nginx SSL hardening: Get an A rating on SSL Labs & forward secrecy

Introduction

I recently got a shiny new 2048-bit SSL certificate for onebytetoomany.co.uk (even Facebook is still on the now-considered-insecure 1024-bit cert at the time of writing). I’m in the process of getting an extended validation (EV) certificate, but in the meantime I had the task of hardening our nginx server to include the following:-


Here’s the result:

OBTM's SSL Report

How to:

You will need the following prerequisites installed:
>= openssl-1.0.1
>= nginx-1.2.1


The Configuration

The cipher priorities might change, as there is much discussion about RC4 being old, but apparently it is the best we have right now.

If you want to hear all about Strict Transport Security I suggest listening to Steve Gibson :)
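The two pieces of the configuration section above (cipher ordering for forward secrecy and the Strict Transport Security header), shown as an added example of a hardened nginx server block; this is not the configuration from the original post. The server name, certificate paths and the cipher list are assumptions, and the list is ordered for forward secrecy with RC4 left out (RFC 7465 now prohibits RC4 in TLS).

```nginx
# Added example, not the post's own configuration.
# Host name and file paths are assumptions; replace them with your own.
server {
    listen 443 ssl;
    server_name example.com;                                # assumed host name

    ssl_certificate     /etc/nginx/ssl/example.com.crt;     # assumed path
    ssl_certificate_key /etc/nginx/ssl/example.com.key;     # assumed path

    # Offer TLS only; SSLv2 and SSLv3 are never negotiated.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Forward secrecy: ECDHE/DHE suites first, so a recorded session cannot be
    # decrypted later with the server's long-term private key. Assumed list;
    # names are OpenSSL 1.0.1 cipher names. RC4, NULL and MD5 are excluded.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!MD5:!RC4';

    # Without this the client's preference wins and the ordering above is moot.
    ssl_prefer_server_ciphers on;

    # DHE suites need a DH group; a 2048-bit one can be generated with
    #   openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;                 # assumed path

    # Session resumption so repeat visitors skip the full handshake.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Strict Transport Security: a browser that has seen this header refuses
    # plain HTTP to this host for max-age seconds (one year here).
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}

# Plain HTTP is redirected so clients reach the HSTS header over TLS.
server {
    listen 80;
    server_name example.com;                                # assumed host name
    return 301 https://$server_name$request_uri;
}
```

nginx does not inherit `add_header` into a `location` block that declares its own `add_header`, so the HSTS line must be repeated in any such block or the header silently disappears for those paths.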