Skip to main content

Getting an A+ Score on Qualys' SSL Server Test

Image
By
On a lark, to get some experience with configuring HTTPS servers, I decided to host the Flightware frontends on my RaspberryPi on an HTTPS endpoint instead of the default HTTP. The broad steps to do this were:

  1. Getting a certificate for my site via LetsEncrypt's certbot
  2. Enabling the HTTPS endpoint on Lighttpd
  3. Testing the security of the setup via the Qualys SSL Server Test
It took some trial and error to get an A+ rating for my server's SSL setup. The two key steps involved in improving the security of the setup were:
  1. Starting with a strong SSL configuration generated by Mozilla's SSL Configuration Generator. This means no SSL v2, SSL v3 or anything below TLS v1.2, and setting up HSTS
  2. Configuring DNS CAA records for the domain. Here's how my CAA record is configured on Google Domains:

    dig caa element77.com +short

    0 issue "letsencrypt.org"

    0 issue "pki.goog"

    0 iodef "mailto:caa@element77.com"

    0 issue "amazon.com"

I haven't set up OCSP stapling yet but that's an exercise for the future. Here's my full SSL configuration for the server.
  1 # /usr/share/doc/lighttpd/ssl.txt
  2 
  3 server.modules += ( "mod_openssl" )
  4         
  5 $SERVER["socket"] == "0.0.0.0:443" {
  6         ssl.engine = "enable"
  7         ssl.privkey= "/etc/letsencrypt/live/piaware.element77.com/privkey.pem"
  8         ssl.pemfile = "/etc/letsencrypt/live/piaware.element77.com/fullchain.pem"
  9         ssl.ca-file = "/etc/letsencrypt/live/piaware.element77.com/chain.pem"
 10         
 11 # Test via https://www.ssllabs.com/ssltest/analyze.html?d=piaware.element77.com
 12 # See https://www.raymii.org/s/tutorials/Strong_SSL_Security_On_lighttpd.html
 13 # See https://ssl-config.mozilla.org/#server=lighttpd&version=1.4.55&config=intermediate&openssl=1.1.1d&guideline=5.4
 14 # modern configuration
 15         ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1")
 16         ssl.honor-cipher-order = "disable"
 17         ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-    GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
 18         ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
 19         ssl.ec-curve = "secp384r1" 
 20 }               
 21                 
 22 server.modules += ( "mod_setenv" )
 23 $HTTP["scheme"] == "https" {
 24         setenv.set-response-header = (
 25                 "Strict-Transport-Security" => "max-age=31536000; includeSubdomains",
 26                 "X-Frame-Options" => "DENY",
 27                 "Content-Security-Policy" => "frame-src none;"
 28         )
 29 }       
 30                 
 31 # Redirect HTTP to HTTPS only on port 80
 32 # dump1090-fa data is served on 8080 on HTTP
 33 $HTTP["scheme"] == "http" {
 34         $SERVER["socket"] == ":80" {
 35                 url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
 36         }
 37 }

Labels:

Comments

Post a Comment

Popular posts from this blog

Migrating from Palm Calendar to Google Calendar and iPhone

By
Here are the free steps to migrate from Palm's date book (or Pimlico's DateBk6 ) calendar to Google calendar for full iPhone sync. First, sync Palm with Palm Desktop . Next, open Palm Desktop, select the Calendar view, navigate to File | Export, select Export Type as Date Book Archive, Range as All and provide a file name. This will export the calendar data as Date Book Archive (.dba). There's a paid tool called DBA2CSV that converts .dba files to .csv files. However this can be done for free using Yahoo Calendar. Login into Yahoo Calendar and via Settings/Import, import the .dba file. It helps to have an empty Yahoo Calendar. Via Settings/Export, export the calendar as .csv file. Login to Google Calendar (also works with Google Apps For Your Domain GAFYD Calendar) and import the .csv file into any of the calendars. It is a good idea to create a test calendar and test the import before importing into your real calendar. That way if anything goes wrong, you can delet...
15 comments
Read more

AD-5526 Digital Multimeter

By
The AD-5526 is an ancient multimeter from A&D but for $10 one can’t complain. Has all the basic features one would expect from a multimeter and at 5.2 cm X 9.5 cm X 2.6 cm, it’s quite compact. Uses a LRV08 12V alkaline battery – not a common battery in the USA.
Post a Comment
Read more

RTL-SDR, Raspberry Pi and Plane Spotting via ADS-B

By
Most modern aircraft carry an ADS-B ( Automatic Dependent Surveillance - Broadcast ) transmitter that puts out information about the aircraft's identification, geospatial location, speed, and heading. This information is received by ground stations and air traffic control and used as a replacement for radar-based tracking. ADS-B relies on line-of-sight communication via signals transmitted at 1090 Mhz and has a range of up to 250 nautical miles. Sites such as FlightAware , FlightRadar24 , Plane Finder , RadarBox24 , etc. collect ADS-B information using a vast array of ADS-B receivers, some of which are run by hobbyists, and present this information on maps with near-real-time updates. With the advent of cheap software-defined-radio (SDR) dongles, over the past few years, it has become extremely cheap and easy for amateurs to receive ADS-B signals, upload data to these sites and, in exchange, get access to premium features from these sites. This guide will walk you t...
Post a Comment
Read more