I’ve decided to enable SSL on my personal site https://palmerit.net
I installed nginx on an Ubuntu 14.04 LTS server, generated a private SSL key, created a SHA-256 certificate signing request, and then went to NameCheap to have it signed. (As a side note, I can’t wait for Let’s Encrypt to launch.)
I enabled SSL on nginx, and decided to check out which ciphers were allowed out of the box.
I’ve snipped the output for brevity, but of particular concern was this section:
You may have read about POODLE recently, and the best way to prevent it is to disable SSLv3.
After seeing this result, I went to SSL Labs to see what else I needed to disable.
After the initial scan, I had a C rating. I knew that, at a minimum, I needed to disable SSLv3, but I also decided to enable some of the newer technologies such as SPDY, HSTS, and OCSP stapling.
The end result was a configuration that looked like this:
In the main server block for palmerit.net, I added:
I then created /etc/nginx/ssl.inc which contained the following:
The final result from an SSL Labs scan: A+
Keep in mind that I used a very restrictive cipher suite. This will block older clients from connecting. I personally don’t mind this (I think people should be using modern browsers and software), but you might not want to lock older clients out of your site.
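As an added example (not the author’s ssl.inc, and not part of nginx itself), here is a small Python checker that reads a flat nginx server block and flags the gaps this post closes: SSLv3 still allowed, no HSTS header, no OCSP stapling, and no SPDY on the listen directive. The two embedded configs are constructed for illustration; example.invalid is a placeholder hostname.

```python
# Constructed sample of an nginx server block (not the author's real config):
# the "before" state, with SSLv3 still enabled and none of the hardening applied.
WEAK_CONF = """
server {
    listen 443 ssl;
    server_name example.invalid;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""

# Constructed hardened counterpart: SSLv3 gone (POODLE), SPDY, HSTS, OCSP stapling.
HARDENED_CONF = """
server {
    listen 443 ssl spdy;
    server_name example.invalid;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
"""

def directives(conf):
    """Yield (name, args) for each simple directive; a line-based parser that
    skips block braces and comments (enough for flat server blocks like these)."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")
        if not line or line.endswith("{") or line == "}":
            continue
        parts = line.split()
        yield parts[0], parts[1:]

def audit(conf):
    """Return the list of hardening gaps found in a server block (empty = passes)."""
    found = {}
    for name, args in directives(conf):
        found.setdefault(name, []).append(args)
    findings = []
    for args in found.get("ssl_protocols", []):
        if "SSLv3" in args or "SSLv2" in args:
            findings.append("ssl_protocols still allows SSLv2/SSLv3 (POODLE)")
    if not any(a and a[0] == "Strict-Transport-Security" for a in found.get("add_header", [])):
        findings.append("no HSTS header")
    if ["on"] not in found.get("ssl_stapling", []):
        findings.append("OCSP stapling not enabled")
    if not any("spdy" in a for a in found.get("listen", [])):
        findings.append("SPDY not enabled on the listen directive")
    return findings
```

Paste your own server block into `audit()` before running an SSL Labs scan; the parser is line-based and only handles flat blocks without nested braces.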