I am a firm believer in using SSL as much as possible. For me that is pretty much everywhere and, thanks to the wonderful guys at GlobalSign, most of my SSL certificates are free because my projects are all open source.
I used a blog post by Hynek Schlawack as a base for my SSL setup. He keeps the article as up to date as possible, so it should be a great source for any security-conscious people who would like to know more and get good explanations of each part.
Let’s take a brief look at how this website achieves its A* rating.
I use a 4096 bit RSA key that is not a Debian weak key.
I do not support SSLv2 or SSLv3 but I do support much stronger protocols:
- TLS 1.2,
- TLS 1.1 and,
- TLS 1.0.
It’s a good idea to generate a set of DH parameters with a prime that is larger than the RSA key being used. For me that’s 4096 so to generate this I use:
openssl dhparam 4096
Once generated it gets appended to our PEM chain.
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
# intermediate cert
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----
Cipher suites & key exchanges
The website prefers ECDH+AESGCM or DH+AESGCM, which specifically uses AES-128. If AESGCM isn’t supported by the browser (at time of writing, it’s only supported by Chrome 32), it will fall back to ECDH+AES256 or DH+AES256, or fall further back to ECDH+AES128 or DH+AES.
Forcing SSL usage
This one is really quite simple: if you attempt to browse this site using the insecure interface (HTTP), you will simply be redirected to the secure interface.
Thankfully, at time of writing, I am using OpenSSL 1.0.1e and nginx 1.5.8, meaning SSL compression is disabled. You will have to do some Googling to find out which specific versions you need in order to disable SSL compression.
Finally, I support HSTS, telling the browser it should only access this website via a secure method. This is done by simply providing an STS header as shown below.
This configuration does not support the Windows XP operating system or IE6. It supports IE7 and above on Windows Vista or higher.
Consult Hynek’s article for support for Windows XP and IE6.
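The setup described in this post, written out as an nginx configuration. This is an added example, not the author's own configuration; the server name, file paths, the separate DH parameter file and the HSTS max-age value are assumptions.

```nginx
# Added example; hostname, paths and max-age are placeholders, not the author's values.

# Plain HTTP: no content is served, every request is redirected to HTTPS.
server {
    listen 80;
    server_name example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.org;

    # Server certificate followed by the intermediate, and the 4096-bit RSA key.
    ssl_certificate     /etc/nginx/ssl/example.org.chain.pem;
    ssl_certificate_key /etc/nginx/ssl/example.org.key;

    # SSLv2 and SSLv3 are left out; only the TLS versions named in the post remain.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Preference order from the post: AES-GCM first, then AES-256, then AES-128,
    # each with an ephemeral ECDH or DH key exchange.
    ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES";
    # Without this the client's order wins and the preference above is ignored.
    ssl_prefer_server_ciphers on;

    # Assumption: DH parameters were saved to their own file with
    #   openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # HSTS: sent on HTTPS responses only. The max-age (seconds) is an assumed value.
    add_header Strict-Transport-Security "max-age=31536000";
}
```

Running `nginx -t` checks the syntax before a reload.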