SSL optimizations and advanced configuration

[cameel]

After implementing #55 go to Qualys SSL Server Test and run their test against our nginx on the dev cluster. Looks at the results and list the issues in the comments below.

Before running the test I see several options that may need to be adjusted:

• Supported protocols. We should definitely disable SSL v3 and earlier. Support only TLS. You can be aggressive with your config here because we don't have to support old browsers.
• Ciphers and Diffie-Hellman parameters
• Configure session caching
• Configure OCSP stapling
• Enable HSTS
• Perfect Forward Secrecy

More information:

• Here's an example SSL configuration for nginx with more parameters: nrollr > NGINX config for SSL with Let's Encrypt certs
• Running Your Flask Application Over HTTPS, in particular the section called "Achieving an SSL A+ Grade".

[bartoszbetka]

I would considered adding preloads option to HSTS header, which ensure that browsers will never connect to domain using insecure connection. Also, I think that we should remove TLS1.0 from supported protocols , which is vulneralibity for BEAST attack. More information:

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#Preloading_Strict_Transport_Security
• https://blog.qualys.com/ssllabs/2013/09/10/is-beast-still-a-threat

[cameel]

I would considered adding preloads option to HSTS header, which ensure that browsers will never connect to domain using insecure connection.

No, we don't want preloads. At least not until we have our service running in production for some time. It's much easier to get into that list than to be removed from it later so this should not be a haphazard decision.

And, our service has very little to do with browsers.

Also, I think that we should remove TLS1.0

Yes, we should support only TLS 1.2.