Check the SSL certificate on ssllabs: only Overall Rating "B"

Hello everyone, I installed the Jitsi Meet server in the standard configuration.
If I now check the SSL certificate at https://www.ssllabs.com/ssltest/, I only get a B result.
How can I get an A result?
Thank you.

Since the standard/auto configuration uses LetsEncrypt certificates, you should be able to find any guide that describes how to get an A-rating with nginx/apache and LetsEncrypt. It typically has to do with which algorithms and SSL protocol levels the server indicates support for.

In your case above, I think you should drop TLS 1.0 and TLS 1.1, which should make a difference. I just tested with one of our instances, and get an A grade from SSL-labs.

These are some of the settings we use (and they can be optimized I’m sure):

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

Do you have the changes in /etc/nginx/nginx.conf or in /etc/nginx/sites-enabled/domain.xx.conf ?

Disabling TLS1.0 and 1.1 and enabling 1.3 will give you at least an A rating. You do that in your sites-enabled/meet.example.com.conf, in your ssl server block change
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; to ssl_protocols TLSv1.2 TLSv1.3;

In our case, we have that for each site configuration (…/sites-enabled/…)

It has no effect. Even after restarting the server, it remains at B.

server {
listen 4444 ssl http2;
listen [::]:4444 ssl http2;
server_name meet.example.com;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384$

And no effect in /etc/nginx/nginx.conf either:

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

Add this to your /etc/turnserver.conf:

no-tlsv1
no-tlsv1_1

Better also create a dhparam.pem file and add this to your turnserver.conf:
dh-file=/etc/nginx/ssl/dhparam.pem

My 2 cents.

Now it’s better. But still a B result.
How can I create a dhparam.pem file?

openssl dhparam -out dhparam.pem 4096

Yes.

Step 1:
nano /etc/nginx/sites-available/meet.example.com.conf
change to:
ssl_protocols TLSv1.2 TLSv1.3;

Step 2:
mkdir /etc/nginx/ssl
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
nano /etc/turnserver.conf
(add):
no-tlsv1
no-tlsv1_1
dh-file=/etc/nginx/ssl/dhparam.pem

service nginx restart
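The posts above change two files: the nginx site config (drop TLSv1/TLSv1.1 from ssl_protocols) and /etc/turnserver.conf (no-tlsv1, no-tlsv1_1, dh-file). The script below is an added example, not from this thread or the Jitsi project, that audits both files for exactly those settings. The config snippets it writes are constructed samples (the "before" one mirrors the installer default quoted earlier) so the script runs offline; point audit() at the real paths to check a live host. The placeholder dhparam.pem only stands in for the output of `openssl dhparam`.

```shell
#!/bin/sh
# Added example, not from the thread: audit an nginx site config and a
# turnserver.conf for the settings recommended above. Sample files are
# constructed so the script runs offline.

# Return 0 when every ssl_protocols directive in FILE lists only TLSv1.2/1.3.
# A file with no directive fails too: nginx then uses its built-in default,
# which still includes TLSv1 and TLSv1.1 on older releases.
nginx_protocols_ok() {
    directives=$(sed 's/#.*//' "$1" \
        | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' || true)
    [ -n "$directives" ] || return 1
    ! printf '%s\n' "$directives" \
        | grep -E -q '(SSLv[23]|TLSv1(\.[01])?)([[:space:]]|;)'
}

# Return 0 when turnserver.conf disables TLS 1.0/1.1 and names a dh-file
# that exists and is non-empty.
turnserver_ok() {
    conf=$(sed 's/#.*//' "$1")
    printf '%s\n' "$conf" | grep -q -x -E '[[:space:]]*no-tlsv1[[:space:]]*'   || return 1
    printf '%s\n' "$conf" | grep -q -x -E '[[:space:]]*no-tlsv1_1[[:space:]]*' || return 1
    dh=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*dh-file=//p' | head -n 1)
    [ -n "$dh" ] && [ -s "$dh" ]
}

# Report on both files; non-zero exit status if either check fails.
audit() {
    rc=0
    if nginx_protocols_ok "$1"; then printf 'nginx  %s: ok\n' "$1"
    else printf 'nginx  %s: TLSv1/TLSv1.1 still enabled or no ssl_protocols set\n' "$1"; rc=1; fi
    if turnserver_ok "$2"; then printf 'coturn %s: ok\n' "$2"
    else printf 'coturn %s: missing no-tlsv1, no-tlsv1_1 or a usable dh-file\n' "$2"; rc=1; fi
    return $rc
}

# --- constructed sample files ---------------------------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Installer default, as quoted earlier in the thread.
cat >"$WORK/before.conf" <<'EOF'
server {
    listen 4444 ssl http2;
    server_name meet.example.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
EOF
# Same block with the fix applied.
cat >"$WORK/after.conf" <<'EOF'
server {
    listen 4444 ssl http2;
    server_name meet.example.com;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
}
EOF
# Placeholder standing in for `openssl dhparam -out dhparam.pem 2048` output.
printf 'placeholder-dhparam\n' >"$WORK/dhparam.pem"
cat >"$WORK/turnserver.conf" <<EOF
listening-port=3478
tls-listening-port=5349
no-tlsv1
no-tlsv1_1
dh-file=$WORK/dhparam.pem
EOF
cat >"$WORK/turnserver-default.conf" <<'EOF'
listening-port=3478
tls-listening-port=5349
EOF

audit "$WORK/after.conf"  "$WORK/turnserver.conf"                   # both ok
audit "$WORK/before.conf" "$WORK/turnserver-default.conf" || true   # both flagged
```

Run it after editing and restarting, before re-testing on SSL Labs; a failing coturn line is the common reason the grade stays at B even though the nginx block already looks right.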

Thank you!!

What means “HTTP request to this server failed, see below for details”?

I have the same problem as OP. Why do we have to edit the turnserver.conf? Usually it’s the conf in sites-enabled. Is this a bug?

No, this is certainly not a bug.
This is because if you use coturn the web server nginx will forward the requests directly to the turn server. That is why you will have to set up the turn server properly and safely. Nginx is just a conduit in this case.
The turn server does not return a valid HTTP response, hence SSL labs indicate that the HTTP request has failed; this is no further problem.

My 2 cents.

Thank you for the clarification. So if I add the lines you mentioned to turnserver.conf I don’t have to add it to the sites-enabled conf too?

Edit: What do you mean by properly and safely? Is the standard configuration unsafe besides the B rating?

Yes, you also have to set the config in sites-enabled correctly because not all HTTP requests are forwarded to the turn server. But requests from SSL labs, for example, will be forwarded to the turn server, and if you go to the home page of your Jitsi server, for example, it will be handled entirely by Nginx.
Just make both configurations as safe as possible.
Standard configurations often do not use the most secure settings.

I have two more questions. Why does the HTTP request from SSL Lab gets handled by the turnserver but “normal” requests from browsers not? And is it possible to check the nginx configuration with SSL Lab test?

If you use nginx with ALPN multiplexing as configured in the example configs, nginx checks the TLS handshake for the ALPN extension and only responds by itself if the ALPN protocol is set to http (and maybe http2). If the ALPN protocol does not contain http, nginx backs off and lets the turnserver deal with the connection. That is, the turnserver needs to respond to the TLS client hello and therefore must be configured with the valid TLS certificate chain and appropriate cipher suites and so on.

I guess that SSL Labs does not include the ALPN extension in at least some of their http requests, which is why they don’t get a valid http response and are served by the turnserver instead.
You can test the behavior yourself using openssl: openssl s_client -connect meet.example.org:443 -alpn http/1.1 -showcerts to check the certificate chain sent by the webserver. Replace http/1.1 with, e.g., turn to check the chain delivered by the turnserver.

Note: The above is how I think it works but reality may disagree :wink: Please correct me to the benefit of all in case you find some of my statements are wrong.
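The openssl check in the post above compares what comes back for different ALPN values by eye. As an added example (not from the post or the Jitsi project), the script below wraps that check: summarize_s_client reduces one `openssl s_client` transcript to "negotiated ALPN, TLS version, certificate subject", and compare_backends runs the probe for http/1.1, h2 and turn against the same port so the lines can be compared directly. probe_alpn needs network access and the openssl binary; the two transcripts at the bottom are constructed samples that exercise the parser offline, and meet.example.org is a placeholder host.

```shell
#!/bin/sh
# Added example, not from the thread: probe one port with several ALPN values
# and summarize which certificate and TLS version answered, to tell whether
# nginx or the turnserver handled the connection.

# Reduce `openssl s_client` output on stdin to one line:
#   "<negotiated ALPN or none> <TLS version> <certificate subject>"
summarize_s_client() {
    awk '
        /^subject=/                          { sub(/^subject=/, ""); subject = $0 }
        /^ALPN protocol:/                    { alpn = $3 }
        /^No ALPN negotiated/                { alpn = "none" }
        /^[[:space:]]*Protocol[[:space:]]*:/ { proto = $NF }
        END {
            if (alpn == "") alpn = "none"
            print alpn, proto, subject
        }'
}

# One handshake against HOST:PORT offering only the ALPN value ALPN.
# "Q" on stdin makes s_client close the connection after the handshake.
probe_alpn() {
    host="$1"; port="$2"; alpn="$3"
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
        -alpn "$alpn" 2>/dev/null | summarize_s_client
}

# Probe the same port with web-style and TURN-style ALPN values; if the
# subject or TLS version differs between the lines, a different backend
# answered and needs its own TLS settings (cf. turnserver.conf above).
compare_backends() {
    for a in http/1.1 h2 turn; do
        printf '%-9s ' "$a"
        probe_alpn "$1" "${2:-443}" "$a"
    done
}

# --- constructed s_client transcripts for an offline run -----------------
SAMPLE_HTTP=$(cat <<'EOF'
CONNECTED(00000003)
---
Server certificate
subject=CN = meet.example.org
issuer=C = US, O = Example CA, CN = R3
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
ALPN protocol: http/1.1
---
SSL-Session:
    Protocol  : TLSv1.3
EOF
)
SAMPLE_NOALPN=$(cat <<'EOF'
CONNECTED(00000003)
---
Server certificate
subject=CN = meet.example.org
issuer=C = US, O = Example CA, CN = R3
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
No ALPN negotiated
---
SSL-Session:
    Protocol  : TLSv1.2
EOF
)

printf '%s\n' "$SAMPLE_HTTP"   | summarize_s_client   # http/1.1 TLSv1.3 CN = meet.example.org
printf '%s\n' "$SAMPLE_NOALPN" | summarize_s_client   # none TLSv1.2 CN = meet.example.org
# Live use: compare_backends meet.example.org 443
```

In the constructed second transcript the backend negotiated no ALPN and only TLS 1.2; on a real host that pattern on the turn line, next to TLS 1.3 on the http/1.1 line, is what you would expect to see before the turnserver.conf changes from earlier in the thread are applied.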