在使用 Let's Encrypt 和 Nginx 进行的 SSL 实验室测试中,您如何在所有类别中获得 A+ 100 分?
How do you score A+ with 100 on all categories on SSL Labs test with Let's Encrypt and Nginx?
在 www.ssllabs.com
测试我的 SSL 证书时,我试图在所有类别中获得 100 分
但是,我正在努力获得所有分数的 A+ 和 100。
关于我应该使用什么 NGINX 配置的任何提示?或者我应该如何生成我的 Let's Encrypt 证书?谢谢
这些说明适用于所有证书(包括 Let's Encrypt 证书)。但是,给出了一两个 Let's Encrypt 具体提示。
下面给出的 NGINX SSL 配置将为您提供以下 SSL 实验室分数。您选择:
推荐
- A+
- 证书 100/100
- 协议支持 95/100
- 密钥交换 90/100
- 密码强度 90/100
完美但有限制
- A+
- 证书 100/100
- 协议支持 100/100
- 密钥交换 100/100
- 密码强度 100/100
NGINX SSL 配置 - 提取您想要的位。这些说明阐明了给定的 NGINX 指令将如何影响您的 SSL 实验室分数:
# Your listen directive should be .. listen 443 ssl http2;
# gzip off; # gzip over ssl? really?
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
#################### ssllabs.com Protocol Support
ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # Score=95 (recommended)
# ssl_protocols TLSv1.2; # Score=100
#################### ssllabs.com Key Exchange
# Score=90 (recommended)
ssl_dhparam /etc/letsencrypt/live/yourdomain.com/dhparam2048.pem; # openssl dhparam -out dhparam2048.pem 2048
ssl_ecdh_curve secp384r1; # optional
# Score=100 (must generate letsencrypt certs with flag --rsa-key-size 4096)
# ssl_dhparam /etc/letsencrypt/live/yourdomain.com/dhparam4096.pem; # openssl dhparam -out dhparam4096.pem 4096
# ssl_ecdh_curve secp384r1; # required
#################### ssllabs.com Cipher Strength - see https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:EC
DHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES25
6-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS; # Score=90 (recommended)
# ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; # Score=100
#################### ssllabs.com A+ - Enable HSTS on all subdomains
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# add_header Strict-Transport-Security "max-age=0; includeSubDomains"; # Delete browser cached HSTS policy (i.e. turn HSTS off)
# THE PRELOAD DIRECTIVE WILL HAVE SEMI-PERMANENT CONSEQUENCE AND IS IRREVERSIBLE - DO NOT USE UNTIL FULLY TESTED AND YOU UNDERSTAND WHAT YOU ARE DOING!
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
#################### Other typical SSL settings that DO NOT effect the ssllabs.com score
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
请注意,只有满足以下条件,您才能在密钥交换中获得 100:
- certificates RSA key size is 4096 (Let's Encrypt use --rsa-key-size 4096 when generating the cert otherwise you can stuck with the RSA key size used when your CA generate the cert for you) AND
- dhparam 是 4096 (openssl dhparam -out dhparam4096.pem 4096) - 生成大约需要 1 小时,对于自动化解决方案毫无用处
编辑
2048 足以保证未来 40 年的安全。从来没有人破解过 1024,更不用说破解 2048 了!
openssl dhparam -dsaparam -out dhparam4096.pem 4096 ...比一小时快得多(见 -dsaparam 标志)但我不知道你是否应该使用它...因为我要使用 2048
在 www.ssllabs.com
测试我的 SSL 证书时,我试图在所有类别中获得 100 分但是,我正在努力获得所有分数的 A+ 和 100。
关于我应该使用什么 NGINX 配置的任何提示?或者我应该如何生成我的 Let's Encrypt 证书?谢谢
这些说明适用于所有证书(包括 Let's Encrypt 证书)。但是,给出了一两个 Let's Encrypt 具体提示。
下面给出的 NGINX SSL 配置将为您提供以下 SSL 实验室分数。您选择:
推荐
- A+
- 证书 100/100
- 协议支持 95/100
- 密钥交换 90/100
- 密码强度 90/100
完美但有限制
- A+
- 证书 100/100
- 协议支持 100/100
- 密钥交换 100/100
- 密码强度 100/100
NGINX SSL 配置 - 提取您想要的位。这些说明阐明了给定的 NGINX 指令将如何影响您的 SSL 实验室分数:
# Your listen directive should be .. listen 443 ssl http2;
# gzip off; # gzip over ssl? really?
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
#################### ssllabs.com Protocol Support
ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # Score=95 (recommended)
# ssl_protocols TLSv1.2; # Score=100
#################### ssllabs.com Key Exchange
# Score=90 (recommended)
ssl_dhparam /etc/letsencrypt/live/yourdomain.com/dhparam2048.pem; # openssl dhparam -out dhparam2048.pem 2048
ssl_ecdh_curve secp384r1; # optional
# Score=100 (must generate letsencrypt certs with flag --rsa-key-size 4096)
# ssl_dhparam /etc/letsencrypt/live/yourdomain.com/dhparam4096.pem; # openssl dhparam -out dhparam4096.pem 4096
# ssl_ecdh_curve secp384r1; # required
#################### ssllabs.com Cipher Strength - see https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:EC
DHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES25
6-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS; # Score=90 (recommended)
# ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; # Score=100
#################### ssllabs.com A+ - Enable HSTS on all subdomains
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# add_header Strict-Transport-Security "max-age=0; includeSubDomains"; # Delete browser cached HSTS policy (i.e. turn HSTS off)
# THE PRELOAD DIRECTIVE WILL HAVE SEMI-PERMANENT CONSEQUENCE AND IS IRREVERSIBLE - DO NOT USE UNTIL FULLY TESTED AND YOU UNDERSTAND WHAT YOU ARE DOING!
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
#################### Other typical SSL settings that DO NOT effect the ssllabs.com score
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
请注意,只有满足以下条件,您才能在密钥交换中获得 100:
- certificates RSA key size is 4096 (Let's Encrypt use --rsa-key-size 4096 when generating the cert otherwise you can stuck with the RSA key size used when your CA generate the cert for you) AND
- dhparam 是 4096 (openssl dhparam -out dhparam4096.pem 4096) - 生成大约需要 1 小时,对于自动化解决方案毫无用处
编辑
2048 足以保证未来 40 年的安全。从来没有人破解过 1024,更不用说破解 2048 了!
openssl dhparam -dsaparam -out dhparam4096.pem 4096 ...比一小时快得多(见 -dsaparam 标志)但我不知道你是否应该使用它...因为我要使用 2048
,所以还没有在 SSL Labs 测试中对其进行测试