Introduction #
The following changes in ProVide make it possible to configure the server for a perfect score on the Qualys SSL Labs server test.
- Added ability to prioritize specified elliptic curves for SSL negotiations
- Updated internal security and encryption mechanisms
- Implemented support for HTTP Strict Transport Security.
- Implemented support to individually enable/disable SSL/TLS protocols (SSL v2, SSL v3, TLS v1, TLS v1.1, TLS v1.2, TLS v1.3).
- Implemented support for forward secrecy with most browsers.
- Improved support for completely loading chain certificates including intermediate.
- Improved support for individually enable/disable SSL/TLS ciphers.
- Improved support for renegotiation (secure renegotiation allowed, client-initiated renegotiation disabled).
Achieving A+ (100/100/100/100) with ProVide #
To get the best SSL Labs score, use either:
- an RSA-4096 certificate, or
- an ECDSA-P384 certificate
and make sure you are running the latest version of ProVide. Smaller keys (RSA-2048, ECDSA P-256) are still secure, but SSL Labs scores them below 100 in the key exchange category, so they will not give the perfect score this page targets.
Step 1: Edit settings.ini
Update the following sections. Values are comma separated. In [SSL Elliptic Curves] the order is the server's preference order (SECP384R1 first, X25519 as the fallback), and listing only TLS v1.2 and TLS v1.3 in [HTTPS Protocols] leaves SSL v2, SSL v3, TLS v1 and TLS v1.1 disabled:
[SSL Elliptic Curves]
SECP384R1, X25519
[HTTPS Protocols]
TLS v1.2, TLS v1.3
Step 2: Configure HTTPS Ciphers
Option A – RSA-4096 Certificate
Use these ciphers for maximum compatibility and security:
[HTTPS Ciphers]
ECDHE-RSA-AES256-GCM-SHA384, CHACHA20-POLY1305-SHA256, AES256-GCM-SHA384
The ECDHE-RSA- suite is the TLS 1.2 suite; it provides forward secrecy through ephemeral ECDH. The names without a key-exchange prefix are the TLS 1.3 suites, which are forward secret by design (CHACHA20-POLY1305-SHA256 only exists as a TLS 1.3 suite). Be aware that in OpenSSL's TLS 1.2 naming the bare AES256-GCM-SHA384 denotes the static-RSA suite without forward secrecy, so after applying the change check the SSL Labs report: every TLS 1.2 suite it lists should show ECDH key exchange.
If you need to support Chrome 49 on Windows XP SP3 or Firefox 47 on Windows 7, use these instead:
[HTTPS Ciphers]
ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-CHACHA20-POLY1305-SHA256, CHACHA20-POLY1305-SHA256, AES256-GCM-SHA384
Option B – ECDSA-P384 Certificate
Use these ciphers for maximum compatibility and security. An ECDSA certificate cannot be used with the ECDHE-RSA- suites (they require an RSA signing key and would never be negotiated), so the TLS 1.2 suites must be the ECDHE-ECDSA- variants, spelled in the same style as the RSA suites above. The TLS 1.3 suites are unchanged because they do not depend on the certificate type:
[HTTPS Ciphers]
ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305-SHA256, CHACHA20-POLY1305-SHA256, AES256-GCM-SHA384
Done! With these settings, ProVide should score 100/100/100/100. Confirm it by re-running the SSL Labs test after restarting the server: the report should show only TLS 1.2 and TLS 1.3 enabled, every TLS 1.2 suite with ECDH key exchange, the certificate chain complete, and the Strict-Transport-Security header present. A quick local check is `openssl s_client -connect host:443 -tls1_1`, which must fail to complete the handshake.
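As an added example (not ProVide's own code), here is a small Python lint for the three settings.ini sections used above. It assumes the bare, comma-separated value format shown on this page and OpenSSL-style suite names, treats prefix-less names as TLS 1.3 suites, and works on constructed sample inputs. It catches the mistakes that silently cost SSL Labs points or break the handshake outright: legacy protocols still listed, suites without an ephemeral key exchange, and TLS 1.2 suites whose signature algorithm does not match the certificate (ECDHE-RSA suites paired with an ECDSA-P384 certificate can never be negotiated).

```python
"""Lint a ProVide-style TLS configuration for the mistakes that cost SSL Labs points.

Added example, not ProVide's own code. Assumptions: settings.ini sections hold
comma-separated bare values as shown on this page; cipher suites are spelled in
OpenSSL style; prefix-less suite names are taken to be TLS 1.3 suites.
"""
import re
from typing import Dict, List, Optional, Tuple

# Protocols that SSL Labs caps or fails the grade for (spelling as in settings.ini).
WEAK_PROTOCOLS = {"SSL v2", "SSL v3", "TLS v1", "TLS v1.1"}

# TLS 1.3 suites (RFC 8446): no key-exchange/signature prefix, forward secret and
# certificate-agnostic by construction. Both the RFC names and the short names
# used on this page are accepted. Caveat: in OpenSSL's TLS 1.2 naming the bare
# "AES256-GCM-SHA384" is the static-RSA suite, which has no forward secrecy.
TLS13_SUITES = {
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "CHACHA20-POLY1305-SHA256",
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
}

_SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Parse '[Section]' headers followed by comma-separated bare value lines."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].extend(v.strip() for v in line.split(",") if v.strip())
    return sections


def classify_suite(name: str) -> Tuple[bool, Optional[str]]:
    """Return (forward_secret, certificate type the suite needs: 'RSA', 'ECDSA' or None)."""
    upper = name.upper()
    if upper in TLS13_SUITES:
        return True, None
    if upper.startswith("ECDHE-ECDSA-"):
        return True, "ECDSA"
    if upper.startswith(("ECDHE-RSA-", "DHE-RSA-")):
        return True, "RSA"
    # Anything else (static RSA, anonymous DH, RC4, export suites, ...) has no
    # ephemeral key exchange and is reported as lacking forward secrecy.
    return False, None


def lint(text: str, cert_type: str) -> List[str]:
    """Return findings for a settings.ini fragment and the server's certificate type."""
    cfg = parse_sections(text)
    findings: List[str] = []
    for proto in cfg.get("HTTPS Protocols", []):
        if proto in WEAK_PROTOCOLS:
            findings.append(f"protocol {proto} enabled: allow only TLS v1.2 and TLS v1.3")
    suites = cfg.get("HTTPS Ciphers", [])
    negotiable = 0
    for suite in suites:
        forward_secret, needs_cert = classify_suite(suite)
        if not forward_secret:
            findings.append(f"{suite}: no forward secrecy (no ECDHE/DHE key exchange)")
        if needs_cert is not None and needs_cert != cert_type:
            findings.append(f"{suite}: needs an {needs_cert} certificate but the server "
                            f"has {cert_type}; clients can never negotiate it")
        else:
            negotiable += 1
    if suites and negotiable == 0:
        findings.append("no configured suite is negotiable with the server certificate")
    if "SSL Elliptic Curves" not in cfg:
        findings.append("no [SSL Elliptic Curves] section: curve preference is left to the default")
    return findings


# Constructed sample inputs. RSA_SUITES_CONFIG is the extended RSA cipher list;
# pairing it with an ECDSA-P384 certificate is a common copy-paste mistake.
# WEAK_LEGACY is a deliberately bad configuration.
RSA_SUITES_CONFIG = """
[SSL Elliptic Curves]
SECP384R1, X25519
[HTTPS Protocols]
TLS v1.2, TLS v1.3
[HTTPS Ciphers]
ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-CHACHA20-POLY1305-SHA256, CHACHA20-POLY1305-SHA256, AES256-GCM-SHA384
"""
ECDSA_SUITES_CONFIG = RSA_SUITES_CONFIG.replace("ECDHE-RSA-", "ECDHE-ECDSA-")
WEAK_LEGACY = """
[HTTPS Protocols]
SSL v3, TLS v1, TLS v1.2
[HTTPS Ciphers]
AES128-SHA, RC4-SHA
"""

if __name__ == "__main__":
    for label, text, cert in (("RSA suites with ECDSA cert", RSA_SUITES_CONFIG, "ECDSA"),
                              ("ECDSA suites with ECDSA cert", ECDSA_SUITES_CONFIG, "ECDSA"),
                              ("legacy config", WEAK_LEGACY, "RSA")):
        print(f"{label}:", lint(text, cert) or ["OK"])
```

Run it against your own settings.ini fragment with the certificate type you actually deploy; an empty findings list means the file matches the configuration this page describes, but the SSL Labs report remains the authority on how ProVide actually interprets each suite name.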