A+ rating on ssllabs.com


#1

We’ve set up our current certificate on fashion.net to achieve an A+ rating on ssllabs.com; will certificates issued by Let’s Encrypt automatically include the latest cipher suites, add TLS_FALLBACK_SCSV as well as HTTP Strict Transport Security with long duration? We followed a procedure similar to this https://sethvargo.com/getting-an-a-plus-on-qualys-ssl-labs-tester/


#2

The certificate neither “contains” any cipher suites nor “supports” TLS_FALLBACK_SCSV. All these things are subject to the server configuration.
If you run a big e-commerce site, you probably want to use an extended validation (EV) certificate, showing your visitors a “green bar”. This can’t be provided by Let’s Encrypt (at least for the start :wink:) because the validation process requires some manual interaction.
However, given the correct server configuration, there should be no reason to not get an A+ rating for a site running with a certificate from Let’s Encrypt.

(@moderator: I get the feeling that this support area is going to be used for SEO - maybe you want to prevent that?)


#3

Thank you @klk. Our current setup in httpd.conf below. I assume if we do everything manually, there will be no problems at all. If we use Let’s Encrypt automated service, however, how will the new certificate replace our current one while we keep our own configurations?

# mod_ssl and a shared-memory session cache (server-wide, outside the vhost)
LoadModule ssl_module modules/mod_ssl.so

SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

<VirtualHost *:443>
    ServerName fashion.net
    ServerAlias www.fashion.net
    DocumentRoot /xxxx/fashion/htdocs
    # HSTS for two years, covering subdomains, eligible for the preload list
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    SSLEngine on
    # disable the legacy SSL protocol versions, keep every TLS version
    SSLProtocol all -SSLv3 -SSLv2
    # the server's cipher preference wins over the client's
    SSLHonorCipherOrder On
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    # the only directives a certificate swap needs to touch
    SSLCertificateKeyFile /xxxx/myserver.key
    SSLCertificateFile /xxxx/fashion_net.crt
    SSLCertificateChainFile /xxxx/fashion_net.ca-bundle
</VirtualHost>
# (closing tag not shown in the captured post)
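As an added example (not code from this thread, from Let's Encrypt or from the poster), here is a small Python linter over the kind of vhost directives shown above. It illustrates the point made in #2 and the question in #3: the protocol, cipher-order, cipher-list and HSTS directives are what the grader looks at, and they live apart from the three SSLCertificate* file directives, which are the only lines a certificate replacement has to change. TLS_FALLBACK_SCSV is implemented by the OpenSSL library (1.0.1j and later), not by any Apache directive, so the linter does not look for it. The six-month max-age threshold (SIX_MONTHS), the shortened cipher list in SAMPLE_VHOST, the second "weak" vhost and the /placeholder/ paths are all constructed for the example.

```python
"""Lint the rating-relevant TLS directives of an Apache vhost (added example)."""
import re

# Assumed policy threshold for HSTS max-age (six months in seconds).
SIX_MONTHS = 15768000

# Constructed sample based on the posted httpd.conf: cipher list shortened,
# redacted /xxxx/ paths kept as placeholders.
SAMPLE_VHOST = """\
<VirtualHost *:443>
    ServerName fashion.net
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    SSLEngine on
    SSLProtocol all -SSLv3 -SSLv2
    SSLHonorCipherOrder On
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
    SSLCertificateKeyFile /xxxx/myserver.key
    SSLCertificateFile /xxxx/fashion_net.crt
    SSLCertificateChainFile /xxxx/fashion_net.ca-bundle
</VirtualHost>
"""

# Constructed counter-example with settings the grader penalises.
WEAK_VHOST = """\
<VirtualHost *:443>
    ServerName example.invalid
    SSLEngine on
    SSLProtocol all
    SSLHonorCipherOrder off
    SSLCipherSuite RC4-SHA:AES128-SHA:!aNULL
    SSLCertificateFile /placeholder/weak.crt
    SSLCertificateKeyFile /placeholder/weak.key
</VirtualHost>
"""

CERT_DIRECTIVES = ("sslcertificatefile", "sslcertificatekeyfile", "sslcertificatechainfile")
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "NULL", "EXPORT")
LEGACY_PROTOCOLS = {"sslv2": "SSLv2", "sslv3": "SSLv3"}


def parse_directives(text):
    """Map each directive name (lower-cased) to the list of its values."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # skip blanks, comments and <VirtualHost> container tags
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        found.setdefault(parts[0].lower(), []).append(value)
    return found


def parse_hsts(header_value):
    """Extract max-age / includeSubDomains / preload from a Header directive value."""
    m = re.search(r'Strict-Transport-Security\s+"([^"]*)"', header_value, re.I)
    if not m:
        return None
    fields = [f.strip().lower() for f in m.group(1).split(";") if f.strip()]
    max_age = None
    for field in fields:
        if field.startswith("max-age="):
            max_age = int(field.split("=", 1)[1])
    return {"max_age": max_age,
            "include_subdomains": "includesubdomains" in fields,
            "preload": "preload" in fields}


def lint(text):
    """Return findings plus the certificate-path directives a cert swap touches."""
    d = parse_directives(text)
    findings = []
    # Protocols: Apache's default is "all", so a missing directive enables everything.
    tokens = d.get("sslprotocol", ["all"])[0].lower().split()
    for key, label in LEGACY_PROTOCOLS.items():
        if (key in tokens or "all" in tokens) and "-" + key not in tokens:
            findings.append(f"SSLProtocol still allows {label}")
    if d.get("sslhonorcipherorder", ["off"])[0].lower() != "on":
        findings.append("SSLHonorCipherOrder is not On; the client picks the suite")
    # Cipher list: only positively offered suites matter, "!..." entries are exclusions.
    for token in d.get("sslciphersuite", [""])[0].split(":"):
        if token.startswith("!"):
            continue
        if any(marker in token.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"SSLCipherSuite offers weak cipher {token}")
    # HSTS: set by mod_headers, entirely independent of the certificate files.
    hsts = None
    for value in d.get("header", []):
        hsts = parse_hsts(value) or hsts
    if hsts is None:
        findings.append("no HSTS header is set")
    elif hsts["max_age"] is None or hsts["max_age"] < SIX_MONTHS:
        findings.append(f"HSTS max-age {hsts['max_age']} is below the assumed minimum")
    cert_directives = {k: d[k][0] for k in CERT_DIRECTIVES if k in d}
    return {"findings": findings, "hsts": hsts, "cert_directives": cert_directives}


if __name__ == "__main__":
    for name, cfg in (("posted vhost", SAMPLE_VHOST), ("weak vhost", WEAK_VHOST)):
        print(name, "->", lint(cfg)["findings"] or "no findings")
```

Run it against your own vhost file contents: an empty findings list means the directives the grader cares about are in place, and cert_directives lists exactly the paths a renewal or an automated client has to rewrite, leaving the rest of the block untouched.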