-sslv3 switches: refuse everything below TLSv1.2.
    ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
    # Certificate plus intermediates in ssl.pemfile, private key in ssl.privkey.
    # On lighttpd older than 1.4.56 the certificate and key must instead be concatenated into one pemfile.
    ssl.pemfile = "/etc/letsencrypt/live/samblog.com/fullchain.pem"
    ssl.privkey = "/etc/letsencrypt/live/samblog.com/privkey.pem"
    ssl.dh-file = "/etc/letsencrypt/live/samblog.com/dhparam.pem"
    ssl.honor-cipher-order = "enable"
    # Forward-secret AEAD suites only, same list as in the NGINX example.
    ssl.cipher-list = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!DSS"
    ssl.ec-curve = "secp384r1"
}

Everything set up? Reload the web server, then check your rating at https://www.ssllabs.com/ssltest/ and read the report for anything still marked as weak.


See also how to:

How to get free SSL certificate from Let's Encrypt certificate authority