How to get an A+ grade on SSL Labs
Qualys SSL Labs tests a website's HTTPS configuration and assigns it a grade. The grade shows administrators clearly whether the site's security configuration needs improvement, so the site can be made more secure, reliable and trustworthy.
After setting up an SSL certificate on XAMPP Apache, a scan on SSL Labs only produced a B grade.
The following shows how to get an A+ grade.
$ sudo vi /opt/lampp/etc/extra/httpd-ssl.conf
Comment out the following line so that it reads:
# SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
Then add the following:
# - Try ciphers in the order listed. Try the strongest ciphers first until a compatible one is found.
SSLHonorCipherOrder on
# - Allow only strong TLS
SSLProtocol -ALL +TLSv1.2 +TLSv1.3
# - TLSv1.3 Settings
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
# - TLSv1.2 Settings
SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:RSA-PSK-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-DSS-AES256-GCM-SHA384:ADH-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:PSK-AES256-CCM:DHE-PSK-AES256-CCM:PSK-AES256-CCM8:DHE-PSK-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES256-CCM8
# - Preferred Elliptic Curve
SSLOpenSSLConfCmd ECDHParameters brainpoolP512r1
# - Other accepted Elliptic Curve
SSLOpenSSLConfCmd Curves brainpoolP512r1:sect571r1:secp521r1:secp384r1
# - HTTP Strict Transport Security Header.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# - Set a same origin policy
Header always set X-Frame-Options SAMEORIGIN
# - Rewrite any session cookies to make them more secure
# - Make ALL cookies created by this server HttpOnly and Secure
Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"
# - Prevent browsers from doing MIME type sniffing.
Header always set X-Content-Type-Options nosniff
Save the file, then restart with /opt/lampp/xampp restart
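Before restarting, it is worth checking the edited directives for the mistakes that silently cost a grade (a typo in the HSTS header, a legacy protocol left on, a suite in the cipher list that authenticates nobody). The following Python linter is an added example, not code from the original post or from XAMPP; it parses a constructed copy of the snippet above with the `includeSubDomainsi` typo deliberately kept in, and keeps the `ADH-AES256-GCM-SHA384` suite from the long cipher list because `ADH-` suites are anonymous Diffie-Hellman: they give no server authentication and do not belong under a comment that says "strong TLS". The 180-day HSTS threshold, the weak-suite patterns and the `all -SSLv3` default are assumptions of this example; it does not talk to a server.

```python
"""Static checks for the TLS directives of an Apache httpd-ssl.conf (example)."""
import shlex

# Constructed sample based on the post's snippet. The HSTS typo and one
# anonymous-DH suite are kept in on purpose so the checks have something to find.
SAMPLE_CONF = """
SSLHonorCipherOrder on
SSLProtocol -ALL +TLSv1.2 +TLSv1.3
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
SSLCipherSuite ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ADH-AES256-GCM-SHA384
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomainsi; preload"
Header always set X-Content-Type-Options nosniff
Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"
"""

# The same configuration with both problems corrected.
HARDENED_CONF = SAMPLE_CONF.replace(":ADH-AES256-GCM-SHA384", "").replace(
    "includeSubDomainsi", "includeSubDomains")

KNOWN_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
# Fragments of OpenSSL suite names meaning no authentication, no encryption
# or a broken primitive (assumed list, not exhaustive).
WEAK_SUITE_PATTERNS = [
    ("ADH-", "anonymous DH (no server authentication)"),
    ("AECDH-", "anonymous ECDH (no server authentication)"),
    ("NULL", "NULL encryption or NULL authentication"),
    ("EXP", "export-grade"),
    ("RC4", "RC4"),
    ("DES-CBC", "DES or 3DES"),
    ("MD5", "MD5 MAC"),
]
HSTS_MIN_AGE = 15768000  # about 180 days; assumed minimum for the A+ HSTS bonus


def parse_directives(text):
    """Return (name, args) per non-comment line, honouring double quotes."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            out.append((parts[0].lower(), parts[1:]))
    return out


def enabled_protocols(args):
    """Apply SSLProtocol tokens in order: 'all', '+X', '-X' or a bare name."""
    canon = {p.lower(): p for p in KNOWN_PROTOCOLS}
    enabled = set()
    for tok in args:
        sign = "+"
        if tok and tok[0] in "+-":
            sign, tok = tok[0], tok[1:]
        key = tok.lower()
        names = set(KNOWN_PROTOCOLS) if key == "all" else {canon.get(key, tok)}
        enabled = (enabled | names) if sign == "+" else (enabled - names)
    return enabled


def check_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    by_name = {}
    for name, args in parse_directives(text):
        by_name.setdefault(name, []).append(args)

    # Assumed httpd 2.4 default 'all -SSLv3', which still leaves TLS 1.0/1.1 on.
    proto = by_name.get("sslprotocol", [["all", "-SSLv3"]])[-1]
    for p in sorted(enabled_protocols(proto) & LEGACY_PROTOCOLS):
        findings.append(f"SSLProtocol: legacy protocol {p} is enabled")

    order = by_name.get("sslhonorcipherorder", [[]])[-1]
    if not order or order[0].lower() != "on":
        findings.append("SSLHonorCipherOrder is not 'on'")

    # Only explicit suite names are inspected; negated entries such as !MD5 pass.
    for args in by_name.get("sslciphersuite", []):
        if not args or args[0].lower() == "tlsv1.3":
            continue  # the TLS 1.3 list only ever holds AEAD suites
        for suite in args[-1].split(":"):
            if suite.startswith(("!", "-")):
                continue
            for frag, why in WEAK_SUITE_PATTERNS:
                if frag in suite.upper():
                    findings.append(f"SSLCipherSuite: {suite} is {why}")

    headers = by_name.get("header", [])
    hsts = [a[i + 1] for a in headers for i, t in enumerate(a)
            if t.lower() == "strict-transport-security" and i + 1 < len(a)]
    if not hsts:
        findings.append("HSTS: Strict-Transport-Security is not set (needed for A+)")
    else:
        tokens = [t.strip() for t in hsts[-1].split(";") if t.strip()]
        keys = {t.split("=", 1)[0].lower() for t in tokens}
        max_age = -1
        for t in tokens:
            key, _, val = t.partition("=")
            if key.lower() == "max-age":
                max_age = int(val) if val.isdigit() else -1
            elif key.lower() not in ("includesubdomains", "preload"):
                findings.append(f"HSTS: unknown token '{t}' (typo?)")
        if max_age < HSTS_MIN_AGE:
            findings.append(f"HSTS: max-age {max_age} is shorter than {HSTS_MIN_AGE}")
        if "includesubdomains" not in keys:
            findings.append("HSTS: includeSubDomains is missing")

    if not any("x-content-type-options" in [t.lower() for t in a]
               and "nosniff" in [t.lower() for t in a] for a in headers):
        findings.append("X-Content-Type-Options: nosniff is not set")
    return findings


if __name__ == "__main__":
    for label, conf in (("post snippet", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label}")
        for f in check_conf(conf) or ["no findings"]:
            print("  " + f)
```

Run against the sample it reports the anonymous-DH suite, the unknown HSTS token `includeSubDomainsi` and, as a consequence, the missing `includeSubDomains`; the hardened copy reports nothing. The linter only sees what is in the file, so a scan on SSL Labs after the restart is still the final word.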
Run the SSL Labs test again and you will get an A+ result, as shown in the screenshot below:
Because the SSL settings are strict, IE 8 on Windows XP (which does not support TLS 1.1) can no longer display the site. Fortunately, the last version of Chrome for the XP platform, 49.0, can be installed and displays the site normally; that is the workaround.
Postscript: it turns out IE 8 on XP can also enable TLS 1.1/1.2, but after testing it I still could not browse the SSL A+ site. Anyone interested can try the following link:
Enable TLS 1.2 Encryption on Windows XP/2008/7/Windows 2008 R2