Mozilla SSL Configuration Generator
Best practice SSL configuration
Mozilla SSL Configuration Generator generates configurations for Linux-based systems that use the OpenSSL library, taking into account which protocols and ciphers are supported by the installed versions of OpenSSL and the server software.
Mozilla SSL Configuration Generator is updated regularly with the newest recommendations, and offers 3 configuration profiles: security, compatibility, or a balance between the two.
Here is a full overview of the settings that can be changed.
The first section is which server you wish to generate a configuration for.
The next section is which profile you want:
- Modern: Provides higher security, but lower compatibility as it will block out older browsers and clients.
Recommended if all the clients are known, e.g. a website that is only used internally.
- Intermediate: A balance between medium-high security and high compatibility.
Generally recommended for servers accessed by unknown clients, e.g. a webshop.
It optimises security while still allowing some older clients to access the website.
- Old: Low security, highest compatibility.
This setting can only be recommended if security is far less important than compatibility, as it enables outdated SSL standards that have known security holes.
The last section is where you set the server and OpenSSL versions so they match the versions you have installed.
It is also here you can activate HTTP Strict Transport Security (HSTS) and OCSP stapling:
- HSTS: (HTTP Strict Transport Security) is a header from the server that tells the client that it may only access the DNS name through HTTPS from now on.
This will be remembered by the client for the max-age set, and even if it is removed from the server again the client will adhere to it, so there is no way back if it fails.
Follow a thorough guide and be conservative with the time, set max-age to a low amount, like 300 seconds (5 min.) for at least a week, and if no issues are encountered, then gradually raise the time.
Be careful about sub domains and preload, unless everything on the domain is already running HTTPS.
- OCSP Stapling: It is definitely an advantage to activate OCSP Stapling.
This lets the server fetch the revocation status of its certificate regularly and forward that status to the client, instead of each client having to look up the status itself every time it connects to the website.
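As an added example (not part of the original page), this Python helper parses the Strict-Transport-Security header a server actually sends and classifies it against the staged rollout described above; the one-week trial threshold and stage names are assumptions of this example, while the includeSubDomains and one-year max-age requirement for preload comes from the hstspreload.org submission rules.

```python
"""Check a Strict-Transport-Security header against a staged HSTS rollout:
start with a short max-age (e.g. 300 s), raise it only once the site runs
cleanly on HTTPS, and add includeSubDomains / preload last."""
import re

ONE_WEEK = 7 * 24 * 3600          # assumed cut-off between "trial" and "committed"
PRELOAD_MIN_AGE = 31536000        # hstspreload.org requires at least one year

def parse_hsts(header):
    """Return {'max_age': int|None, 'include_subdomains': bool, 'preload': bool}."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"\d+", value):
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result

def check_rollout(header):
    """Return (stage, warnings); stage is invalid/disabled/trial/committed."""
    h = parse_hsts(header)
    warnings = []
    if h["max_age"] is None:
        return "invalid", ["max-age directive missing or malformed"]
    if h["max_age"] == 0:
        stage = "disabled"        # clients drop any stored policy
    elif h["max_age"] <= ONE_WEEK:
        stage = "trial"           # short enough to back out of quickly
    else:
        stage = "committed"       # clients will refuse plain HTTP for a long time
    if h["include_subdomains"] and stage == "trial":
        warnings.append("includeSubDomains during trial: confirm every subdomain serves HTTPS")
    if h["preload"] and (not h["include_subdomains"] or h["max_age"] < PRELOAD_MIN_AGE):
        warnings.append("preload requires includeSubDomains and max-age >= 31536000")
    return stage, warnings

if __name__ == "__main__":
    # Constructed sample headers, one per rollout stage
    for hdr in ("max-age=300", "max-age=0", "max-age=300; preload",
                "max-age=63072000; includeSubDomains; preload", "no-such-directive"):
        print(hdr, "->", check_rollout(hdr))
```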
When you have chosen all the settings you will get an SSL configuration that you can copy into the configuration file on your server.
Remember to modify the configuration so it fits your server.