Switch to HTTPS Now, For Free

published by Eric Mill on
Update, April 2015: While you can still get a free certificate from StartSSL, these days I use SSLMate for my domains, at home and at work. They're $16/year, but it's more than worth it to be able to run sslmate buy domain.com and have it Just Work.

And: unlike StartSSL, you can reissue and revoke for free and as many times as you need. SSLMate is fantastic and I recommend the hell out of them. (They're not paying me, I swear!)

If you use SSLMate, this guide will still help you -- pick it up from Installing the certificates and Setup with other common hosts.

From now on, you should see a delightful lock next to https://konklone.com in your browser's URL bar, because I've switched this site to use HTTPS. I paid $0 for the trouble.

Why you should bother doing the same:

This post shows how to do your part in building a surveillance-resistant Internet by switching your site to HTTPS. Though it takes a bunch of steps, each one is very simple, and you should be able to finish this in under an hour.

A quick overview: to use HTTPS on the web today, you need to obtain a certificate file that's signed by a company that browsers trust. Once you have it, you tell your web server where it is, where your associated private key is, and open up port 443 for business. You don't necessarily have to be a professional software developer to do this, but you do need to be okay with the command line, and comfortable configuring a web server you control.

Most certificates cost money, but at Micah Lee's suggestion, I used StartSSL. They're who the EFF uses, and their basic certificates for individuals are free.

There are two things that could cost you money. One is that if your site is commercial in nature, they'll ask you to pay for a higher level certificate.

More importantly, if your certificate ever needs to be revoked, StartCom will charge you a $30 fee. Revocation used to be rare, but the Heartbleed bug forced a huge portion of the Internet to generate new keys and revoke the certificates issued for the old ones, and for people who had issued a large number of free certificates, that turned out to be expensive.

Still, StartCom makes getting started with SSL simple and inexpensive. Their website is difficult to use at first — especially if you're new to the concepts and terminology behind SSL certificates (like I was). Fortunately, it's not actually that hard; it's just a lot of small steps.

Below, we'll go step by step through signing up with StartSSL and creating your certificate. We'll also cover installing it via nginx, but you can use the certificate with whatever web server you want.

Final reminder: SSLMate is way easier than this. It's not too late!

Register with StartSSL

To get started, visit their signup page and enter your information.

They'll email you a verification code. They tell you not to close the tab or navigate away from it, so keep it open until the code arrives and you can paste it in.

You'll need to wait for approval, but it should only take a few minutes. Once you're approved, they'll email you a special link and a verification code to type in.

That'll bring you to a screen to generate a private key. They generate this private key inside your browser, using the HTML "keygen" tag. However, this isn't the key you use to make your SSL certificate. They use it to create a separate "authentication certificate" that you will use to log in to StartSSL's control panel going forward. You'll make a separate certificate for your website later.

Finally, they'll ask you to "Install" the certificate, which installs your authentication certificate directly into your browser.

If you're in Chrome, you should see this at the top of your browser window:

Again, this is just the certificate that identifies you by your email address and lets you log in to StartSSL going forward.

Now, we need to persuade StartSSL that we own the domain name we want to generate a new certificate for. From the control panel, click the "Validations Wizard" tab, and select "Domain Name Validation" from the dropdown.

Enter your domain name.

Next, you'll select an email address that StartSSL will use to verify you own the domain name.

As you can see, StartSSL will believe you own the domain if you control webmaster@, postmaster@, or hostmaster@ at the domain name, OR if you own the email address listed as part of the domain's registrant information (in my case, that's currently konklone@gmail.com). Choose an email address where you can receive mail.

They'll email you a validation code, which you can enter into the field to validate the domain.

Generating the certificate

Now that StartSSL knows who you are, and knows you own a domain, you can generate your certificate using a private key.

While StartSSL can generate a private key for you, and their FAQ assures you they use only the highest quality random numbers and don't hold onto the key afterwards, it's better to create your own: that way the private key never leaves your machine, and you don't have to take their word for it.

To create a new 2048-bit RSA key, open up your terminal and run:

openssl genrsa -aes256 -out my-private-encrypted.key 2048

You'll be asked to choose a pass phrase. Pick a good one, and remember it. This produces an encrypted private key, which is the version you keep and back up. If you ever need to transfer your key, over the network or any other way, use the encrypted version.

The server needs an unencrypted copy of the key, or nginx will stop at every restart to ask for the pass phrase; we'll use the same copy to generate the "certificate signing request" (CSR). Keep this copy readable only by root (chmod 600), and never copy it anywhere but the server. To decrypt your private key:

openssl rsa -in my-private-encrypted.key -out my-private-decrypted.key

Now, generate a certificate signing request. The CSR contains your public key and whatever subject details you type at the prompts, signed with your private key; the private key itself stays on your machine. Don't worry about the details: all StartSSL cares about is the public key in the CSR.

openssl req -new -sha256 -key my-private-decrypted.key -out mydomain.com.csr

Go back to StartSSL's control panel and click the "Certificates Wizard" tab, and select "Web Server SSL/TLS Certificate" from the dropdown.

Since we generated our own private key, you can hit "Skip" here.

Then, paste in the contents of the .csr file we generated earlier.

If all goes well, it should say it received your certificate signing request.

Now, choose the domain you validated earlier which you plan to use with the certificate.

It requires you to add a subdomain. I added "www" for mine. The certificate you get covers both the bare domain and that subdomain (one as the Common Name, the other as a Subject Alternative Name).

It will ask you to confirm. If it looks right, hit "Continue".

Note: It's possible you'll get hit with a "Additional Check Required!" step here, where you wait for approval by email. It didn't happen to me the first time, but did the second time, and my approval arrived in ~30 minutes. Upon approval, you'll need to visit the "Tool Box" tab and visit "Retrieve Certificate" to get your cert.

That should do it — your certificate will appear in a text field for you to copy and paste into a file. Call it whatever you want, but the rest of the guide will refer to it as mydomain.com.crt.

Creating the full certificate chain

(If you used SSLMate, you can skip this step.)

Next, we're going to create the "certificate chain" that your web server will send to browsers. It contains your certificate followed by StartSSL's intermediate certificate, in that order. (Including StartSSL's root cert is not necessary, because browsers ship with it already; a browser that doesn't already trust the root won't start trusting it because you sent it.) Download the intermediate certificate from StartSSL:

wget https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem

Then concatenate your certificate with theirs, yours first. Make sure mydomain.com.crt ends with a newline before you do this: if it doesn't, the END line of your certificate and the BEGIN line of theirs land on the same line, and nginx will refuse to load the file.

cat mydomain.com.crt sub.class1.server.sha2.ca.pem > unified.crt
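Here are the key, CSR and chain steps above collected into a script, with the checks worth running before pasting the CSR into StartSSL or pointing nginx at the files. This is an added example, not code from the original post or from StartSSL; it needs only the openssl command-line tool. The file names follow the guide (mydomain.com.key, .csr, .crt, unified.crt), and passing the pass phrase through -passout/-passin is an assumption made so the script can run unattended; interactively you would just type it at the prompt.

```shell
#!/bin/sh
# Added example, not part of the original post: the key, CSR and chain steps
# as shell functions, plus the checks to run before handing files to the CA
# or to nginx. Needs only the openssl CLI. The -passout/-passin handling is an
# assumption so the script runs unattended.
set -eu

# Steps 1 and 2: encrypted key for backup, unencrypted copy for the server.
# umask 077 makes both files mode 0600 so no other local user can read them.
make_key() {            # make_key <domain> <passphrase>
    umask 077
    openssl genrsa -aes256 -passout "pass:$2" -out "$1-encrypted.key" 2048 2>/dev/null
    openssl rsa -in "$1-encrypted.key" -passin "pass:$2" -out "$1.key" 2>/dev/null
}

# Step 3: the CSR. -subj answers the interactive prompts; StartSSL ignores
# everything in here except the public key anyway.
make_csr() {            # make_csr <domain>
    openssl req -new -sha256 -key "$1.key" -subj "/CN=$1" -out "$1.csr"
}

# SHA-256 of the public key carried by a private key, a CSR or a certificate.
# Two files with the same value belong to the same key pair.
pubkey_sha256() {       # pubkey_sha256 key|csr|crt <file>
    case "$1" in
        key) openssl rsa  -in "$2" -pubout 2>/dev/null ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
    esac | openssl sha256 | sed 's/^.*= //'
}

# A CSR holds the public key, the subject and a signature made with the private
# key; the private key itself must never appear in it.
csr_is_sane() {         # csr_is_sane <domain>
    ! grep -q 'PRIVATE KEY' "$1.csr" &&
    [ "$(pubkey_sha256 csr "$1.csr")" = "$(pubkey_sha256 key "$1.key")" ]
}

# What nginx checks at startup: does this certificate belong to this key?
# A mismatch surfaces in "nginx -t" as X509_check_private_key:key values mismatch.
cert_matches_key() {    # cert_matches_key <cert.pem> <key.pem>
    [ "$(pubkey_sha256 crt "$1")" = "$(pubkey_sha256 key "$2")" ]
}

# The leaf's issuer must be the intermediate's subject, or the chain is in the
# wrong order (or you downloaded the wrong intermediate).
chain_order_ok() {      # chain_order_ok <leaf.crt> <intermediate.pem>
    [ "$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//')" = \
      "$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')" ]
}

# Step 4: leaf first, then the intermediate. If a file lacks a trailing newline,
# a plain "cat" glues "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" onto
# one line and nginx refuses the bundle, so add the newline when it is missing.
build_chain() {         # build_chain <leaf.crt> <intermediate.pem> <unified.crt>
    : > "$3"
    for f in "$1" "$2"; do
        cat "$f" >> "$3"
        [ -z "$(tail -c1 "$f")" ] || printf '\n' >> "$3"
    done
}
```

A typical run, from the directory where you keep these files: make_key mydomain.com 'a long pass phrase', then make_csr mydomain.com and csr_is_sane mydomain.com before pasting mydomain.com.csr into StartSSL; once the signed mydomain.com.crt comes back and you've downloaded the intermediate, cert_matches_key mydomain.com.crt mydomain.com.key, chain_order_ok mydomain.com.crt sub.class1.server.sha2.ca.pem, and finally build_chain mydomain.com.crt sub.class1.server.sha2.ca.pem unified.crt.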

Installing the certificates

If you have direct access to your web server and its nginx configuration, here's how to install your certificate. If you don't, check out setup options for other common hosts or for Apache.

First, make sure port 443 is open on your web server. Many web hosts automatically keep this port open for you. If you're using Amazon Web Services, you'll need to make sure your instance's security group has port 443 open.

Also, take a look at David Zvenyach's nginx-ssl, a simple script to bootstrap the nginx/HTTPS process.

Finally, tell your web server about your unified certificate, and your decrypted private key. I use nginx; below is the bare minimum nginx configuration you need. It redirects every HTTP request to HTTPS with a 301 permanent redirect, and points the HTTPS server at the certificate and key.
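The two server blocks that paragraph describes, as an added example rather than the post's own nginx gist, emitted by a shell function so the domain, certificate path and key path are set in one place. The Debian-style sites-available/sites-enabled layout and the /var/www/<domain> document root are assumptions; adjust them to your host.

```shell
#!/bin/sh
# Added example, not the original post's nginx config: minimal HTTP-to-HTTPS
# redirect plus an HTTPS server block. Paths under /etc/nginx and /var/www are
# assumptions for a Debian-style layout.

nginx_https_config() {  # nginx_https_config <domain> <unified.crt> <private.key>
    cat <<EOF
# Plain HTTP answers nothing but a permanent redirect to the HTTPS site.
server {
    listen 80;
    server_name $1 www.$1;
    return 301 https://\$host\$request_uri;
}

# HTTPS: the unified certificate (yours followed by StartSSL's intermediate)
# and the unencrypted private key. nginx reads both as root at startup, so the
# key file can and should be mode 0600.
server {
    listen 443 ssl;
    server_name $1 www.$1;

    ssl_certificate     $2;
    ssl_certificate_key $3;

    root /var/www/$1;
}
EOF
}

# server {} blocks are only valid inside http {}. On Debian/Ubuntu, nginx.conf
# includes /etc/nginx/sites-enabled/* from inside http {}, so a file there is
# the right place; pasting the blocks at the top level of nginx.conf fails
# "nginx -t" with '"server" directive is not allowed here'.
install_site() {        # install_site <domain> <unified.crt> <private.key>
    nginx_https_config "$1" "$2" "$3" > "/etc/nginx/sites-available/$1"
    ln -sf "/etc/nginx/sites-available/$1" "/etc/nginx/sites-enabled/$1"
    nginx -t && service nginx restart
}
```

Run install_site as root, e.g. install_site mydomain.com /etc/ssl/unified.crt /etc/ssl/private/mydomain.com.key; nginx -t runs before the restart so a bad certificate or key never takes the site down.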

You can also check out a more complete HTTPS nginx configuration that turns on SPDY, HSTS, SSL session resumption, OCSP stapling, and enables Forward Secrecy.

Qualys' SSL Labs offers an excellent SSL testing tool you can use to see how you're doing.

Now, ensure your nginx configuration is okay. This also loads the certificate and key and checks that they belong together; if you see X509_check_private_key:key values mismatch here, the key you pointed nginx at isn't the one the CSR was generated from:

sudo nginx -t

Then restart nginx:

sudo service nginx restart

Cross your fingers and try it out in your browser! If all goes well, the lock will be yours.

Important: the StartSSL free Class 1 certificate is good for just 1 year. Don't forget to renew it before then! Set a calendar reminder or something!

Setup with other common hosts

Many common hosts don't give you direct access to install a certificate yourself. In that case, you'll probably have to pay $$ for HTTPS, if it's possible at all.

If you use:

  • Heroku, you'll need to pay $20/month for their SSL add-on, and then use it to set up an SSL endpoint. Check out Moncef Belyamani's SSLMate + Heroku tutorial for some straightforward assistance.
  • Amazon S3, as of March 2014 they support free SSL for custom domains via CloudFront. Bear in mind this requires SNI, which won't work for users running Internet Explorer on Windows XP or Android 2.x's default browser. It's also unsupported by Python 2 before 2.7.9. If that's a dealbreaker, then you'll have to pay an insane $600/month for a dedicated IP.
  • Apache, check out kang's blog post on making an Apache config that gets the A rating from Qualys.
  • Bytemark and other servers using Symbiosis for Debian support simple SSL hosting as standard. Use the key generation guide above and name the key ssl.key, following the Symbiosis documentation. Likewise, the certificate, when generated, should be ssl.crt. You'll also need the StartSSL intermediate certificate mentioned above, sub.class1.server.sha2.ca.pem; rename it to ssl.bundle.
  • Github Pages, they offer undocumented HTTPS support for *.github.io domains. However, they offer no HTTPS support at all for custom domains, so for that you'll have to look elsewhere (see below).
  • Webfaction, they provide HTTPS support at no extra charge. Go Webfaction!

If you need to look elsewhere because your host makes it too expensive or impossible to set up HTTPS, another option is to sign up for CloudFlare. You don't need to leave your current host to use them — they sit "in front" of your website and can speed it up in various ways.

CloudFlare offers HTTPS to anyone for free, but there are two big catches:

  • The free plan relies on SNI, so it doesn't support clients that lack it, such as Internet Explorer on Windows XP or Python 2 before 2.7.9. To support those older clients, you need a paid plan (which starts at $20/month).
  • By default (CloudFlare's "Flexible SSL" mode), only the hop between the visitor and CloudFlare is encrypted; CloudFlare talks to your server over plain HTTP. To get encryption all the way from the visitor to your website, you'll need to install your own certificate on your own web server anyway, and switch CloudFlare to the mode that uses and validates that certificate.

The tradeoffs are yours to choose, and yours alone!

Mixed Content Warnings

If your site is running on HTTPS, it's important to make sure all linked resources (images, stylesheets, JavaScript, etc.) are loaded over HTTPS too. If they're not, browsers will complain: an insecure image or other passive content costs you the lock icon, and modern browsers, Firefox included, outright block insecure active content such as scripts and stylesheets on a secure page.

Fortunately, pretty much every major service with an embed code has an HTTPS version, and most (including Google Analytics and Typekit) handle it automatically. For others, you'll need to figure it out on a case by case basis.

Where you need to support both HTTP and HTTPS, use protocol-relative URLs (starting URLs with //domain.com), so each resource is fetched over whichever scheme the page itself used. They're supported just about everywhere except (of course) for IE6. Once your site is HTTPS-only, there's no reason not to write https:// explicitly.

Back up your keys and certificates

Don't forget to back up your SSL certificate and its encrypted private key (the encrypted one; the decrypted copy belongs on the server and nowhere else). I put them in a private git repository, and included a brief text file describing every other file, and the process or command that created it. Make sure to record when your certificate expires, and set a calendar alarm for that date!

You should also back up your authentication certificate that you use to log in to StartSSL. StartSSL's FAQ has instructions — it's a .p12 file containing a cert + key that you export from your browser.


  1. Xiao

    Seems the command

    openssl req -new -sha256 -key my-private-decrypted.key -out mydomain.com.csr

    will extract the public key from the decrypted private/public keypair and insert the public key into the CSR. Is that right?

  2. Xiao

    There seems to be an error in your second openssl command

    openssl rsa -in my-private-encrypted.key -out my-private-decrypted.key

    This command actually extracts the private key from the encrypted private key.

    And in the following command you include the private key in the CSR

    openssl req -new -sha256 -key my-private-decrypted.key -out mydomain.com.csr

    But StartSSL says: All content of the certificate signing request is ignored except its public key.

    So StartSSL wants you to include a public key in your CSR. But you actually submitted your decrypted private key within your CSR.

  3. Saviour Sanders

    Well written article. Keep it up, Eric.

  4. François

    I get the following error: "0B080074:x509 certificate routines:X509_check_private_key:key values mismatch"

    I think I made an error on the command line somewhere, so I tried to retrace the steps above, but resubmitting the csr to startssl.com it says there already is a certificate for that domain. So I wanted to delete (revoke) the old certificate but startssl now wants $24.90 to do that.

    Can I sign up with sslmate instead to generate a new one there or do I have to revoke the broken certificate?

  5. NdT

    Why do you have a SSL certificate issued by AVG? And why are they issuing these certs?

  6. Carl

    Thanks for sharing this guide. It's fantastic. I'm not the most experienced server guy but it was so easy to follow and worked right away. Seems to be working nicely with CloudFlare and the plain http redirects to the https. Keep the great articles coming :D

  7. David

    @Santanu Brahma, you need to buy a wildcard cert. I have not seen them for free anywhere.

  8. Santanu Brahma

    I have added StartCom SSL (Class 1) on my websites. https://www.axlator.com is one of the examples. I have created another SSL certificate for the subdomain https://gateway.axlator.com. My question is: how can we create a single certificate for all of my subdomains, including the main domain (with and without www)?

  9. Beni Paskin-Cherniavsky

    I got stuck when generating the CSR worrying about exact answers to openssl req -new questions. Turns out StartSSL doesn't care: "All content of the certificate signing request is ignored except its public key." (this is visible in later screenshots, but not obvious when you reach that step) Thanks for this useful tutorial (and other security posts)!

  10. Paul

    I take out what I said earlier. StartSSL is now using SHA-2 as default.

  11. Paul

    Most browsers will stop accepting SHA-1-based SSL certificates by 2017 which is what the SSH Free version is based on. Got 2 years. Ref: http://en.wikipedia.org/wiki/SHA-1

  12. Joe Average

    Meh. Every time I go to get a StartSSL free cert I get...

    Over Capacity

    We are currently receiving more requests than we can handle. Please try it later again.

    We apologize for the temporary inconvenience and thank you for your understanding.

    I've tried at various times over various days for a month. Temporary my arse.

  13. Sergiu

    Looks complicated but worth it ! Thanks for sharing

  14. Ron

    Great, easy to use guide. Went through all the steps, except my domain is hosted on Blogger (owned by Google) and they do not support the installation of certificates just yet. I'm being told that Blogger will eventually support ssl certificates, but not right now. I guess I'll need to be patient!

  15. Gaurav

    I appreciate StartSSL, but they offer free SSL certificates only for non-commercial use. I found https://www.cheapsslshop.com, which offers SSL certificates at $3.50 only.

  16. suraj

    My IP address is 27.5.193.137

    The error message is "This webpage is not available". DNS look up failed.

    For another ISP it works fine.

  17. suraj

    Hey, I followed the steps as mentioned and ssl got applied within 30 minutes. But for some reasons, my website doesn't work for a particular ISP. Did anyone else face this?

    Can you guide.

  18. Identity

    How can i install this certificate with godaddy hosting? have you any idea?

  19. Mike

    Hi, you said StartSSL is free but it currently says only valid for 1 year...what happens after 1 year? The site starts throwing errors (no valid certificate: ignore warnings) when using https unless you pay a fee? -_

  20. Mark

    https://konklone.com/post/switch-to-https-now-for-free

    They comment and show lack of understanding about all of this but are actually secured by Comodo, a CA that doesn't give SSL for free?

  21. J. C.

    I was thinking to use this Free SSL from StartSSL, but after reading your last section, I think I'll try Free SSL from Cloudflare. Thank you for sharing it.

  22. Marius

    Is this good for subdomains too? Or supports?

  23. Stefan Wallin

    Regarding the first line:

    openssl genrsa -aes256 -out my-private-encrypted.key 2048

    I can't find in 'man genrsa' or Google what the flag -aes256 is supposed to do, could you please enlighten me?

  24. Jos

    This was a very helpful description. Thanks.

  25. Me

    You should go through your blog updating "openssl req" lines to add "-sha256" just for the hapless people that come across your site for instructions.

  26. Stefan Wallin

    If you need to configure SNI vhosts, make sure you put your generic ssl configs in a separate file that you include, as some of the options will collide in a non-obvious manner and cause unexpected behaviour.

    Here's an example config setup for SNI vhosts: https://gist.github.com/StefanWallin/5690c76aee1f783c3d57

  27. Michael

    Thanks!

  28. Eric

    @Jesin I wanted to test out Namecheap, so I used this site as a demo, that's all. I'm still using StartSSL on my other sites. Namecheap's web UX is nicer, but their process is still weird (in part because they are a reseller).

  29. Jesin A

    Looks like you're using a Comodo certificate now. What happened with StartSSL?

  30. Matt

    Thanks for the step-by-step. I don't do this every day. Worked like a charm.

  31. lukasz

    I'm going to generate my own private key. In StartSSL I chose KeySize (4096), Secure Hash Algorithm (SHA2).

    How do I do it on the command line? Will it be like this: openssl genrsa -aes256 -out my-private-encrypted.key 4096 ?

    In StartSSL I have selected SHA2. Will it therefore use the same hashing algorithm or another?

    How does openssl generate private keys? Does it also use some random data? I understand that it is safer than doing it in the browser.

  32. Eric

    My cert's CN is for www.konklone.com, but konklone.com is included as an alternative name.

    https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com

  33. Hans

    I don't get it, how does this work? : your certificate seems to be for "www.konklone.com" (CN), not "konklone.com" but still works on "https://konklone.com/" ?

  34. Sergio

    Really helpful tutorial! You wrote very concise and pretty clear instructions. Moving to HTTPS was something dark for me... until now. Thank you very much!!

  35. Eric

    @Chris - I've actually "upgraded" to Class 2 certs, which means that StartCom also validated my home address (they mailed me a code to type in). I had originally done this process for a cert for isitchristmas.com, just to try it out and go over-the-top.

    When I re-issued this blog's cert for Heartbleed, I automatically got issued a Class 2, since they still had my address validation on file. So now I don't have a Class 1 anywhere.

    But you can look at https://www.penflip.com/, which uses a Class 1 free cert from StartSSL - they seem to be visible, according to the site:

    http://www.blockedinchina.net/?siteurl=https%3A%2F%2Fwww.penflip.com%2F

  36. Chris Lee

    @Ben, I don't think there's widespread agreement that startSSL is "violating the public trust", let alone that any browsers should untrust them. They have always stated upfront that they charge a fee for certificate revocation so that cannot be called a violation of trust; moreover I've seen at least one report that when users cited the Heartbleed CVE as the revocation reason that StartSSL waived the normal fee. It seems to me that banning startSSL would be cutting off your nose to spite your face.

  37. Chris Lee

    Hi Eric, are you still using the startSSL free certificate? I'm trying to figure out whether China is still blocking all sites that use startSSL free certificates. According to blockedinchina.net, konklone.com is accessible in China now, so I'm wondering...

    -- Chris

  38. Jonathan

    I am hosting my website using WampServer on Windows xp, this example uses Linux... is this possible to do on Windows xp? If so please email me.

  39. Ben Schumacher

    This is a good tutorial, but it's too bad that StartSSL is violating the public trust re: Heartbleed. Having one of their certificates isn't going to get you much if the movement pushing to untrust StartCom is successful.

    I wish there was an alternative, but in the meantime, I've decided paying for a certificate up front is better than being extorted if it is compromised by the largest security flaw the Internet has ever seen.

  40. Zack

    Hi, hopefully I did everything right except for this one thing. I have had so much trouble trying to get this to work. I even dual booted windows 8 and ubuntu so I can do this. But for some reason I get this weird error when I do sudo nginx -t

    This is the error: nginx: [emerg] "server" directive is not allowed here in /etc/nginx/nginx.conf:97 nginx: configuration file /etc/nginx/nginx.conf test failed

    Any help? Thanks so much!

  41. yep

    Thank you ! :D

  42. Eric Mill

    Thanks, Sagar! I added a link to the protocol-relative URLs to the post, and described what they are. Good idea.

    The relative URLs thing is interesting, but I have mixed feelings. However, it did definitely make me realize that we (my employer, https://sunlightfoundation.com) have duplicate content issues with some of our staging sites, so that was a huge help to me in my work. :)

  43. Sagar Behere

    Very nice tutorial. I followed it step-by-step and switched my personal website to https with no pain at all :) Thank you very much.

    One improvement to this tutorial could be some links/resources pointing out how to deal with mixed content warnings. This is what took me the most time to figure out. As I see it, there are two main approaches

    1. Use relative URLs everywhere. BUT this is considered to be a bad thing by some. See http://yoast.com/relative-urls-issues/
    2. Use protocol relative urls. For example: http://billpatrianakos.me/blog/2013/04/18/protocol-relative-urls/

    Cheers and thanks once again, Sagar

  44. IT-KOKO

    -bash: unified.crt: Permission denied

    In this step, cat mydomain.com.crt sub.class1.server.ca.pem > unified.crt pls help me why permission is denied?? what should be correct chmod ??

  45. dom

    How would this work for facebook app landing pages? For example, if you have a 'welcome' facebook tab/html landing page that ask for email (mailchimp)?

  46. Bairrfhoinn Han

    Very useful article for me. We have already translated your article to Chinese, you can refer it here: http://www.oschina.net/translate/switch-to-https-now-for-free

  47. Daniel Lo Nigro

    Eric, you can use http://www.blockedinchina.net/ to check if a site is blocked in China.

  48. Eric Mill

    @tan: is this still the case? I see the story from June:

    http://lowendtalk.com/discussion/11305/china-now-blocking-anyone-using-free-ssl-certificates http://www.solidot.org/story?sid=35250

    Has this changed at all? Is there an easy way to simulate the GFW from the outside, to test it? Like a proxy into the GFW?

  49. tan

    StartSSL is free for basic use, but it is not useful for Chinese users, since it may be blocked by the GFW from mainland China.

  50. Eric

    @paul: I don't use CPanel, but if you do, and you can grab some screenshots, how about contributing a little howto alongside the GoDaddy and iCloud howtos here?

    https://github.com/konklone/email

  51. paul

    can you make a tutorial for cpanel users?

  52. Nick Thomas

    Heads-up: StartSSL failed a warrant canary request I sent them. It's probably worth talking about DNSSEC + DANE sometime in the near future :)

  53. pablo

    dreamhost charges extra for adding SSL to your site. Is it common practice? Any shared hosting service allow me to do it for free?

  54. Ian Gallagher

    Thanks for the post! Happy to see TLS adoption interest spread. For various secure configuration examples, I suggest checking out the "duraconf" project; you can find secure TLS settings for various applications, including Apache/NGINX/etc, including ones that force perfect-forward-secrecy-providing cipher suites. The project and its configuration examples are on Github: https://github.com/ioerror/duraconf

  55. Bob

    Using a client cert to log in to startssl that should be backed up is stupid. When you generate a key on a Chromebook it's hardware-protected and CAN'T be backed up.

    This is an awesome feature of Chromebooks, but assumes that nobody does something as stupid as startssl.com does.

  56. GeBeater

    Update regarding the "sec_error_ocsp_unknown_cert" issue with Firefox. According to the StartCom forum it seems that I have to wait a while.

    https://forum.startcom.org/viewtopic.php?f=15&t=2654

  57. GeBeater

    Great article Eric.

    However I got an error: "sec_error_ocsp_unknown_cert" with firefox. Whereas Chromium works.

  58. Eric

    @hi - Yes, you do, at least temporarily while you generate the CSR.

    My installation instructions also have you leave the decrypted private key on disk and point nginx at it, but I believe you can also point nginx at the encrypted version instead -- if you're willing to type in the decryption password each time you start/restart nginx.

  59. hi

    Hi, do u need to decrypt your private key, in order to do a csr?

  60. James

    If you need a trustable SSL certificate for e-commerce purposes I suggest you take a look at http://www.trustico.com/, which has low prices for RapidSSL, GeoTrust, Thawte and Symantec.

  61. Quentin

    Reply to “Reply to “Lol@Getssl.me””: The point is that their logo uses a yellow padlock!

  62. Stewart

    surveillance-resistant? You're kidding right!? Thanks for the guide anyway, didn't realise there was a place you could free certs from.

  63. glazskunrukitis

    Reply to "Lol@Getssl.me": The yellow padlock means there is some insecure data transferred (image, css etc) but it looks ok from here [1]. Probably it is one of your extensions messing it up.

    [1] https://www.dropbox.com/s/pafvj9wopuhtbyv/Screenshot%202013-09-26%2011.27.37.PNG

  64. NewGuy

    Hi,

    Are there any free certificate authorities that are not US/Israel based?

  65. Lelala

    Problem is, that they do not offer multidomain certificate :-( But great for semi-professional sites/projects and blogs. Regards

  66. brad

    i ran into this!

    http://blog.jerodsanto.net/2013/04/be-careful-when-you-create-a-unified-ssl-certificate-for-nginx/

  67. Aeip

    I have shared hosting at www.Siteground.com How do I do this/access the terminal?

    Thanks

  68. Micah Lee

    @Jimmy, StartSSL is Israeli.

  69. Jimmy

    Forgive me for asking but are StartSSL located in USA?

  70. Lol@Getssl.me

    Lol @ getssl.me. When you visit their website, it's yellow where the green lock should be.

    That's like, the cardinal rule an SSL certificate company should not break.

  71. certificate_guy

    StartSSL is ok for personal projects but not so much for commercial ones. Check out http://getssl.me, certificates start at just $7.

  72. Mikael "MMN-o" Nordfeldth

    Better yet, use http://CAcert.org who use a web of trust-based system for handing out certificates.

  73. Hoang Huynh

    Thanks for the great guide Eric!

    @david: FYI, I use webmaster@mydomain.com hosted on Google Apps and everything worked just fine.

  74. david

    FYI: this doesn't work with an email address hosted on Google Apps.

  75. Ceane Lamerez

    Add Perfect Forward Secrecy in two lines!

    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA;

    Cipher suite order from http://t.co/FLDmkNcsdj

  76. Eric Mill

    Thanks, John! I did include the HSTS header in the nginx config, and described it -- but just updated the text to name it and link it.

  77. John Blackbourn

    Great article Eric.

    I noticed your site sets an HSTS header. It might be worth also adding a mention about that in your article.