How to get A+ Score Rating in SSLLabs – Qualys

In this tutorial I'll show you how to harden the SSL/TLS configuration of your web server, whether you use a paid certificate or a free one from Let's Encrypt. Following it gets you an A+ rating in the Qualys SSL Labs test: only modern protocols and ciphers are offered, HSTS keeps browsers on HTTPS, and your IT/eCommerce business gets better protection and more customer confidence.

For CWP (Control Web Panel) go here instead:

Get A+ Score Rating with SSLLabs Qualys in CWP – Control web panel

For Apache :

Create "ssl.conf" in Apache's conf.d directory (or put it elsewhere under the Apache directory and Include it from httpd.conf) and set the protocols and ciphers in it.

Make sure TLS 1.0 and TLS 1.1 are disabled along with SSLv2 and SSLv3 (SSL Labs caps the grade at B while either TLS 1.0 or 1.1 is still offered), and use this cipher list:

eg. ssl.conf :

<IfModule !ssl_module>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>
Listen 443
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"

"all" minus the listed versions leaves TLS 1.2 enabled and, on httpd 2.4.36 or later built against OpenSSL 1.1.1 or later, TLS 1.3 as well, so Apache needs no separate TLS 1.3 line. SSLHonorCipherOrder on makes the server's preference order win over the client's. The EECDH+aRSA!RC4 entry is how this list circulates; OpenSSL reads it as the rule EECDH+aRSA followed by !RC4, which duplicates the later !RC4 and is harmless.

Now add the HSTS header in each domain's HTTPS vhost (this needs mod_headers loaded):

Header always set Strict-Transport-Security "max-age=31536000"

"always" makes Apache send the header on error responses too. Put it only in the :443 vhost, since browsers ignore HSTS received over plain HTTP. SSL Labs requires a max-age of at least 180 days (15552000 seconds) for an A+, which the one year used here satisfies; add includeSubDomains only once every subdomain is served over HTTPS. Also make sure the intermediate certificates are served (SSL Labs reports an incomplete chain and lowers the grade for it); SSLCertificateChainFile is deprecated from httpd 2.4.8 on and the intermediates can instead be appended to the file named in SSLCertificateFile.

eg. where to add in the Apache domain vhost :

SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/mysterydata.com.cert
SSLCertificateKeyFile /etc/pki/tls/private/mysterydata.com.key
SSLCertificateChainFile /etc/pki/tls/certs/mysterydata.com.bundle
Header always set Strict-Transport-Security "max-age=31536000"

For nginx :

In nginx.conf (the http block) make sure these directives are present, replacing any existing ssl_protocols and ssl_ciphers lines.

TLS 1.0 and TLS 1.1 must be disabled, so the protocol line lists only TLS 1.2; use this cipher list with it:

ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";

Now add this HSTS header line to each nginx domain vhost (the server block listening on 443):

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

The always parameter makes nginx send the header on error responses too. includeSubDomains applies the policy to every subdomain, so make sure all of them are reachable over HTTPS before you add it. One nginx caveat: add_header directives are inherited from the enclosing level only when the current level has none of its own, so a location block that sets any add_header (Cache-Control for static files, for example) drops the HSTS header for those URLs unless you repeat the line there.

**For CWP or any other panel whose generated nginx vhosts carry their own (older) "ssl_protocols" line: a setting in a server block overrides the one in nginx.conf, so edit those vhosts too. No nginx vhost should offer TLS 1.0 or TLS 1.1; disable these protocols completely.

eg. where to add in the nginx domain vhost :

ssl_certificate      /home/mystery/conf/ssl.mysterydata.com.pem;
ssl_certificate_key  /home/mystery/conf/ssl.mysterydata.com.key;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

** If your nginx (1.13.0 or later) is built against an OpenSSL version that supports TLS 1.3 (1.1.1 or later), edit nginx.conf and use this instead:

ssl_session_cache   shared:SSL:10m;
ssl_protocols       TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers        "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";

ssl_ciphers only governs the TLS 1.2 suites. The TLS 1.3 suites (TLS_AES_256_GCM_SHA384 and friends) are configured by OpenSSL separately and are all strong, so they need no entry in this list.

Restart the web server and you are done; check your SSL grade online here:
https://www.ssllabs.com/ssltest/
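Before relying on the online grade, you can check the same things from a shell. The script below is an added example, not part of the original post: it probes the host you pass in with openssl s_client for TLS 1.0, 1.1 and 1.2, fetches the Strict-Transport-Security header with curl, and applies the SSL Labs A+ threshold for HSTS (max-age of at least 180 days). The hostname, the file name tls_audit.sh, and the presence of openssl and curl on the PATH are assumptions; run with no argument it only exercises the HSTS rule on constructed header values.

```shell
#!/bin/sh
# Added audit script (not part of the original post). After the configuration
# above is applied it checks from the outside what SSL Labs will look at:
#   1. TLS 1.0 and TLS 1.1 handshakes are refused, TLS 1.2 is accepted
#      (openssl s_client, one probe per protocol)
#   2. the HTTPS response carries Strict-Transport-Security with a max-age of
#      at least 15552000 seconds (180 days), the SSL Labs minimum for an A+
# Assumes openssl and curl are installed. Run as:  sh tls_audit.sh www.example.org
# (any hostname; nothing here is wired to a real site).

# hsts_max_age VALUE -> prints the max-age number from an HSTS header value,
# nothing if it is absent. Directive names are case-insensitive and the value
# may be quoted (RFC 6797).
hsts_max_age() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | tr ';' '\n' \
        | sed -n 's/^[[:space:]]*max-age[[:space:]]*=[[:space:]]*"\{0,1\}\([0-9][0-9]*\)"\{0,1\}.*$/\1/p' \
        | head -n 1
}

# hsts_ok VALUE -> exit 0 when max-age is at least 15552000, 1 otherwise
# (missing header or missing max-age counts as a failure).
hsts_ok() {
    age=$(hsts_max_age "$1")
    [ -n "$age" ] && [ "$age" -ge 15552000 ]
}

# tls_accepted HOST VERSION -> exit 0 when the server completes a handshake with
# VERSION (tls1, tls1_1, tls1_2 or tls1_3). A refused protocol leaves s_client
# printing "Cipher is (NONE)". Caveat: if your local openssl cannot speak
# TLS 1.0/1.1 itself, the probe fails on the client side and looks like a refusal.
tls_accepted() {
    openssl s_client -connect "$1:443" -servername "$1" "-$2" </dev/null 2>/dev/null \
        | grep -q 'Cipher is [A-Z]'
}

# hsts_header HOST -> prints the value of the first Strict-Transport-Security
# header in the HTTPS response (GET, headers dumped, body discarded).
hsts_header() {
    curl -sS --max-time 10 -o /dev/null -D - "https://$1/" \
        | tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 \
        | cut -d: -f2- | sed 's/^[[:space:]]*//'
}

# audit_host HOST -> prints one ok/FAIL line per check.
audit_host() {
    host=$1
    for v in tls1 tls1_1; do
        if tls_accepted "$host" "$v"; then echo "FAIL: $host still accepts $v"
        else echo "ok:   $host refuses $v"; fi
    done
    if tls_accepted "$host" tls1_2; then echo "ok:   $host accepts tls1_2"
    else echo "FAIL: $host does not accept tls1_2 (clients will be locked out)"; fi
    hdr=$(hsts_header "$host")
    if hsts_ok "$hdr"; then echo "ok:   HSTS '$hdr'"
    else echo "FAIL: HSTS header missing or max-age below 180 days: '$hdr'"; fi
}

if [ "$#" -ge 1 ]; then
    audit_host "$1"
else
    # No host given: exercise the HSTS rule on constructed header values.
    for h in 'max-age=31536000; includeSubDomains' 'max-age=300' 'includeSubDomains'; do
        if hsts_ok "$h"; then echo "A+ eligible: $h"; else echo "not enough:  $h"; fi
    done
fi
```

Run it against the public hostname before and after the restart; three "ok" lines plus an accepted TLS 1.2 handshake is the target. If the tls1 probe reports a refusal but your own openssl build cannot negotiate TLS 1.0 (newer builds disable it at the default security level), confirm with the Protocols table of the SSL Labs report, because the refusal may be on the client side.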

Extra work :

You should also add Certification Authority Authorization (CAA) DNS records. They do not change the SSL Labs grade (the report only shows whether they exist), but every CA must look them up before issuing and must refuse a request for your domain if it is not listed, which blocks mis-issuance by CAs you never chose. Read more here: LINK

For example, this CAA record set names exactly the CAs you permit; issue covers ordinary names and issuewild covers wildcard certificates:

mysterydata.com.          300     IN      CAA     0 issue "digicert.com"
mysterydata.com.          300     IN      CAA     0 issuewild "digicert.com"
mysterydata.com.          300     IN      CAA     0 issuewild "letsencrypt.org"
mysterydata.com.          300     IN      CAA     0 issue "letsencrypt.org"
mysterydata.com.          300     IN      CAA     0 issuewild "comodoca.com"
mysterydata.com.          300     IN      CAA     0 issue "comodoca.com"
mysterydata.com.          300     IN      CAA     0 issuewild "globalsign.com"
mysterydata.com.          300     IN      CAA     0 issue "globalsign.com" 
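To see what a CA actually concludes from such a record set, here is an added example that is not part of the original post: a shell script that evaluates CAA records under the RFC 8659 rules (issuewild overrides issue for wildcards, an empty issuer ";" forbids everyone, an unknown critical tag blocks issuance, and a name without records inherits its parent's). The constructed SAMPLE is the record set shown above; LOCKED is a second constructed set, and the dig-based live lookup assumes dig is installed and the file name caa_check.sh is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): evaluate a CAA record set the way
# a CA must under RFC 8659 before issuing for a name. Record lines use the
# format that `dig +short CAA <name>` prints:  <flags> <tag> "<value>"
# Run as:  sh caa_check.sh www.example.org  (any hostname; nothing is wired to
# a real site) or with no argument to evaluate the constructed samples below.

# caa_unknown_critical RECORDS -> exit 0 if some record has the critical flag
# (128) set with a tag this script does not understand; RFC 8659 says a CA
# must not issue at all in that case.
caa_unknown_critical() {
    printf '%s\n' "$1" | awk '
        ($1 + 0) >= 128 && $2 != "issue" && $2 != "issuewild" && $2 != "iodef" { f = 1 }
        END { exit !f }'
}

# caa_relevant_tag RECORDS KIND -> prints the tag governing KIND: "issue" for
# ordinary names; for wildcards "issuewild" when any such record exists,
# otherwise the issue records apply.
caa_relevant_tag() {
    if [ "$2" = issuewild ] && printf '%s\n' "$1" | awk '$2 == "issuewild" { f = 1 } END { exit !f }'; then
        echo issuewild
    else
        echo issue
    fi
}

# caa_count RECORDS TAG -> number of records carrying TAG.
caa_count() {
    printf '%s\n' "$1" | awk -v t="$2" '$2 == t { n++ } END { print n + 0 }'
}

# caa_permitted RECORDS KIND -> prints the CA domains allowed to issue KIND
# ("issue" or "issuewild") certificates, one per line. A value of ";" (empty
# issuer) yields nothing: it means nobody may issue.
caa_permitted() {
    t=$(caa_relevant_tag "$1" "$2")
    printf '%s\n' "$1" | awk -v t="$t" '
        $2 == t {
            v = $0
            sub(/^[^"]*"/, "", v)            # drop flags, tag and opening quote
            sub(/".*$/, "", v)               # drop closing quote and anything after
            sub(/[[:space:]]*;.*$/, "", v)   # drop issuer parameters (";validationmethods=...")
            gsub(/[[:space:]]/, "", v)
            if (v != "") print v
        }'
}

# caa_allows RECORDS KIND CA -> exit 0 if CA (its identifying domain) may issue
# a KIND certificate. With no record of the relevant tag, issuance is unrestricted.
caa_allows() {
    if caa_unknown_critical "$1"; then return 1; fi
    t=$(caa_relevant_tag "$1" "$2")
    if [ "$(caa_count "$1" "$t")" -eq 0 ]; then return 0; fi
    caa_permitted "$1" "$2" | grep -qix "$3"
}

# caa_lookup NAME -> prints the relevant CAA RRset for NAME: the records at
# NAME itself or, if there are none, at the closest parent that has some
# (RFC 8659 section 3). Needs dig and network access.
caa_lookup() {
    name=$1
    while :; do
        rrs=$(dig +short CAA "$name" 2>/dev/null | grep -E '^[0-9]+ ')
        if [ -n "$rrs" ]; then printf '%s\n' "$rrs"; return 0; fi
        case $name in *.*) name=${name#*.} ;; *) return 1 ;; esac
    done
}

# Constructed samples. SAMPLE is the record set from the post above; LOCKED
# permits one CA for ordinary names and forbids every wildcard.
SAMPLE='0 issue "digicert.com"
0 issuewild "digicert.com"
0 issuewild "letsencrypt.org"
0 issue "letsencrypt.org"
0 issuewild "comodoca.com"
0 issue "comodoca.com"
0 issuewild "globalsign.com"
0 issue "globalsign.com"'
LOCKED='0 issue "letsencrypt.org; validationmethods=dns-01"
0 issuewild ";"'

# report LABEL RECORDS -> one line per certificate kind naming who may issue.
report() {
    for kind in issue issuewild; do
        t=$(caa_relevant_tag "$2" "$kind")
        if [ "$(caa_count "$2" "$t")" -eq 0 ]; then who="any CA (no CAA restriction)"
        else who=$(caa_permitted "$2" "$kind" | tr '\n' ' '); [ -n "$who" ] || who="nobody"; fi
        echo "$1: $kind -> $who"
    done
}

if [ "$#" -ge 1 ]; then
    recs=$(caa_lookup "$1") || { echo "no CAA records for $1 or any parent"; exit 1; }
    report "$1" "$recs"
else
    report "sample" "$SAMPLE"
    report "locked" "$LOCKED"
fi
```

Run it with your domain after publishing the records and compare the output with the list you intended; the same lookup works for a hostname such as www.mysterydata.com, which has no records of its own and therefore inherits the zone apex's set.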