SSL Cipher Suite Security A or better at SSLlabs.com


A to A+ grade SSL Security

Obtaining an A or better grade from ssllabs.com for your site (InterWorx or cPanel hosted) is fairly simple.

  1. First, SSH into your server or VM.

  2. Next, use vi(m) or nano to edit /etc/httpd/conf.d/vhost_domain-name.conf (where domain-name is your domain, e.g. vhost_8dweb.com.conf).

  3. Scroll down to:

  4. Add the following under that tag: Header add Strict-Transport-Security "max-age=63072000;"
     Or, if you have a wildcard SSL certificate: Header add Strict-Transport-Security "max-age=63072000; includeSubDomains"
     To better understand HSTS (HTTP Strict Transport Security), read: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

  5. Now go to the bottom of the file, where you should see: SSLEngine on

    Under that add the following:
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On

  6. Comment out the existing SSLCipherSuite line by adding # at the start of that line, or remove it.

  7. Insert a new SSLCipherSuite line (choose the one labeled Modern Browsers for most applications). You can simply copy both sets below and uncomment the one that meets your site's requirements:
     #Very Strict
     #SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

     #Modern Browsers
     SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256


  8. Save that file and restart Apache: service httpd restart
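Before running the SSL Labs test, the vhost fragment the steps above produce can be sanity-checked offline. The following is an added example, not code from the original post: a small Python lint that resolves SSLProtocol to the versions still enabled, checks SSLHonorCipherOrder, the HSTS max-age and the active SSLCipherSuite for weak entries. The sample fragment and the 180-day HSTS threshold are this example's own assumptions.

```python
import re

# Constructed sample: the vhost fragment this page's steps leave you with (cipher list shortened).
GOOD_VHOST = """
Header add Strict-Transport-Security "max-age=63072000; includeSubDomains"
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
#SSLCipherSuite ECDH+AESGCM:ECDH+3DES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256
"""

KNOWN_PROTOCOLS = {"SSLV2", "SSLV3", "TLSV1", "TLSV1.1", "TLSV1.2", "TLSV1.3"}
HSTS_MIN_AGE = 15552000  # 180 days: this example's own threshold for a "long" max-age (assumption)
WEAK_CIPHER_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ANON")  # also matches 3DES, aNULL, eNULL

def parse_directives(text):
    """Map lowercased directive name -> list of values, skipping blank and '#'-commented lines."""
    conf = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            conf.setdefault(name.lower(), []).append(value.strip())
    return conf

def enabled_protocols(value):
    """Resolve an SSLProtocol value; 'all' is treated conservatively as every known version."""
    enabled = set()
    for tok in value.upper().split():
        if tok == "ALL":
            enabled |= KNOWN_PROTOCOLS
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled

def lint_vhost(text):
    """Return a list of findings; an empty list means the fragment matches this page's target."""
    conf = parse_directives(text)
    legacy = enabled_protocols(conf.get("sslprotocol", ["all"])[-1]) & {"SSLV2", "SSLV3"}  # default: all
    findings = ["SSLProtocol still allows " + p for p in sorted(legacy)]
    if conf.get("sslhonorcipherorder", [""])[-1].lower() != "on":
        findings.append("SSLHonorCipherOrder is not On")
    age = re.search(r"strict-transport-security.*max-age=(\d+)", "\n".join(conf.get("header", [])), re.I)
    if not age or int(age.group(1)) < HSTS_MIN_AGE:
        findings.append("HSTS header missing or max-age below %d" % HSTS_MIN_AGE)
    for suite in conf.get("sslciphersuite", [""])[-1].split(":"):
        if not suite.startswith("!") and any(t in suite.upper() for t in WEAK_CIPHER_TOKENS):
            findings.append("weak cipher entry: " + suite)
    return findings
```

Run `lint_vhost(open("/etc/httpd/conf.d/vhost_yourdomain.conf").read())` against your own file; an empty list means the directives above are in place.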

Optional: redirect non-HTTPS to HTTPS via .htaccess (located at the root of your website)

Edit or create the .htaccess file at /home/username/yourdomainname.com/html/.htaccess

Add the following near the top of the file (if you have an existing file, insert it above the other directives).


  RewriteEngine On
  # Send any plain-HTTP request to the same host and path over HTTPS, as a permanent redirect
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Save, then test at: https://www.ssllabs.com/ssltest/analyze.html?d=yourdomainname.com (replace yourdomainname.com with your actual domain).
