Qualys SSL Labs has provided an SSL Server Test for a while. You can rate your web site at https://www.ssllabs.com/ssltest
To get an "A" rating, there are a few straightforward tricks:
- Disable all versions of the SSL protocol and enable only TLS, e.g.,
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- Choose only strong ciphers; you'll sacrifice some very old clients, e.g.,
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
- Use HSTS, e.g.,
add_header Strict-Transport-Security "max-age=31536000";
Optionally,
ssl_dhparam /etc/ssl/private/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
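As a self-check before submitting a host to the SSL Labs test, here is an added example (not part of the original post) that parses simple nginx directives and flags the settings the tricks above address; both sample configs are constructed for the demonstration.

```python
import re

# Constructed sample configs: the weak settings next to the post's corrected ones.
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:aNULL:MD5;
}
"""
HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;
    add_header Strict-Transport-Security "max-age=31536000";
    ssl_dhparam /etc/ssl/private/dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
}
"""

# One simple "name value;" directive per line; nested blocks are not needed here.
DIRECTIVE_RE = re.compile(r"^\s*([a-z_]+)\s+([^;{}]*?)\s*;\s*$", re.MULTILINE)

def parse_directives(conf):
    """Map each directive name to the list of its values found in conf."""
    found = {}
    for name, value in DIRECTIVE_RE.findall(conf):
        found.setdefault(name, []).append(value)
    return found

def audit(conf):
    """Return the list of findings; an empty list means every check passes."""
    d = parse_directives(conf)
    findings = []
    protocols = " ".join(d.get("ssl_protocols", [])).split()
    if not protocols or any(p.startswith("SSLv") for p in protocols):
        findings.append("ssl_protocols: SSL enabled or no TLS-only list")
    cipher_tokens = ":".join(d.get("ssl_ciphers", [])).split(":")
    for weak in ("aNULL", "MD5"):
        if f"!{weak}" not in cipher_tokens:
            findings.append(f"ssl_ciphers: {weak} not excluded")
    hsts = [v for v in d.get("add_header", []) if v.startswith("Strict-Transport-Security")]
    if not hsts or not re.search(r"max-age=\d+", hsts[0]):
        findings.append("no Strict-Transport-Security header with a max-age (HSTS)")
    if d.get("ssl_stapling") != ["on"]:
        findings.append("optional: OCSP stapling not enabled")
    return findings
```

Running audit(WEAK_CONF) reports five findings, while audit(HARDENED_CONF) returns an empty list.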