Making SSL tests all pass for Phoenix + Let's Encrypt

This greatly helped me to configure my standalone Erlang server running a Phoenix app to go from grade B to grade A+.

The current recommended cipher suites from SSL Labs are as I have them in my configuration:

# LINKS:
#   - Phoenix:
#     + https://elixirforum.com/t/making-ssl-tests-all-pass-for-phoenix-lets-encrypt/3507/11
#   - Erlang:
#     + http://ezgr.net/increasing-security-erlang-ssl-cowboy
#   - Cipher Suites:
#     + Best Ciphers - https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites
#     + Mapping - https://testssl.sh/openssl-rfc.mapping.html
#     + OWASP - https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet
config :rumbl, Rumbl.Endpoint,
  http: [port: 4000],
  url: [
    # The "${VAR}" fallbacks are placeholders that the release tooling
    # substitutes at boot (REPLACE_OS_VARS) when the env var is unset at build time.
    host: System.get_env("APP_URL") || "${APP_URL}",
    port: System.get_env("APP_URL_HTTPS_PORT") || "${APP_URL_HTTPS_PORT}"
  ],
  # Redirect plain HTTP to HTTPS and send Strict-Transport-Security
  # (SSL Labs only awards A+ with HSTS enabled).
  force_ssl: [
    hsts: true
  ],
  https: [
    port: System.get_env("APP_HTTPS_PORT") || "${APP_HTTPS_PORT}",
    keyfile: System.get_env("APP_SSL_KEY_PATH") || "${APP_SSL_KEY_PATH}",
    certfile: System.get_env("APP_SSL_CERT_PATH") || "${APP_SSL_CERT_PATH}",
    # Intermediate chain, so clients can build a path to the Let's Encrypt root.
    cacertfile: System.get_env("APP_SSL_INTERMEDIATE_CERT_PATH") || "${APP_SSL_INTERMEDIATE_CERT_PATH}",
    # Own DH parameters (2048-bit or larger) for the DHE-* suites below.
    dhfile: System.get_env("APP_SSL_DHPARAMS_PATH") || "${APP_SSL_DHPARAMS_PATH}",
    # TLS 1.2 only: SSLv3, TLS 1.0 and TLS 1.1 are not offered.
    versions: [:'tlsv1.2'],
    # OpenSSL-style suite names; the `c` sigil modifier yields the charlists
    # that Erlang's :ssl expects. The ECDHE-ECDSA-* entries are only usable if
    # the certificate key is ECDSA; with an RSA certificate the ECDHE-RSA-* and
    # DHE-RSA-* entries are the ones actually negotiated.
    ciphers: ~w(
      ECDHE-ECDSA-AES128-GCM-SHA256
      ECDHE-ECDSA-AES256-GCM-SHA384
      ECDHE-ECDSA-AES128-SHA
      ECDHE-ECDSA-AES256-SHA
      ECDHE-ECDSA-AES128-SHA256
      ECDHE-ECDSA-AES256-SHA384
      ECDHE-RSA-AES128-GCM-SHA256
      ECDHE-RSA-AES256-GCM-SHA384
      ECDHE-RSA-AES128-SHA
      ECDHE-RSA-AES256-SHA
      ECDHE-RSA-AES128-SHA256
      ECDHE-RSA-AES256-SHA384
      DHE-RSA-AES128-GCM-SHA256
      DHE-RSA-AES256-GCM-SHA384
      DHE-RSA-AES128-SHA
      DHE-RSA-AES256-SHA
      DHE-RSA-AES128-SHA256
      DHE-RSA-AES256-SHA256
    )c,
    secure_renegotiate: true,     # require RFC 5746 secure renegotiation
    client_renegotiation: false,  # refuse client-initiated renegotiation
    reuse_sessions: true,
    honor_cipher_order: true,     # the server's order above wins, not the client's
    max_connections: :infinity
  ],
  cache_static_manifest: "priv/static/manifest.json",
  server: true
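Before trusting a cipher list like the one above, it is worth checking it mechanically rather than by eye. The script below is an added example, not code from the forum post or from Phoenix: it parses OpenSSL-style suite names into key exchange, authentication, bulk cipher and MAC, flags suites without forward secrecy or with legacy ciphers, warns about non-AEAD (CBC) suites and about AEAD suites listed behind weaker ones in the same family (relevant because `honor_cipher_order: true` makes the server's order binding), and shows which entries are selectable for a given certificate key type. The suite list is copied from the post; the policy rules, the `selectable` helper and the certificate-type assumption (an RSA key, the usual certbot default) are my own.

```python
"""Audit an OpenSSL-style cipher list of the kind passed to the Phoenix/Erlang
:ssl `ciphers` option.  Added example, not from the post or from Phoenix; the
policy rules below are assumptions about what a practitioner wants checked."""
import ssl

# Suites from the post's config, in the post's order (the server order is
# what clients get, because the config sets honor_cipher_order: true).
POST_CIPHERS = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-SHA", "DHE-RSA-AES256-SHA",
    "DHE-RSA-AES128-SHA256", "DHE-RSA-AES256-SHA256",
]

EPHEMERAL_KX = ("ECDHE", "DHE", "EDH")
MACS = ("SHA", "SHA256", "SHA384", "MD5")
LEGACY_CIPHERS = ("RC4", "DES", "NULL", "EXP", "RC2", "IDEA", "SEED")


def parse_suite(name):
    """Split an OpenSSL suite name (KX-AUTH-ENC-MAC; KX/AUTH omitted for plain
    RSA key transport) into its parts and derive the properties we care about."""
    parts = name.split("-")
    if parts[0] in EPHEMERAL_KX + ("ECDH", "DH"):
        kx, auth, rest = parts[0], parts[1], parts[2:]
    elif parts[0] in ("ADH", "AECDH"):          # anonymous: no authentication at all
        kx, auth, rest = parts[0], "NONE", parts[1:]
    else:                                       # e.g. AES128-SHA: RSA key transport
        kx, auth, rest = "RSA", "RSA", parts
    if rest and rest[-1] in MACS:
        enc, mac = "-".join(rest[:-1]), rest[-1]
    else:                                       # e.g. CHACHA20-POLY1305: AEAD, no HMAC
        enc, mac = "-".join(rest), None
    return {
        "name": name, "kx": kx, "auth": auth, "enc": enc, "mac": mac,
        "forward_secrecy": kx in EPHEMERAL_KX,
        "aead": any(tag in enc for tag in ("GCM", "CCM", "POLY1305")),
        "legacy_cipher": any(tag in enc for tag in LEGACY_CIPHERS),
    }


def selectable(suites, cert_key_type):
    """Suites the server can actually offer with a given certificate key type
    ("RSA" or "ECDSA"); the others are dead weight in the list, not a risk."""
    return [s for s in suites if parse_suite(s)["auth"] == cert_key_type]


def audit(suites):
    """Return REJECT/WARN findings for a server cipher list, in list order."""
    findings = []
    first_non_aead = {}                         # (kx, auth) -> first non-AEAD suite
    for name in suites:
        s = parse_suite(name)
        family = (s["kx"], s["auth"])
        if s["auth"] == "NONE":
            findings.append(f"REJECT {name}: anonymous key exchange, no authentication")
        if not s["forward_secrecy"]:
            findings.append(f"REJECT {name}: no forward secrecy ({s['kx']} key exchange)")
        if s["legacy_cipher"] or s["mac"] == "MD5":
            findings.append(f"REJECT {name}: legacy cipher or MAC ({s['enc']}/{s['mac']})")
        if not s["aead"]:
            findings.append(f"WARN {name}: non-AEAD suite (HMAC-{s['mac']}), legacy clients only")
            first_non_aead.setdefault(family, name)
        elif family in first_non_aead:
            findings.append(f"WARN {name}: AEAD suite listed after {first_non_aead[family]}; "
                            f"honor_cipher_order will prefer the weaker one")
    return findings


def local_openssl_view(suites):
    """Which of these suites the local OpenSSL (the one behind `openssl s_client`
    or testssl.sh) still enables for TLS 1.2, in its resolved order.  Erlang's
    :ssl does not use OpenSSL, so this only tells you what your scanner can test.
    Returns [] if the whole string is rejected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(":".join(suites))
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["name"] in suites]


if __name__ == "__main__":
    print("selectable with an RSA certificate:")
    for name in selectable(POST_CIPHERS, "RSA"):
        print("  ", name)
    for finding in audit(POST_CIPHERS):
        print(finding)
    print("local OpenSSL enables:", local_openssl_view(POST_CIPHERS))
```

Run against the post's list, `audit` produces no REJECT entries (every suite is ECDHE or DHE with AES) and a WARN for each of the twelve CBC suites; with an RSA certificate only the twelve ECDHE-RSA-*/DHE-RSA-* entries are selectable, so the ECDHE-ECDSA-* block is harmless unless you switch to an ECDSA key. Swap in a suite such as `RC4-SHA` or `AES128-SHA` to see the REJECT paths.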