The downside of updating your server config


So a little while back when I had been playing with PageSpeed I somehow managed to break certificate stapling on my server. So when I ran the Qualys SSL Server Test my score had fallen to a B! I messed around and tried a few things and I had no luck getting it to work. One of my friends said the site started to give weird errors under Chrome on Android.

Then I was reading this CertSimple blog entry yesterday and they mentioned the Mozilla Server Side TLS project, which I don't think I had heard of. Basically what it does is you enter your server version and your OpenSSL version and how aggressive you want your security settings to be, and it will generate a sample config for you. It will also tell you, based on how aggressive your settings are, what the minimum browser versions are. For example, one of the differences between Intermediate and Modern is that Modern drops support for TLSv1 and only supports TLSv1.1 and TLSv1.2. For most browsers this doesn't seem to be an issue, but if you are running IE that means the minimum browser version is IE 11. I debated whether I should drop TLSv1 support or not, but I figure if I keep it I can support IE back to 7, though I can't imagine any software engineers that might check out this blog using IE anyway. For now I have kept it, but one of these days I will drop it because given the rate of SSL issues with FREAK and Logjam lately, it is only a matter of time before someone finds a hole in TLSv1.

As for my issue, Mozilla in their example config said my ssl_certificate setting should point to my signed certificate plus the intermediates, whereas previously I only had my signed certificate there. I had the intermediates in ssl_trusted_certificate along with the root certificate, and that was working prior to my gzip changes, but for some reason now it wants them in both places or else the client does a separate download of the intermediate certificate and my grade drops to a B. So I am back to my coveted A+ rank, and I think the lesson I learned is one a coworker mentioned to me. They said that they put all of their config files in git so that any time they make a change, if there are issues they can look at all previous revisions. In the future if I make any changes here on my server config I think I may do the same and set up a config file repository before I touch anything again, just to have easy version control and know how to revert if things get ugly.
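Here is the stapling setup described above, written out as an added example rather than the config from this blog. It assumes nginx (the ssl_certificate and ssl_trusted_certificate directives are nginx's), and the hostname, file paths and resolver addresses are placeholders. The broken line (leaf certificate only) is left commented out next to the corrected one, and the protocol line reflects the choice above of keeping TLSv1 for older IE; the cipher list is the one the Mozilla generator emits and is not reproduced here.

```nginx
# Added example, not the blog's own config. Hostname, paths and resolvers are placeholders.
server {
    listen 443 ssl;
    server_name example.com;

    # BROKEN: the leaf certificate alone. nginx then sends no intermediate in the handshake,
    # so clients have to fetch it themselves and SSL Labs reports the chain as incomplete
    # and caps the grade.
    # ssl_certificate /etc/ssl/certs/example.com.crt;

    # FIXED: leaf certificate followed by the intermediate(s), concatenated in that order:
    #   cat example.com.crt intermediate.crt > example.com.fullchain.pem
    ssl_certificate     /etc/ssl/certs/example.com.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    # Intermediates plus the root, used by nginx to verify the OCSP response it staples.
    ssl_trusted_certificate /etc/ssl/certs/example.com.chain-plus-root.pem;
    ssl_stapling        on;
    ssl_stapling_verify on;
    # nginx needs a resolver to reach the CA's OCSP responder; placeholder addresses.
    resolver         1.1.1.1 8.8.8.8 valid=300s;
    resolver_timeout 5s;

    # Intermediate profile: TLSv1 kept for IE 7-10 compatibility; Modern would be TLSv1.1 TLSv1.2.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # ssl_ciphers: paste the list from the Mozilla Server Side TLS generator for your OpenSSL version.
    ssl_session_timeout 1d;
    ssl_session_cache   shared:SSL:50m;
}
```

After `nginx -t` and a reload, check the staple from a client with `openssl s_client -connect example.com:443 -status < /dev/null 2>&1 | grep -A 2 'OCSP response'`; a working setup prints `OCSP Response Status: successful (0x0)`. Note that nginx fetches the OCSP response lazily, so the very first connection after a reload can show `no response sent` even when the config is correct; try a second time before concluding stapling is broken.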