For websites hosted on Ubuntu 16 with Nginx, SSL tests always show a B grade. Below is the reason shown (see also the attached image). Current SSL cipher settings are below. I have noticed the same thing on around 8 to 10 servers I have with Ubuntu 16 and Nginx.
```nginx
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
# the original string contained a doubled '::' separator (an empty list element); corrected to a single ':'
ssl_ciphers 'AES256+EECDH:AES256+EDH:!EECDH+aRSA+RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
ssl_session_cache shared:SSL:10m;
```
Diffie-Hellman (DH) key exchange parameters. Grade capped to B
One way to see if a server or endpoint supports Diffie-Hellman is to use the nmap tool with the option for the ssl-enum-ciphers script, as shown in the example below, to list all supported cipher suites. All cipher suites that list DH, DHE, or ECDHE use Diffie-Hellman.
Setting up an HTTPS server: to set up an HTTPS server, in your nginx.conf file add the ssl parameter to the listen directive in the server block, then specify the locations of the server certificate and private key files: `server { listen 443 ssl; server_name www.example.com; ssl_certificate www.`
Finally I found the solution. By default Linux uses the inbuilt DH parameters provided by OpenSSL. These use a weak key. The solution is to generate our own. Use the command below to generate a new one. I used 2048; you can also try 4096.

```shell
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
```

Then add it to the nginx main conf and reload. Here we go, we now have an A grade.

```nginx
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
```
Reference URLs:
https://michael.lustfield.net/nginx/getting-a-perfect-ssl-labs-score
https://geekflare.com/nginx-webserver-security-hardening-guide/
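The following is an added example, not code from the question or the answer above, that automates the two checks behind this thread: whether a cipher string like the one in the question still enables finite-field DHE suites (the ones `ssl_dhparam` governs, as opposed to ECDHE), and whether the DH parameter file the answer generates actually carries a prime of the intended size. The nginx snippets and the demo primes are constructed for the demonstration (the demo primes are not safe primes and must never be deployed); the parser reads the PKCS#3 `DH PARAMETERS` structure that `openssl dhparam` writes, which is `SEQUENCE { INTEGER p, INTEGER g }`.

```python
import base64
import re

# Constructed nginx snippets (not captured from a real server): the question's
# configuration, and the same configuration after the answer's fix.
NGINX_BEFORE = """
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers 'AES256+EECDH:AES256+EDH:!EECDH+aRSA+RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
ssl_session_cache shared:SSL:10m;
"""
NGINX_AFTER = NGINX_BEFORE + "ssl_dhparam /etc/nginx/ssl/dhparam.pem;\n"

# Constructed demo moduli: correct bit lengths, NOT safe primes. Demo only.
DEMO_P_2048 = (1 << 2047) | 0xC5
DEMO_P_1024 = (1 << 1023) | 0x1F


def nginx_directives(text):
    """Return {directive: value} for simple `name value;` lines (comments stripped)."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(\w+)\s+(.*);$", line)
        if m:
            out[m.group(1)] = m.group(2).strip("'\"")
    return out


def enables_finite_field_dh(cipher_string):
    """True if an OpenSSL cipher string explicitly keeps a DHE/EDH suite enabled.
    Only positive tokens are examined; umbrella aliases such as HIGH or DEFAULT
    are not expanded here, so treat a False result from those as 'unknown'."""
    for token in cipher_string.split(":"):
        if not token or token.startswith("!"):
            continue
        parts = set(token.lstrip("+-").split("+"))
        if parts & {"DH", "DHE", "EDH", "kDHE", "kEDH"}:
            return True
    return False


def _der_len_decode(buf, i):
    """Decode a DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _der_len_encode(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(n):
    # One extra bit of room so a modulus with its top bit set gets a 0x00 pad
    # byte and stays a positive INTEGER.
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len_encode(len(body)) + body


def make_dh_pem(p, g=2):
    """Encode constructed DH parameters as a 'DH PARAMETERS' PEM (demo only)."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len_encode(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def dh_prime_bits(pem_text):
    """Bit length of p in a PKCS#3 DH PARAMETERS PEM: SEQUENCE { INTEGER p, INTEGER g }."""
    b64 = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64)
    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, i = _der_len_decode(der, 1)
    if der[i] != 0x02:
        raise ValueError("expected INTEGER p")
    plen, i = _der_len_decode(der, i + 1)
    return int.from_bytes(der[i:i + plen], "big").bit_length()


def assess(nginx_text, dhparam_pem=None, minimum_bits=2048):
    """Return (ok, reason) mirroring the SSL Labs 'DH key exchange parameters' finding."""
    d = nginx_directives(nginx_text)
    if not enables_finite_field_dh(d.get("ssl_ciphers", "")):
        return True, "no DHE suites explicitly enabled; ssl_dhparam is not in play"
    if "ssl_dhparam" not in d:
        return False, "DHE suites enabled but no ssl_dhparam: the built-in default group is used"
    if dhparam_pem is None:
        return False, "ssl_dhparam is set but its file contents were not supplied for checking"
    bits = dh_prime_bits(dhparam_pem)
    if bits < minimum_bits:
        return False, "ssl_dhparam prime is only %d bits (minimum %d)" % (bits, minimum_bits)
    return True, "ssl_dhparam prime is %d bits" % bits


if __name__ == "__main__":
    print(assess(NGINX_BEFORE))
    print(assess(NGINX_AFTER, make_dh_pem(DEMO_P_2048)))
```

On a real host, read `/etc/nginx/ssl/dhparam.pem` (the path from the answer) and pass its contents as `dhparam_pem`; `openssl dhparam -in /etc/nginx/ssl/dhparam.pem -text -noout` reports the same prime size and is the quicker cross-check when OpenSSL is available.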