
How to get A+ Score Rating in SSLLabs – Qualys

In this tutorial I'll show how to harden a site's TLS configuration, whether it uses a paid certificate or a free one from Let's Encrypt, so that it reaches an A+ rating at SSL Labs. The grade is only a proxy: what you actually end up with is a server that speaks only TLS 1.2 and 1.3 with forward-secret cipher suites and tells browsers to always use HTTPS, which protects your customers' sessions and makes an IT/eCommerce site more trustworthy.

For CWP, see the separate guide:

Get A+ Score Rating with SSLLabs Qualys in CWP – Control web panel

For Apache :

Create "ssl.conf" in Apache's conf.d directory (or create it in the Apache directory and Include it from apache/httpd.conf) and put the protocol and cipher settings there.

Make sure TLS 1.0 and TLS 1.1 are disabled, because SSL Labs caps any server that still offers them at grade B, and use a cipher list that contains only ECDHE (forward-secret) AEAD and SHA-2 suites:

<IfModule !ssl_module>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>
Listen 443
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"

Now add the HSTS header in each domain's vhost (this needs mod_headers). SSL Labs only awards A+ when the HSTS max-age is at least 180 days (15552000 seconds); one year is used here. Only add includeSubDomains (as the nginx example further down does) if every subdomain is served over HTTPS, because once a browser has seen it, it refuses plain HTTP for all of them:

Header always set Strict-Transport-Security "max-age=31536000"

eg. where to add in an Apache domain vhost (SSLCertificateChainFile still works but has been deprecated since Apache 2.4.8; the preferred form is to append the intermediate certificates to the file named in SSLCertificateFile) :

SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/mysterydata.com.cert
SSLCertificateKeyFile /etc/pki/tls/private/mysterydata.com.key
SSLCertificateChainFile /etc/pki/tls/certs/mysterydata.com.bundle
Header always set Strict-Transport-Security "max-age=31536000"

For nginx :

In nginx.conf (http context) make sure these lines are present, or replace the existing ones with them.

Again TLS 1.0 and TLS 1.1 must be disabled. The cipher list is ECDHE-only, so every suite offers forward secrecy; static-RSA suites (RSA+AESGCM and friends) still work but have no forward secrecy and SSL Labs marks them as weak, and DHE suites are only offered by nginx 1.11.0 and later when ssl_dhparam is set, with a group of at least 2048 bits to avoid a grade cap:

ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";

Now add this HSTS header line in each nginx domain vhost. The trailing "always" makes nginx send the header on error responses too. Drop includeSubDomains if any subdomain is still plain HTTP, and remember that a location block with its own add_header lines does not inherit this one, so repeat it there if needed:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

** For CWP or any other panel, the generated nginx vhosts often carry their own ssl_protocols line. A directive inside a server {} block overrides the one in nginx.conf, so edit those vhosts too: no vhost may still list TLSv1 or TLSv1.1. The same applies to an SSLProtocol line inside an Apache <VirtualHost>. When nginx runs as the reverse proxy in front of Apache it terminates TLS, so its settings are what SSL Labs sees and fixing Apache alone changes nothing.

eg. where to add in nginx domain vhost :

ssl_certificate      /home/mystery/conf/ssl.mysterydata.com.pem;
ssl_certificate_key  /home/mystery/conf/ssl.mysterydata.com.key;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

** If your nginx (1.13.0 or newer) is built against OpenSSL 1.1.1 or newer, TLS 1.3 is available; enable it in nginx.conf like this. ssl_ciphers only affects TLS 1.2 and earlier; the TLS 1.3 suites are fixed by OpenSSL and are all AEAD:

ssl_session_cache   shared:SSL:10m;
ssl_protocols       TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers        "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";

Check the configuration syntax first (apachectl configtest, nginx -t), restart the web servers, and then check the grade online here (the test caches results, so use "Clear cache" when re-testing after a change) :
https://www.ssllabs.com/ssltest/
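Before going to SSL Labs it is worth checking the config files themselves, because the grade is decided by whichever file wins: a vhost's own ssl_protocols or SSLProtocol line overrides nginx.conf or ssl.conf. The following audit script is an added example, not part of the original post or of CWP. It reads Apache and nginx config text, evaluates SSLProtocol the way mod_ssl does ("all", "+X", "-X"), lists the legacy versions a file still enables, and checks that any TLS vhost sets an HSTS max-age of at least 15552000 seconds. The file paths in the main block are the CWP locations given in the comments on this post; the sample vhost is constructed.

```python
"""Audit Apache and nginx config text for the two settings that decide the
SSL Labs grade in this guide: legacy protocol versions still enabled, and a
missing or short-lived HSTS header.  A directive inside a vhost (server {})
block overrides the global one, so every file is checked on its own and each
offending line is reported with its line number."""
import re
from pathlib import Path

KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_HSTS_MAX_AGE = 15552000  # 180 days, the smallest max-age SSL Labs accepts for A+


def apache_protocols(args):
    """Evaluate an SSLProtocol argument list the way mod_ssl does:
    'all' selects every version, '+X' adds X, '-X' removes X, a bare name adds it."""
    enabled = set()
    for tok in args.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        if name.lower() == "all":
            names = set(KNOWN)
        else:
            names = {k for k in KNOWN if k.lower() == name.lower()}
        enabled = enabled - names if op == "-" else enabled | names
    return enabled


def nginx_protocols(args):
    """ssl_protocols simply lists the versions that are enabled."""
    wanted = {t.lower() for t in args.rstrip(";").split()}
    return {k for k in KNOWN if k.lower() in wanted}


def audit(text, kind):
    """Return [(line_no, message), ...] for one config file; kind is 'apache' or 'nginx'."""
    findings = []
    cert_seen = hsts_seen = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # both servers use '#' comments
        if not line:
            continue
        if kind == "apache":
            proto = re.match(r"SSLProtocol\s+(.+)", line, re.I)
            enabled = apache_protocols(proto.group(1)) if proto else None
            cert_seen |= bool(re.match(r"SSLCertificateFile\s", line, re.I))
        else:
            proto = re.match(r"ssl_protocols\s+(.+)", line)
            enabled = nginx_protocols(proto.group(1)) if proto else None
            cert_seen |= bool(re.match(r"ssl_certificate\s", line))
        if enabled is not None:
            bad = sorted(enabled & LEGACY, key=KNOWN.index)
            if bad:
                findings.append((n, "allows " + ", ".join(bad)))
        hsts = re.search(r'Strict-Transport-Security\s+"([^"]*)"', line, re.I)
        if hsts:
            hsts_seen = True
            age = re.search(r"max-age=(\d+)", hsts.group(1), re.I)
            seconds = int(age.group(1)) if age else 0
            if seconds < MIN_HSTS_MAX_AGE:
                findings.append((n, f"HSTS max-age {seconds} is below {MIN_HSTS_MAX_AGE}"))
    if cert_seen and not hsts_seen:
        findings.append((0, "TLS vhost without a Strict-Transport-Security header"))
    return findings


def scan(paths, kind):
    """Audit real files and return {path: findings} for every file with a finding."""
    report = {}
    for p in paths:
        found = audit(Path(p).read_text(errors="replace"), kind)
        if found:
            report[str(p)] = found
    return report


# Constructed sample: a panel-generated nginx vhost of the kind that keeps a
# site at B after nginx.conf has been fixed, because server-level directives win.
SAMPLE_NGINX_VHOST = """server {
    listen 443 ssl;
    ssl_certificate     /home/mystery/conf/ssl.mysterydata.com.pem;
    ssl_certificate_key /home/mystery/conf/ssl.mysterydata.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=300";
}
"""

if __name__ == "__main__":
    # CWP locations, as given in the comments on this post
    apache = [Path("/usr/local/apache/conf.d/ssl.conf"), *Path("/usr/local/apache/conf.d/vhosts").glob("*.conf")]
    nginx = [Path("/etc/nginx/nginx.conf"), *Path("/etc/nginx/conf.d/vhosts").glob("*.conf")]
    for kind, paths in (("apache", apache), ("nginx", nginx)):
        for path, found in scan([p for p in paths if p.exists()], kind).items():
            for line_no, msg in found:
                print(f"{path}:{line_no}: {msg}")
    for line_no, msg in audit(SAMPLE_NGINX_VHOST, "nginx"):
        print(f"sample:{line_no}: {msg}")
```

The HSTS check is only applied to files that also name a certificate, so a global nginx.conf or ssl.conf without the header is not reported; a vhost that terminates TLS without it is. The script reads config text only, so it cannot see a protocol that a panel re-enables elsewhere at run time; the SSL Labs test remains the final word.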

Extra work :

You should also add Certification Authority Authorization (CAA) DNS records. They do not change the SSL Labs grade, but they tell every publicly trusted CA which issuers are allowed to issue certificates for your domain, so a mis-issued certificate from some other CA is refused at issuance time. Read more here: LINK

For example, you can publish CAA records for the CAs you want to allow; "issue" covers ordinary names and "issuewild" covers wildcard names:

mysterydata.com.          300     IN      CAA     0 issue "digicert.com"
mysterydata.com.          300     IN      CAA     0 issuewild "digicert.com"
mysterydata.com.          300     IN      CAA     0 issuewild "letsencrypt.org"
mysterydata.com.          300     IN      CAA     0 issue "letsencrypt.org"
mysterydata.com.          300     IN      CAA     0 issuewild "comodoca.com"
mysterydata.com.          300     IN      CAA     0 issue "comodoca.com"
mysterydata.com.          300     IN      CAA     0 issuewild "globalsign.com"
mysterydata.com.          300     IN      CAA     0 issue "globalsign.com" 
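To see what these records actually grant, here is a small evaluator that applies the CAA rules a CA follows (RFC 8659) to a parsed record set: find the relevant set by climbing from the requested name towards the root, use issuewild instead of issue when a wildcard is requested, and then look for the CA's identifier. It is an added example, not part of the original post or of any CA's code; it works on zone-file text rather than live DNS, and the records for example.net and the CA identifiers passed in are constructed inputs.

```python
"""Evaluate CAA records the way an issuing CA does (RFC 8659): find the
Relevant RRset by climbing from the requested name towards the root, pick
issuewild or issue depending on whether a wildcard is requested, then look for
the CA's identifier.  Records are parsed from zone-file lines."""
import re

CAA_LINE = re.compile(r'(\S+)\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"', re.I)
CRITICAL = 128                      # flags bit: refuse if the tag is not understood
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_zone(text):
    """Return {owner: [(flags, tag, value), ...]} for every CAA line in the text."""
    records = {}
    for line in text.splitlines():
        m = CAA_LINE.match(line.strip())
        if m:
            owner = m.group(1).rstrip(".").lower()
            records.setdefault(owner, []).append((int(m.group(2)), m.group(3).lower(), m.group(4)))
    return records


def relevant_rrset(records, fqdn):
    """RFC 8659 section 3: use CAA(X) if it is non-empty, else try the parent, up to the root."""
    name = fqdn.rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    while name:
        if name in records:
            return records[name]
        name = name.partition(".")[2]
    return []


def may_issue(records, fqdn, ca):
    """True if the CA identified by `ca` (e.g. 'letsencrypt.org') may issue for fqdn.
    Pass '*.example.com' to ask about a wildcard certificate."""
    rrset = relevant_rrset(records, fqdn)
    if not rrset:
        return True                # no CAA anywhere up the tree: unrestricted
    if any(f & CRITICAL and t not in KNOWN_TAGS for f, t, _ in rrset):
        return False               # critical property we do not understand
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # issuewild replaces issue for wildcard names only when at least one is present
    relevant = issuewild if fqdn.startswith("*.") and issuewild else issue
    if not relevant:
        return True                # records exist but none restricts this kind of name
    for value in relevant:
        # 'example.org; parameters' -> the part before ';' is the issuer domain;
        # an empty issuer domain (the record value ";") authorises nobody
        issuer = value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca.lower():
            return True
    return False


# The records from this post
POST_ZONE = """
mysterydata.com.  300 IN CAA 0 issue "digicert.com"
mysterydata.com.  300 IN CAA 0 issuewild "digicert.com"
mysterydata.com.  300 IN CAA 0 issuewild "letsencrypt.org"
mysterydata.com.  300 IN CAA 0 issue "letsencrypt.org"
mysterydata.com.  300 IN CAA 0 issuewild "comodoca.com"
mysterydata.com.  300 IN CAA 0 issue "comodoca.com"
mysterydata.com.  300 IN CAA 0 issuewild "globalsign.com"
mysterydata.com.  300 IN CAA 0 issue "globalsign.com"
"""

# Constructed zone: Let's Encrypt may issue ordinary names, nobody may issue wildcards
STRICT_ZONE = """
example.net.  300 IN CAA 0 issue "letsencrypt.org; validationmethods=dns-01"
example.net.  300 IN CAA 0 issuewild ";"
"""

if __name__ == "__main__":
    post = parse_zone(POST_ZONE)
    strict = parse_zone(STRICT_ZONE)
    for zone, name, ca in [(post, "www.mysterydata.com", "letsencrypt.org"),
                           (post, "mysterydata.com", "sectigo.com"),
                           (strict, "example.net", "letsencrypt.org"),
                           (strict, "*.example.net", "letsencrypt.org")]:
        print(f"{ca:16} {name:24} {'may issue' if may_issue(zone, name, ca) else 'must refuse'}")
```

Two things the example makes visible: a subdomain such as www.mysterydata.com with no records of its own inherits the parent's set, and because this post's records list every CA twice (issue and issuewild) the wildcard and non-wildcard policies are identical; the constructed example.net zone shows how to allow ordinary certificates from one CA while forbidding wildcards from everyone. Real CAs additionally honour their own parameters after the ";" (Let's Encrypt's validationmethods is one) and look the records up through live DNS, which this evaluator does not do; after publishing, confirm what resolvers see with a CAA query for your domain.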

Sandeep B.

I'm a system admin and PHP developer, currently working as a system admin for the CWP control panel, with expertise in Linux and Windows administration; RHEL certified admin.


21 Comments

  1. I have a website with Apache. I followed your guide, and disabling TLS 1.0 and TLS 1.1 and enabling HSTS worked for me. Now my site is A+.
    Thank you very much

  2. I can't get it to work with CWP.

    It doesn't increase from the letter B, the same as the previous capture.

    This is what I have written in the files:

    /usr/local/apache/conf.d/ssl.conf – https://i.gyazo.com/3182570f7e81a888674cd7175be1e3b9.png

    /usr/local/apache/conf.d/vhosts/ – https://i.gyazo.com/2550ca24676d991010272bc920d4641f.png

    /etc/nginx/nginx.conf – https://i.gyazo.com/8d0a35a9f78882cbaa14551ea0e70cfe.png

    /etc/nginx/conf.d/vhosts/ – https://i.gyazo.com/20b023d7b630c968b98be1a02de93463.png

    I restarted both Apache and nginx and everything stays the same…

          1. Nothing, I’ve done it again, I’ve clicked where it says clear cache, and it’s still the same.

            I’m going to try to open a ticket through the CWP support system, so I can send the data and see if they can tell me where the problem is.

            Greetings!

  3. Hello!

    I can’t understand how to perform the steps. Can you tell me the exact paths of the files to be modified in CWP?

    1. FOR CWP :-
      apache ssl.conf location :
      /usr/local/apache/conf.d/ssl.conf

      and apache vhosts are in :
      /usr/local/apache/conf.d/vhosts/

      nginx conf location :
      /etc/nginx/nginx.conf

      and nginx vhosts are in :
      /etc/nginx/conf.d/vhosts/

        1. thanks for the report, I’ve updated the post to achieve it.

          added TLS 1.0 and TLS 1.1 ssl protocol disable option :
          apache :
          SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

          and for nginx
          ssl_protocols TLSv1.2;

          1. Hi Sandeep! Very cool tutorial, yet I've been following the instructions, created a file ssl.conf, followed all your steps and placed the code you suggested:

            LoadModule ssl_module modules/mod_ssl.so

            Listen 443
            SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
            SSLHonorCipherOrder on
            SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
            Restarted Apache, but still nothing; I get a B. It seems that TLS 1.0 and 1.1 are still enabled and I can't manage to disable them. How can I achieve that?
            I'm using CentOS 7.9, Apache only, with CWP.
            Thanks for your help!
