https://johanneskueber.com/tags/lets-encrypt/Recent content in Lets-Encrypt on johanneskueber.comHugoen_USThu, 14 May 2026 00:00:00 +0000https://johanneskueber.com/posts/2026-05-14-envoy-gateway-ssllabs-a-plus/Thu, 14 May 2026 00:00:00 +0000https://johanneskueber.com/posts/2026-05-14-envoy-gateway-ssllabs-a-plus/<p>This article documents the Envoy Gateway configuration required to achieve an A+ rating on Qualys SSL Labs, with the rationale for each setting.</p> <hr> <h2 id="1-tls-security-background">1. TLS security background</h2> <p>Before any application data flows over <code>https://</code>, the TLS session completes two steps:</p> <ol> <li><strong>Authentication.</strong> The server presents an X.509 certificate signed by a trusted Certificate Authority.</li> <li><strong>Key agreement and encryption.</strong> Client and server negotiate a session key via a cipher suite (key exchange, signature, bulk cipher, MAC) and encrypt the channel.</li> </ol> <p>Weaknesses in this chain enable specific attack classes:</p>