My SSL is A+ rated!

I just performed some tweaks to my webserver configuration and it now rates A+ on the SSL Labs test.

The less-than-perfect score is due to the lack of some over-restrictive settings. Read more about getting 100% here.

Also, I'm using a virtual host which relies on SNI and older browsers lack support for that. Such browsers won't be able to access my site. I pity them, but I am not bothered about that!

Following feedback from the testing, these are the changes that I made:

  • include intermediate certificate chain (SSLCACertificateFile option).
  • disable SSLv3 (SSLProtocol all -SSLv3)
  • disable RC4 (add !RC4 to SSLCipherSuite)
  • prevent client overriding cipher preference (SSLHonorCipherOrder option).
  • be specific about ciphers (SSLCipherSuite option, and see below).

The choice of ciphers is inspired by this article and resulted in the following selection. Note that the EECDH+aRSA+RC4 entry is inert: a ! rule in an OpenSSL cipher string removes matching suites permanently, so the trailing !RC4 leaves no RC4 suite in the list regardless of what was added earlier.

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

Feel free to re-test the site (or just view the latest report) here.
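Because a cipher string like the one above is only a set of rules, what it actually enables depends on the OpenSSL build that evaluates it. The script below is an added example, not part of the original post: it expands a cipher string with the local OpenSSL (via Python's ssl module), lists the resulting suites in preference order, and flags any that still use an algorithm the post set out to ban or that lack forward secrecy. The PERMISSIVE_CIPHER_STRING used as the "before" setting, the WEAK_MARKERS list and the function names are my own assumptions; the exact expansion (and whether RC4 or 3DES even exist) varies between OpenSSL versions.

```python
"""Expand an OpenSSL/mod_ssl cipher string and flag suites the post set out to ban.

Added example (not from the original post). The expansion uses whatever OpenSSL
the local Python ssl module is linked against, so the exact list differs between
builds; the weak-suite markers and the permissive comparison string are my own
assumptions, not the post's.
"""
import ssl

# The SSLCipherSuite value from the post, verbatim (spaces are valid separators
# in OpenSSL cipher strings, as are ':' and ',').
POST_CIPHER_STRING = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
    "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA "
    "!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
)

# Constructed "before" setting for comparison (assumption): everything the library
# offers except unauthenticated suites, with no kill rules for RC4, 3DES or MD5.
PERMISSIVE_CIPHER_STRING = "ALL:!aNULL"

# Substrings of an OpenSSL suite name that identify the algorithms the post bans
# (RC4, DES/3DES, MD5, NULL encryption, export grade, PSK, SRP, DSS).
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "PSK", "SRP", "DSS")

# Suites whose key exchange gives forward secrecy: ephemeral (EC)DH in TLS <= 1.2,
# and every TLS 1.3 suite (TLS_*), whose key exchange is always ephemeral.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "TLS_")


def expand(cipher_string):
    """Return the suite names OpenSSL selects for cipher_string, in preference order.

    Raises ssl.SSLError if the string selects no TLS 1.2-or-earlier suite at all
    (for example "EECDH+AESGCM !EECDH"), which mod_ssl would likewise reject.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def audit(cipher_string):
    """Expand cipher_string and report suites that violate the post's policy."""
    names = expand(cipher_string)
    weak = [n for n in names if any(marker in n for marker in WEAK_MARKERS)]
    no_pfs = [n for n in names if not n.startswith(FORWARD_SECRET_PREFIXES)]
    return {"suites": names, "weak": weak, "no_forward_secrecy": no_pfs}


def precedes(names, first, second):
    """True if both suites are present and `first` is preferred over `second`."""
    return first in names and second in names and names.index(first) < names.index(second)


if __name__ == "__main__":
    for label, value in (("post", POST_CIPHER_STRING), ("permissive", PERMISSIVE_CIPHER_STRING)):
        report = audit(value)
        print(f"{label}: {len(report['suites'])} suites selected")
        print("  weak:               ", report["weak"] or "none")
        print("  no forward secrecy: ", report["no_forward_secrecy"] or "none")
        print("  order:              ", ", ".join(report["suites"][:6]), "...")
```

Run it once with the string you intend to deploy; the "post" report should list no weak and no non-forward-secret suites, and the order printed is the order the server will honour once SSLHonorCipherOrder is on. If the expansion raises ssl.SSLError, the string selects nothing and httpd would refuse to start with it.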

The next thing to do is centralise the configuration in extra/httpd-ssl.conf. First, include this in httpd.conf:

# Secure (SSL/TLS) connections
<IfModule ssl_module>
  Include conf/extra/httpd-ssl.conf
</IfModule>

Then, in that file:

# Acceptable ciphers
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
SSLProtocol all -SSLv3

and remove the equivalent directives from the individual virtual host blocks. mod_ssl directives set at server level are inherited by every virtual host unless that host overrides them, so a stale per-host SSLCipherSuite or SSLProtocol would silently take precedence over the central one.

Now, with that in place, I also get an A+ for my other virtual hosts too!

And finally, to bask in the glory of my ratings, I can display a badge on my site.

[Badge: SSL Rating]