Can I increase the Key Exchange and Cipher Strength I'm using for a 100% score on SSLabs?

I'm not sure it its part of the certificate or something else - but does anyone know if its possible - and also how I could start to increase both the Key Exchange and Cipher Strength so I can achieve a 100% score on all 4 bars on SSLABS - or where I would even start to go about that?

At the moment they are both on 90%

Thank you in Advance if anyone can help with this.

Dilation

My domain is: paypcns.co.uk

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Google Cloud (Also using cloudflare for CDN)

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2 Likes

Hi @Dilation,

The A+ that you already score there puts you probably in the top 1% of web sites by cryptographic security, so I'm not sure that you really need to make any more changes.

However, you could consider going to

and choosing "Modern" there—hopefully the Modern configuration can get you the highest SSL Labs ratings if you really feel you need them.

As it seems that your site is intended for use by the general public, I would suggest that it might be best for you to be happy with your A+ because the majority of the changes that improve your score on SSL Labs have some cost to compatibility with older browsers.

If I understand correctly, SSL Labs is unhappy that your server continues to support these four ciphersuites

Cipersuite Bits
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) ECDH x25519 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) ECDH x25519 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) ECDH x25519 (eq. 3072 bits RSA) FS 256

although conceivably removing support for them would reduce your browser compatibility somewhat (I don't know offhand whether this is the case).

6 Likes

Another resource to add to the excellent ones @schoen has already provided:


A word of caution: be careful how much you harden your webserver configuration lest you alienate increasing numbers of your visitors.

3 Likes

It isn't the certificate. It's (almost) never the certificate. When SSLLabs gives you a score, 99.99% of that score is your server configuration--the only way your cert affects the score is if it isn't trusted, you're serving the wrong one, you're serving the wrong intermediate, or something along those lines.

5 Likes

Hi @Dilation

Can I increase the Key Exchange and Cipher Strength

no, you can't increase these things.

Your domain uses Cloudflare, so you use the Cloudflare configuration. Your server configuration is invisible, only Cloudflare sees that.

4 Likes

The two 90% results could only reach 100% if you avoid using 128 bit completely (only use 256 or higher).
But, in your case, that won't be possible for several reasons (some already having been pointed out):

  1. Your site uses CloudFlare - it is subject to their implementation (not under your control).
  2. The site uses TLSv1.3 (which is much like a package deal and difficult to remove any ciphers from).

That said, 100% as compared to 90% doesn't really mean anything.
To say that 90% doesn't mean that 10% of anything bad is being allowed to happen.
(i,e. Does NOT imply you are 90% protected/safe)

3 Likes

I know the extra 10% isn't a biggie - its just my perfectionism kicking in - but would be nice to be able to get it to 100%...

If I was not using cloudflare would it be possible then? or to use 256 etc?

Dilation

"Security" isn't really quantifiable as a "score" like SSL Labs presents. (And I'm sure the people at Qualys know that, but people really like compressing complicated evaluations into a simple single number.)

Cloudflare is using secure settings, and your configuration is fine. Here, I'll give you the 100% that you're looking for:

:100:%

If there is some break in AES-128 such that AES-256 or ChaCha20 or whatever becomes a substantially better choice for some reason, I suspect Cloudflare will be one of the first ones to update their configurations.

4 Likes

It's not so much the score I want but more - I like to have things as secure as possible.

So if im reading this right - I am at the moment as secure as possible as I can be if using cloudflare?

Would it be possible to be even more secure if i was not using cloudflare and made some changes?


also mozila cypher thing said this but i don't know how i would link these things up to my actual GC apache server to change things....

# generated 2020-12-16, Mozilla Guideline v5.6, Apache 2.4.41, OpenSSL 1.1.1d, modern configuration
# https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1d&guideline=5.6

# this configuration requires mod_ssl, mod_socache_shmcb, mod_rewrite, and mod_headers
<VirtualHost *:80>
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile      /path/to/signed_cert_and_intermediate_certs
    SSLCertificateKeyFile   /path/to/private_key

    # enable HTTP/2, if available
    Protocols h2 http/1.1

    # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
    Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

# modern configuration
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

Or would that be a better question to ask the bitnami wordpress guys since its that im running atm?

