The Qualys SSL Labs Test is well known as a benchmark to test the security and rigidity of your HTTPS website set-up. You want to see an A or A+ rating, indicating your SSL server is set up to be secure, functional and has no known vulnerabilities.
The Snapt Accelerator is an extremely powerful and secure web acceleration and protection solution. This guide will help you to configure Snapt Accelerator to get your A+ rating!
Understanding what you are changing
When you disable old, outdated (and potentially vulnerable) SSL ciphers and protocols, you stop old and outdated browsers from communicating with your server. In this guide we will recommend settings that won’t work on very old (10+ years) operating systems and browsers, estimated to be less than 1% of the web.
Protocols, ciphers and headers
We want to disable the use of SSLv2, SSLv3 and TLS1.0 completely. We’re also going to use a modern cipher set and force all users to use HTTPS. This can break things on your site, and you should be aware of the impact the changes will have!
Step 1: Setting your ciphers
Go to Setup -> SSL -> SSL Options on your Snapt installation. Here we want to set the Ciphers Preset to the latest one, tagged “Most Secure”. At the time of writing that is Snapt V6. For technical users, that will apply the following cipher set: EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
Now generate a 4096-bit Diffie-Hellman key file, using the Generate button. It can take 5–15 minutes to complete.
Once it has completed, Save the page to apply your cipher options, then select the new dhparams.pem file we created for you and Save again.
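To see exactly which suites the Step 1 cipher string allows, you can expand it against a local OpenSSL. The script below is an added example, not Snapt code; it assumes Python 3 built against OpenSSL, and the function names expand and audit are illustrative.

```python
import ssl

# Cipher string quoted in Step 1 of this guide.
SNAPT_CIPHERS = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"


def expand(cipher_string):
    """Return the suites the local OpenSSL selects for this string, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites (named TLS_*) are configured separately by OpenSSL and are
    # always listed, so leave them out of the comparison.
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def audit(cipher_string):
    """Group the expanded suites by key exchange and by cipher mode."""
    report = {"forward_secret": [], "no_forward_secrecy": [], "aead": [], "cbc": []}
    for name in expand(cipher_string):
        # Ephemeral (EC)DH key exchange is what gives forward secrecy.
        fs = name.startswith(("ECDHE-", "DHE-"))
        report["forward_secret" if fs else "no_forward_secrecy"].append(name)
        # GCM/CCM/ChaCha20 suites are AEAD; the remaining AES suites use CBC.
        aead = any(tag in name for tag in ("GCM", "CCM", "CHACHA20"))
        report["aead" if aead else "cbc"].append(name)
    return report


if __name__ == "__main__":
    result = audit(SNAPT_CIPHERS)
    for group, names in result.items():
        print(f"{group} ({len(names)}):")
        for name in names:
            print(f"  {name}")
```

The exact list depends on the OpenSSL build, but every suite should use ECDHE or DHE key exchange; the AES256+EECDH and AES256+EDH terms are the ones that admit CBC-mode suites alongside the GCM ones.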
Step 2: Choose your protocols
Go to Accelerator -> Configuration -> SSL Options. You want to change your SSL Protocol to TLSv1.1, TLSv1.2 — that will restrict what protocols you will communicate with, disabling SSLv2, SSLv3, and TLS1.0.
Next up, enable OCSP Stapling and Strict Transport Security. Be aware that this will tell browsers to only ever speak to your website using SSL, so make sure it’s all running on HTTPS!
Now Save on this page. Reload the Accelerator.
Step 3: Checking your certificate
Snapt doesn’t control your SSL certificate, of course, and you may need a more recent or more secure one in order to get the best rating. Running the SSL Test will let you know about that. With the settings you’ve changed now, you should have an A+ rating. If you do not, it is most likely your certificate.