Yunohost, Let’s Encrypt, A+ at SSLLabs: How-to (English version)

French version: https://forum.yunohost.org/t/yunohost-let-s-encrypt-a-au-ssllabs/

Prerequisites: you need some knowledge of Let’s Encrypt and of how SSL/TLS configuration works (basics).

I’ve followed How to: Install Let’s Encrypt certificates and it works. Nothing to say, it helps to have a secured connection. But in order to have the best TLS configuration, I’ve tested my domain and subdomains on the https://www.ssllabs.com/ website. The default Let’s Encrypt configuration gives a B grade as a result. It’s confirmed with the Calomel SSL add-on for Firefox. So the default TLS & Let’s Encrypt configuration is not optimised.

Attention: the higher the grade, the more restricted access to the website becomes. Old browsers (on old computer OSes or old smartphone OSes like Android 2.2, 4.0…) won’t be able to connect to your websites.

Since I only use Firefox in its latest version on each of my devices (PC or smartphone), it’s not a problem for me to have the best grade.

So I’ve read many how-tos on securing nginx. I’ve compared the nginx configuration files these how-tos recommend with the one Yunohost has by default. The default nginx file in Yunohost is secure (obsolete algorithms are disabled). But I’ve gone deeper with some modifications.

Nginx configuration file of my subdomain: /etc/nginx/conf.d/blog.mydomain.org.conf:

ssl_protocols TLSv1.1 TLSv1.2;
#ssl_ciphers ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!3DES:+HIGH:+MEDIUM;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

To compare with the one Aeris (the hacktivist) recommends, for an extreme configuration:
TLSv1.2 + EECDH + AESGCM + SHA-2 only :P

What is missing in order to get a better grade in the SSLLabs test is Diffie-Hellman. We need to generate a Diffie-Hellman parameter file, which is done with:
sudo mkdir -p /etc/nginx/ssl &&
sudo openssl rand -out /etc/nginx/ssl/ticket.key 48 &&
sudo openssl dhparam -out /etc/nginx/ssl/dhparam4.pem 4096

It takes time, depending on processor performance and the capacity to generate random numbers.

After the file generation, in the nginx configuration file of each domain and subdomain, you have to do this:
nano /etc/nginx/conf.d/blog.mydomain.org.conf

# Uncomment the following directive after DH generation
# > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
# ssl_dhparam /etc/ssl/private/dh2048.pem;
ssl_dhparam /etc/nginx/ssl/dhparam4.pem;

Then verify that the nginx configuration files are OK with the command:
nginx -t

You restart nginx with :
service nginx restart

You can now retest your domain on SSLLabs and your grade should normally be an A+.

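As an added example (not code from the original post, nor from YunoHost), the shell script below does two things the post describes by hand: it generates the session-ticket key and Diffie-Hellman parameters with the `openssl rand` options in the order OpenSSL expects (options before the byte count), and it lints an nginx server block for the TLS directives discussed here (protocols, cipher string, `ssl_dhparam`) so a config can be reviewed before `nginx -t` and the restart. The directory, bit sizes and the two sample server blocks are constructed for the example; the check treats TLS 1.1 as weak because it has since been deprecated (RFC 8996), which is stricter than the post's final configuration.

```shell
#!/bin/sh
# Added example, not from the original post or from YunoHost.
# gen_tls_material: ticket key + DH parameters (paths/sizes are assumptions).
# lint_nginx_tls:   flags weak protocols, weak cipher groups, and DHE suites
#                   configured without an ssl_dhparam file.
set -eu

gen_tls_material() {
    dir=$1
    bits=${2:-4096}
    mkdir -p "$dir"
    # nginx ssl_session_ticket_key wants a 48-byte (or 80-byte) random file;
    # note the byte count comes after the options.
    openssl rand -out "$dir/ticket.key" 48
    chmod 600 "$dir/ticket.key"
    # Safe-prime DH parameters; 4096 bits takes minutes on a small server.
    openssl dhparam -out "$dir/dhparam$bits.pem" "$bits" 2>/dev/null
    # Make sure the file parses and checks out before pointing ssl_dhparam at it.
    openssl dhparam -in "$dir/dhparam$bits.pem" -noout -check >/dev/null 2>&1
}

# lint_nginx_tls FILE: print one finding per line; return 1 if any were found.
lint_nginx_tls() {
    # Drop comments first so commented-out directives (like the dh2048 lines
    # in the default file) are not mistaken for active ones.
    conf=$(sed 's/#.*//' "$1")
    rc=0
    if printf '%s\n' "$conf" | grep -Eq 'ssl_protocols[^;]*(SSLv2|SSLv3|TLSv1|TLSv1\.1)[[:space:];]'; then
        echo "weak: ssl_protocols still offers SSLv3 / TLS 1.0 / TLS 1.1"; rc=1
    fi
    # Extract the cipher string and test each ':'-separated token; tokens that
    # start with '!' are exclusions and never match these patterns.
    ciphers=$(printf '%s\n' "$conf" | sed -n "s/.*ssl_ciphers[[:space:]]*['\"]\{0,1\}\([^;'\"]*\).*/\1/p" | head -n 1)
    for tok in $(printf '%s' "$ciphers" | tr ':' ' '); do
        case $tok in
            RC4*|3DES*|DES*|MD5*|aNULL*|eNULL*|EXP*|LOW*)
                echo "weak: cipher group '$tok' is enabled rather than excluded"; rc=1 ;;
        esac
    done
    # DHE/EDH suites need ssl_dhparam: nginx before 1.11.0 fell back to
    # built-in 1024-bit parameters (the post's B grade), later versions just
    # stop offering those suites.
    if printf '%s' "$ciphers" | grep -Eq '(^|[:+])(EDH|DHE|kEDH|kDHE)' \
       && ! printf '%s\n' "$conf" | grep -q 'ssl_dhparam'; then
        echo "missing: DHE ciphers enabled but no ssl_dhparam directive"; rc=1
    fi
    return $rc
}

# write_samples DIR: two constructed server blocks for trying the lint.
write_samples() {
    dir=$1
    mkdir -p "$dir"
    # Resembles the post's starting point: TLS 1.1 on, EDH suites, dhparam commented out.
    cat > "$dir/weak.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    # ssl_dhparam /etc/ssl/private/dh2048.pem;
}
EOF
    # Hardened variant: TLS 1.2 only, ECDHE only (no DH file needed), ticket key set.
    cat > "$dir/hardened.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM';
    ssl_prefer_server_ciphers on;
    ssl_session_ticket_key /etc/nginx/ssl/ticket.key;
}
EOF
}

# Demo: RUN_DEMO=1 sh tls-check.sh [DIR]  (DH_BITS overrides the 2048 default)
if [ "${RUN_DEMO:-0}" = 1 ]; then
    d=${1:-/tmp/tls-demo}
    write_samples "$d"
    for f in "$d/weak.conf" "$d/hardened.conf"; do
        echo "== $f"; lint_nginx_tls "$f" || true
    done
    gen_tls_material "$d/ssl" "${DH_BITS:-2048}"
    ls -l "$d/ssl"
fi
```

Run the lint on each file under /etc/nginx/conf.d/ before `nginx -t`; the two sample blocks show the difference between the post's starting point (two findings) and a configuration with only ECDHE suites, where no DH file is needed at all.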

Aeris says on Twitter:

Remove EDH completely. Avoid the (very long) (and weak) DH generation. No compatibility trouble AFAIK.