{"id":241,"date":"2023-04-27T16:52:00","date_gmt":"2023-04-27T15:52:00","guid":{"rendered":"https:\/\/www.winni.at\/wordpress\/?p=241"},"modified":"2023-04-27T17:00:22","modified_gmt":"2023-04-27T16:00:22","slug":"ssllabs-100-in-all-sections-ubuntu-nginx-and-letsencrypt","status":"publish","type":"post","link":"https:\/\/www.winni.at\/wordpress\/?p=241","title":{"rendered":"SSLLabs 100% in all sections Ubuntu Nginx and LetsEncrypt"},"content":{"rendered":"\n<p><strong>#Certificate Section<\/strong><\/p>\n\n<p>Simple&#8230; just make sure your cert and chain are in the correct order and that they are SHA256 certificates.<\/p>\n\n<p><strong>#Protocol Support Section<\/strong><\/p>\n\n<p>TLS1.2 or stronger is necessary for <\/p>\n\n<p>Needed entry in \/etc\/nginx\/nginx.conf &#8211; http section:<\/p>\n\n<pre class=\"wp-block-code\"><code>ssl_protocols TLSv1.2;<\/code><\/pre>\n\n<p><strong>#KeyExchange<\/strong><\/p>\n\n<p>A few parts are necessary to reach this:<\/p>\n\n<p><strong>Part 1:<\/strong> Use a 4096-bit RSA or secp256 or higher certificate.<\/p>\n\n<p><em>Example (RSA):<\/em><br><code>certbot --rsa-key-size 4096 (other arguments)<\/code><\/p>\n\n<p><strong>Part 2:<\/strong> Enable ECDH curves in Nginx (set in \/etc\/nginx\/nginx.conf &#8211; http section):<\/p>\n\n<pre class=\"wp-block-code\"><code>ssl_ecdh_curve secp521r1:secp384r1;<\/code><\/pre>\n\n<p><strong>Part 3:<\/strong> Sometimes Part 1 and 2 are enough, but sometimes you also need Part 3 &#8211;> a stronger DHParam file &#8211;> see my post:<\/p>\n\n<p><a href=\"https:\/\/www.winni.at\/wordpress\/?p=239\">OpenSSL strong DHparam key in Ubuntu and Nginx<\/a><\/p>\n\n
<p><strong>#CipherStrength<\/strong><\/p>\n\n<p>Important here: currently, with TLS1.3 activated, you won't get a 100% SSLLabs score.<\/p>\n\n<p>The reason is that OpenSSL still ships a 128bit cipher that prevents it. The &#8220;problem&#8221; is also that in the current TLS1.3 RFC this cipher is mandatory.<\/p>\n\n<p>To reach the 100% Cipher Strength you have two options:<\/p>\n\n<p>Option 1: Manually remove this 128bit cipher from OpenSSL for TLS1.3 = you have a non-RFC-compliant TLS1.3 webserver. The needed openssl.cnf is located at \/usr\/lib\/ssl\/openssl.cnf, but I won't share a solution here to break an RFC \ud83d\ude09<\/p>\n\n<p>Option 2: Don't use TLS1.3 &#8211; this is not a general recommendation from my side, 
just the hint if you want a 100% score.<\/p>\n\n<p>So my cipher section looks like this to reach the 100% cipher score:<\/p>\n\n<p>Set in \/etc\/nginx\/nginx.conf &#8211; http section:<\/p>\n\n<pre class=\"wp-block-code\"><code>    ssl_protocols TLSv1.2;\n    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384;\n    ssl_prefer_server_ciphers off;<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>#Certificate Section Simple&#8230; just make sure your cert and chain are in the correct order and SHA256 certificates #Protocol Support<\/p>\n","protected":false},"author":1,"featured_media":245,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[3],"tags":[212,117,205,214,213,209,211,210,204,208],"class_list":["post-241","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-kb","tag-212","tag-linux","tag-nginx","tag-ssllab-nginx-100","tag-ssllab-ubuntu-100","tag-ssllabs","tag-ssllabs-100","tag-ssllabs-a","tag-ubuntu","tag-ubuntu-nginx"],"_links":{"self":[{"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/241","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=241"}],"version-history":[{"count":2,"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=\/w
p\/v2\/posts\/241\/revisions"}],"predecessor-version":[{"id":244,"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/241\/revisions\/244"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=\/wp\/v2\/media\/245"}],"wp:attachment":[{"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=241"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=241"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=241"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}