Get A+ and score 100/100/100/100 on SSL Labs with TLSv1.3
For this I use an SSL certificate from Let's Encrypt.
-
Generate a 4096-bit SSL certificate
-
Generate 4096-bit key exchange (DH) parameters (to get a 100% Key exchange score):
openssl dhparam -out dhparams.pem 4096
-
Download the nginx source from http://nginx.org/en/download.html
-
Download the OpenSSL source from https://www.openssl.org/source/
-
Edit ssl.h (openssl_src/include/openssl/ssl.h) in the OpenSSL source folder you downloaded
-
Go to lines 178 and 181 and remove TLS_AES_128_GCM_SHA256. Based on https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide#cipher-strength , 128-bit keys score 90%, so you need to remove it if you want to get 100% Cipher strength. The original code looks like this:
#define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
                                 "TLS_CHACHA20_POLY1305_SHA256:" \
                                 "TLS_AES_128_GCM_SHA256"
#else
#define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
                                 "TLS_AES_128_GCM_SHA256"
#endif
Change it to this:
#define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
                                 "TLS_CHACHA20_POLY1305_SHA256"
#else
#define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384"
#endif
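Line numbers in ssl.h shift between OpenSSL releases, so this added example (not part of the original steps and not OpenSSL code) checks the edit by macro name: it parses every TLS_DEFAULT_CIPHERSUITES definition and lists any suite below 256 bits. The header snippets are constructed samples modelled on the excerpt above, and the function names are this example's own.

```python
import re

# Symmetric key size in bits for the TLS 1.3 suite names OpenSSL uses.
SUITE_BITS = {
    "TLS_AES_256_GCM_SHA384": 256,
    "TLS_CHACHA20_POLY1305_SHA256": 256,
    "TLS_AES_128_GCM_SHA256": 128,
    "TLS_AES_128_CCM_SHA256": 128,
    "TLS_AES_128_CCM_8_SHA256": 128,
}

def default_suite_lists(header_text):
    """Return one suite list per '#define TLS_DEFAULT_CIPHERSUITES' found."""
    # Fold backslash-continued lines so each #define is one logical line.
    folded = re.sub(r"\\[ \t]*\r?\n", " ", header_text)
    lists = []
    for line in folded.splitlines():
        m = re.match(r"\s*#\s*define\s+TLS_DEFAULT_CIPHERSUITES\b(.*)", line)
        if m:
            # Adjacent C string literals concatenate: "A:" "B" is "A:B".
            value = "".join(re.findall(r'"([^"]*)"', m.group(1)))
            lists.append([s for s in value.split(":") if s])
    return lists

def weak_suites(header_text, min_bits=256):
    """Suites under min_bits (unknown names count as weak) in any branch."""
    weak = []
    for suites in default_suite_lists(header_text):
        for name in suites:
            if SUITE_BITS.get(name, 0) < min_bits and name not in weak:
                weak.append(name)
    return weak

# Constructed samples modelled on the excerpt above (not a full ssl.h).
STOCK = '''#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \\
                                  "TLS_CHACHA20_POLY1305_SHA256:" \\
                                  "TLS_AES_128_GCM_SHA256"
#else
# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \\
                                  "TLS_AES_128_GCM_SHA256"
#endif
'''
# Apply the edit described above to both branches of the sample.
PATCHED = re.sub(r':"\s*\\\s*"TLS_AES_128_GCM_SHA256"', '"', STOCK)

if __name__ == "__main__":
    print("stock  :", weak_suites(STOCK))
    print("patched:", weak_suites(PATCHED))
```

To check a real tree, pass the contents of openssl_src/include/openssl/ssl.h to weak_suites() before compiling; an empty list means both branches of the macro are 256-bit only.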
-
Compile nginx with the OpenSSL source you downloaded:
./configure .... .... --with-openssl=openssl_src
make && make install
-
You're done. You get an A+ score with 100/100/100/100 :)
- Protocol: minimum TLSv1.2 to get 100%
- Key exchange: minimum 4096 bit to get 100%
- Cipher strength: >= 256 bit to get 100%