你如何使用Let's Encrypt和Nginx在SSL实验室测试的所有类别中获得A + 100分?

时间:2017-01-30 06:23:53

标签: nginx lets-encrypt

在www.ssllabs.com上测试我的SSL证书时,我试图在所有类别上获得100分

然而,我很难在所有分数上获得A +和100分。

有关NGINX配置我应该使用的任何提示吗?或者我应该如何生成我的Let的加密证书? THX

1 个答案:

答案 0 :(得分:49)

这些说明适用于所有证书(包括Let's Encrypt证书)。但是,我们会给出一两个Let的特定提示。

下面给出的NGINX SSL配置将为您提供以下SSL Labs分数。你选择:

<强>推荐

  • A +
  • 证书100/100
  • 协议支持95/100
  • 密钥交换90/100
  • 密码强度90/100

完美但限制性

  • A +
  • 证书100/100
  • 协议支持100/100
  • 密钥交换100/100
  • 密码强度100/100

NGINX SSL配置 - 提取您想要的位数。这些说明澄清了给定的NGINX指令将如何影响您的SSL Labs得分:

# Your listen directive should be .. listen 443 ssl http2;
# gzip off; # gzip over ssl? really?

ssl_certificate      /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key  /etc/letsencrypt/live/yourdomain.com/privkey.pem;

#################### ssllabs.com Protocol Support

ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # Score=95 (recommended)
# ssl_protocols TLSv1.2; # Score=100

#################### ssllabs.com Key Exchange

# Score=90 (recommended)
ssl_dhparam          /etc/letsencrypt/live/yourdomain.com/dhparam2048.pem; # openssl dhparam -out dhparam2048.pem 2048
ssl_ecdh_curve       secp384r1; # optional

# Score=100 (must generate letsencrypt certs with flag --rsa-key-size 4096)
# ssl_dhparam        /etc/letsencrypt/live/yourdomain.com/dhparam4096.pem; # openssl dhparam -out dhparam4096.pem 4096
# ssl_ecdh_curve     secp384r1; # required

#################### ssllabs.com Cipher Strength - see https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:EC
DHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES25
6-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS; # Score=90 (recommended)
# ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; # Score=100

#################### ssllabs.com A+ - Enable HSTS on all subdomains

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# add_header Strict-Transport-Security "max-age=0; includeSubDomains"; # Delete browser cached HSTS policy (i.e. turn HSTS off)

# THE PRELOAD DIRECTIVE WILL HAVE SEMI-PERMANENT CONSEQUENCE AND IS IRREVERSIBLE - DO NOT USE UNTIL FULLY TESTED AND YOU UNDERSTAND WHAT YOU ARE DOING!
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

#################### Other typical SSL settings that DO NOT effect the ssllabs.com score

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;

add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

注意,如果你的:

,你只能在密钥交换上获得100
  • 证书RSA密钥大小为4096(对于Let&#39的加密,在生成证书时使用--rsa-key-size 4096,否则您将无法使用CA为您生成证书时使用的RSA密钥大小)和
  • dhparam是4096(openssl dhparam -out dhparam4096.pem 4096) - 这需要大约1个小时来生成,对于自动化解决方案毫无用处

修改

  • 2048年的安全性足以满足未来40年的需求。没有人破解1024,更不用说2048了!

  • openssl dhparam -dsaparam -out dhparam4096.pem 4096 ...比一小时快得多(参见-dsaparam旗)但我不知道你是否应该使用它...我没有在SSL实验室测试中测试过,因为我正在使用2048

相关问题
最新问题