Laravel Forge SSL Obsolete Cipher Suite

Forge Obsolete Cipher Suite

If you use Laravel Forge to provision your servers, you probably already know that it can install SSL via Let's Encrypt. The process is as simple as clicking two buttons: one to install the certificate and a second to activate it. However, what Forge fails to mention is that you need to add a couple more directives to Nginx. In fact, even Forge itself (which is provisioned with Forge) does not add these extra directives. You can see this by clicking the lock icon in Chrome and then the Connection tab.

We can get more information by testing the site with Qualys' SSL Labs. After running the test, we see that Forge's grade is capped at B because the server supports weak Diffie-Hellman (DH) key exchange parameters. So, how can we fix it?

Mozilla provides recommendations for Nginx configuration and even offers an SSL configuration generator specific to your server and OpenSSL versions. Using the modern profile is safe at this point unless you need to support really old browsers. If you do, you're on your own. If you don't, we simply need to generate a strong DH parameter file and add a few directives to our Nginx config.

To generate the 2048-bit DH parameters (this can take a minute or two):

    sudo openssl dhparam -out dhparam.pem 2048

Move the file where Nginx will read it:

    sudo mv dhparam.pem /etc/ssl/certs/dhparam.pem

Then edit your Nginx config. You can do this in Forge or from the command line.

    sudo nano /etc/nginx/sites-enabled/yoursite.com

Add the following directives in the server section of your config file. Right after the Forge lines will work fine:

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000;

Go ahead and restart Nginx and you should be good to go.

    sudo /etc/init.d/nginx restart
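Before restarting, it is worth checking that the pasted block contains every directive above and no typographic quotes, which Nginx does not accept as delimiters and which make the restart fail. The following audit script is an added example, not part of the original post or of Forge; it runs over a constructed server block and uses an assumed pattern that only handles simple "name value;" lines.

```python
import re

# Constructed sample (not a real Forge file): the post's directives pasted into a
# Forge-style server block, but with typographic quotes around ssl_ciphers, the
# copy/paste mistake that makes nginx refuse to load the config.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name yoursite.com;
    ssl_certificate /etc/nginx/ssl/yoursite.com/server.crt;
    ssl_certificate_key /etc/nginx/ssl/yoursite.com/server.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers \u2018ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!RC4\u2019;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000;
}
"""

# Directives the post adds; a block missing any of them keeps the weak defaults.
REQUIRED = ("ssl_session_cache", "ssl_dhparam", "ssl_protocols",
            "ssl_ciphers", "ssl_prefer_server_ciphers")

def directives(conf):
    """Map directive name -> value for simple 'name value;' lines (assumed
    format); lines that open or close a block (server {, }) are skipped."""
    pat = re.compile(r"^\s*([a-z_]+)\s+([^;{}\n]*);\s*$", re.M)
    return {m.group(1): m.group(2).strip() for m in pat.finditer(conf)}

def audit(conf):
    """Return a list of findings; an empty list means the block looks right."""
    found = directives(conf)
    issues = [f"missing directive: {name}" for name in REQUIRED if name not in found]
    for name, value in found.items():
        # Smart quotes (U+2018/U+2019) and other non-ASCII characters are the
        # usual cause of "nginx failed to restart" after pasting from a web page.
        bad = sorted({c for c in value if ord(c) > 127})
        if bad:
            issues.append(f"{name}: non-ASCII character(s) {bad}, probably smart quotes")
    protos = found.get("ssl_protocols", "").split()
    if any(p.startswith("SSLv") for p in protos):
        issues.append("ssl_protocols: SSLv2/SSLv3 must not be enabled")
    if found.get("ssl_prefer_server_ciphers") != "on":
        issues.append("ssl_prefer_server_ciphers is not 'on'")
    return issues

if __name__ == "__main__":
    for line in audit(SAMPLE_CONF) or ["OK: no findings"]:
        print(line)
```

Point it at your own file, fix anything it reports, then run `sudo nginx -t` before the restart so a bad config never takes the site down.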

Modern Cipher Suite

Now when you check Chrome you will see that your connection is secured by a modern cipher suite, and when you run the Qualys test you should get an A+.

5 Comments

  • Great Job. I fixed my server in a couple minutes. Just curious, where is the value supplied in ssl_ciphers coming from? Are those names of standard available ciphers?

    • Exactly. They are the ciphers your server will accept and use to negotiate the connection.

  • Nginx failed to reboot after pasting into the nginx config file.

    Is this just supposed to go at the end?

    Is there any variation between servers? I’m on a Digital Ocean Ubuntu 14.04.4 x64 droplet.

    • Something in one of these two lines… in any case, even without these, I got my A+. So, thanks!

      ssl_ciphers ‘ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK’;
      ssl_prefer_server_ciphers on;

      • Sorry I couldn’t react more quickly to your questions. Glad you got your A+!
