My blog now gets an A+ on SSL Labs

Woohoo!

Since it's was way more of a pain than it should be, I figured I'd brag a little bit.

Since Ubuntu 14.04 still ships with an ancient version of NodeJS, I had to compile my own version using the latest source (v0.13.0) in order to get ECC and perfect forward secrecy which was introduced in v0.12.

Then I used the following settings to order the cipher suites, blacklist some week algorithms (like md5, rc4, export ciphers, and null ciphers), and remove SSLv3:

var https_options = {
    'key': privateKey,
    'cert': certificate,
    'ca': ca_bundle,
    'secureProtocol': 'SSLv23_method',
    'secureOptions': constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_SSLv2,
    'honorCipherOrder': true,
    'ciphers': [
        "ECDHE-RSA-AES256-SHA384",
        "DHE-RSA-AES256-SHA384",
        "ECDHE-RSA-AES256-SHA256",
        "DHE-RSA-AES256-SHA256",
        "ECDHE-RSA-AES128-SHA256",
        "DHE-RSA-AES128-SHA256",
        "HIGH",
        "!aNULL",
        "!eNULL",
        "!EXPORT",
        "!DES",
        "!RC4",
        "!MD5",
        "!PSK",
        "!SRP",
        "!CAMELLIA"
    ].join(':')
};

Finally, I used Helmet to enable HSTS and a few other features it includes.

And the result of all this 😀🔑:

ssl_labs

My blog now gets an A+ on SSL Labs
Share this