https

Mitigations

• BEAST: nginx
• DH downgrade: Apache, nginx

Perfect Forward Secrecy (PFS)

• HTTPS - Perfect Forward Secrecy (PFS): Use

      TLS_ECDHE_RSA_WITH_RC4_128_SHA
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
      TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 
  

• Configure Forward Secrecy: HowTo for Apache, nginx and OpenSSL

Public Key Pinning (HPKP)

• HPKP - HTTP Public Key Pinning: Headers look like

  Public-Key-Pins-Report-Only
  
  Public-Key-Pins pin-<algorithm>="<hash>"; pin-<algorithm>="<hash>"; max-age=<age>[; includeSubdomains]
  

• Creating SPKI fingerprints

  openssl x509 -noout -in certificate.pem -pubkey | \
  openssl asn1parse -noout -inform pem -out public.key;
  openssl dgst -sha256 -binary public.key | openssl enc -base64
  

OSCP

• Cloudflare: OSCP Stapling
• OCSP Stapling with nginx

HTTPS Testing

• HTTPS Client Test (online)
• HTTPS Server Test (online)
• HTTPS Server Test shell script

SSL Performance

• SSL Overclocking
• SSL Performance Case Study Cloudflare