Configuring SSL

Production instances must use SSL to protect user data and shopping transactions. But the security of SSL encryption changes over time. It’s good to review the SSL configuration of a server from time to time and update the configuration if necessary.

You can test your server with: https://www.ssllabs.com/ssltest/

You can get best practice configurations from: https://wiki.mozilla.org/Security/Server_Side_TLS

If you are wondering which versions you run:

$ nginx -v
# nginx version: nginx/1.8.1

$ openssl version
# OpenSSL 1.0.1 14 Mar 2012

For example, some Australian servers had an old setup rated C. Changing the protocols and ciphers in use raised the rating to B:

# /etc/nginx/sites-available/openfoodnetwork
# moderate setup still supporting WindowsXP with IE8, but not IE6
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

Generating 4096-bit Diffie-Hellman parameters for the DHE cipher suites raised the rating to A+.

$ openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
# /etc/nginx/sites-available/openfoodnetwork
ssl_dhparam /etc/ssl/certs/dhparam.pem;
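As an added example (not part of the original page or of the Open Food Network project), the following POSIX shell function audits the TLS directives of an nginx site file offline, flagging SSLv2/SSLv3, legacy 3DES/RC4/NULL/EXPORT cipher suites and a missing ssl_dhparam. Both configurations it checks are constructed samples; the file path in the comment is the one quoted above.

```shell
#!/bin/sh
# Added example (not the page's or OFN's own code): audit the TLS directives
# of an nginx site file without contacting the server. Complements the SSL
# Labs scan by catching the usual grade-killers before a deploy.

# Constructed sample of a weak site file (file path as quoted on the page).
WEAK_CONF='
# /etc/nginx/sites-available/openfoodnetwork
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:RC4-SHA:!DSS";
'

# Constructed sample after hardening: no SSLv3, no 3DES, DH parameters set.
HARDENED_CONF="
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!DSS';
ssl_dhparam /etc/ssl/certs/dhparam.pem;
"

# audit_tls_conf CONF_TEXT: prints one finding per line; the exit status is
# the number of findings, so 0 means nothing was flagged.
audit_tls_conf() {
    conf=$1
    findings=0
    protocols=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p')
    ciphers=$(printf '%s\n' "$conf" | sed -n "s/^[[:space:]]*ssl_ciphers[[:space:]]*['\"]\{0,1\}\([^'\";]*\).*/\1/p")
    # SSLv2 and SSLv3 should never be offered by a production instance.
    for p in SSLv2 SSLv3; do
        case " $protocols " in
            *" $p "*) echo "weak protocol enabled: $p"; findings=$((findings + 1)) ;;
        esac
    done
    # 3DES, RC4, NULL and EXPORT suites only serve very old clients.
    for c in $(printf '%s\n' "$ciphers" | tr ':' ' '); do
        case "$c" in
            *DES-CBC3*|*RC4*|*NULL*|*EXPORT*) echo "legacy cipher suite listed: $c"; findings=$((findings + 1)) ;;
        esac
    done
    # Without ssl_dhparam the DHE suites fall back to nginx's default parameters.
    if ! printf '%s\n' "$conf" | grep -q '^[[:space:]]*ssl_dhparam'; then
        echo "ssl_dhparam missing: generate parameters with openssl dhparam"
        findings=$((findings + 1))
    fi
    return $findings
}

audit_tls_conf "$WEAK_CONF" || echo "weak config: $? finding(s)"
audit_tls_conf "$HARDENED_CONF" && echo "hardened config: nothing flagged"
```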

Would it be better to capture this on a wiki page?