https快速获得ssllabs的A评级

配置文件参考
https://github.com/aqzt/kjyw/blob/master/https/www.aqzt.com_https_A.conf

通过https://www.ssllabs.com/ssltest/测试ssl安全性，比如Heartbleed等漏洞。

nginx编译安装openssl最新版本
./configure —prefix=/usr/local/nginx —with-http_ssl_module —with-openssl=../openssl-1.0.2h —with-http_sub_module —with-http_stub_status_module —with-pcre —with-pcre=../pcre-8.33 —with-zlib=../zlib-1.2.8 —with-http_secure_link_module
make
make install

nginx配置中启用ssl配置如下：
ssl on;
ssl_certificate /usr/local/nginx/conf/cert/server.pem;
ssl_certificate_key /usr/local/nginx/conf/cert/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_dhparam /usr/local/nginx/conf/dhparams.pem;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_session_cache shared:SSL:50m;
ssl_prefer_server_ciphers on;
ssl_session_tickets on;
ssl_session_ticket_key /usr/local/nginx/conf/session_ticket.key;

说明：
ssl_protocols里面建议不要启用SSLv3（IE6 默认只支持 SSLv2 和 SSLv3），启用SSLv3使用ssllabs检测，评级最高只能到C评级

生成/usr/local/nginx/conf/dhparams.pem
执行命令
cd /usr/local/nginx/conf
openssl dhparam -out dhparam2048.pem 2048

生成session_ticket.key
执行命令
cd /usr/local/nginx/conf
openssl rand 48 > session_ticket.key

配置文件可参考：https://github.com/aqzt/kjyw/blo … zt.com_https_A.conf

修改完配置，reload下nginx,执行命令
/usr/local/nginx/sbin/nginx -s reload

使用https://www.ssllabs.com/ssltest/测试看下，你的网站是否已经A评级