Get that perfect score on Qualys SSL check

Well, to get a 100 score on Qualys SSL Labs you trade away a lot of compatibility for security, but why not? :)

Here is my Apache configuration at the moment:

    # To get 100 on protocol support, allow only TLSv1.2
    SSLProtocol -all +TLSv1.2
    SSLHonorCipherOrder on
    # For 100 on cipher strength every offered suite must use 256-bit
    # encryption. The original post omitted the directive; the AES-256-GCM
    # ECDHE/DHE list below is one selection that satisfies it.
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
    # OCSP stapling (the cache must be defined in the server-wide context,
    # not inside a VirtualHost) and HSTS. The Header directive needs
    # mod_headers: "a2enmod headers".
    SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
    SSLUseStapling on
    # Two years, including subdomains. Browsers only honour HSTS received
    # over HTTPS, so the copy sent on port 80 is ignored.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    # Ask your CA (or check their FAQ) where to download the intermediate
    # certificate chain file. I use a free certificate from StartSSL, and
    # the intermediate cert can be downloaded from their site:
    SSLCertificateChainFile /etc/apache2/certs/

    <VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile     /etc/apache2/certs/yourdomain.crt
    SSLCertificateKeyFile  /etc/apache2/certs/yourdomain.key
    SSLCertificateChainFile /etc/apache2/certs/
    # Public key pinning (HPKP). The pin is the base64 SHA-256 of the DER
    # SubjectPublicKeyInfo, i.e. derived from the PUBLIC key, not a digest
    # of the private key file:
    #   openssl pkey -in yourdomain.key -pubout -outform DER \
    #     | openssl dgst -sha256 -binary | openssl enc -base64
    # RFC 7469 requires at least two pins, one of them a backup key that is
    # not in the served chain, or browsers ignore the header. HPKP has since
    # been removed from major browsers, so treat this part as historical.
    Header set Public-Key-Pins "pin-sha256=\"<base64 SPKI hash of server public key>\"; pin-sha256=\"<base64 SPKI hash of backup key>\"; max-age=2592000; includeSubDomains"
    </VirtualHost>
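Deriving the pin the way RFC 7469 defines it, and checking what a deployed host actually negotiates, as an added shell example (my code, not the original post's). It assumes the `openssl` CLI and `curl` are installed; the key and certificate file names, `example.invalid` and the host given to `check_server` are placeholders, and the key pair it generates is constructed test material.

```shell
#!/bin/sh
# Added example, not part of the original post: derive an HPKP pin the way
# RFC 7469 defines it (SHA-256 over the DER SubjectPublicKeyInfo) and check
# a deployed server. Assumes the openssl CLI and curl are installed; file
# and host names are placeholders.
set -e

# Correct pin from the server's private key: export the PUBLIC key as DER
# SPKI, hash it, base64-encode the 32-byte digest (44 characters).
spki_pin_from_key() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -binary | openssl enc -base64
}

# Same pin derived from the certificate instead; the two must agree, which
# is a cheap check that the deployed cert matches the pinned key.
spki_pin_from_cert() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary | openssl enc -base64
}

# What "openssl dgst -sha256 -binary yourdomain.key" actually computes: a
# digest of the PEM file bytes. Shown only to demonstrate it is not a pin.
digest_of_key_file() {
    openssl dgst -sha256 -binary "$1" | openssl enc -base64
}

# Build the Apache directive with a primary and a backup pin. Browsers that
# implemented HPKP ignored the header unless at least two pins were present.
hpkp_header() {
    printf 'Header always set Public-Key-Pins "pin-sha256=\\"%s\\"; pin-sha256=\\"%s\\"; max-age=2592000; includeSubDomains"\n' "$1" "$2"
}

# Constructed test material: a throwaway RSA key and matching self-signed
# certificate so everything above can run offline. Prints the directory.
make_test_material() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=example.invalid" >/dev/null 2>&1
    echo "$dir"
}

# Live check of a deployed host (needs network, so not run by the demo
# below): negotiated protocol, stapled OCSP response and the HSTS header.
# Each grep fails the function if the expected line is missing.
check_server() {
    host=$1
    out=$(openssl s_client -connect "$host:443" -servername "$host" -status </dev/null 2>/dev/null)
    echo "$out" | grep 'Protocol *:'                  # expect TLSv1.2
    echo "$out" | grep 'OCSP Response Status'         # expect successful (0x0)
    curl -sI "https://$host/" | grep -i '^strict-transport-security'
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_test_material)
    k=$(spki_pin_from_key "$d/key.pem")
    c=$(spki_pin_from_cert "$d/cert.pem")
    echo "pin from key : $k"
    echo "pin from cert: $c"
    echo "file digest  : $(digest_of_key_file "$d/key.pem")  (wrong, do not pin this)"
    hpkp_header "$k" "<backup-pin-from-an-offline-key>"
    rm -rf "$d"
fi
```

Run it as `sh pin.sh demo` to see the two pin derivations agree while the file digest differs; `check_server yourdomain.example` against a live host confirms the TLSv1.2-only, stapling and HSTS settings took effect. Generate the backup key offline, pin it, and keep it off the server so a key compromise does not lock clients out for the full max-age.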

Below is the score at the time of writing :)

This rating has now changed, as I disabled some features for security testing reasons. :)
