This greatly helped me to configure my standalone Erlang server running a Phoenix app to go from grade B to grade A+.
The cipher suites currently recommended by SSL Labs are the ones I have in my configuration:
# LINKS:
# - Phoenix:
# + https://elixirforum.com/t/making-ssl-tests-all-pass-for-phoenix-lets-encrypt/3507/11
# - Erlang:
# + http://ezgr.net/increasing-security-erlang-ssl-cowboy
# - Cipher Suites:
# + Best Ciphers - https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites
# + Mapping - https://testssl.sh/openssl-rfc.mapping.html
# + OWASP - https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet
# TLS cipher suites offered by the HTTPS listener, in server-preference order
# (the order is enforced by `honor_cipher_order: true` below).
# - The `c` modifier makes ~w produce charlists, the form Erlang's :ssl takes
#   for OpenSSL-style suite names.
# - Every suite uses ECDHE or DHE key exchange, so all of them give forward secrecy.
# - The *-GCM-* suites are AEAD. The entries ending in -SHA, -SHA256 or -SHA384
#   without GCM are CBC-mode suites; NOTE(review): presumably kept for older
#   clients. Scanners now tend to flag CBC suites as weak, so confirm they are
#   still needed before keeping them.
tls_cipher_suites = ~w(
  ECDHE-ECDSA-AES128-GCM-SHA256
  ECDHE-ECDSA-AES256-GCM-SHA384
  ECDHE-ECDSA-AES128-SHA
  ECDHE-ECDSA-AES256-SHA
  ECDHE-ECDSA-AES128-SHA256
  ECDHE-ECDSA-AES256-SHA384
  ECDHE-RSA-AES128-GCM-SHA256
  ECDHE-RSA-AES256-GCM-SHA384
  ECDHE-RSA-AES128-SHA
  ECDHE-RSA-AES256-SHA
  ECDHE-RSA-AES128-SHA256
  ECDHE-RSA-AES256-SHA384
  DHE-RSA-AES128-GCM-SHA256
  DHE-RSA-AES256-GCM-SHA384
  DHE-RSA-AES128-SHA
  DHE-RSA-AES256-SHA
  DHE-RSA-AES128-SHA256
  DHE-RSA-AES256-SHA256
)c

# Endpoint configuration for a Phoenix app terminating TLS itself (no proxy in front).
# Each setting is read from the environment when this file is evaluated; if the
# variable is unset, the literal "${NAME}" string is used instead.
# NOTE(review): those literals look like release-time substitution placeholders —
# confirm the release tooling replaces them, otherwise the raw string ends up as
# the port or file path.
config :rumbl, Rumbl.Endpoint,
  # Plain HTTP listener; requests arriving here are redirected by force_ssl.
  http: [port: 4000],
  # Public host and port used when generating URLs (including the HTTPS redirect).
  url: [
    host: System.get_env("APP_URL") || "${APP_URL}",
    port: System.get_env("APP_URL_HTTPS_PORT") || "${APP_URL_HTTPS_PORT}"
  ],
  # Redirect HTTP to HTTPS and send the Strict-Transport-Security header.
  force_ssl: [
    hsts: true
  ],
  https: [
    port: System.get_env("APP_HTTPS_PORT") || "${APP_HTTPS_PORT}",
    # Private key: keep the file readable only by the account running the VM.
    keyfile: System.get_env("APP_SSL_KEY_PATH") || "${APP_SSL_KEY_PATH}",
    certfile: System.get_env("APP_SSL_CERT_PATH") || "${APP_SSL_CERT_PATH}",
    # Intermediate certificate(s), so clients receive the full chain.
    cacertfile:
      System.get_env("APP_SSL_INTERMEDIATE_CERT_PATH") || "${APP_SSL_INTERMEDIATE_CERT_PATH}",
    # Diffie-Hellman parameters used by the DHE-* suites; generate your own,
    # 2048 bits or larger.
    dhfile: System.get_env("APP_SSL_DHPARAMS_PATH") || "${APP_SSL_DHPARAMS_PATH}",
    # Only TLS 1.2 is offered; SSLv3, TLS 1.0 and TLS 1.1 are not.
    # NOTE(review): TLS 1.3 is not listed — whether it can be added depends on
    # the OTP release in use.
    versions: [:"tlsv1.2"],
    ciphers: tls_cipher_suites,
    # Require the RFC 5746 secure renegotiation extension.
    secure_renegotiate: true,
    # Refuse client-initiated renegotiation (a cheap way for a client to burn server CPU).
    client_renegotiation: false,
    reuse_sessions: true,
    # Pick the suite by the server's order above, not the client's.
    honor_cipher_order: true,
    # No cap on concurrent connections. Consider a finite limit, or enforce one
    # upstream, so a flood of idle connections cannot exhaust the node.
    max_connections: :infinity
  ],
  cache_static_manifest: "priv/static/manifest.json",
  server: true