Not all HTTPS sites are created equal. Make HTTPS great again.
Welcome to the Internet of broken protocols, and pardon my reuse of a political phrase. When I set up this site long ago, it was running on VPCs with many components which, by today’s standards, are considered vulnerable: OpenSSL 1.1.0g, PHP 5.4, Apache 2.1 on Debian 7. You name it.
That’s why it was quite embarrassing, yeah, no surprises, to see ssllabs.com rate my site as F:
Enough is enough
Since I had some time and always wanted to dig deeper into these important configurations, I decided to take some steps to improve this score.
First thing first: bye-bye to outdated OpenSSL
The fix was fairly simple: upgrading OpenSSL.
sudo apt update && sudo apt upgrade openssl libssl-dev
After that, check the version:
openssl version
OpenSSL 1.1.1d  10 Sep 2019
And then, no more outdated ciphers
SSLLabs also reported another two issues, each of which caps the grade at B:
- “This server accepts RC4 cipher, but only with older protocols. Grade capped to B”
- “This server does not support Forward Secrecy with the reference browsers. Grade capped to B.”
Ok, onto finding Apache2 config files:
# assuming Apache2 is at /etc/apache2
grep -i -r "SSLEngine" /etc/apache2
/etc/apache2/sites-available/default-ssl.conf:  SSLEngine on
/etc/apache2/sites-available/diophung.com.conf:  SSLEngine on
# Disable SSLv2 and SSLv3; only the TLS versions remain
SSLProtocol all -SSLv2 -SSLv3
# The server, not the client, picks the first mutually supported suite from the list below
SSLHonorCipherOrder on
# ECDHE/DHE key exchange (forward secrecy) with AES-GCM first; the trailing "!" entries remove
# weak suites, and the final !RC4 wins over the RC4 entries named earlier in the string
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
After that, restart Apache2 and recheck:
apachectl -k restart
Why stop at A when you can get A+?
At this step, ssllabs rated the site as A, which is a pretty good result. But I figured I could get an even better result, A+, and being me, I wouldn’t stop. So the next step is to enable HSTS:
I opened up the Apache2 config files and added this HSTS header:
<VirtualHost diophung.com:443>
    # Header directives need mod_headers (a2enmod headers)
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
</VirtualHost>
Feel free to read up about HSTS if you’re curious.
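To check both settings before touching the live server, here is an added example (not code from the original post): it hands the post's SSLCipherSuite string to Python's ssl module, which uses the same OpenSSL cipher-string parser Apache does, lists the suites that would actually be enabled, flags any without forward secrecy or with a weak algorithm in the name, and parses the HSTS header value against the preload-list requirements. The exact suite list depends on the OpenSSL build Python links against (an assumption).

```python
"""Offline audit of an Apache SSLCipherSuite string and an HSTS header value."""
import re
import ssl

# The SSLCipherSuite value from the post, copied here as sample input.
APACHE_CIPHER_SUITE = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
    "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
    "EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES "
    "!MD5 !EXP !PSK !SRP !DSS !RC4"
)

# Algorithm tokens that should never appear in an enabled suite name.
WEAK = re.compile(r"RC4|3DES|DES-CBC|MD5|NULL|EXP|PSK|SRP|DSS")


def audit_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string and report what it would enable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    suites = ctx.get_ciphers()
    names = [s["name"] for s in suites]
    # Forward secrecy needs ephemeral (EC)DH key exchange; every TLS 1.3
    # suite is ephemeral by construction, so only TLS 1.2-and-older are checked.
    no_fs = [s["name"] for s in suites
             if s["protocol"] != "TLSv1.3"
             and s["kea"] not in ("kx-ecdhe", "kx-dhe")]
    return {"suites": names,
            "weak": [n for n in names if WEAK.search(n)],
            "no_forward_secrecy": no_fs}


def check_hsts(header_value):
    """Parse a Strict-Transport-Security value (RFC 6797 directives are
    case-insensitive) and test the preload-list requirements: preload,
    includeSubDomains and a max-age of at least one year (31536000 s)."""
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    max_age = int(directives.get("max-age", "0"))
    eligible = (max_age >= 31536000 and "includesubdomains" in directives
                and "preload" in directives)
    return {"max_age": max_age, "preload_eligible": eligible}


if __name__ == "__main__":
    print(audit_cipher_string(APACHE_CIPHER_SUITE))
    print(check_hsts("max-age=63072000; includeSubdomains; preload"))
```

An empty `weak` list confirms that the final `!RC4` really removes the RC4 entries named earlier in the string; an empty `no_forward_secrecy` list is what clears the second B cap reported above.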
After everything, the site is now rated A+. I’m pretty happy about it, and a bonus is that the site also loads 45% faster. So, I strongly recommend you give it a try: https://ssllabs.com and let me know what score you get.