Skip to main content

Getting an A+ Score on Qualys' SSL Server Test

On a lark, to get some experience with configuring HTTPS servers, I decided to host the Flightware frontends on my RaspberryPi on an HTTPS endpoint instead of the default HTTP. The broad steps to do this were:

  1. Getting a certificate for my site via LetsEncrypt's certbot
  2. Enabling the HTTPS endpoint on Lighttpd
  3. Testing the security of the setup via the Qualys SSL Server Test
It took some trial and error to get an A+ rating for my server's SSL setup. The two key steps involved in improving the security of the setup were:
  1. Starting with a strong SSL configuration generated by Mozilla's SSL Configuration Generator. This means no SSL v2, SSL v3 or anything below TLS v1.2, and setting up HSTS
  2. Configuring DNS CAA records for the domain. Here's how my CAA record is configured on Google Domains:

    dig caa element77.com +short

    0 issue "letsencrypt.org"

    0 issue "pki.goog"

    0 iodef "mailto:caa@element77.com"

    0 issue "amazon.com"

I haven't set up OCSP stapling yet but that's an exercise for the future. Here's my full SSL configuration for the server.

  1 # /usr/share/doc/lighttpd/ssl.txt

  2 

  3 server.modules += ( "mod_openssl" )

  4         

  5 $SERVER["socket"] == "0.0.0.0:443" {

  6         ssl.engine = "enable"

  7         ssl.privkey= "/etc/letsencrypt/live/piaware.element77.com/privkey.pem"

  8         ssl.pemfile = "/etc/letsencrypt/live/piaware.element77.com/fullchain.pem"

  9         ssl.ca-file = "/etc/letsencrypt/live/piaware.element77.com/chain.pem"

 10         

 11 # Test via https://www.ssllabs.com/ssltest/analyze.html?d=piaware.element77.com

 12 # See https://www.raymii.org/s/tutorials/Strong_SSL_Security_On_lighttpd.html

 13 # See https://ssl-config.mozilla.org/#server=lighttpd&version=1.4.55&config=intermediate&openssl=1.1.1d&guideline=5.4

 14 # modern configuration

 15         ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1")

 16         ssl.honor-cipher-order = "disable"

 17         ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-    GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"

 18         ssl.dh-file = "/etc/ssl/certs/dhparam.pem"

 19         ssl.ec-curve = "secp384r1" 

 20 }               

 21                 

 22 server.modules += ( "mod_setenv" )

 23 $HTTP["scheme"] == "https" {

 24         setenv.set-response-header = (

 25                 "Strict-Transport-Security" => "max-age=31536000; includeSubdomains",

 26                 "X-Frame-Options" => "DENY",

 27                 "Content-Security-Policy" => "frame-src none;"

 28         )

 29 }       

 30                 

 31 # Redirect HTTP to HTTPS only on port 80

 32 # dump1090-fa data is served on 8080 on HTTP

 33 $HTTP["scheme"] == "http" {

 34         $SERVER["socket"] == ":80" {

 35                 url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")

 36         }

 37 }


Comments

Popular posts from this blog

AD-5526 Digital Multimeter

The AD-5526 is an ancient multimeter from A&D but for $10 one can’t complain. Has all the basic features one would expect from a multimeter and at 5.2 cm X 9.5 cm X 2.6 cm, it’s quite compact. Uses a LRV08 12V alkaline battery – not a common battery in the USA.

Migrating from Palm Calendar to Google Calendar and iPhone

Here are the free steps to migrate from Palm's date book (or Pimlico's DateBk6 ) calendar to Google calendar for full iPhone sync. First, sync Palm with Palm Desktop . Next, open Palm Desktop, select the Calendar view, navigate to File | Export, select Export Type as Date Book Archive, Range as All and provide a file name. This will export the calendar data as Date Book Archive (.dba). There's a paid tool called DBA2CSV that converts .dba files to .csv files. However this can be done for free using Yahoo Calendar. Login into Yahoo Calendar and via Settings/Import, import the .dba file. It helps to have an empty Yahoo Calendar. Via Settings/Export, export the calendar as .csv file. Login to Google Calendar (also works with Google Apps For Your Domain GAFYD Calendar) and import the .csv file into any of the calendars. It is a good idea to create a test calendar and test the import before importing into your real calendar. That way if anything goes wrong, you can delet...

Fetching Stock Data From Yahoo For iOS Applications

Yahoo! provides a great service called Yahoo! Query Language (YQL) which provides a SQL-like interface to a whole bunch of Web services. YQL queries can also be performed via REST. A wide range of services can be accessed through YQL including Yahoo! Finance . A convenient way to play with YQL and explore the available Web services, is to use the YQL Console . The bottom right of the console lists all the data tables, grouped by provider. (Be sure to click "Show Community Tables" to view all the available tables.) The yahoo provider includes the data table yahoo.finance.quote . This table provides access to stock quotes from Yahoo! Finance. As an example, here's the YQL console showing a query for stock data for AAPL . The console helpfully shows the REST URL for the query at the bottom. Armed with the REST URL, it is trivial to write code in Objective-C/iOS to fetch quote data. Here's some code that takes in an NSArray of ticker symbols (NSStrings) and returns a ...