The Cost of A+

As someone maintaining my own web server, I often use various tools to determine if things are good. As web servers are not my daily job, I found that is the only way to save both sanity and time.

One of the most helpful tools comes courtesy of SSL Labs. Their SSL/TLS test suite is both simple to use and full of really good data. While getting a good score doesn't guarantee everything is secure, it shows you are doing at least some things right.

As of Jan 31st 2020, SSL Labs decided to cap grade to B for lower TLS (1.0 and 1.1) protocols. That means even if your server was a class star until then, starting February it got relegated to a B league. Totally unacceptable!

Fortunately, if you are using Apache, change is easy:

apache2.conf
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:-MEDIUM:!LOW:!aNULL:!MD5
SSLHonorCipherOrder on

With this adjustment your server can enjoy A+ again.


PS: Cost? Say goodbye to Android 4.3, Windows Phone 8, Java 7, Safari 6, and Internet Explorer on Windows 7. For me personally all things I can live without.

PPS: If you want to disable some algorithms manually, a table mapping between OpenSSL and IANA names will be most useful.

PPPS: For curious, here are my TLS definitions for Apache:

apache2.conf
SSLProtocol "TLSv1.3" "+TLSv1.2"
SSLCipherSuite "TLSv1.3" "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
SSLCipherSuite "HIGH -MEDIUM !LOW !aNULL !MD5 !3DES !AES128 !ARIA128 !CAMELLIA !RSA"
SSLHonorCipherOrder on
SSLOpenSSLConfCmd Curves secp521r1:secp384r1:prime256v1
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOptions +StrictRequire
SSLCompression off
SSLStrictSNIVHostCheck off

SSLSessionCache "shmcb:/run/httpd/sslcache(512000)"
SSLSessionCacheTimeout 300

SSLStaplingCache "shmcb:/tmp/stapling_cache(128000)"
SSLUseStapling on

One thought to “The Cost of A+”

  1. Since all the modern and just old browser supports TLS 1.3, in some days we can remove the SSL Protocol TLS 1.2. It is up to you what you are running.

Leave a Reply

Your email address will not be published. Required fields are marked *