TL;DR: this post is about how I improved my site’s HTTPS rating on ssllabs.com from F to A+.
Make HTTPS great again.
Not all HTTPS-enabled sites are created equal, so welcome to the Internet of broken protocols, and pardon my use of a political phrase.
When I set up this site long ago, it was running on VPCs with many components which, by today’s standards, are considered vulnerable: OpenSSL 1.1.0g, PHP 5.4, Apache 2.1 on Debian 7. You name it.
That’s why ssllabs.com used to rate my site as F:
Now it’s rated A+, and I’m pretty proud of it.
Here are the detailed steps I took to get my site from F to A+.
1. First thing first: bye-bye to outdated OpenSSL
The OpenSSL version previously on the box was affected by two critical vulnerabilities: CCS Injection (CVE-2014-0224) and the AES-NI CBC Padding Oracle (CVE-2016-2107). Either one on its own is enough for SSL Labs to report an F.
The fix was fairly simple: upgrade OpenSSL.
sudo apt update && sudo apt upgrade openssl libssl-dev
After that, check the version with openssl version; I got:
OpenSSL 1.1.1d 10 Sep 2019
Note that this shows what the openssl command-line binary links against. Apache loads libssl from the libssl1.1 package (libssl-dev only carries headers), so make sure that package was upgraded too, and restart Apache afterwards: already-running worker processes keep the old library mapped until they are restarted.
2. No more outdated ciphers
SSLLabs also reported two more issues, each of which capped the grade at B:
- “This server accepts RC4 cipher, but only with older protocols. Grade capped to B”
- “This server does not support Forward Secrecy with the reference browsers. Grade capped to B.”
OK, on to finding the Apache2 config files:
# assuming Apache2 is at /etc/apache2
grep -i -r "SSLEngine" /etc/apache2
/etc/apache2/sites-available/default-ssl.conf: SSLEngine on
/etc/apache2/sites-available/diophung.com.conf: SSLEngine on
Here we go: the config files are default-ssl.conf and diophung.com.conf. From there, I removed RC4 because of its known keystream biases, and enabled Forward Secrecy (ECDHE/DHE key exchange) in the config files:
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
Note that the EECDH+aRSA+RC4 and RC4 entries in that list are dead: the trailing !RC4 removes RC4 suites permanently no matter where they appear earlier, which is what we want. Also set SSLHonorCipherOrder on so the server’s order wins; otherwise the client’s preference decides which suite gets negotiated. After that, check the syntax with apachectl configtest, then restart Apache2 and recheck:
apachectl -k restart
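Before restarting, it is worth knowing what a cipher string actually expands to. The following is an added example, not code from the original post: it hands the post’s SSLCipherSuite value to Python’s ssl module, which passes it to the linked OpenSSL’s own cipher-string parser (the same one behind openssl ciphers -v), and audits every resulting TLS 1.2-and-below suite for the two step-2 findings, RC4 and missing forward secrecy, plus 3DES and MD5, which the string also excludes. The weak "ALL:!aNULL:!eNULL" string is a constructed contrast, not a configuration from the post; which suites exist at all depends on the OpenSSL build Python is linked against.

```python
"""Audit what an OpenSSL cipher string really enables (added example).

Python's ssl module hands the string to the linked OpenSSL, so the expansion
is the same one Apache's mod_ssl gets from that OpenSSL. Nothing here touches
the network.
"""
import re
import ssl

# The SSLCipherSuite value from the post, verbatim.
POST_CIPHER_STRING = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
    "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 "
    "!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
)

# Constructed "before" for contrast (not a config from the post): everything
# except unauthenticated and null-encryption suites, which still includes plain
# RSA key exchange. @SECLEVEL=1 pins OpenSSL's built-in default level so the
# result does not depend on the distro's openssl.cnf.
WEAK_CIPHER_STRING = "ALL:!aNULL:!eNULL:@SECLEVEL=1"

_KX = re.compile(r"\bKx=(\S+)")


def expand_cipher_string(cipher_string):
    """Return the TLS 1.2-and-below suites OpenSSL enables for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately and are always forward-secret,
    # so they are left out of a step-2 style audit.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_suite(cipher):
    """List the problems one suite has, in SSL Labs' step-2 terms."""
    name = cipher["name"]
    problems = []
    if "RC4" in name:
        problems.append("RC4")
    if "3DES" in name or "DES-CBC3" in name:
        problems.append("3DES")
    if "MD5" in name:
        problems.append("MD5")
    # OpenSSL describes ECDHE suites as Kx=ECDH and DHE suites as Kx=DH (static
    # ECDH/DH suites were removed in 1.1.0). Anything else, e.g. Kx=RSA, means a
    # leaked server key decrypts every recorded session: no forward secrecy.
    kx = _KX.search(cipher["description"])
    if kx is None or kx.group(1) not in ("ECDH", "DH"):
        problems.append("no forward secrecy")
    return problems


def audit_cipher_string(cipher_string):
    """Map each enabled suite name to its list of problems (empty = fine)."""
    return {c["name"]: audit_suite(c) for c in expand_cipher_string(cipher_string)}


def is_clean(cipher_string):
    """True if the string enables at least one suite and none has a problem."""
    report = audit_cipher_string(cipher_string)
    return bool(report) and not any(report.values())


if __name__ == "__main__":
    for label, cs in (("post", POST_CIPHER_STRING), ("weak", WEAK_CIPHER_STRING)):
        report = audit_cipher_string(cs)
        print(f"{label}: {len(report)} suites, clean={is_clean(cs)}")
        for name, problems in report.items():
            if problems:
                print(f"  {name}: {', '.join(problems)}")
```

Run it on the box that will serve the site, not on a laptop: the point is to see the expansion produced by the OpenSSL Apache is linked against. The post’s string should come back clean with every suite on ECDHE or DHE key exchange; the constructed weak string shows the plain-RSA suites that would fail the forward-secrecy check.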
3. Why stop at A when you can get A+?
At this point ssllabs rated the site A, which is a pretty good result. But I figured I could do even better, and being me, I wouldn’t stop. The next step was to enable HSTS (HTTP Strict Transport Security), which tells browsers that have seen the header once to refuse plain HTTP for the site for max-age seconds.
I opened the Apache2 config files and added this HSTS header (it needs mod_headers enabled, and belongs only in the HTTPS virtual host, since browsers ignore it over plain HTTP):
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Feel free to read up on HSTS if you’re curious. Two caveats before copying this line: includeSubDomains commits every subdomain to HTTPS, and preload asks to be shipped in the browsers’ built-in HSTS list, which takes browser release cycles to get out of again. Only send preload once you are sure every host under the domain can stay HTTPS-only.
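Putting the three steps together, here is an added example of the resulting HTTPS virtual host, not the post’s own configuration: the ServerName, DocumentRoot and certificate paths are placeholders, and the redirect-only port-80 vhost is an addition so first-time visitors reach HTTPS before they have ever seen the HSTS header. Apache does not allow comments on the same line as a directive, so all comments sit on their own lines.

```apache
# Added example, not the post's own config. Placeholders: ServerName,
# DocumentRoot and the certificate paths. Requires mod_ssl and mod_headers
# (a2enmod ssl headers).
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    # Placeholder paths; point these at the real certificate chain and key.
    SSLCertificateFile    /etc/ssl/certs/example.pem
    SSLCertificateKeyFile /etc/ssl/private/example.key

    # Step 1 is an OS-level upgrade (apt), so nothing to configure here, but
    # the new libssl only takes effect once Apache has been restarted.

    # Step 2: no SSLv2/SSLv3, as in the post. Since 2020 SSL Labs also caps
    # the grade at B for TLS 1.0/1.1, so today you would add -TLSv1 -TLSv1.1.
    SSLProtocol all -SSLv2 -SSLv3
    # The server, not the client, picks the suite, so the forward-secret
    # ECDHE/DHE suites at the front of the list win regardless of what the
    # client lists first.
    SSLHonorCipherOrder on
    # The post's list with the dead RC4 tokens dropped; the trailing !RC4
    # removed those suites anyway, so the effective set is unchanged.
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

    # Step 3: HSTS, only on the HTTPS vhost. Two years, all subdomains, and
    # a request for the browsers' preload list; drop "preload" unless every
    # host under the domain can stay HTTPS-only.
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    </IfModule>
</VirtualHost>
</IfModule>

# Plain HTTP only redirects, so a visitor who types the bare hostname lands on
# HTTPS and receives the HSTS header on that first visit.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>
```

Check the file with apachectl configtest before restarting; a typo in SSLCipherSuite or a missing module is reported there rather than by a failed restart.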
After all that, the site is rated A+. I’m pretty happy about it, and as a bonus the site also loads 45% faster. So I strongly recommend you give it a try at https://ssllabs.com and let me know what score you get.