I’ve decided to enable SSL on my personal site https://palmerit.net
I installed nginx on a ubuntu 14.04 LTS server, generated a private SSL key, created a sha256 certificate signing request, and then went to NameCheap to have it signed. (As a side note, I can’t wait for Lets Encrypt to launch.)
I enabled SSL on nginx, and decided to check out which ciphers were allowed out of the box.
openssl s_client -connect https://palmerit.net
I’ve snipped the output for brevity, but of particular concern was this section:
ssl-enum-ciphers: SSLv3 ciphers: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong TLS_RSA_WITH_AES_128_CBC_SHA - strong TLS_RSA_WITH_AES_256_CBC_SHA - strong TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong compressors: NULL
The end result was a configuration that looked like this:
In the main server block for palmerit.net, I added:
listen 443 ssl spdy; include ssl.inc;
I then created
/etc/nginx/ssl.inc which contained the following:
ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL'; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:10m; ssl_stapling on; ssl_stapling_verify on; resolver 184.108.40.206 220.127.116.11 valid=300s; resolver_timeout 10s; ssl_prefer_server_ciphers on; ssl_dhparam /etc/ssl/certs/dhparam.pem; add_header Strict-Transport-Security max-age=63072000; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff;
I decided to create this as an include in case I later decide to add additional “nginx server blocks”.
The final result from an SSL Labs scan:
Keep in mind, I used a very restrictive CipherSuite. This will block older clients from being able to connect. I personally don’t mind this(Personally, I think people should be using modern browsers and software), but you might not want to prohibit older clients to your site.
References: - Raymii.org - Strong SSL on nginx