Techspark Blogging about technical stuff


SSLLabs A+ rating with nginx without breaking compatibility

February 4, 2015 5:09 PM / XeroX

Update 05.03.2015: This configuration is not vulnerable to the POODLE, BEAST, HEARTBLEED or FREAK attacks. Proof: SSLLabs.com

After a lot of searching on the internet I found the perfect setting for nginx to get an A+ rating on ssllabs without breaking compatibility. There are some guides, but they are quite old.

nginx A+

Removing TLSv1 is easy, but it breaks compatibility with everything lower than Android 4.4, Windows 7 IE11 and most search engine crawlers.

The following settings are required to get an A+ rating as of February 2015.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_dhparam /etc/ssl/nginx/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;

ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

resolver <trusted DNS Server>;

After restarting nginx you will see the result above with the following ciphers:

Ciphers

 

If you’re interested in even more compatibility, the Mozilla SSL Configuration Generator may help you to adapt the configuration to your needs.

Note: A+ can only be reached with a SHA2 certificate or higher. The best you can reach with SHA1 is an A rating.
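
A check for the settings listed in this post, as an added example that is not from the original post: it reads a flat list of directives and reports deviations, including the typographic quotes that a copy from a web page can leave around the cipher list (nginx only recognises ' and " as quotes). The function names, the shortened sample and the use of the post's 15768000 seconds as the HSTS floor are assumptions of this example.

```python
import re

CURLY = "\u2018\u2019\u201c\u201d"  # quote characters nginx does not treat as quoting
MIN_HSTS = 15768000                  # assumption: the post's 6-month max-age is the floor

# Constructed sample: a shortened form of the post's settings as copied from a
# browser, with curly quotes around the cipher list.
PASTED = """\
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_dhparam /etc/ssl/nginx/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_ciphers \u2018kEECDH+AES128 kEDH+AES128 DES-CBC3-SHA !aNULL !eNULL !RC4\u2019;
# HSTS
add_header Strict-Transport-Security max-age=15768000;
"""

def directives(conf):
    """Return (comment-free text, {directive: arguments}); last value wins."""
    text = re.sub(r"#[^\n]*", "", conf)
    pairs = (stmt.split(None, 1) for stmt in text.split(";"))
    return text, {p[0]: p[1].strip() for p in pairs if len(p) == 2}

def audit(conf):
    """List deviations from the TLS settings described in this post."""
    text, d = directives(conf)
    findings = []
    protos = d.get("ssl_protocols", "").split()
    if not protos or {"SSLv2", "SSLv3"} & set(protos):
        findings.append("ssl_protocols unset or allows SSLv2/SSLv3")
    ciphers = d.get("ssl_ciphers", "")
    if any(c in ciphers for c in CURLY):
        findings.append("typographic quotes in ssl_ciphers")
    tokens = ciphers.strip("'\"" + CURLY).split()
    for needed in ("!aNULL", "!eNULL", "!RC4"):
        if needed not in tokens:
            findings.append("ssl_ciphers lacks " + needed)
    if any(t.startswith("kEDH") for t in tokens) and "ssl_dhparam" not in d:
        findings.append("kEDH ciphers listed but ssl_dhparam not set")
    if d.get("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    hsts = re.search(r"Strict-Transport-Security\s+[\"']?max-age=(\d+)", text)
    if not hsts or int(hsts.group(1)) < MIN_HSTS:
        findings.append("HSTS header missing or max-age too short")
    return findings

if __name__ == "__main__":
    for finding in audit(PASTED):
        print("FINDING:", finding)
```

The parser expects the directives as a flat list, as shown in this post; it does not descend into `server { ... }` blocks.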

Posted in: Webserver / Tagged: a+ rating, beast, configuration, freak, heartbleed, nginx, poodle, ssl, ssllabs, webserver
