Tips for using SSL

General

Below are some common tips for working with an SSL/TLS certificate on a web server. The configuration snippets are nginx directives.

1. Checking your certificate health

To check whether your certificate is installed correctly, an online tool such as the Qualys SSL Labs server test can help. It reports the certificate chain the server sends, the protocols and cipher suites it offers, and known weaknesses in the configuration.

2. Download bundle file from your CA

Your CA may also provide a checker tool. If the test shows the installation is incomplete (typically a missing intermediate certificate), you can usually download the correct bundle file from the test result and add it to your server configuration.

Namecheap SSL Checker : https://decoder.link/sslchecker/

3. Other common settings to enable

– Session reuse

Session reuse is one of the most important mechanisms for improving TLS performance: by presenting a session ID (or a session ticket) from an earlier connection, a client can trigger an abbreviated handshake, which saves a round trip and the public-key computation of a full handshake. Note that nginx also enables session tickets by default; the ticket key can decrypt every session it issued, so either rotate that key or disable tickets if forward secrecy matters to you.

# Enable the server-side session cache, shared across all worker processes.
# nginx documents about 4000 sessions per megabyte, so 10m holds roughly 40000 sessions.
ssl_session_cache  shared:SSL:10m;
# How long a cached session may be resumed.
ssl_session_timeout  10m;

– Forward Secrecy

Perfect Forward Secrecy, often just called Forward Secrecy, means that each session negotiates its own ephemeral key pair (ECDHE or DHE key exchange) that is discarded afterwards. The session keys are therefore not derivable from the server's long-term private key: an attacker who records traffic today and steals the server key later still cannot decrypt the recorded sessions. With static RSA key exchange, by contrast, one leaked key decrypts every past and future session.

# Enable Forward secrecy settings
# TLS 1.0 and 1.1 are deprecated (RFC 8996); TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# Only ECDHE/DHE suites are listed. The RC4 entries from the original list were removed:
# the trailing !RC4 disabled them anyway, so they were dead tokens.
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
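A cipher string like the one above is easy to get wrong, because OpenSSL expands the aliases and applies the `!` exclusions in order, and what nginx actually offers is the result of that expansion, not the text you typed. The following script is an added example (not part of the original post) that feeds a cipher string to OpenSSL through Python's `ssl` module, exactly as nginx would, and then checks the key-exchange algorithm of every suite that survives. The first cipher string is the post's own; the second is a deliberately weak list constructed here to show what a failing audit looks like.

```python
"""Audit an nginx ssl_ciphers string for forward secrecy.

Added example, not part of the original post. It hands the cipher string
to OpenSSL (via Python's ssl module), which expands aliases and applies the
'!' exclusions the same way nginx does, then inspects the key exchange of
every suite that is actually selected.
"""
import ssl

# Key-exchange identifiers OpenSSL reports for ephemeral key exchange.
# 'kx-any' is what TLS 1.3 suites report: TLS 1.3 is always (EC)DHE.
EPHEMERAL_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}

# The ssl_ciphers value from the post, verbatim (spaces are a valid
# separator in OpenSSL cipher strings).
POST_CIPHERS = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
                "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
                "EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES "
                "!MD5 !EXP !PSK !SRP !DSS !RC4")

# Constructed weak list for contrast: AES128-SHA uses static RSA key
# exchange, so a leaked server key decrypts every recorded session.
WEAK_CIPHERS = "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256"


def expand(cipher_string):
    """Return the suites OpenSSL selects for cipher_string, in preference
    order. Raises ssl.SSLError if nothing matches (nginx would refuse to
    start in the same situation)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def audit(cipher_string):
    """Classify every selected suite. Suites without ephemeral key exchange
    break forward secrecy; suites without AEAD are flagged as legacy."""
    report = {"suites": [], "non_pfs": [], "non_aead": []}
    for c in expand(cipher_string):
        name = c["name"]
        report["suites"].append(name)
        if c.get("kea") not in EPHEMERAL_KX:
            report["non_pfs"].append(name)
        if not c.get("aead", False):
            report["non_aead"].append(name)
    return report


def has_forward_secrecy(cipher_string):
    """True only if every suite the server would offer is (EC)DHE or TLS 1.3."""
    return not audit(cipher_string)["non_pfs"]


if __name__ == "__main__":
    for label, s in (("post", POST_CIPHERS), ("weak", WEAK_CIPHERS)):
        r = audit(s)
        print(f"{label}: {len(r['suites'])} suites, "
              f"non-PFS: {r['non_pfs'] or 'none'}, "
              f"non-AEAD: {len(r['non_aead'])}")
```

Run it on the machine that will serve the site, because the result depends on the OpenSSL version nginx is linked against: on a modern build the RC4 tokens in the post's string simply match nothing, while an old build would have offered them if the `!RC4` had been missing.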

– OCSP stapling

With plain OCSP, each browser contacts the CA's OCSP responder itself to ask whether the server certificate has been revoked. OCSP stapling moves that work to the web server: the server queries the OCSP responder, caches the signed response, and delivers ("staples") it to the client inside the TLS handshake via the Certificate Status Request extension. The browser gets the revocation status together with the certificate, without a separate lookup.

This addresses a privacy concern with OCSP, because the CA no longer learns which sites each client visits, and it removes the handshake delay of a separate connection to the CA's responder. Since the stapled response is signed by the CA and time-limited, the server cannot forge it; it can only refresh it.

# Enable OCSP Stapling
ssl_stapling on;
# Have nginx verify the OCSP response before stapling it. This requires
# ssl_trusted_certificate (intermediates + root) and a resolver directive
# so nginx can look up the OCSP responder's hostname.
ssl_stapling_verify on;
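The three settings above are usually applied together. Below is an added, complete server block (example configuration, not from the original post) that combines them with the supporting directives each one needs. The domain, certificate paths and resolver address are placeholders and must be replaced.

```nginx
# Added example: one server block combining session reuse, forward secrecy
# and OCSP stapling. Domain, file paths and resolver IP are assumptions.
server {
    listen 443 ssl;
    server_name example.com;

    # Leaf certificate followed by the intermediate(s); the private key stays root-only.
    ssl_certificate     /etc/nginx/tls/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/example.com.key;

    # Session reuse: server-side cache shared by all worker processes.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    # Tickets are on by default; a long-lived ticket key can decrypt every
    # session it issued, so turn them off unless you rotate the key.
    ssl_session_tickets off;

    # Forward secrecy: modern protocols only, and only (EC)DHE AEAD suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_ecdh_curve X25519:prime256v1;

    # OCSP stapling: fetch, verify and cache the CA's revocation response.
    ssl_stapling on;
    ssl_stapling_verify on;
    # Intermediate + root certificates used to verify the OCSP response.
    ssl_trusted_certificate /etc/nginx/tls/chain.pem;
    # nginx needs its own resolver to reach the OCSP responder hostname.
    resolver 192.0.2.53 valid=300s;
    resolver_timeout 5s;
}
```

After reloading nginx, `openssl s_client -connect example.com:443 -status` prints the stapled OCSP response (look for "OCSP Response Status: successful"; the first connection after a restart may show no response because nginx fetches it lazily), and `openssl s_client -connect example.com:443 -reconnect` performs five further handshakes and reports whether each one was "Reused" from the session cache.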
