Unfortunately, TLS has been plagued by several vulnerabilities in recent years, making every HTTPS connection potentially unsafe.
In this article I’ll show you how to get a Grade A+ on SSLLabs (https://www.ssllabs.com/) through the appropriate use of GnuTLS Priorities.
That is why it is important to review the cryptographic algorithms in use today. A couple of years ago, we thought that RC4 was a strong encryption algorithm that had the ability to mitigate attacks such as BEAST.
I always had doubts about RC4, but criticizing something that mitigated BEAST was swimming against the tide.
Obtaining Grade A+
Today, to get an A+ on SSLLabs (the main reference on SSL/TLS configuration), we have to meet several requirements:
- TLSv1.2 (previous versions are considered weak)
- Mitigate several attacks (BEAST, CRIME, etc.)
- Perfect Forward Secrecy (ephemeral Diffie-Hellman)
- Use >128-bit symmetric encryption algorithms
- Use >2048-bit keys for RSA-based asymmetric encryption algorithms (or equivalent strength for elliptic curves)
- Use SHA signature algorithms >= 256-bit (256, 384, 512); avoid SHA-1
- Avoid weak signature algorithms, e.g. MD5
- Use HSTS (in the HTTP headers) to obtain the A+
How to configure GnuTLS
Setting up GnuTLS to meet these requirements is very simple. The GnuTLSPriorities directive needs to use the following line:
GnuTLSPriorities SECURE128:+SECURE192:+SECURE256:-VERS-TLS-ALL:+VERS-TLS1.2:-ARCFOUR-128:-SHA1:-RSA:%SERVER_PRECEDENCE
- SECURE128 & SECURE192: These options in my opinion should not be here, but they guarantee compatibility with the Firefox NSS library. If we remove them, we will only be compatible with Chrome and Opera.
- SECURE256: the best set of symmetric encryption algorithms, based on 256-bit symmetric algorithms.
- -VERS-TLS-ALL:+VERS-TLS1.2: Disables all TLS versions except TLS 1.2.
- -ARCFOUR-128: Disables RC4.
- -SHA1: Disables SHA1, which is a weak hashing algorithm.
- -RSA: Disables RSA for the key exchange. We will only use perfect forward secrecy.
With this configuration we can achieve Grade A on SSL Labs.
How to configure the WordPress or any application in PHP to set the HSTS (Grade A+):
DISCLAIMER: Use at your own risk. Be careful: wrong settings or configurations may cause a denial of service for a long time (months or years).
To configure WordPress with HSTS, you may use this plugin, which I recommend:
https://wordpress.org/plugins/security-headers/
And to set up any PHP site with HSTS, you must put the following code as the first line of PHP, especially in index.php:
header("Strict-Transport-Security: max-age=31536000;");
** It is important not to output any HTML before the PHP code sends the header, because otherwise it will fail.
This tells the browser to keep the site strictly on HTTPS for a full year. After that, the browser will refuse to browse the site over plain HTTP.
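To check the header value a site actually returns, here is an added example (not code from the original article). It parses a Strict-Transport-Security value following the RFC 6797 rules and flags values a browser would ignore, or whose max-age is shorter than the one year used above. The function names and the one-year threshold are assumptions of this example.

```python
import re

ONE_YEAR = 31536000  # assumption: threshold taken from the article's header() call

# RFC 7230 "token"; a directive value is either a token or a quoted-string.
TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
_DIRECTIVE = re.compile(rf'^({TOKEN})(?:\s*=\s*("[^"]*"|{TOKEN}))?$')


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns {lower-cased directive: value or None}. Raises ValueError for
    values that do not conform, which a browser is required to ignore.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:  # empty directives, e.g. a trailing ';', are legal
            continue
        match = _DIRECTIVE.match(part)
        if not match:
            raise ValueError(f"malformed directive: {part!r}")
        name, val = match.group(1).lower(), match.group(2)
        if name in directives:  # each directive may appear only once
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val.strip('"') if val is not None else None
    if "max-age" not in directives:
        raise ValueError("max-age is required")
    if not re.fullmatch(r"[0-9]+", directives["max-age"] or ""):
        raise ValueError("max-age must be a non-negative integer")
    return directives


def audit_hsts(value, min_age=ONE_YEAR):
    """Return a list of findings; an empty list means the header passes."""
    try:
        directives = parse_hsts(value)
    except ValueError as exc:
        return [f"invalid header, browsers will ignore it: {exc}"]
    age = int(directives["max-age"])
    if age == 0:
        return ["max-age=0 tells the browser to forget the HSTS policy"]
    if age < min_age:
        return [f"max-age {age} is shorter than {min_age} seconds"]
    return []
```

The value from the PHP line above, including its trailing semicolon, parses cleanly and produces no findings.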
Thanks to Howard Fried (@cyberhoward) for reminding me to check my TLS configuration.