Getting 100% at SSL Labs

1. Caddy version (caddy version):

v2.0.0 h1:pQSaIJGFluFvu8KDGDODV8u4/QRED/OPyIR+MWYYse8=

2. How I run Caddy:

via systemctl start caddy

a. System environment:

systemd, Fedora 31

3. The problem I’m having:

I would like to increase the Let’s Encrypt key size. The default is 2048; I would like to have a 4096-bit key. Is this possible with the Caddyfile? I’ve heard this is only achievable via JSON, but this would lead to the problem that it’s not possible to import JSON configuration into a Caddyfile configuration :S and I really don’t want to use the API or transform my Caddyfile into JSON first…

What I am trying to achieve is a 100% rating at SSL Labs with Caddy (like the one for nginx here: https://github.com/ssllabs/ssllabs-scan/issues/636#issuecomment-630415223 )

4. Error messages and/or full log output:

nothing yet.

5. What I already tried:

nothing yet.

6. Links to relevant resources:

Yep, with the key_type global option:

I’m pretty certain that Caddy’s default is p256 though.

Mh I wonder what I would need to modify to get a 100% rating here:

https://www.ssllabs.com/ssltest/analyze.html?d=shibumi.dev&s=78.46.124.83

Right now I have 10% missing for key exchange and cipher strength. I could fix the key exchange with p384 I guess, but what about the cipher strength? Is there a way to only allow ciphers with at least 256-bit?

Ok, I have tested this with p384 and surprisingly I get the same rating by ssllabs :smiley:
This scanner is hilarious.

Small side note: Caddy doesn’t regenerate the keys automatically; if you set a new key_type you have to delete the related files manually.

Usually you need HSTS set to a long duration to get 100%. That’s what caddyserver.com does anyway, and we have 100%.

Currently, you do not need to change any TLS/cert settings in Caddy to get 100%. Just set that header. Using p384 may be less optimal in most hardware implementations.

I have this on my headers:

    header Strict-Transport-Security "max-age=31536000"
    header X-XSS-Protection "1; mode=block"
    header X-Content-Type-Options "nosniff"
    header X-Frame-Options "DENY"
    header -Server

And I still can’t get past 90% on key exchange and cipher strength. How do you do it, @matt?

I’m not sure, but the answer is probably here: https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide

Still, doing that seems unnecessary / not a great idea for compatibility.

I checked caddyserver.com, and it is the same as my server, it only gets 90% on cipher and keys.

You’re right, I missed that part of what you were trying to achieve.

I’m pretty sure if we actually got 100% in everything then we’d have a lot more complaints about people not being able to connect (and for no good reason).

Well, there is a thread on GitHub with a guy who is using nginx and he has 100% in every area, and he doesn’t mention any connection issues.

You do you – I’m just saying that even by not supporting TLS 1.0 I’ve had a lot of complaints, so.

Look at the sections around here if you really feel it is important to get 100%: https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide#key-exchange

From Caddy 2 documentation:

ciphers specifies the list of cipher suite names in descending preference order.

How will that go on a Caddyfile? Like this?

tls {
    ciphers TLS_AES_256_GCM_SHA384
    ciphers TLS_CHACHA20_POLY1305_SHA256
    curves secp384r1
}

Will they be comma separated, or space separated?

The docs say the syntax is:

ciphers   <cipher_suites...>

So, they’re space-separated on one line.


Thanks! Ciphers on TLS 1.3 are not configurable, so this one:

TLS_AES_128_GCM_SHA256

Will forbid us from ever getting that 100%.

You can use TLS 1.2 and still get 100%.

Like I’ve been saying, getting 100% on an arbitrary test is overrated / pointless in general. :wink:

True. As good as it gets:

Caddy is capable of getting full 100% (I’ve done it before for fun, and seen others do it before too) – you just have to configure it to meet the requirements for their test.

But again, I’ll clarify for anyone finding this thread in a search result – getting 100% at SSL Labs is absolutely not necessary, and usually not recommended. (This is just for fun, I suppose.) Caddy’s defaults are modern and secure.
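Putting the pieces from this thread together into one Caddyfile, as an added example that is not part of the original posts: the key_type global option from the first answer, the space-separated ciphers/curves syntax, TLS 1.2 only (since TLS 1.3 suites are not configurable), and the long-duration HSTS header. The domain is a placeholder, and the two-argument form of protocols (min and max) is assumed to be what pins the version to 1.2 alone. As the thread says, this trades compatibility for a score.

```caddyfile
{
	# Global option: ask the ACME CA for a 4096-bit RSA key.
	# Changing this after a cert exists requires deleting the old key/cert files by hand.
	key_type rsa4096
}

example.com {
	tls {
		# Assumption: giving min and max keeps TLS 1.3 off, whose AES-128 suite is not configurable.
		protocols tls1.2 tls1.2
		# Space-separated, descending preference; RSA suites to match the RSA key above.
		ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
		# P-384 only, for the key exchange score.
		curves secp384r1
	}

	header {
		# One year of HSTS is what the thread identifies as the usual 100% requirement.
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "DENY"
		-Server
	}

	respond "ok"
}
```

Validate with `caddy validate --config Caddyfile --adapter caddyfile` before reloading; Caddy’s defaults already score A+ without any of the tls block above.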