I tried running thepinknotes.com through the Qualys SSL Labs SSL Server Test and found a couple of issues in my SSL configuration. I was only supposed to take a look, but one thing led to another and I decided to try and increase my score to
Here are the things I changed in my configuration to accomplish that goal:
Corrected the SSL certificate order
I bought a COMODO certificate from namecheap.com a couple of months ago and tried to set it up. I didn’t realize that I had concatenated the certificates in the wrong order (noob). To fix this, I recreated my certificate bundle by concatenating the files in the right order: the site certificate first, then the intermediates, then the root.
cat your_site_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > final.crt
I uploaded this new certificate bundle to my server and restarted NGINX.
Enabling session resumption
This came up in the analysis report from SSL Labs:
Session resumption (caching) No (IDs assigned but not accepted)
This means that the SSL handshake has to be re-established for every request a user makes, which can be pretty costly. Caching the session reduces this cost.
To enable it, you simply need to add this in
This means that NGINX will share the session cache between its workers, and sessions will be kept for 10 minutes. For more information, you can check out this link.
For further reading:
Guarding against POODLE attack
The POODLE attack exploits SSLv3 to reveal encrypted data. This is fairly easy to guard against. In NGINX, you need to add this line in
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
This enables only the listed protocols, so SSLv3 is no longer offered.
Strengthening the DH Key Exchange
I saw this comment in my analysis report:
This server supports weak Diffie-Hellman (DH) key exchange parameters.
NGINX uses the default parameters provided by OpenSSL as input to the Diffie-Hellman key exchange. These default parameters are 1024 bits (numbits). To increase the strength of the key exchange, I generated new parameters using 4096 bits. If you don’t specify numbits it will default to
$ cd /etc/ssl/private/
$ openssl dhparam -out dhparam.pem 4096
This will generate
I used this new dhparam file and configured it in NGINX by adding this in
Enabling HSTS
Because my website only needs to communicate over HTTPS, I have enabled HSTS.
To do this, I added this in the server block for thepinknotes.com in my NGINX config.
add_header Strict-Transport-Security max-age=15768000;
I have also modified my cipher configuration with stricter rules about which ciphers are used. I added this in
I have also set the configuration to prefer the server’s cipher order over the client’s. To configure this, I have added this in the
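To check that all of the changes above (session cache, protocols without SSLv3, custom dhparam, HSTS header, server cipher preference) actually landed in a config file, here is a small audit script I put together as an added example; it is not part of the original post. The two NGINX server blocks inside it are constructed samples (example.test, made-up paths), not the real thepinknotes.com config.

```python
import re

# Constructed sample: a server block with the weak settings SSL Labs flags.
WEAK_CONF = """
server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate /etc/ssl/final.crt;   # hypothetical path
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache off;
}
"""

# Constructed sample: the same block after applying the changes from the post.
HARDENED_CONF = """
server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate /etc/ssl/final.crt;   # hypothetical path
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_dhparam /etc/ssl/private/dhparam.pem;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000;
}
"""

# Matches simple one-line directives: "name arg arg ...;"
DIRECTIVE_RE = re.compile(r"^\s*([a-z_]+)\s+(.*?)\s*;\s*$", re.M)

def parse_directives(conf):
    """Return {directive: [[args...], ...]} with '#' comments stripped."""
    found = {}
    for name, args in DIRECTIVE_RE.findall(re.sub(r"#.*", "", conf)):
        found.setdefault(name, []).append(args.split())
    return found

def audit(conf):
    """Return the findings an SSL Labs style review would raise on this config."""
    d = parse_directives(conf)
    findings = []
    protos = d.get("ssl_protocols", [[]])[0]
    if not protos or any(p.startswith("SSLv") for p in protos):
        findings.append("ssl_protocols allows SSLv3 (POODLE) or relies on the default")
    if not any(a.startswith("shared:") for a in d.get("ssl_session_cache", [["off"]])[0]):
        findings.append("ssl_session_cache is not shared (session resumption disabled)")
    if "ssl_dhparam" not in d:
        findings.append("ssl_dhparam unset (OpenSSL default 1024-bit DH parameters)")
    if d.get("ssl_prefer_server_ciphers", [["off"]])[0] != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on")
    if not any(a[0] == "Strict-Transport-Security" for a in d.get("add_header", [])):
        findings.append("no Strict-Transport-Security header (HSTS)")
    return findings
```

Running audit(WEAK_CONF) lists all five problems, while audit(HARDENED_CONF) returns an empty list; the parser only understands single-line directives, so nested maps or multi-line values would need a real config parser.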
After making these changes, I managed to get an A+ on my SSL analysis. That’s been a fun Saturday fiddling with my SSL configuration and reading up on some of these concepts. The final outcome :-)
If you want to read more, I suggest this blog. It has more detailed information on some of these vulnerabilities.