AnsweredAssumed Answered

improve key exchange and cipher suites to 100%

Question asked by Dave Cottlehuber on Dec 1, 2017
Latest reply on Dec 1, 2017 by Dave Cottlehuber

I'm trying to work out what I am *missing* to get my ssllabs score up to A+ using the h2o webserver on FreeBSD with latest libressl.

 

key exchange and cipher strength come in at 90%, any suggestions on improving that?

 

SSL Server Test: continuity.skunkwerks.at (Powered by Qualys SSL Labs) 

 

# /usr/local/etc/h2o/h2o.conf

# vi: ft=yaml
# see https://h2o.examp1e.net/ for detailed documentation
# see h2o --help for command-line options and settings
user: www
pid-file: /var/run/h2o.pid
access-log: "| logger -4 -i -p daemon.info -t h2o"
error-log:  "| logger -4 -i -p daemon.err  -t h2o"
listen: 80
# as of 2017-11-01 the following TLS config and headers gets you:
# A on https://www.ssllabs.com/ssltest/ with CAA records enabled
listen:
  port: 443
  ssl:
    minimum-version: TLSv1.2
    # generate your own certificates
    certificate-file: /usr/local/etc/h2o/server.crt
    key-file: /usr/local/etc/h2o/server.key
    cipher-preference: server
    # cipher-suite: ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
    cipher-suite: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-
SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
# host headers, global
# A+ on https://securityheaders.io/
header.add: "x-frame-options: deny"
header.add: "X-XSS-Protection: 1; mode=block"
header.add: "X-Content-Type-Options: nosniff"
header.add: "X-UA-Compatible: IE=Edge"
header.add: "Referrer-Policy: strict-origin"
header.add: "Cache-Control: no-transform"
header.add: "Content-Security-Policy: default-src https:"

 

# 6 months HSTS pinning
header.add: "Strict-Transport-Security: max-age=16000000"

 

# no patience for slow users
http1-request-timeout: 10
http2-idle-timeout: 10
# limit POST bodies
limit-request-body: 10485760 # 10MiB
max-connections: 1024
num-threads: 200

 

file.mime.addtypes:
  image/svg+xml: .svg
  text/plain: .log
  text/css: .css
  application/atom+xml: .xml
  application/zip: .zip
  application/json: .json
  "text/html; charset=utf-8": .html

 

# per-host configurations
hosts:
  continuity.skunkwerks.at:
    paths:
      "/":
        file.dir: "/var/www/continuity/"
      "/.well-known/acme-challenge":
        file.dir: "/var/www/acme/"
  skunkwerks.at:
    paths:
      "/":
        redirect:
          status: 301
          url: http://www.skunkwerks.at/
      "/.well-known/acme-challenge":
        file.dir: "/var/www/acme/"

Outcomes