
Getting an A+ Score on Qualys' SSL Server Test

On a lark, to get some experience with configuring HTTPS servers, I decided to host the FlightAware frontends on my Raspberry Pi on an HTTPS endpoint instead of the default HTTP. The broad steps to do this were:

  1. Getting a certificate for my site via Let's Encrypt's certbot
  2. Enabling the HTTPS endpoint on Lighttpd
  3. Testing the security of the setup via the Qualys SSL Server Test

It took some trial and error to get an A+ rating for my server's SSL setup. The two key steps involved in improving the security of the setup were:

  1. Starting with a strong SSL configuration generated by Mozilla's SSL Configuration Generator. This means no SSL v2, SSL v3 or anything below TLS v1.2, and setting up HSTS.
  2. Configuring DNS CAA records for the domain, so that only the listed CAs may issue certificates for it. Here's how my CAA record is configured on Google Domains:

    dig caa element77.com +short
    0 issue "letsencrypt.org"
    0 issue "pki.goog"
    0 iodef "mailto:caa@element77.com"
    0 issue "amazon.com"
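As an added example (not from the original post), here is how a CA evaluates those records under RFC 8659: it walks up from the requested name until it finds a CAA record set, then checks the issue (or issuewild) values. The zone data is constructed to match the records above; piaware.element77.com carries no CAA records of its own, so it inherits the apex set.

```python
from typing import Dict, List, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value) as printed by dig

# Constructed zone data mirroring the records shown above: only the apex
# of element77.com carries CAA records; subdomains inherit them.
ZONE: Dict[str, List[CaaRecord]] = {
    "element77.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "pki.goog"),
        (0, "iodef", "mailto:caa@element77.com"),
        (0, "issue", "amazon.com"),
    ],
}


def relevant_caa_set(fqdn: str, zone: Dict[str, List[CaaRecord]]) -> List[CaaRecord]:
    """Return the relevant CAA RRset for fqdn (RFC 8659 section 3): the first
    non-empty set found walking from the name itself up towards the root."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return zone[candidate]
    return []


def ca_may_issue(fqdn: str, ca_domain: str, zone: Dict[str, List[CaaRecord]],
                 wildcard: bool = False) -> bool:
    """Decide whether ca_domain may issue for fqdn (RFC 8659 section 4.2).
    No relevant RRset at all, or one without an 'issue'-type tag, means
    any CA may issue; a value of ';' means no CA may issue."""
    records = relevant_caa_set(fqdn, zone)
    # For wildcard requests 'issuewild' governs when present, else 'issue'.
    tag = "issue"
    if wildcard and any(r[1] == "issuewild" for r in records):
        tag = "issuewild"
    values = [r[2] for r in records if r[1] == tag]
    if not values:
        return True
    authorised = set()
    for value in values:
        # Strip optional parameters ("letsencrypt.org; key=value").
        domain = value.split(";", 1)[0].strip().lower()
        if domain:
            authorised.add(domain)
    return ca_domain.lower() in authorised
```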

I haven't set up OCSP stapling yet but that's an exercise for the future. Here's my full SSL configuration for the server.

    # /usr/share/doc/lighttpd/ssl.txt

    server.modules += ( "mod_openssl" )

    $SERVER["socket"] == "0.0.0.0:443" {
            ssl.engine = "enable"
            ssl.privkey = "/etc/letsencrypt/live/piaware.element77.com/privkey.pem"
            ssl.pemfile = "/etc/letsencrypt/live/piaware.element77.com/fullchain.pem"
            ssl.ca-file = "/etc/letsencrypt/live/piaware.element77.com/chain.pem"

    # Test via https://www.ssllabs.com/ssltest/analyze.html?d=piaware.element77.com
    # See https://www.raymii.org/s/tutorials/Strong_SSL_Security_On_lighttpd.html
    # See https://ssl-config.mozilla.org/#server=lighttpd&version=1.4.55&config=intermediate&openssl=1.1.1d&guideline=5.4
    # Mozilla "intermediate" profile from the generator above: TLS 1.2 and 1.3 only
            ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1")
            ssl.honor-cipher-order = "disable"
            ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
            ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
            ssl.ec-curve = "secp384r1"
    }

    server.modules += ( "mod_setenv" )
    $HTTP["scheme"] == "https" {
            # CSP source keywords must be single-quoted: a bare "none" is parsed as a host name
            setenv.set-response-header = (
                    "Strict-Transport-Security" => "max-age=31536000; includeSubdomains",
                    "X-Frame-Options" => "DENY",
                    "Content-Security-Policy" => "frame-src 'none';"
            )
    }

    # Redirect HTTP to HTTPS only on port 80
    # dump1090-fa data is served on 8080 on HTTP
    $HTTP["scheme"] == "http" {
            $SERVER["socket"] == ":80" {
                    url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
            }
    }

