It never used to be possible to get an A+ rating with a Java server, as Java lacked a couple of necessary features (now present in JDK 9, see the list at the end).
wget http://download.java.net/java/GA/jdk9/9/binaries/jdk-9+181_linux-x64_bin.tar.gz
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
By default a 2048 bit key will be created. A 4096 bit key can be created with a parameter
sudo ./certbot-auto certonly --debug --rsa-key-size 4096
see https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide#key-exchange
openssl pkcs12 -export -in /etc/letsencrypt/live/domain.com/fullchain.pem -inkey /etc/letsencrypt/live/domain.com/privkey.pem -out domain.p12 -name domain
./jdk-9/bin/javac Test.java
Sudo required for low numbered ports (e.g. 443). JVM system properties (-D...) must come before the class name; placed after it they are handed to Test as plain program arguments and never reach the JVM. -Djavax.net.debug=all prints full handshake detail and is for troubleshooting only.
sudo ./jdk-9/bin/java \
  -Djdk.tls.rejectClientInitiatedRenegotiation=true \
  -Dhttps.protocols=TLSv1.1,TLSv1.2 \
  -Djavax.net.debug=all \
  Test 443 /etc/letsencrypt/live/domain.com/domain.p12 PKCS12 changeme
jdk.tls.rejectClientInitiatedRenegotiation=true
https.protocols=TLSv1.2
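The page does not include Test.java, so here is an added, hypothetical implementation (not the author's) that takes the four arguments used in the run command above, pins the listener to TLS 1.2 with forward-secret AEAD suites, switches on JEP 249 OCSP stapling and sends an HSTS header. The class layout, argument order and the suite list are assumptions.

```java
import java.io.FileInputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;

// Hypothetical Test.java: args are <port> <keystore> <keystore type> <keystore password>.
public class Test {
    public static void main(String[] args) throws Exception {
        int port = Integer.parseInt(args[0]);
        char[] storePass = args[3].toCharArray();
        // JEP 249: staple OCSP responses for the server certificate (server-side switch).
        System.setProperty("jdk.tls.server.enableStatusRequestExtension", "true");
        KeyStore ks = KeyStore.getInstance(args[2]);
        try (FileInputStream in = new FileInputStream(args[1])) {
            ks.load(in, storePass);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, storePass);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        try (SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port)) {
            // Only TLS 1.2 and forward-secret AEAD suites; accepted sockets inherit these settings.
            server.setEnabledProtocols(new String[] {"TLSv1.2"});
            server.setEnabledCipherSuites(new String[] {
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"});
            SSLParameters params = server.getSSLParameters();
            params.setUseCipherSuitesOrder(true); // honour the server's preference order above
            server.setSSLParameters(params);
            while (true) {
                try (SSLSocket client = (SSLSocket) server.accept()) {
                    client.startHandshake(); // fails fast if the client cannot meet the policy
                    String resp = "HTTP/1.1 200 OK\r\n"
                        + "Strict-Transport-Security: max-age=31536000\r\n" // HSTS header, required for A+
                        + "Content-Length: 3\r\nConnection: close\r\n\r\nok\n";
                    OutputStream out = client.getOutputStream();
                    out.write(resp.getBytes(StandardCharsets.US_ASCII));
                    out.flush();
                } catch (Exception e) {
                    System.err.println("connection rejected: " + e.getMessage());
                }
            }
        }
    }
}
```

Compile and run it exactly as in the commands above; a handshake from a client offering only TLS 1.1 or a non-listed suite is refused at startHandshake().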
Add a CAA record to the domain for letsencrypt.org e.g.
CAA = 0 issue "letsencrypt.org"
https://letsencrypt.org/docs/caa/
http://openjdk.java.net/projects/jdk9/
- OCSP Stapling http://openjdk.java.net/jeps/249
- ALPN http://openjdk.java.net/jeps/244
- HTTP2 Client http://openjdk.java.net/jeps/110
- Disable SHA-1 certs http://openjdk.java.net/jeps/288
- SHA-3 Algorithms http://openjdk.java.net/jeps/287