The Qualys SSL Labs Test is well known as a benchmark to test the security and rigidity of your  HTTPS website set-up. You want to see an A or A+ rating, indicating your  SSL server is set up to be secure, functional and has no known vulnerabilities.

The Snapt Accelerator is an extremely powerful and secure web acceleration and protection solution.

This guide will help you to configure Snapt Accelerator to get your A+ rating!


Understanding what you are changing

With  SSL ciphers and protocols when you disable old and outdated (and  potentially vulnerable) options, you are limiting old and outdated  browsers from communicating with your server. In this guide we will  recommend settings that won’t work on very old (10+ years) operating systems and browsers, estimated to be less than 1% of the web.

Protocols, ciphers and headers

We  want to disable the use of SSLv2, SSLv3 and TLS1.0 completely. We’re  also going to use a modern cipher set and force all users to use HTTPS.  This can break things on your site, and you should be aware of the  impact the changes will have!


Step 1: Settings your ciphers

Go  to Setup -> SSL -> SSL Options on your Snapt installation. Here  we want to set the Ciphers Preset to the latest one, tagged “Most  Secure”. At the time of writing that is Snapt V6. For technical users,  that will apply the following cipher set: EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

Now generate a 4096 Diffie-Hellman key file, using the Generate button. It can take 5–15 minutes to complete.

Once  completed Save the page to apply your cipher options and then select  the new dhparams.pem file we created for you. Save again with this.

Step 2: Choose your protocols

Go  to Accelerator -> Configuration -> SSL Options. You want to  change your SSL Protocol to TLSv1.1, TLSv1.2 — that will restrict what  protocols you will communicate with, disabling SSLv2, SSLv3, and TLS1.0.

Next  up enable OSCP Stapling and Strict Transport Security. Be aware that  this will tell browsers to only ever speak to your website using SSL, so  make sure it’s all running on HTTPS!

Now Save on this page. Reload the Accelerator.

Step 3: Checking your certificate

Snapt  doesn’t control your SSL certificate of course, and you may need a more  recent or more secure one in order to get the best rating. Running the  SSL Test will let you know about that. With the settings you’ve changed  now, you should have an A+ rating. If you do not it is most likely your  certificate.