Get that perfect score on Qualys SSL check

Well, to get a 100 score on the Qualys SSL Labs test you trade off a lot of compatibility for security, but why not? :)

Here is my apache configuration at the moment:

    # To get a 100 score on protocol support, you can only allow TLSv1.2
    SSLProtocol -all +TLSv1.2
    SSLHonorCipherOrder on
    # The following configuration will give you a 100 score for cipher strength, basically only use 256 bit encryption :)
    # (note the ":" before "!aNULL": OpenSSL cipher strings are colon-separated, so "RSA+AESGCM!aNULL" is an invalid token)
    SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES128:RSA+AESGCM:!aNULL:!MD5:!DSS:!LOW:!MEDIUM"
    # OCSP stapling and HSTS (may need to enable the headers module with the "a2enmod headers" command)
    SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
    SSLUseStapling on
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    # Contact your CA or check their FAQ for where you can download the intermediate certificate chain file.
    # I use a free certificate from StartSSL and the intermediate cert can be downloaded here: http://www.startssl.com/certs/sub.class1.server.ca.pem
    SSLCertificateChainFile /etc/apache2/certs/sub.class1.server.ca.pem

    <VirtualHost *:443>
    ServerName      yourdomain.com
    SSLEngine on
    SSLCertificateFile     /etc/apache2/certs/yourdomain.crt
    SSLCertificateKeyFile  /etc/apache2/certs/yourdomain.key
    SSLCertificateChainFile /etc/apache2/certs/sub.class1.server.ca.pem
    # Set up public key pinning. The pin is the base64 SHA-256 of the DER-encoded public key (SubjectPublicKeyInfo),
    # not of the key file itself, so extract the public key in DER form first:
    # openssl pkey -in yourdomain.key -pubout -outform der | openssl dgst -sha256 -binary | openssl enc -base64
    Header set Public-Key-Pins "pin-sha256=\"<Your generated base64 encoded sha256 of server public key>\"; max-age=2592000; includeSubDomains"
    </VirtualHost>
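
As an added example (not part of the original post or its Apache config), here is a stdlib-only Python check for the `Public-Key-Pins` header: it derives `pin-sha256` the way RFC 7469 defines it (SHA-256 over the DER SubjectPublicKeyInfo, which is the body of an `openssl pkey -pubout` PEM block) and flags a header whose pin does not match the deployed key or that lacks the backup pin browsers require. The key bytes and header values are constructed samples, not a real key.

```python
import base64
import hashlib
import re

# Constructed sample (not a real key): the body of a "-----BEGIN PUBLIC KEY-----" block
# is the base64 DER SubjectPublicKeyInfo, which is what an HPKP pin must hash.
SAMPLE_SPKI_DER = b"constructed-subjectpublickeyinfo-bytes-not-a-real-key"
SAMPLE_PUBKEY_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                     + base64.encodebytes(SAMPLE_SPKI_DER).decode()
                     + "-----END PUBLIC KEY-----\n")


def pin_for_der(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def spki_pin_from_pem(pem: str) -> str:
    """Strip the PEM armour, decode to DER, and pin that (not the PEM file bytes)."""
    body = "".join(line for line in pem.splitlines() if line and not line.startswith("-----"))
    return pin_for_der(base64.b64decode(body))


def check_hpkp(header: str, pubkey_pem: str) -> list:
    """Return the problems a browser would find in this header for the deployed key."""
    pins = re.findall(r'pin-sha256="([^"]+)"', header)
    max_age = re.search(r"max-age=(\d+)", header)
    problems = []
    if spki_pin_from_pem(pubkey_pem) not in pins:
        problems.append("no pin matches the deployed public key")
    if len(set(pins)) < 2:
        problems.append("fewer than two distinct pins (RFC 7469 requires a backup pin)")
    if max_age is None:
        problems.append("max-age directive missing")
    return problems


# Constructed headers: a correct one, one missing the backup pin, and one that pins the
# SHA-256 of the key file's bytes (what hashing the .key file directly yields) instead of the DER SPKI.
LIVE_PIN = spki_pin_from_pem(SAMPLE_PUBKEY_PEM)
BACKUP_PIN = pin_for_der(b"constructed-offline-backup-key-spki")
GOOD_HEADER = f'pin-sha256="{LIVE_PIN}"; pin-sha256="{BACKUP_PIN}"; max-age=2592000; includeSubDomains'
NO_BACKUP_HEADER = f'pin-sha256="{LIVE_PIN}"; max-age=2592000; includeSubDomains'
FILE_HASH_HEADER = (f'pin-sha256="{pin_for_der(SAMPLE_PUBKEY_PEM.encode())}"; '
                    f'pin-sha256="{BACKUP_PIN}"; max-age=2592000')
```

Run `check_hpkp` against the header you actually serve (for example from `curl -sI https://yourdomain.com`) and the public key extracted from the live certificate; an empty list means the pin set is consistent with the deployed key.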

Below is the ebfe.pw score at the time of writing :)

This rating has since changed, as I disabled some features for security testing reasons :)
