How we optimised an SSL overall rating from B to A+

With Skillbrowser you can browse, confirm and rate the skills of IT suppliers as well as connect with new customers. The product owner recently needed to switch vendors and we are pleased that he trusted us with the ongoing support & maintenance.

One day we received a really odd support ticket that some people were facing an issue with SSL and are not able to open the site at all. It seemed that for some clients the SSL Certificate was not valid so we decided to do a SSL audit using the SSL Labs test tool and the results were not good at all - grade B with several warnings in place.

Our DevOps team immediately came up with a six steps plan to be executed in order to boost the SSL rating.

• Leave only TLS 1.2 and TLS 1.3

  TLS 1.0 and 1.1 were deprecated in 2020 so they needed to step back.

• Fix the incomplete certificate chain warning

  Certificate from the Certificate Authorities was not found in the built-in trust list so some visitors were seeing an “incomplete chain” error. We obtained the necessary intermediate certificates and added them to the configuration and this issue was gone.

• Fix the Forward Secrecy warning

  This one was easy we just needed to configure the Apache server for Forward Secrecy removing the link between server’s private key and each session key and disabling attackers from using the private key to decrypt any of the archived sessions.

• Fix certificate path in docker infrastructure

  This step was specific to the existing docker infrastructure of the project. After our change, one manual step needed to be executed after each deployment was removed.

• Add DH parameters

  The default key size in OpenSSL is 1024 bits, which seems breakable with the computing power of a nation-state so we generated DH parameters with OpenSSL making the key 4096 bits now.

• Additional optimisations
  • Added the Strict-Transport-Security response header that informs browsers that the site should only be accessed using HTTPS.
  • Adjusted some of the present ssl_sessions settings.
  • Done proper setup of ssl_ciphers for TLS1.2, TLS1.3.
  • Added the X-Content-Type-Options and X-XSS-Protection header. The first one allows you to avoid MIME type sniffing while the second one stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.

After implementing our plan we came up with a grade A+ result without any warnings. Not bad at all!

Another measurable exceptional result from our work!