How to Get an A+ on SSL Labs Report

As a follow up to my post on cheap SSL certificates, I learned that the certificate wasn’t the reason I was getting an A- on the Qualys SSL Labs test. But after a few configuration changes, I achieved the coveted A+ grade.

A+ on Qualys SSL Labs report

First, find out your current grade by entering your web site here. If it’s an A+, congratulations! If not, continue reading.

This is the NGINX configuration I’m using (in the server block):

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    ssl_session_cache  builtin:1000  shared:SSL:10m;

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver valid=300s;
    resolver_timeout 10s;

    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

The only browser this doesn’t support is IE 6 on Windows XP, but I’m okay with that. Windows XP is no longer supported and IE 6 is just about dead (thank goodness). If you’re daring, use the above configuration or the configs at and hope for the best. I opted for the legacy support option (click on the “Yes, give me a ciphersuite that works with legacy / old software.” link). And has example configurations for Apache and Lighttpd.

If you want to learn more about what each of the options do, I found these two tutorials helpful:

  1. Configuring Apache, Nginx, and OpenSSL for Forward Secrecy
  2. Strong SSL security


 (Post a comment) | Comments RSS feed
  1. […] checked my grade on SSL Labs and found it had dropped from the coveted A+ to an A due to the use of SHA-1. I’m pleased to see they’re keeping the test updated. […]

    Pingback by Don't Use SHA-1 for SSL Certificates on November 8, 2014 @ 12:01 am

Comments are closed