6

For a website hosted on Ubuntu 16 with Nginx, SSL tests always show a B grade. Below is the reason shown. See also the attached image. Current SSL cipher settings are below. I have noticed the same thing on around 8 to 10 servers I have with Ubuntu 16 and Nginx.

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers 'AES256+EECDH:AES256+EDH::!EECDH+aRSA+RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
ssl_session_cache shared:SSL:10m;

Diffie-Hellman (DH) key exchange parameters. Grade capped to B

Qualys SSL Labs - SSL Server Test

galoget
  • 722
  • 9
  • 15
nisamudeen97
  • 519
  • 4
  • 22

2 Answers

13

Finally I found the solution. By default Linux uses the inbuilt DH provided by OpenSSL. This uses a weak key. The solution is to generate our own. Use the command below to generate a new one. I used 2048; you can also try 4096.

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

Then add it to the nginx main conf and reload. Here we go: we now have an A grade.

ssl_dhparam /etc/nginx/ssl/dhparam.pem;


Reference URLs:

https://michael.lustfield.net/nginx/getting-a-perfect-ssl-labs-score

https://geekflare.com/nginx-webserver-security-hardening-guide/

nisamudeen97
  • 519
  • 4
  • 22
-2

The Mozilla SSL Configuration Generator is the best way to properly configure your TLS setup.

Chase
  • 3,009
  • 3
  • 17
  • 23
  • Do you think it is because of the "ssl_ciphers" used? I don't think so; I have an A grade with the same ciphers on CentOS servers. – nisamudeen97 Jan 26 '18 at 14:09