quick notes on hardening nginx ssl
The SSL test is a useful tool for determining the strength of your server's SSL configuration. Here is my result. There are a few simple steps you can take with nginx to get a higher score. First, the highlights from my nginx.conf:
- enable an SSL session cache
- only use recent protocols
- only use high-strength ciphers
- prefer ciphers that allow for perfect forward secrecy
- use HSTS
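As an added example (not the author's nginx.conf, which is only summarised in the list above), here is a server block that applies the five points. The hostname, file paths, protocol list and cipher list are my assumptions; the post itself only says that SSLv2/SSLv3 and weak ciphers were dropped.

```nginx
# Added example: TLS server block covering the five highlights above.
# example.com and the /etc/nginx/ssl paths are placeholders.

server {
    listen 443 ssl;
    server_name example.com;

    # Site cert followed by the CA's intermediate cert (the "chained cert"
    # built with cat later in the post); key path is assumed.
    ssl_certificate     /etc/nginx/ssl/your_bundle_cert.crt;
    ssl_certificate_key /etc/nginx/ssl/your_cert.key;

    # 1. Session cache: returning clients resume instead of doing a full
    #    handshake. 10m of shared cache holds roughly 40k sessions.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    # Session tickets are encrypted with a key nginx keeps for its lifetime;
    # leaving them on weakens forward secrecy unless that key is rotated.
    ssl_session_tickets off;

    # 2. Recent protocols only. Assumed current list; the post's point is
    #    simply that SSLv2/SSLv3 are gone. TLSv1.3 needs OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;

    # 3 + 4. High-strength ciphers only, ephemeral (ECDHE) suites first so a
    #        leaked private key cannot decrypt recorded traffic. The explicit
    #        exclusions remove anonymous, null, MD5, RC4 and 3DES suites.
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!MD5:!RC4:!3DES';
    # Let the server's order win over the client's preference.
    ssl_prefer_server_ciphers on;

    # 5. HSTS: browsers remember to use HTTPS for this host for one year.
    #    "always" (nginx 1.7.5+) sends the header on error responses too.
    add_header Strict-Transport-Security "max-age=31536000" always;
}

# HSTS is only honoured when received over HTTPS, so plain HTTP should do
# nothing but redirect.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```

Check the file with `nginx -t` before reloading; a cipher name your OpenSSL build does not know will fail the test rather than silently fall back to a weaker suite.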
I've removed a lot from the standard nginx SSL deployment: SSLv2/SSLv3 support and weak ciphers. If your audience is mostly using modern browsers, none of these changes will affect them.
I also provide a chained cert. A chained cert bundles the certificate authority's intermediate certificate with your site cert, so the client does not have to fetch it separately.
For nginx, you create a chained cert as
cat your_cert.crt authority_cert.crt > your_bundle_cert.crt
and then use your_bundle_cert.crt as your site cert. The order matters: your own cert must come first, followed by the intermediate.
These changes should get you an "A" score on the test.
last update 2013-06-25