Get A+ Grade on SSLLabs.com

This is how to get A+ grade in SSL Test

Create a new config

cd /etc/apache2/conf-available
vi ssl-highsecurity.conf

Harden SSL


SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off

### from: https://cipherli.st/
#SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
## for backward compatibility
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

#use TLS in next 6 months
Header always set Strict-Transport-Security "max-age=15768000; includeSubdomains"
#Header always set X-Frame-Options DENY ## this option kill roundcube, dont use!!
#Header always set X-Content-Type-Options nosniff
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

Enable the config and restart

a2enconf ssl-highsecurity
service apache2 reload