I decided to take it as a challenge to get a full perfect score on the de facto standard of SSL implementation quality, the Qualys SSL Labs Server Test.
Needless to say, getting a perfect score is not without cost. For example, many browsers will be incapable of accessing the site. For this reason, I decided use a “disposable” domain name: ssl100.quantum2.xyz, which also runs on a separate IPv6 address to prevent any contamination on this website (there is no IPv4 since I didn’t have a disposable address), so you will need IPv6 access.
Incidentally, this also gets an A+ on securityheaders.io.
This is the configuration I used. Think thrice before copying, since it’s rather extreme, and will break your site for some users.
Effectively, this configuration allows only TLSv1.2 (while
TLSv1.3 is listed, the stack does not support the same draft that the test uses). It prefers only AES256 ciphers, operating with either a DiffieHellman parameter ≥ 4096 bits or the elliptic curve equivalent on the
secp384r1 curve, equivalent to 7680 bits. I also had to get Let’s Encrypt to issue a 4096 bit RSA certificate, with OCSP must-staple thrown in as a bonus. Naturally, OCSP stapling is included in the configuration.
The security headers are fairly standard, and securityheaders.io has a fairly decent explanation for all of them.