Accelerator: Getting your A+ SSL rating

The Qualys SSL Labs Test is well known as a benchmark to test the security and rigidity of your HTTPS website set-up. You want to see an A or A+ rating, indicating your SSL server is set up to be secure, functional and has no known vulnerabilities. This guide will help you to configure Snapt Accelerator to get your A+ rating!

We are specifically talking about the Snapt Web Accelerator in this post. You can also achieve an A+ SSL rating with the Balancer.

Not a Snapt client? Snapt's Accelerator will elevate your website – we'll load it faster, safer and better. You'll convert more users, save on server costs and love our product, or your money back! Get a free trial.



Understanding what you are changing

When you disable old, outdated (and potentially vulnerable) SSL ciphers and protocols, you prevent old and outdated browsers from communicating with your server. In this guide we recommend settings that won’t work on very old (10+ years) operating systems and browsers, estimated to be less than 1% of the web.

Protocols, ciphers and headers

We want to disable the use of SSLv2, SSLv3 and TLS1.0 completely. We’re also going to use a modern cipher set and force all users to use HTTPS. This can break things on your site, and you should be aware of the impact the changes will have!

These older protocols are vulnerable to attacks, which is why SSL Labs gives you a low score while they are enabled.


Let's Get Started

Follow the steps below to get your own A+ SSL rating.

Step 1: Setting your ciphers

Go to Setup -> SSL -> SSL Options on your Snapt installation. Here we want to set the Ciphers Preset to the latest one, tagged "Most Secure". At the time of writing that is Snapt V6. For technical users, that will apply the following cipher set:

EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

Now generate a 4096-bit Diffie-Hellman key file, using the Generate button. It can take 5–15 minutes to complete.

Once it has completed, Save the page to apply your cipher options, then select the new dhparams.pem file we created for you and Save again.
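
To see what the Step 1 cipher string means in practice, the following added example (not Snapt's code) expands it with Python's standard ssl module and the local OpenSSL, then groups the resulting suites by key exchange. The function names and report keys are this example's own, and the exact suite list depends on the OpenSSL build installed.

```python
import ssl

# Cipher string quoted in Step 1 of the guide.
SNAPT_CIPHERS = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"


def expand(cipher_string):
    """Return the TLS 1.2-and-older suites the local OpenSSL selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # OpenSSL configures TLS 1.3 suites separately and always lists them,
    # so they are left out of the comparison.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Group suite names by key exchange and list the non-AEAD ones."""
    report = {"ecdhe": [], "dhe": [], "other_kx": [], "non_aead": []}
    for c in expand(cipher_string):
        name = c["name"]
        if c["kea"] == "kx-ecdhe":
            report["ecdhe"].append(name)
        elif c["kea"] == "kx-dhe":
            # These suites use the server's Diffie-Hellman parameters file.
            report["dhe"].append(name)
        else:
            # Anything here (for example static RSA key exchange) has no
            # ephemeral key exchange and would be a finding.
            report["other_kx"].append(name)
        if not c["aead"]:
            report["non_aead"].append(name)  # CBC-mode fallback suites
    return report


if __name__ == "__main__":
    for group, names in audit(SNAPT_CIPHERS).items():
        print(f"{group}: {len(names)}")
        for n in names:
            print("   ", n)
```

An empty other_kx group means every suite uses ephemeral ECDHE or DHE key exchange; the dhe group shows which suites rely on the dhparams.pem file generated in this step.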

Step 2: Choose your protocols

Go to Accelerator -> Configuration -> SSL Options. You want to change your SSL Protocol to TLSv1.1, TLSv1.2. That restricts which protocols the server will communicate with, disabling SSLv2, SSLv3, and TLS1.0.

Next up, enable OCSP Stapling and Strict Transport Security. Be aware that this will tell browsers to only ever speak to your website using SSL, so make sure it’s all running on HTTPS!

Now Save on this page. Reload the Accelerator.

Step 3: Checking your certificate

Snapt doesn’t control your SSL certificate of course, and you may need a more recent or more secure one in order to get the best rating. Running the SSL Test will let you know about that. With the settings you’ve changed now, you should have an A+ rating. If you do not, the cause is most likely your certificate.

You should see a report like the below:

[Image: SSL Labs test report]


Final Words

If you need a managed SSL acceleration and Offloading service you need Snapt. Snapt is a full ADC with powerful SSL acceleration that will ensure your website is faster and safer. Get a free trial.
