Spent a few hours tonight and converted hagan-consulting.com to use HTTPS for all traffic. I have to thank Hynek Schlawack for his very useful blog post explaining how to configure optimal SSL settings. If you’re interested in seeing how your site (or this one) ranks on SSL, check out Qualys’ very useful SSL Labs Server Test. Unfortunately, the version of Apache I’m using doesn’t support elliptic curve cryptography, so Internet Explorer users will not have perfect forward secrecy. But all other major browsers should be getting the latest encryption settings, including perfect forward secrecy.
If you’re interested in the steps used, here’s an outline…
- A 2048-bit SSL certificate was generated and certified with Comodo’s PositiveSSL service (via my registrar, Namecheap.com).
- Apache 2.2 was configured with the SSL settings from Hynek’s blog post.
- Apache 2.2 was configured to serve an HSTS header per the Wikipedia article.
- The site was tested with the SSL Labs Server Test to verify the configuration.
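For a quick local check of the last two steps, the sketch below parses an HSTS header and tells whether a negotiated cipher gives forward secrecy. It is an added example, not code from this site or from Hynek's post; the function names, the sample header and the 180-day `min_age` threshold are assumptions.

```python
"""Check an HTTPS response for HSTS and a forward-secret key exchange."""

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797) into a dict.

    Returns None if the header is unusable (missing or invalid max-age).
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in directives:               # a repeated directive invalidates the header
            return None
        directives[name] = arg.strip().strip('"')
    age = directives.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        return None
    return {"max_age": int(age),
            "include_subdomains": "includesubdomains" in directives}

def has_forward_secrecy(cipher):
    """True if an OpenSSL-style cipher name uses ephemeral (EC)DH key exchange."""
    if cipher.startswith("TLS_"):            # TLS 1.3 suites are always ephemeral
        return True
    return cipher.split("-")[0] in ("ECDHE", "DHE", "EDH")

def audit(headers, cipher, min_age=15552000):   # assumed threshold: 180 days
    """Return a list of findings for one response; an empty list means pass."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("strict-transport-security")
    hsts = parse_hsts(raw) if raw else None
    if hsts is None:
        findings.append("missing or invalid HSTS header")
    elif hsts["max_age"] < min_age:
        findings.append("HSTS max-age below %d seconds" % min_age)
    if not has_forward_secrecy(cipher):
        findings.append("cipher %s has no forward secrecy" % cipher)
    return findings

# Constructed samples: one client negotiates DHE, another falls back to RSA key exchange.
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
print(audit(SAMPLE_HEADERS, "DHE-RSA-AES256-SHA"))
print(audit(SAMPLE_HEADERS, "AES128-SHA"))
```

For a live server, the response headers and the value of `ssl.SSLSocket.cipher()[0]` from Python's standard library can be passed to `audit` in place of the samples.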
If you’re new to SSL and HTTPS and would like some background on why transitioning to HTTPS is important, the EFF has a nice explanation. And of course, you’re always welcome to comment below!