Skip to main content

Getting an A+ Score on Qualys' SSL Server Test

Image
By
On a lark, to get some experience with configuring HTTPS servers, I decided to host the Flightware frontends on my RaspberryPi on an HTTPS endpoint instead of the default HTTP. The broad steps to do this were:

  1. Getting a certificate for my site via LetsEncrypt's certbot
  2. Enabling the HTTPS endpoint on Lighttpd
  3. Testing the security of the setup via the Qualys SSL Server Test
It took some trial and error to get an A+ rating for my server's SSL setup. The two key steps involved in improving the security of the setup were:
  1. Starting with a strong SSL configuration generated by Mozilla's SSL Configuration Generator. This means no SSL v2, SSL v3 or anything below TLS v1.2, and setting up HSTS
  2. Configuring DNS CAA records for the domain. Here's how my CAA record is configured on Google Domains:

    dig caa element77.com +short

    0 issue "letsencrypt.org"

    0 issue "pki.goog"

    0 iodef "mailto:caa@element77.com"

    0 issue "amazon.com"

I haven't set up OCSP stapling yet but that's an exercise for the future. Here's my full SSL configuration for the server.
  1 # /usr/share/doc/lighttpd/ssl.txt
  2 
  3 server.modules += ( "mod_openssl" )
  4         
  5 $SERVER["socket"] == "0.0.0.0:443" {
  6         ssl.engine = "enable"
  7         ssl.privkey= "/etc/letsencrypt/live/piaware.element77.com/privkey.pem"
  8         ssl.pemfile = "/etc/letsencrypt/live/piaware.element77.com/fullchain.pem"
  9         ssl.ca-file = "/etc/letsencrypt/live/piaware.element77.com/chain.pem"
 10         
 11 # Test via https://www.ssllabs.com/ssltest/analyze.html?d=piaware.element77.com
 12 # See https://www.raymii.org/s/tutorials/Strong_SSL_Security_On_lighttpd.html
 13 # See https://ssl-config.mozilla.org/#server=lighttpd&version=1.4.55&config=intermediate&openssl=1.1.1d&guideline=5.4
 14 # modern configuration
 15         ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1")
 16         ssl.honor-cipher-order = "disable"
 17         ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-    GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
 18         ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
 19         ssl.ec-curve = "secp384r1" 
 20 }               
 21                 
 22 server.modules += ( "mod_setenv" )
 23 $HTTP["scheme"] == "https" {
 24         setenv.set-response-header = (
 25                 "Strict-Transport-Security" => "max-age=31536000; includeSubdomains",
 26                 "X-Frame-Options" => "DENY",
 27                 "Content-Security-Policy" => "frame-src none;"
 28         )
 29 }       
 30                 
 31 # Redirect HTTP to HTTPS only on port 80
 32 # dump1090-fa data is served on 8080 on HTTP
 33 $HTTP["scheme"] == "http" {
 34         $SERVER["socket"] == ":80" {
 35                 url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
 36         }
 37 }

Labels:

Comments

Post a Comment

Popular posts from this blog

FCC Aproves Sirius-XM Merger

By
This has been a long time coming but finally the FCC has finally approved the merger of Sirius Satellite Radio with XM Satellite Radio . The combined entity is pretty much a monopoly in the satellite radio space but they are still competing with terrestrial radio. Either way, their stocks, NASDAQ:SIRI and NASDAQ:XMSR should get a good boost on Monday. Yahoo! Finance Quote for SIRI Quote for XMSR
1 comment
Read more

Lead Tide SIM Reader

By
I recently came across a cheap little device for reading SIM cards . It was available from Meritline for less than USD 5 with free shipping. Curious to see what it was like, I ordered one. The device came in a small package along with a mini CD containing drivers. The packaging advertised the device as the LEAD TIDE Sim reader . Like most things these days, it's made in China. The device has a USB 1.1 interface. There was no product code or number anywhere on the packaging. Installing the drivers for the device turned out to be harder than I expected. The mini CD's autorun installed some stuff but Microsoft Windows XP couldn't install any suitable driver for the device. The mini-CD had several top level directories with what appeared to be product codes but I couldn't match any to the device itself since it had no product code. Google searches revealed that I wasn't alone in my endeavors to get the device working . Further digging revealed pointers to some thir
11 comments
Read more

Migrating from Palm Calendar to Google Calendar and iPhone

By
Here are the free steps to migrate from Palm's date book (or Pimlico's DateBk6 ) calendar to Google calendar for full iPhone sync. First, sync Palm with Palm Desktop . Next, open Palm Desktop, select the Calendar view, navigate to File | Export, select Export Type as Date Book Archive, Range as All and provide a file name. This will export the calendar data as Date Book Archive (.dba). There's a paid tool called DBA2CSV that converts .dba files to .csv files. However this can be done for free using Yahoo Calendar. Login into Yahoo Calendar and via Settings/Import, import the .dba file. It helps to have an empty Yahoo Calendar. Via Settings/Export, export the calendar as .csv file. Login to Google Calendar (also works with Google Apps For Your Domain GAFYD Calendar) and import the .csv file into any of the calendars. It is a good idea to create a test calendar and test the import before importing into your real calendar. That way if anything goes wrong, you can delet
15 comments
Read more