How to get A+ Score Rating in SSLLabs – Qualys

by Sandeep B.

In this tutorial I’ll show you how to improve the security of your SSL/TLS setup, whether you use a paid certificate or a free one from Let’s Encrypt. Following it will get you an A+ rating in SSL Labs, a high level of TLS security, and a stronger security posture for your IT/eCommerce business, which helps build customer confidence and loyalty.

For Apache :

Create “ssl.conf” in the Apache conf.d directory and add or edit the cipher settings in it. You can also create it in the Apache directory and include “ssl.conf” from apache/httpd.conf:

Make sure the TLS 1.0 and TLS 1.1 protocols are disabled and add these cipher settings:

<IfModule !ssl_module>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>
Listen 443
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"


Now add the HSTS header in the domain vhosts:

Header always set Strict-Transport-Security "max-age=31536000"

e.g. where to add it in an Apache domain vhost:

SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/mysterydata.com.cert
SSLCertificateKeyFile /etc/pki/tls/private/mysterydata.com.key
SSLCertificateChainFile /etc/pki/tls/certs/mysterydata.com.bundle
Header always set Strict-Transport-Security "max-age=31536000"  

For nginx :

In nginx.conf make sure these cipher settings are present, or replace the existing ones with them.

Make sure the TLS 1.0 and TLS 1.1 protocols are disabled and add these cipher settings:

ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";

Now add this HSTS header line in the nginx domain vhost:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

**For CWP or any other panel whose nginx domain vhosts contain a per-domain SSL protocol setting, edit those too, so that no domain or subdomain still allows TLS 1.0 or TLS 1.1.

e.g. where to add it in an nginx domain vhost:

ssl_certificate      /home/mystery/conf/ssl.mysterydata.com.pem;
ssl_certificate_key  /home/mystery/conf/ssl.mysterydata.com.key;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

** If you have a recent nginx and OpenSSL version that support TLS 1.3, edit nginx.conf and use this instead:

ssl_session_cache   shared:SSL:10m;
ssl_protocols       TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers        "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";

Restart the web servers and you’re done. You can check your SSL grade online here:
https://www.ssllabs.com/ssltest/
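Before re-running the SSL Labs test, it is useful to audit the edited files for the three things this tutorial changes. The following script is an added example, not part of the original post; the sample fragments, the function names and the 6-month HSTS threshold (which SSL Labs documents as the A+ requirement) are assumptions of this example.

```shell
# Added audit script (not from the original post): checks an Apache or nginx TLS
# fragment for what this tutorial changes: legacy protocols off, server cipher order
# on, HSTS with max-age >= 6 months (15552000 s, SSL Labs' A+ threshold; assumption).

# Constructed sample fragments (not real server files).
GOOD_NGINX='ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;'
BAD_APACHE='SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age=300"'

# has_token LINE TOKEN: true if TOKEN is a whole word (so TLSv1 never matches TLSv1.1)
has_token() {
    printf '%s\n' "$1" | grep -qE -- '(^|[[:space:]"+])'"$2"'([[:space:]";]|$)'
}

# proto_enabled PROTO_LINE VERSION: true if VERSION stays negotiable. Apache uses
# "all" with -VER exclusions (or +VER); nginx lists only the enabled versions.
proto_enabled() {
    has_token "$1" "-$2" && return 1
    has_token "$1" "$2" && return 0
    has_token "$1" all
}

# hsts_max_age CONFIG: prints max-age from the uncommented HSTS header line, or 0
hsts_max_age() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -i 'Strict-Transport-Security' \
        | sed -nE 's/.*max-age=([0-9]+).*/\1/p' | head -n1 | grep . || echo 0
}

# audit_tls_config CONFIG: prints findings; returns 0 only when every check passes
audit_tls_config() {
    conf=$1; rc=0
    proto=$(printf '%s\n' "$conf" | grep -iE '^[[:space:]]*(SSLProtocol|ssl_protocols)[[:space:]]' | head -n1)
    [ -n "$proto" ] || { echo "FAIL: no protocol directive, server default applies"; rc=1; }
    for ver in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        proto_enabled "$proto" "$ver" && { echo "FAIL: $ver still negotiable"; rc=1; }
    done
    printf '%s\n' "$conf" | grep -qiE '^[[:space:]]*(SSLHonorCipherOrder|ssl_prefer_server_ciphers)[[:space:]]+on[[:space:];]*$' \
        || { echo "FAIL: server cipher order not enforced"; rc=1; }
    age=$(hsts_max_age "$conf")
    [ "$age" -ge 15552000 ] || { echo "FAIL: HSTS max-age $age is below 6 months"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS: protocols, cipher order and HSTS look A+-ready"
    return "$rc"
}

audit_tls_config "$GOOD_NGINX"
audit_tls_config "$BAD_APACHE" || echo "(constructed bad fragment fails as expected)"
```

To audit a real file, pass its contents, e.g. `audit_tls_config "$(cat /etc/nginx/nginx.conf)"`; the check only covers the directives this tutorial edits, so a PASS here does not replace the SSL Labs test itself.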


10 comments

Jose April 10, 2020 - 3:25 pm

Hello!

I can’t understand how to perform the steps. Can you tell me the exact paths of the files to be modified in CWP?

Sandeep B. April 10, 2020 - 3:31 pm

FOR CWP :-
apache ssl.conf location :
/usr/local/apache/conf.d/ssl.conf

and apache vhosts are in :
/usr/local/apache/conf.d/vhosts/

nginx conf location :
/etc/nginx/nginx.conf

and nginx vhosts are in :
/etc/nginx/conf.d/vhosts/

Jose April 10, 2020 - 3:44 pm

Nothing, I just can’t get over the letter B. Does CWP need to change anything else?

Image: https://i.gyazo.com/1148e1d6819b1f498f015f3a27835913.png

Sandeep B. April 10, 2020 - 3:53 pm

thanks for the report, I’ve updated the post to achieve it.

Added the option to disable the TLS 1.0 and TLS 1.1 SSL protocols:
apache :
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

and for nginx
ssl_protocols TLSv1.2;

Jose April 10, 2020 - 4:20 pm

I can’t get it to work with CWP.

It doesn’t increase from the letter B, the same as the previous capture.

This is what I have written in the files:

/usr/local/apache/conf.d/ssl.conf – https://i.gyazo.com/3182570f7e81a888674cd7175be1e3b9.png

/usr/local/apache/conf.d/vhosts/ – https://i.gyazo.com/2550ca24676d991010272bc920d4641f.png

/etc/nginx/nginx.conf – https://i.gyazo.com/8d0a35a9f78882cbaa14551ea0e70cfe.png

/etc/nginx/conf.d/vhosts/ – https://i.gyazo.com/20b023d7b630c968b98be1a02de93463.png

I reboot both Apache and Nginx and everything stays the same…

Sandeep B. April 10, 2020 - 4:30 pm

Did you run the test again?

Jose April 10, 2020 - 4:33 pm
Sandeep B. April 10, 2020 - 4:34 pm

Go to the initial test page and don’t refresh the result page.

Jose April 10, 2020 - 4:44 pm

Nothing, I’ve done it again, I’ve clicked where it says clear cache, and it’s still the same.

I’m going to try to open a ticket through the CWP support system, so I can send the data and see if they can tell me where the problem is.

Greetings!

Jose April 10, 2020 - 4:49 pm

I have already opened the ticket: #381607 to see if support can help me 😉
