How do you score A+ with 100 on all categories on SSL Labs test with Let's Encrypt and Nginx?


Question

I'm trying to score 100 on all categories when testing my SSL certs at www.ssllabs.com

However, I am struggling to get A+ and 100 on all scores.

Any tips as to what NGINX config I should use? Or how I should generate my Let's Encrypt certs? thx

Answer

These instructions apply to all certs (including Let's Encrypt certs). However, one or two Let's Encrypt specific tips are given.

The NGINX SSL config given below will give you the following SSL Labs scores. You choose:

Recommended

  • A+
  • Certificate 100/100
  • Protocol Support 95/100
  • Key Exchange 90/100
  • Cipher Strength 90/100

Perfect but strict

  • A+
  • Certificate 100/100
  • Protocol Support 100/100
  • Key Exchange 100/100
  • Cipher Strength 100/100

NGINX SSL config - Extract the bits you want. The notes clarify how a given NGINX directive will affect your SSL Labs score:

# Your listen directive should be .. listen 443 ssl http2;
# gzip off; # gzip over ssl? really?

ssl_certificate      /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key  /etc/letsencrypt/live/yourdomain.com/privkey.pem;

#################### ssllabs.com Protocol Support

ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # Score=95 (recommended)
# ssl_protocols TLSv1.2; # Score=100

#################### ssllabs.com Key Exchange

# Score=90 (recommended)
ssl_dhparam          /etc/letsencrypt/live/yourdomain.com/dhparam2048.pem; # openssl dhparam -out dhparam2048.pem 2048
ssl_ecdh_curve       secp384r1; # optional

# Score=100 (must generate letsencrypt certs with flag --rsa-key-size 4096)
# ssl_dhparam        /etc/letsencrypt/live/yourdomain.com/dhparam4096.pem; # openssl dhparam -out dhparam4096.pem 4096
# ssl_ecdh_curve     secp384r1; # required

#################### ssllabs.com Cipher Strength - see https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS; # Score=90 (recommended)
# ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; # Score=100

#################### ssllabs.com A+ - Enable HSTS on all subdomains

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# add_header Strict-Transport-Security "max-age=0; includeSubDomains"; # Delete browser cached HSTS policy (i.e. turn HSTS off)

# THE PRELOAD DIRECTIVE WILL HAVE SEMI-PERMANENT CONSEQUENCE AND IS IRREVERSIBLE - DO NOT USE UNTIL FULLY TESTED AND YOU UNDERSTAND WHAT YOU ARE DOING!
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

#################### Other typical SSL settings that DO NOT affect the ssllabs.com score

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;

add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

Note, you can only get 100 on Key Exchange if your:

  • cert's RSA key size is 4096 (for Let's Encrypt use --rsa-key-size 4096 when generating the certs, otherwise you are at the mercy of the RSA key size the CA uses when it generates the certs for you) and
  • dhparam is 4096 (openssl dhparam -out dhparam4096.pem 4096) - takes about 1 hour to generate, useless for automated solutions

Edit

  • 2048 is enough security for the next 40 years. No one has ever cracked a 1024, let alone a 2048!

openssl dhparam -dsaparam -out dhparam4096.pem 4096 ... is much quicker than one hour (see -dsaparam flag) but I don't know whether you should use it or not ... have not tested it on SSL Labs test since I'm going with 2048
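The answer's comments tie each directive to a score tier (Protocol Support 95 vs 100, Cipher Strength 90 vs 100, HSTS for the A+). The POSIX-sh linter below, added here as an example and not part of the original answer or of nginx, reads an nginx TLS snippet and reports which tier each directive lands in, so a config can be checked before it is deployed and re-scanned. It follows the answer's own data points rather than SSL Labs' exact rating rules: the 180-day minimum HSTS max-age used for the A+ check is an assumption, and Key Exchange is deliberately not judged because it depends on the certificate key size and the dhparam file on disk, not on the config text. The three config snippets are constructed, abbreviated from the two variants in the answer.

```shell
#!/bin/sh
# Added example, not from the original answer: a small POSIX-sh linter that maps
# an nginx TLS snippet onto the score tiers the answer describes.
# Directive names are nginx's own; the sample snippets below are constructed.

# Value of the first active (uncommented) occurrence of directive $1 in the
# config text $2, with the trailing semicolon removed.
directive() {
  printf '%s\n' "$2" | sed 's/#.*$//' |
    awk -v d="$1" '$1 == d { $1 = ""; sub(/^[ \t]+/, ""); sub(/;[ \t]*$/, ""); print; exit }'
}

# Protocol Support, per the answer: TLSv1.2 only scores 100; also enabling
# TLSv1.1 or TLSv1 drops it to 95. Anything else is reported as "unknown".
protocol_score() {
  p=$(directive ssl_protocols "$1")
  case " $p " in
    *" TLSv1 "*|*" TLSv1.1 "*) echo 95 ;;
    *" TLSv1.2 "*)              echo 100 ;;
    *)                          echo unknown ;;
  esac
}

# Cipher Strength, following the answer's two data points: a list that still
# offers 128-bit or 3DES suites sits in the 90 tier, an all-256-bit list
# (AES256+EECDH:AES256+EDH:!aNULL) reaches 100. A heuristic, not SSL Labs' rule.
cipher_score() {
  c=$(directive ssl_ciphers "$1")
  [ -n "$c" ] || { echo unknown; return; }
  case "$c" in
    *AES128*|*DES-CBC3*|*RC4*) echo 90 ;;
    *)                         echo 100 ;;
  esac
}

# HSTS for the A+: header present, long max-age, includeSubDomains as in the
# answer's config. The 180-day (15552000 s) minimum is an assumption.
# "ok-preload" flags the irreversible preload directive the answer warns about.
hsts_status() {
  h=$(printf '%s\n' "$1" | sed 's/#.*$//' | grep -i 'strict-transport-security' | head -n 1)
  [ -n "$h" ] || { echo missing; return; }
  age=$(printf '%s\n' "$h" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  if [ "${age:-0}" -lt 15552000 ]; then echo short; return; fi
  case "$h" in *includeSubDomains*) ;; *) echo no-subdomains; return ;; esac
  case "$h" in *preload*) echo ok-preload ;; *) echo ok ;; esac
}

# One summary line for the config passed as $1.
report() {
  printf 'protocol_support=%s cipher_strength=%s hsts=%s\n' \
    "$(protocol_score "$1")" "$(cipher_score "$1")" "$(hsts_status "$1")"
}

# Constructed snippets (not real deployments), abbreviated from the answer.
RECOMMENDED_CONF='
ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # Score=95 (recommended)
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DES-CBC3-SHA:!DSS;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
'
STRICT_CONF='
ssl_protocols TLSv1.2;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
'
SHORT_HSTS_CONF='
ssl_protocols TLSv1.2;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
add_header Strict-Transport-Security "max-age=300" always;
'

report "$RECOMMENDED_CONF"
report "$STRICT_CONF"
report "$SHORT_HSTS_CONF"
```

Point `report` at a real server block (for example `report "$(cat /etc/nginx/sites-enabled/yourdomain.com)"`) to see the same three fields; commented-out lines such as the answer's `max-age=0` and `preload` variants are ignored, so only the active directives are scored.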
