15 February 2022

How we optimized an SSL overall rating from B to A+

With Skillbrowser you can browse, confirm and rate the skills of IT suppliers as well as connect with new customers. The product owner recently needed to switch vendors and we are pleased that he trusted us with the ongoing support & maintenance.

One day we received a really odd support ticket: some people were facing an issue with SSL and were not able to open the site at all. It seemed that for some clients the SSL certificate was not valid, so we decided to do an SSL audit using the SSL Labs test tool, and the results were not good at all: grade B with several warnings in place.

Overall rating before our SSL optimization

Our DevOps team immediately came up with a six-step plan to be executed in order to boost the SSL rating.

  • Leave only TLS 1.2 and TLS 1.3

    TLS 1.0 and 1.1 were deprecated in 2020, so they had to go.

  • Fix the incomplete certificate chain warning

    The intermediate certificate from the Certificate Authority was not in the clients' built-in trust list, so some visitors were seeing an “incomplete chain” error. We obtained the necessary intermediate certificates and added them to the configuration, and this issue was gone.

  • Fix the Forward Secrecy warning

    This one was easy: we just needed to configure the Apache server for Forward Secrecy. This removes the link between the server’s private key and each session key, so an attacker who later obtains the private key cannot use it to decrypt any archived sessions.

  • Fix certificate path in docker infrastructure

    This step was specific to the existing Docker infrastructure of the project. After our change, a manual step that previously had to be executed after each deployment was no longer needed.

  • Add DH parameters

    The default DH key size in OpenSSL is 1024 bits, which is believed to be breakable with the computing power of a nation-state, so we generated DH parameters with OpenSSL, making the key 4096 bits.

  • Additional optimizations

    • Added the Strict-Transport-Security response header, which informs browsers that the site should only be accessed using HTTPS.
    • Adjusted some of the existing ssl_sessions settings.
    • Set up ssl_ciphers properly for TLS 1.2 and TLS 1.3.
    • Added the X-Content-Type-Options and X-XSS-Protection headers. The first one prevents MIME type sniffing, while the second one stops pages from loading when the browser detects a reflected cross-site scripting (XSS) attack.
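The six steps above come together in one Apache 2.4 virtual host. The configuration below is an added example written for this post, not the Skillbrowser project's own configuration: the hostname, certificate and key paths, the DH parameter path and the session cache path are all assumed placeholders, and the TLS 1.3 directives assume Apache 2.4.36 or newer built against OpenSSL 1.1.1 or newer.

```apache
# Added example, not the project's configuration. All paths and the
# hostname are assumptions; replace them with your own.

# Session settings live in the server context (step 6, ssl_sessions).
# A shared-memory cache allows resumption; tickets are disabled so a
# long-lived ticket key cannot undermine forward secrecy (step 3).
SSLSessionCache        "shmcb:/var/run/apache2/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLSessionTickets      off

<VirtualHost *:443>
    # Assumed hostname
    ServerName www.example.com

    SSLEngine on

    # Step 1: leave only TLS 1.2 and TLS 1.3
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Step 2: fix the incomplete chain. fullchain.pem (assumed path) holds
    # the leaf certificate followed by the CA intermediates; Apache 2.4.8+
    # reads the whole chain from SSLCertificateFile.
    SSLCertificateFile    /etc/ssl/certs/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/privkey.pem

    # Step 3 and step 6 (ssl_ciphers): only ECDHE/DHE suites, which give
    # forward secrecy, in server-preferred order for TLS 1.2
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder on

    # TLS 1.3 suites (all of them provide forward secrecy by design)
    SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

    # Step 5: 4096-bit DH parameters for the DHE suites, generated once with
    #   openssl dhparam -out /etc/ssl/dhparam.pem 4096
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"

    # Step 6: security headers (requires mod_headers). SSL Labs expects an
    # HSTS max-age of at least six months for an A+; two years is used here.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
</VirtualHost>
```

Step 4 (the certificate path in the Docker setup) is project-specific and has no generic equivalent; in this example it corresponds to mounting the certificate files at the assumed /etc/ssl paths so that no manual copy is needed after a deployment. After applying the configuration, run `apachectl configtest` before reloading and re-run the SSL Labs test to confirm the new grade. One caveat on the last header: current Chromium-based browsers and Firefox no longer implement X-XSS-Protection, so it does not hurt but should not be relied on; a Content-Security-Policy is the header that actually constrains script execution today.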

After implementing our plan we achieved an A+ grade without any warnings. Not bad at all!

Overall rating after our successful SSL optimization

Another measurable exceptional result from our work!
