SSL Labs is a free, noncommercial service provided by cybersecurity company Qualys. SSL Labs gives a free rating of the security of a website’s connection, and issues a grade from A+ to F. When you run a test on SSL Labs, it checks your server’s SSL/TLS (Secure Sockets Layer/Transport Layer Security) configuration and the certificate that is part of the PKI (Public Key Infrastructure). Overall, the grade that SSL Labs issues indicates the security and encryption quality of your web server’s connection.
The letter grade is a translation of an average score of all tests. An A grade corresponds to a score of 80/100 or higher. An A+ requires 80/100 or higher, no warnings, and HTTP Strict Transport Security (HSTS) support with a maximum age of at least six months.
Getting an A+ is the ultimate goal for any security-conscious website owner or administrator. An A+ grade tells users, search engines, and other internet services that your website is trustworthy and uses best practices when it comes to security and encryption. An A+ can help your search engine rankings and may improve user experience.
Let’s find out why you need an SSL Labs test, take an in-depth look at an SSL Labs report, and learn how to configure your nginx server to get an A+.
Think of SSL Labs as a free security report. While getting an A+ is the ultimate goal, running an SSL Labs test is valuable even if you aren’t certain you’re going to get the best grade. Lower grades provide useful feedback by pinpointing areas ripe for improvement. By highlighting security weaknesses, an SSL Labs report lets you fix vulnerabilities before anyone can take advantage of them. You can rerun the test often to check that your grade is steady or improving, and ensure that you are keeping up to date with the latest security best practices.
It’s worth noting that the SSL score reflects only one aspect of security: the communication channel between a website and its users. The importance of channel security varies depending on the use case. For public content, it’s optional, but for highly sensitive content (like personal data or payment information) it’s absolutely critical. SSL/TLS is a great foundation on which to build your security protocols, but it doesn’t constitute an entire protocol in itself.
When you run a test on SSL Labs, the output might be overwhelming and hard to understand. But unless you understand the whole report, you won’t know if there are areas where you can improve your security and grade. Let’s break down the main components of the test report.
In order to score at least 80/100, you must fulfill the following minimum requirements:
Based on the requirements above and modern security requirements, we will use the following settings for this tutorial:
Please note that these settings may block communication with the web server for clients that have not received a security update for 5-10 years (e.g., clients running Windows 7 without all security updates). Generally, this will only affect very old clients.
Let’s configure nginx to use the above settings.
    server {
        listen 443 ssl;

        ssl_certificate /path/to/server/vhost.crt;
        ssl_certificate_key /path/to/server/vhost.key;

        # allowed protocols
        ssl_protocols TLSv1.2 TLSv1.3;

        # prioritize server ciphers over client ciphers
        ssl_prefer_server_ciphers on;

        # Mozilla Intermediate compatibility cipher set
        # ECDHE-ECDSA-AES128-GCM-SHA256
        # ECDHE-RSA-AES128-GCM-SHA256
        # ECDHE-ECDSA-AES256-GCM-SHA384
        # ECDHE-RSA-AES256-GCM-SHA384
        # ECDHE-ECDSA-CHACHA20-POLY1305
        # ECDHE-RSA-CHACHA20-POLY1305
        # DHE-RSA-AES128-GCM-SHA256
        # DHE-RSA-AES256-GCM-SHA384
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

        location / {
            # header for HSTS
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
            root /usr/share/nginx/html;
        }
    }
Thus, with just four settings, you can configure a web server that meets modern SSL security requirements and will score you an A+ on SSL Labs.
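To catch drift from these four settings before a rescan does, the check below audits an nginx config offline. It is an added example, not code from the original article or from SSL Labs. The names `audit` and `directive`, the 180-day reading of "six months", the forward-secrecy-plus-AEAD rule inferred from the cipher list above, and both sample configs are assumptions constructed for illustration.

```python
import re

SIX_MONTHS = 180 * 24 * 3600  # assumption: "six months" read as 180 days, in seconds
# Constructed sample mirroring the tutorial's settings (certificate lines omitted).
GOOD = '''server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384;
    location / {
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    }
}'''
# Constructed weak counterpart: legacy protocol, non-AEAD suite, one-day HSTS.
WEAK = '''server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA;
    location / {
        # add_header Strict-Transport-Security "max-age=31536000" always;
        add_header Strict-Transport-Security "max-age=86400";
    }
}'''

def directive(conf, name):
    """Return the arguments of the first `name ...;` directive, or None."""
    m = re.search(r'^\s*' + re.escape(name) + r'\s+([^;]+);', conf, re.M)
    return m.group(1).strip() if m else None

def audit(conf):
    """List which of the tutorial's four settings are missing or weakened."""
    conf = re.sub(r'#[^\n]*', '', conf)  # commented-out directives do not count
    issues = []
    protos = set((directive(conf, 'ssl_protocols') or '').split())
    if not protos or protos - {'TLSv1.2', 'TLSv1.3'}:
        issues.append('ssl_protocols')
    if directive(conf, 'ssl_prefer_server_ciphers') != 'on':
        issues.append('ssl_prefer_server_ciphers')
    ciphers = (directive(conf, 'ssl_ciphers') or '').split(':')
    # Every suite must use ephemeral key exchange and an AEAD cipher.
    if not all(re.match(r'(ECDHE|DHE)-', c) and re.search(r'GCM|CHACHA20', c) for c in ciphers):
        issues.append('ssl_ciphers')
    hsts = re.search(r'add_header\s+Strict-Transport-Security\s+"[^"]*max-age=(\d+)', conf, re.I)
    if not hsts or int(hsts.group(1)) < SIX_MONTHS:
        issues.append('hsts')
    return issues

if __name__ == '__main__':
    print('good:', audit(GOOD))
    print('weak:', audit(WEAK))
```

An explicit `ssl_protocols` line is required here because nginx's built-in default differs between versions; an empty result means the file matches the tutorial's settings, not that the live server has been graded.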
As we discovered, getting an A+ grade on SSL Labs is achievable without too much work. An A+ grade brings concrete benefits, such as improved search engine ranking. It’s worth running an SSL Labs test to find out about any security vulnerabilities.
Upgrade your SSL security today with an SSL certificate via Gcore.