Perfecting httpd(8) for ssllabs

OpenBSD ships with a built-in webserver, httpd(8). It has sane and neat defaults, like perfect forward secrecy ciphers, a proper key exchange and TLSv1.2. Roman Zolotarev has written an excellent starting point for newcomers.

If you want to go the extra mile and score an A+ with 100% in the certificate, protocol, key exchange and cipher categories, some additional configuration is needed. The following httpd.conf achieves it:

```
server "h3artbl33d.nl" {
  listen on * tls port 443
  hsts {
    preload
    subdomains
  }
  alias "www.h3artbl33d.nl"
  root "/htdocs/h3artbl33d.nl"
  tls {
    certificate "/etc/ssl/h3artbl33d.nl.fullchain.pem"
    key "/etc/ssl/private/h3artbl33d.nl.key"
    ciphers "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA"
    dhe "auto"
    ecdhe "P-384"
  }
  location "/.well-known/acme-challenge/*" {
    root { "/acme", strip 2 }
  }
}

server "h3artbl33d.nl" {
  listen on * port 80
  alias "www.h3artbl33d.nl"
  block return 301 "https://h3artbleed.nl$REQUEST_URI"
}
```
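To check that a configuration like the one above really has the properties SSL Labs scores, here is an offline audit script. It is an added example, not part of the original post and not OpenBSD's own tooling; it embeds a constructed copy of the post's httpd.conf and verifies that every cipher suite uses an ephemeral key exchange, that the HSTS header httpd(8) will emit qualifies for the browser preload list, that the ECDHE curve is P-384 or stronger, and that the plain-HTTP server redirects to HTTPS. The HSTS max-age default of 31536000 seconds is taken from httpd.conf(5); the tiny directive parser assumes top-level server blocks close with an unindented `}`, as in the post.

```python
"""Offline audit of the TLS-relevant directives in an httpd.conf snippet.

Added example (not from the original post or from OpenBSD httpd). Reads the
configuration text and reports the properties SSL Labs grades.
"""
import re

# Constructed copy of the configuration shown in the post.
HTTPD_CONF = '''
server "h3artbl33d.nl" {
  listen on * tls port 443
  hsts {
    preload
    subdomains
  }
  alias "www.h3artbl33d.nl"
  root "/htdocs/h3artbl33d.nl"
  tls {
    certificate "/etc/ssl/h3artbl33d.nl.fullchain.pem"
    key "/etc/ssl/private/h3artbl33d.nl.key"
    ciphers "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA"
    dhe "auto"
    ecdhe "P-384"
  }
  location "/.well-known/acme-challenge/*" {
    root { "/acme", strip 2 }
  }
}

server "h3artbl33d.nl" {
  listen on * port 80
  alias "www.h3artbl33d.nl"
  block return 301 "https://h3artbleed.nl$REQUEST_URI"
}
'''

# Default max-age httpd(8) uses when the hsts block gives none (httpd.conf(5)).
HSTS_DEFAULT_MAX_AGE = 31536000
# Curves that give SSL Labs a 100% key-exchange score (P-256 only scores 90).
STRONG_CURVES = ("P-384", "P-521")


def cipher_suites(conf):
    """Return the colon-separated cipher list of the tls block as a Python list."""
    m = re.search(r'ciphers\s+"([^"]+)"', conf)
    return m.group(1).split(":") if m else []


def forward_secrecy_ok(suites):
    """Every suite must use an ephemeral (EC)DHE key exchange."""
    return all(s.startswith(("ECDHE-", "DHE-")) for s in suites)


def non_aead_suites(suites):
    """CBC suites (no GCM/POLY1305/CCM) still count as 256-bit but are not AEAD."""
    return [s for s in suites if not any(t in s for t in ("GCM", "POLY1305", "CCM"))]


def ecdhe_curve(conf):
    """Curve name given to the ecdhe directive, or None if absent."""
    m = re.search(r'ecdhe\s+"([^"]+)"', conf)
    return m.group(1) if m else None


def hsts_header(conf):
    """Reconstruct the Strict-Transport-Security value httpd emits for the hsts block."""
    m = re.search(r'hsts\s*\{([^}]*)\}', conf)
    if not m:
        return None
    opts = m.group(1).split()
    max_age = HSTS_DEFAULT_MAX_AGE
    if "max-age" in opts:
        max_age = int(opts[opts.index("max-age") + 1])
    parts = [f"max-age={max_age}"]
    if "subdomains" in opts:
        parts.append("includeSubDomains")
    if "preload" in opts:
        parts.append("preload")
    return "; ".join(parts)


def hsts_preload_ok(header):
    """hstspreload.org requires max-age >= 1 year, includeSubDomains and preload."""
    if header is None:
        return False
    fields = [f.strip() for f in header.split(";")]
    max_age = next((int(f.split("=", 1)[1]) for f in fields if f.startswith("max-age=")), 0)
    return max_age >= 31536000 and "includeSubDomains" in fields and "preload" in fields


def http_redirects_to_https(conf):
    """Every server listening on plain port 80 must answer with a 301 to https://."""
    # Top-level blocks close with an unindented "}" (assumption matching the post).
    for body in re.findall(r'server\s+"[^"]+"\s*\{(.*?)\n\}', conf, re.S):
        listens = re.findall(r'listen on \S+ (tls )?port (\d+)', body)
        if any(tls == "" and port == "80" for tls, port in listens):
            if not re.search(r'block return 301 "https://', body):
                return False
    return True


def audit(conf):
    """Collect all checks into one report dictionary."""
    suites = cipher_suites(conf)
    return {
        "forward_secrecy": forward_secrecy_ok(suites),
        "non_aead_suites": non_aead_suites(suites),
        "strong_curve": ecdhe_curve(conf) in STRONG_CURVES,
        "hsts_header": hsts_header(conf),
        "hsts_preload_ready": hsts_preload_ok(hsts_header(conf)),
        "http_redirects_to_https": http_redirects_to_https(conf),
    }


if __name__ == "__main__":
    for key, value in audit(HTTPD_CONF).items():
        print(f"{key:25s} {value}")
```

The two CBC suites at the end of the list are reported under `non_aead_suites`: they are what keeps very old clients working and still score as 256-bit, but if you have no such clients, dropping them leaves only AEAD suites. Run `httpd -n` as well; this script checks policy, not syntax.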