SSLLabs 100% A+ Help
Right now I'm using:
ssl_ciphers 'ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256';
This gets me a 90% A score.
I want to get 100% on all 4 categories with an A+ rating.
Right now I am getting a 100% on Certificate & Protocol Support.
I am getting 90% on Key Exchange & Cipher Strength.
What ciphers do I need to use to achieve this?
I don't mind killing off access to super old devices. My target demographic is more tech savvy users who aren't going to be using outdated browsers and 10+ year old devices.
Should I just use these? https://ciphersuite.info/cs/?page=1&software=openssl&security=recommended
Can anyone shed some light on this?
Comments
It doesn't matter. You can get an A+ with most of the things being 80%. You just need TLS 1.2 or better with PFS and HSTS with a decent duration.
Ok, I get ya. I know this is pointless and probably overkill, but hypothetically, if someone were to want 100% across the board, what ciphers would they use?
@4pple5auc3
Key exchange means you need a 4096-bit RSA key (or equivalent).
Cipher strength is worthless to change. To get 100, I think you need to use only 256-bit ones and no 128-bit ciphers. If you have only 128-bit you get 80%, if you have 128 and 256 you get 90%, and if you have only 256 you get 100%. It's not worth changing.
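As an added example (not part of the original thread or anyone's posted config), the script below lets the local OpenSSL expand an nginx-style ssl_ciphers string, lists the strength in bits that OpenSSL reports for each suite, scores the result using the 80/90/100 rule given in the reply above, and filters the string down to the 256-bit suites. It also separates the TLS 1.3 suites, which OpenSSL returns no matter what ssl_ciphers says, which is the point a later reply makes about TLS 1.3 cipher suites not being controlled by that directive. The scoring rule is this thread's simplification, not SSL Labs' published rating guide, and key exchange (RSA key size, curves such as X25519) is not modelled here. The sample input is the OP's cipher string, copied as constructed test data.

```python
import ssl

# Constructed input for the example: the ssl_ciphers string from the original post.
OP_CIPHERS = (
    "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-CCM:DHE-RSA-AES256-CCM8:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-CCM:DHE-RSA-AES128-CCM8:"
    "DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256"
)


def expand_cipher_string(ssl_ciphers):
    """Ask the local OpenSSL to expand an nginx-style ssl_ciphers string.

    Returns (tls12, tls13): lists of (name, strength_bits) tuples. Suites that
    OpenSSL does not know are silently dropped; if nothing matches at all,
    set_ciphers() raises ssl.SSLError. The TLS 1.3 suites come back regardless
    of the string, because ssl_ciphers only governs TLS 1.2 and below.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(ssl_ciphers)
    tls12, tls13 = [], []
    for c in ctx.get_ciphers():
        entry = (c["name"], c["strength_bits"])
        if c["protocol"] == "TLSv1.3":
            tls13.append(entry)
        else:
            tls12.append(entry)
    return tls12, tls13


def rate_cipher_strength(strength_bits):
    """Cipher-strength score as described in the reply above (the thread's
    simplification, not SSL Labs' own rating guide):
    only 128-bit suites -> 80, a mix of 128 and 256 -> 90, only 256-bit -> 100."""
    bits = list(strength_bits)
    if not bits:
        return 0
    if all(b >= 256 for b in bits):
        return 100
    if any(b >= 256 for b in bits):
        return 90
    return 80


def score_ssl_ciphers(ssl_ciphers):
    """Score just the TLS 1.2 suites that an ssl_ciphers string selects."""
    tls12, _ = expand_cipher_string(ssl_ciphers)
    return rate_cipher_strength(bits for _, bits in tls12)


def only_256_bit(ssl_ciphers):
    """Return a new ssl_ciphers string keeping only the 256-bit TLS 1.2 suites,
    in the order OpenSSL would offer them."""
    tls12, _ = expand_cipher_string(ssl_ciphers)
    return ":".join(name for name, bits in tls12 if bits >= 256)


if __name__ == "__main__":
    tls12, tls13 = expand_cipher_string(OP_CIPHERS)
    for name, bits in tls12:
        print(f"{bits:>3}-bit  {name}")
    print("TLS 1.2 cipher-strength score:", score_ssl_ciphers(OP_CIPHERS))
    print("TLS 1.3 suites OpenSSL offers anyway:", [n for n, _ in tls13])
    print("256-bit-only ssl_ciphers:", only_256_bit(OP_CIPHERS))
```

Run it with the OP's string and the score comes out at 90 because the AES-128 suites are mixed in; the string from only_256_bit() scores 100 under this rule. The TLS 1.3 list printed last (typically including TLS_AES_128_GCM_SHA256) shows why the later reply warns that ssl_ciphers does not reach TLS 1.3; in nginx the TLS 1.3 suites and the curve list are separate settings (ssl_conf_command Ciphersuites on newer nginx builds, and ssl_ecdh_curve for the X25519 question raised later in the thread).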
That may be true, but sometimes the driving motivation may be a point of pride or a learning opportunity, even if it is not worth the extra effort.
It is like eliminating unimportant compiler warnings in your code. It may not be necessary, but you may have other motivations for doing it.
https://ssl-config.mozilla.org/
This was my nginx snippet to get A+ on SSL Labs:
Combined with:
openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 4096
I now have 100% on ciphers, but still 90% on Key Exchange. Hmm.
I made a new key using: openssl dhparam -out /etc/ssl/private/dhparams_4096.pem 4096
Any ideas?
Using Caddy server gives me an instant A+; I haven't had any of those issues.
Think it might be X25519 causing 90% on key exchange since it's 128-bit.
Yep, that was it, I have 100% on everything now for SSLLabs. Thanks everyone!
I do not recommend aiming for full 100% on SSL Labs. That encourages bad practices and might actually reduce your security.
The big point in their test is that every cipher suite and hash algorithm has to be larger than 256-bit or equivalent. That raises a couple of issues.
Unlike in TLS 1.2 and earlier versions, cipher suites for TLS 1.3 have been drastically reworked and it is now explicitly considered bad practice to touch them. Some libraries do not even expose methods to do so for that very reason. See how even nginx makes it harder for you? But you don't care because you copy-pasted a config from a random Indian site with half of the directives touching unrelated shit, see the green bars all the way to the right and call it a day.
So basically you can either:
or
SSL Labs is a good test in general, but their methodology is not that great anymore.
https://en.wikipedia.org/wiki/Nothing-up-my-sleeve_number
The most important site on the Internet (LowEndTalk) only scores a B.
It's a very bad idea to aim for A+. Check out all the big sites, Google scores a B for example.