How to make the SSL site 100 in all four fields of SSLLAB Server Test

Now, a lot of web site are going to add SSL for security purpose.

Just like my site here, the SSL Report is as below.

ssl-report-yinfor

It is A+. The score is great. When I look at it close. There are four parts. Three of them are not 100%.

Can I make it all 100?

I use one test site to do my research and try to make it 100.

OK. Let me show you why and how to do it.

Protocol Support

  1. TLS 1.0    90%
  2. TLS 1.1    95%
  3. TLS1.2    100%

The score is made from: Start with the score of the best protocol; Add the score of the worst protocol; Divide the total by 2.

So, to make it 100%, just enable TLS 1.2 only.

In Nginx setting file, I changed the following:

ssl_protocols TLSv1.2;

Key Exchange

Weak key (Debian OpenSSL flaw) 0%
Anonymous key exchange (no authentication) 0%
Key or DH parameter strength < 512 bits 20%
Exportable key exchange (limited to 512 bits) 40%
Key or DH parameter strength < 1024 bits (e.g., 512) 40%
Key or DH parameter strength < 2048 bits (e.g., 1024) 80%
Key or DH parameter strength < 4096 bits (e.g., 2048) 90%
Key or DH parameter strength >= 4096 bits (e.g., 4096) 100%

To make it 100%, I have to change my existing secp256r1 to secp384r1.

Add following to my Nginx setting file.

ssl_ecdh_curve secp384r1;

Cipher Strength

0 bits (no encryption) 0%
< 128 bits (e.g., 40, 56) 20%
< 256 bits (e.g., 128, 168) 80%
>= 256 bits (e.g., 256) 100%

It is clear that just allow 256 bits to make it 100%.

My cipher setting is shown below:

ssl_ciphers ‘ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA:!DSS’;

Then, I did the test and have a look at the result of the test.

100-score-ssllabs-test

Notes: It is a testing site when I make this post.  I recorded all test information below.

ssllab-test-1

ssllab-test-2

ssllab-test-3

ssllab-test-4

ssllab-test-5

ssllab-test-6

I do not think it is worth to make everything 100. Some device or operation system are not support TLS 1.1 and TLS 1.2.

When I use my RedMi cellphone chrome browser to open the site. It can not be connected.

2016-03-17 00.17.05

The cellphone is Android 4.4.4. The error is Error SPDY INADEQUATE TRANSPORT SECURITY.

When test it with my Nexus 7 tablet, same error.

So, it is a balance skill to make the site secure and compatible. The most secure site is not good at compatible side.