(2014-10-22) More Nginx with SSL

After POODLE and Shellshock, I've revisited my SSL configuration. Made several tweaks and have improved the overal rating (as well as patching against protocol downgrade attacks).

I've managed to keep my exclusion devices down, and the only used device that is affected is the stock browser on Android 2.2 (as it uses weak ciphers).

You can the full report by clicking on the results below.

edgley.org - ssllabs.com results: 100/100/95/100

I've also upgraded my certificate to an SHA256/SHA384 chain as SHA1 is now deprecated (I switched over to Comodo as RapidSSL was, frankly, crap at sorting this out properly).

Some of the cipher suites I've opted for are better than most browsers currently support, but I've added them for future proofing and hopefully I'll be able to remove the older ones as soon as possible.

The new Nginx cipher suites are:

ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;

I've also switched over to the 384 bit curve strengthh with the following line:

ssl_ecdh_curve secp384r1;

This should, in future, be 521r1, but again, most browsers do not support it yet.

The last thing I really wanted to get, was OCSP stapling; I'd prefer it if OCSP wasn't enabled as well, but no matter what I try I can't get it to work either way. The (supposed) config changes are:

ssl_stapling on; 
ssl_stapling_verify on; 
ssl_verify_depth 2;
ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;
ssl_stapling_responder http://ocsp.comodoca.com;

Where the ca-certs.pem is the chain from your certificate provider and the resonder URL is the link to your providers OCSP server.

Generally speaking, you need just a single https server listener; which lead me to completely disable the http listener. But this still doesn't work for me unfortunately.