In this tutorial I'll show you how to improve the security of your SSL/TLS setup, whether you use a paid certificate or a free one from Let's Encrypt. Following this guide will get you an A+ rating in the SSL Labs test and a high level of TLS security, which also protects your IT/eCommerce business and builds customer confidence and loyalty.
FOR CWP GO HERE :
Get A+ Score Rating with SSLLabs Qualys in CWP – Control web panel
For Apache :
create "ssl.conf" in the apache conf.d dir and add/edit the ciphers there; you can also create it in the apache dir and include "ssl.conf" from apache/httpd.conf.
ensure you've disabled the TLS 1.0 and TLS 1.1 protocols and add these ciphers, eg. ssl.conf :
<IfModule !ssl_module>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>
Listen 443
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
now add the HSTS header in the domain vhosts (the Header directive needs mod_headers to be loaded) :
Header always set Strict-Transport-Security "max-age=31536000"
eg. where to add it in an apache domain vhost :
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/mysterydata.com.cert
SSLCertificateKeyFile /etc/pki/tls/private/mysterydata.com.key
SSLCertificateChainFile /etc/pki/tls/certs/mysterydata.com.bundle
Header always set Strict-Transport-Security "max-age=31536000"
For nginx :
in nginx.conf ensure these directives are present, or replace the existing ones with them;
ensure you've disabled the TLS 1.0 and TLS 1.1 protocols and add these ciphers :
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
now in the nginx domain vhost you need to add this HSTS header line :
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
** For CWP or any other panel, nginx vhosts that still contain an old "ssl_protocols" config must be edited too: no nginx vhost should use TLS 1.0 or TLS 1.1, i.e. completely disable these protocols everywhere.
eg. where to add it in an nginx domain vhost :
ssl_certificate /home/mystery/conf/ssl.mysterydata.com.pem;
ssl_certificate_key /home/mystery/conf/ssl.mysterydata.com.key;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
** if you have a recent nginx and OpenSSL version that support TLS 1.3, edit nginx.conf and use this instead:
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
Restart the webservers and you're done; you can check your SSL grade online here :
https://www.ssllabs.com/ssltest/
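The post's two requirements are that no Apache or nginx vhost still allows TLS 1.0/1.1 and that every TLS vhost sends the HSTS header. Before re-running the SSL Labs test, the following Python script (an added example, not part of the post) audits config text for exactly those two points; the list of versions that Apache's "all" expands to is an assumption of this example, and the sample vhosts are constructed.

```python
import re

# What Apache's "all" expands to (assumed list for this example; "-SSLv2" must still parse).
ALL_VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # versions the post says to disable

def apache_protocols(value):
    """Expand 'all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1' into the versions left enabled."""
    enabled = set()
    for tok in value.split():
        names = ALL_VERSIONS if tok.lstrip("+-").lower() == "all" else [tok.lstrip("+-")]
        if tok.startswith("-"):
            enabled.difference_update(names)
        else:
            enabled.update(names)
    return enabled

def audit(text, server):
    """Findings for one Apache ('apache') or nginx ('nginx') config text."""
    if server == "apache":
        proto = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.I)
        hsts = re.compile(r"^\s*Header\s+(always\s+)?set\s+Strict-Transport-Security\b", re.I)
    else:
        proto = re.compile(r"^\s*ssl_protocols\s+(.+?)\s*;", re.I)
        hsts = re.compile(r'^\s*add_header\s+Strict-Transport-Security\s+"[^"]*"\s*(always)?\s*;', re.I)
    findings, hsts_seen = [], False
    for n, line in enumerate(text.splitlines(), 1):
        if m := proto.match(line):
            # Apache lists exclusions relative to "all"; nginx lists enabled versions directly.
            on = apache_protocols(m.group(1)) if server == "apache" else set(m.group(1).split())
            weak = sorted(on & WEAK)
            if weak:
                findings.append(f"line {n}: weak protocols enabled: {', '.join(weak)}")
        elif m := hsts.match(line):
            hsts_seen = True
            if not m.group(1):  # without 'always' the header is skipped on error responses
                findings.append(f"line {n}: HSTS header lacks 'always' (not sent on every response)")
    if not hsts_seen:
        findings.append("no Strict-Transport-Security header set")
    return findings

# Constructed samples: an nginx vhost that still allows TLS 1.0/1.1 (the B-grade
# case from the comments) and the same vhost after applying the post's settings.
OLD_NGINX_VHOST = ("ssl_certificate /home/mystery/conf/ssl.mysterydata.com.pem;\n"
                   "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"
                   'add_header Strict-Transport-Security "max-age=31536000";\n')
FIXED_NGINX_VHOST = OLD_NGINX_VHOST.replace("TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2").replace(
    '"max-age=31536000";', '"max-age=31536000; includeSubDomains" always;')
```

Run `audit()` over each file in the panel's vhost directories (the post names /etc/nginx/conf.d/vhosts/ and /usr/local/apache/conf.d/vhosts/ for CWP) to find the vhost that is still holding the grade at B.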
Extra work :
you also need to add a Certification Authority Authorization (CAA) DNS record for more security; read here LINK
For example, you can add CAA DNS records naming the CAs you want to permit to issue certs for your domain :
mysterydata.com. 300 IN CAA 0 issue "digicert.com"
mysterydata.com. 300 IN CAA 0 issuewild "digicert.com"
mysterydata.com. 300 IN CAA 0 issuewild "letsencrypt.org"
mysterydata.com. 300 IN CAA 0 issue "letsencrypt.org"
mysterydata.com. 300 IN CAA 0 issuewild "comodoca.com"
mysterydata.com. 300 IN CAA 0 issue "comodoca.com"
mysterydata.com. 300 IN CAA 0 issuewild "globalsign.com"
mysterydata.com. 300 IN CAA 0 issue "globalsign.com"
SANDEEP please update guide
now it gives a B
hi, I just tested and this tutorial is still valid and working; for CWP there is another tutorial : https://www.uxlinux.com/get-a-score-rating-with-ssllabs-qualys-in-cwp-control-web-panel/
Where can I order a service from you? I need a sysadmin to do this for me.
hello
you can contact me via forum
https://forum.mysterydata.com/
my profile url :
https://forum.mysterydata.com/user/sandeep
I have a web-site with apache. I followed your guide, and disabling TLS 1.0, TLS 1.1 and enabling HSTS worked for me. Now my site is A+.
Thank you very much
how did you disable the old protocol?
I’ve added CWP related tutorial https://www.uxlinux.com/get-a-score-rating-with-ssllabs-qualys-in-cwp-control-web-panel/
Hi Sandeep, is there a step missing? I get the same results as Jose. Is there a main Letsencrypt location to change?
Hi, I already mentioned in the post that you need to disable the old http protocols, and no nginx vhosts should use them, to get an A+ score
I can’t get it to work with CWP.
It doesn’t increase from the letter B, the same as the previous capture.
This is what I have written in the files:
/usr/local/apache/conf.d/ssl.conf – https://i.gyazo.com/3182570f7e81a888674cd7175be1e3b9.png
/usr/local/apache/conf.d/vhosts/ – https://i.gyazo.com/2550ca24676d991010272bc920d4641f.png
/etc/nginx/nginx.conf – https://i.gyazo.com/8d0a35a9f78882cbaa14551ea0e70cfe.png
/etc/nginx/conf.d/vhosts/ – https://i.gyazo.com/20b023d7b630c968b98be1a02de93463.png
I restarted both Apache and Nginx and everything stays the same…
did you run the test again?
Yeah, it’s still the same: https://i.gyazo.com/78f241d27ffe691b4db63645f851054a.png
Go to the initial test page and don't just refresh the result page
Nothing, I’ve done it again, I’ve clicked where it says clear cache, and it’s still the same.
I’m going to try to open a ticket through the CWP support system, so I can send the data and see if they can tell me where the problem is.
Greetings!
I have already opened the ticket: #381607 to see if support can help me 😉
Hello!
I can’t understand how to perform the steps. Can you tell me the exact paths of the files to be modified in CWP?
FOR CWP :-
apache ssl.conf location :
/usr/local/apache/conf.d/ssl.conf
and apache vhosts are in :
/usr/local/apache/conf.d/vhosts/
nginx conf location :
/etc/nginx/nginx.conf
and nginx vhosts are in :
/etc/nginx/conf.d/vhosts/
Nothing, I just can’t get over the letter B. Does CWP need to change anything else?
Image: https://i.gyazo.com/1148e1d6819b1f498f015f3a27835913.png
thanks for the report, I’ve updated the post to achieve it.
added the TLS 1.0 and TLS 1.1 protocol disable option :
apache :
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
and for nginx
ssl_protocols TLSv1.2;
Hi Sandeep! Very cool tutorial, yet I've been following the instructions, created a file ssl.conf, followed all your steps and placed the code you suggested:
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
Restarted Apache, but still nothing. I get a B; it seems that TLS 1.0 and 1.1 are still enabled and I can't manage to disable them. How can I achieve that?
I'm using CentOS 7.9, Apache only, with CWP
Thanks for your help!
for cwp there is another tutorial
https://www.uxlinux.com/get-a-score-rating-with-ssllabs-qualys-in-cwp-control-web-panel/