

Getting an A+ on Qualy's SSL Labs Tester - sethvargo
https://sethvargo.com/getting-an-a-plus-on-qualys-ssl-labs-tester/

======
hobarrera
> At this time, the only way to get a verified certificate that will be
> trusted across most Internet browsers is to pay for a certificate. I chose
> RapidSSL, but you can choose any respectable provider.

You've got StartSSL, which has been free for years.

------
blfr
You can get A+ with a 2048-bit key, and while keeping support for most of the
Internet users[1]. You just won't get 4x100. But if you want to, in addition
to steps from OP, drop tls1 and 1.1, leaving only 1.2.

[1] https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29

~~~
sethvargo
Interesting - if I drop TLS1 I can get the full 100%? I actually couldn't
figure out what was keeping the bar at 95 :). Thank you!
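
An added example, not part of the thread or the linked article: one way to check an nginx configuration against the advice above of dropping TLS 1.0 and 1.1 and leaving only 1.2. The sample configuration, the `ALLOWED` set and the function names are constructed for illustration, and the comment stripping assumes no `#` appears inside quoted values.

```python
import re

# Policy from the comment above: keep only TLS 1.2. Adjust to your own policy.
ALLOWED = {"TLSv1.2"}

# Constructed sample nginx configuration (not taken from the linked article).
SAMPLE_CONF = """\
server {
    listen 443 ssl;
    server_name a.example;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # legacy clients
}
server {
    listen 443 ssl;
    server_name b.example;
    # ssl_protocols TLSv1;
    ssl_protocols
        TLSv1.2;
}
"""

def strip_comments(text):
    """Remove '#' comments but keep line breaks so line numbers stay valid."""
    return re.sub(r"#[^\n]*", "", text)

def audit_ssl_protocols(conf_text):
    """Return [(line_no, [disallowed protocols])] for each ssl_protocols directive."""
    text = strip_comments(conf_text)
    findings = []
    # \b keeps related directives such as proxy_ssl_protocols out of the match;
    # [^;]* lets the argument list span several lines.
    for m in re.finditer(r"\bssl_protocols\s+([^;]*);", text):
        line_no = text.count("\n", 0, m.start()) + 1
        extra = [p for p in m.group(1).split() if p not in ALLOWED]
        findings.append((line_no, extra))
    return findings

def violations(conf_text):
    """Only the directives that enable something besides the allowed set."""
    return [(n, extra) for n, extra in audit_ssl_protocols(conf_text) if extra]

if __name__ == "__main__":
    for line_no, extra in violations(SAMPLE_CONF):
        print(f"line {line_no}: remove {', '.join(extra)}")
```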

------
hello_there
There is also the Server Side TLS guide from Mozilla which I think is really
nice. It explains which cipher suites you need to support different browsers
as well as example configurations (and a config generator) for different
setups, including Apache and Nginx.

The guide can be found here:
[https://wiki.mozilla.org/Security/Server_Side_TLS](https://wiki.mozilla.org/Security/Server_Side_TLS)

------
hannob
I had created a 100/100/100 and all config perfect test page a while back.
It's here: [https://fancyssl.hboeck.de/](https://fancyssl.hboeck.de/)

However you probably can't see it because almost no browser is capable :-) The
description is here:
[https://fancynossl.hboeck.de/](https://fancynossl.hboeck.de/)

(some info probably outdated, but still gets the all-100%-rating)

~~~
rev
Firefox 34.0 on Ubuntu 14.10 is "unable to connect securely: Firefox cannot
guarantee the safety of your data on fancyssl.hboeck.de because it uses SSLv3,
a broken security protocol. Advanced info: ssl_error_no_cypher_overlap"
Strange error, considering you use TLS 1.2 only.

------
ytch
Here is a guide[1] from SSL Labs on how they grade the strength of HTTPS.

[1] https://www.ssllabs.com/downloads/SSL_Server_Rating_Guide.pdf

------
zhngp
I'm seeing ssl_session_tickets in the final configuration, but not above.

