How to Get an A+ Grade on ssllabs.com


What Is SSL Labs?

SSL Labs is a free, noncommercial service provided by cybersecurity company Qualys. SSL Labs gives a free rating of the security of a website’s connection, and issues a grade from A+ to F. When you run a test on SSL Labs, they check your server’s SSL/TLS (Secure Sockets Layer/Transport Layer Security) configurations, and the certificate that is part of the PKI (Public Key Infrastructure). Overall, the grade that SSL Labs issues indicates the security and encryption quality of your web server’s connection.

What Grades Do SSL Labs Issue?

The letter grade is a translation of an average score of all tests. An A grade corresponds to a score of 80/100 or higher. An A+ requires 80/100 or higher, no warnings, and HTTP Strict Transport Security (HSTS) support with a maximum age of at least six months.

Getting an A+ is the ultimate goal for any security-conscious website owner or administrator. An A+ grade tells users, search engines, and other internet services that your website is trustworthy and uses best practices when it comes to security and encryption. An A+ can help your search engine rankings and may improve user experience.

Let’s find out why you need an SSL Labs test, take an in-depth look at an SSL Labs report, and see how to configure your nginx server to get an A+.

Why You Need an SSL Labs Test

Think of SSL Labs as a free security report. While getting an A+ is the ultimate goal, running an SSL Labs test is valuable even if you aren’t certain you’re going to get the best grade. Lower grades provide useful feedback by pinpointing areas ripe for improvement. By highlighting security weaknesses, an SSL Labs report lets you fix vulnerabilities before anyone can take advantage of them. You can rerun the test often to check that your grade is steady or improving, and ensure that you are keeping up to date with the latest security best practices.

It’s worth noting that the SSL score reflects only one aspect of security: the communication channel between a website and its users. How much channel security matters depends on the use case. For public content, it’s optional, but for highly sensitive content (like personal data or payment information) it’s absolutely critical. SSL/TLS is a great foundation on which to build your security, but it doesn’t constitute a complete security program in itself.

What Does an SSL Labs Test Report Look Like?

When you run a test on SSL Labs, the output might be overwhelming and hard to understand. But unless you understand the whole report, you won’t know if there are areas where you can improve your security and grade. Let’s break down the main components of the test report.

How to Configure Your nginx Web Server for an A+ Grade

In order to score at least 80/100, you must fulfill the following minimum requirements:

  • Protocol SSL 3.0 or higher (in practice, protocols below TLS 1.2 were deprecated in 2021 or earlier)
  • Key exchange with key strength and DH parameter greater than or equal to 1024 bits
  • Cryptographic strength of the used cipher greater than or equal to 128 bits
  • HSTS support

Based on the requirements above and modern security requirements, we will use the following settings for this tutorial:

  • Protocols TLS 1.2 and TLS 1.3
  • Key exchange with a key strength of 4096 bits
  • Ciphers with a cryptographic strength of 128 bits or more (from the Mozilla intermediate compatibility set)
  • Prioritization of server ciphers over client ciphers
  • HSTS

Please note that these settings may block communication with the web server for clients that have not received a security update for 5-10 years (e.g., clients running Windows 7 without all security updates). Generally, this will only affect very old clients.

Let’s configure nginx to use the above settings.

server {
    listen 443 ssl;

    ssl_certificate /path/to/server/vhost.crt;
    ssl_certificate_key /path/to/server/vhost.key;

    # allowed protocols
    ssl_protocols TLSv1.2 TLSv1.3;

    # prioritize server ciphers over client ciphers
    ssl_prefer_server_ciphers on;

    # Mozilla Intermediate compatibility cipher set
    # ECDHE-ECDSA-AES128-GCM-SHA256
    # ECDHE-RSA-AES128-GCM-SHA256
    # ECDHE-ECDSA-AES256-GCM-SHA384
    # ECDHE-RSA-AES256-GCM-SHA384
    # ECDHE-ECDSA-CHACHA20-POLY1305
    # ECDHE-RSA-CHACHA20-POLY1305
    # DHE-RSA-AES128-GCM-SHA256
    # DHE-RSA-AES256-GCM-SHA384
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    location / {
        # header for HSTS
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        root /usr/share/nginx/html;
    }
}

Thus, with just four settings, you can configure a web server that meets modern SSL security requirements and will score you an A+ on SSL Labs.
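
As an added example (not part of the original tutorial, nginx or SSL Labs tooling), the following Python sketch checks an nginx configuration offline against the settings chosen above before you submit the site for a scan. The function names, the sample configurations and the 15,768,000-second reading of "six months" are assumptions made for illustration.

```python
import re

# Assumption: "six months" is read as 182.5 days = 15,768,000 seconds.
MIN_HSTS_MAX_AGE = 15_768_000
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

def directives(conf, name):
    """Arguments of every `name ...;` directive (comments stripped, quotes kept)."""
    body = re.sub(r"#[^\n]*", "", conf)
    pattern = rf'(?<![\w-]){re.escape(name)}\s+((?:"[^"]*"|[^;"])*);'
    return [m.group(1).strip() for m in re.finditer(pattern, body)]

def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    protos = set(" ".join(directives(conf, "ssl_protocols")).split())
    if not protos:
        findings.append("ssl_protocols not set; nginx defaults apply")
    elif protos - ALLOWED_PROTOCOLS:
        extra = ", ".join(sorted(protos - ALLOWED_PROTOCOLS))
        findings.append(f"protocols outside TLS 1.2/1.3 enabled: {extra}")
    hsts = [a for a in directives(conf, "add_header")
            if a.lower().startswith("strict-transport-security")]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    for arg in hsts:
        m = re.search(r"max-age\s*=\s*(\d+)", arg, re.I)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below six months")
        if not arg.endswith("always"):
            findings.append("HSTS header lacks 'always'; not sent on error responses")
    ciphers = ":".join(directives(conf, "ssl_ciphers")).split(":")
    if any(c.startswith("DHE-") for c in ciphers) and not directives(conf, "ssl_dhparam"):
        findings.append("DHE ciphers listed without ssl_dhparam; nginx 1.11.0+ will not offer them")
    return findings

# Constructed samples: a reduced form of the tutorial's settings and a weak variant.
TUTORIAL_CONF = """server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}"""
WEAK_CONF = """server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=86400";
}"""

if __name__ == "__main__":
    print(audit(TUTORIAL_CONF), audit(WEAK_CONF), sep="\n")
```

Run against the tutorial's settings, it reports only the DHE finding: nginx 1.11.0 and later offer DHE suites only when `ssl_dhparam` points at a parameter file, so the two DHE entries in `ssl_ciphers` are inactive as written.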

Conclusion: Learn More About SSL Security

As we discovered, getting an A+ grade on SSL Labs is achievable without too much work. An A+ grade brings concrete benefits, such as improved search engine ranking. It’s worth running an SSL Labs test to find out about any security vulnerabilities.
