SSLLabs checker shows that Forward Secrecy is not supported

Created: 2016-12-12 03:42:31 UTC

Modified: 2017-08-08 13:41:49 UTC

Applicable to:

  • Plesk 12.5 for Linux

Symptoms

The SSLLabs checker evaluates domains with an A- or A score instead of A+ and reports that Forward Secrecy is not supported. How can this be improved?

Resolution

Modify the /etc/nginx/conf.d/ssl.conf configuration file as follows:

# cat /etc/nginx/conf.d/ssl.conf
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

Here, the add_header directive sets the Strict-Transport-Security (HSTS) header, which tells browsers how long to remember that the site must only be accessed over HTTPS. max-age=31536000 equals one year. includeSubDomains applies the policy to all subdomains, so in this case make sure that every subdomain has a trusted certificate. If not, remove includeSubDomains so that the add_header directive reads as follows:

add_header Strict-Transport-Security "max-age=31536000;";
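As an added illustration (not part of the Plesk article), the following Python script checks the two properties the resolution above targets: whether the negotiated cipher uses ephemeral key exchange (forward secrecy) and whether the HSTS header is present with the one-year max-age. `check_server` is an assumed helper that needs network access; the other functions work on constructed values.

```python
import ssl
from http.client import HTTPSConnection

# OpenSSL cipher-name prefixes that use ephemeral (EC)DH key exchange; these are
# the suites the article's "AES256+EECDH:AES256+EDH" ssl_ciphers string selects.
FS_KEX_PREFIXES = ("ECDHE", "DHE", "EDH")
ONE_YEAR = 31536000  # the max-age value used in the article


def provides_forward_secrecy(cipher_name):
    """True for ephemeral key exchange; TLS 1.3 suites (TLS_*) always qualify."""
    return cipher_name.startswith("TLS_") or cipher_name.startswith(FS_KEX_PREFIXES)


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value (RFC 6797); empty directives such as
    the trailing ';' in the article's header are ignored."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


def assess(cipher_name, hsts_value):
    """Return a list of findings; an empty list means both properties hold."""
    findings = []
    if not provides_forward_secrecy(cipher_name):
        findings.append("no forward secrecy: " + cipher_name)
    if hsts_value is None:
        findings.append("HSTS header missing")
    else:
        max_age = parse_hsts(hsts_value)["max_age"]
        if max_age is None or max_age < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")
    return findings


def check_server(host, port=443, timeout=5):
    """Assumed helper (needs network access): connect and assess the live server."""
    conn = HTTPSConnection(host, port, context=ssl.create_default_context(), timeout=timeout)
    try:
        conn.request("HEAD", "/")
        response = conn.getresponse()
        return assess(conn.sock.cipher()[0], response.getheader("Strict-Transport-Security"))
    finally:
        conn.close()
```

Because the article sets ssl_prefer_server_ciphers on, the cipher reported by check_server is the server's top choice among the suites the client offered, which is exactly what SSLLabs grades.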

3 Comments

  • Jorge Batres

    Hi, I have followed these exact instructions but SSLLabs does not show Strict Transport Security (HSTS) for my domain www.vacationpeople.com which already has an "A".

    I use Onyx Version 17.0.17 Update #14 on Linux RHEL 6.8.

    Any ideas?

  • Vitaly Zhidkov

    @Jorge, I see that you have configured everything correctly:

    # curl -s -D- https://www.vacationpeople.com | grep Strict
    Strict-Transport-Security: max-age=31536000;

    The SSLLabs test returns the A+ score and shows the same: HSTS is configured properly.

  • Jorge Batres

    Thank you Vitaly, everything works great now!