Dilation

Well, the most secure system would be air-gapped, and not serve data to anybody. That's presumably not what you're looking for if you're trying to serve web pages on the public Internet. So you need to start defining "secure as possible" and what threats you're trying to protect against. If you turn off some ciphers and/or TLS 1.2, then you would be "more secure" against an adversary intercepting traffic between your user and your server, but there would be less users that could connect to your site.

Unless there's some options somewhere in your Cloudflare configuration (which there might be; I'm not personally a Cloudflare user), then very likely yes.

Unlikely. Again, you'd need to define what threats you're trying to protect against. If you're worried about Cloudflare itself knowing about your user traffic then yes, you'd be more secure not using Cloudflare. If you're worried about your users telling other people about what's on your site when you thought you were only telling certain users that information, then having different ciphers or a different provider won't help. If you're worried about a major world government intercepting communications between your servers and your users, then, maybe, but then you really need to look at more important things than what's on your Qualys report first.

If Cloudflare is the endpoint handling the encryption to your users, then its configuration is the only thing that will show up in the Qualys report.


If you're interested in why the "CBC" ciphers are reported as "Weak" by Qualys, and you're not afraid of a little bit of math, then you might want to read this article by Cloudflare from a few years ago. The short of it is that CBC has some weaknesses in some cases, but you might not be able to turn it off yet if you want maximum compatibility with systems trying to visit your site.

And you can look at their current configuration, and a link to their Github where they show you the changes to cipher suites over time:

But really, having a company that's paying attention to and ensuring that their servers are using current encryption standards is going to do much more for keeping you "as secure as possible" than running your own server and then forgetting to come back in a few years to check what cipher suites it should be configured with then.

4 Likes

I guess if I had to define it... I am looking to give my customers the most secure website possible to use that will protect them from any known threats on SSL / TLS etc - especially when transferring sensitive data (e.g. Credit card numbers)..

In terms of backwards compatibility, TLS 1.2 is only really needed it seems now if someone is still using an old browser on windows 7 still (and windows 7 has reached its end of life now) and I still need to test this - but i cant imagine chrome and Firefox don't still update to the newest versions of themselves (with TLS 1.3 support) etc.

As such I am not sure if I even really need to deal with those edge cases of people who have somehow forced stopped their own browser updates and are using windows 7 or older still.

(at least that's what my research I have done so far tells me - which means of course I could be wrong)


As a side note - I only have TLS 1.2 enabled because curiously SSLabs actually gives an A score instead of an A+ score with it disabled for some reason - which doesn't make much sense for me since only TLS 1.3 is more secure than having both TLS 1.2 and 1.3 enabled as far as i can tell. (Would love any insights into why that happens - and drops a grade for being more secure apparently)


Also yes I was also curious why the last 2 bars are 90% and not 100% - is it absolutely those Weak ciphers? or could it be something else?.

Disabling TLS 1.2 gets rid of the weak ciphers but drops a grade to A and still says 90% on the last 2 bars anyway - even with no cloudflare at all if i remember rightly.

so not sure why they are even 90% and not 100% and its does kind of bug me not knowing why if I'm honest :slight_smile:

Dilation

1 Like

You have done this. I'd be much more worried about what happens to those credit card numbers once they're on your server, or worried about people putting fraudulent credit card number in, than worried about which secure-enough cipher suite was used to get the data from the user to your server.

Well, looking at your Qualys report's handshake simulation, if you turned off TLS 1.2 you wouldn't be able to get users from Android 8 or earlier, IE 11 or (pre-chromium) Edge (even on Windows 10), Safari 10 or earlier, and probably some web crawlers (as it says Googlebot, Yahoo Slurp, and so forth only use TLS 1.2). I don't know how accurate Qualys's estimations of protocol negotiations are, but if it were me, I'd rather people be able to find my site in search engines and submit me those credit card numbers over TLS 1.2 rather than not have them find my site working at all. At some point, yes perhaps some point soon, disabling TLS 1.2 could be a normal thing, but I don't think we're at that point for sites wanting to be generally available on the Internet quite yet. Maybe give it another year or two. There is no known or theoretical break in TLS 1.2 at this time.

I'm not sure how much they've published on their scoring algorithm (as it of course changes over time), but Qualys does have a Best Practices document available which maybe you'd find interesting since you're so interested in Qualys's opinion of how secure a site is.


EDIT: Aha! I found their scoring guide:

5 Likes

That is a very good point - Is there anything I can do about this?


And its not so much just their site - but more in general terms i guess - as it gave me things to think about.


Oh wow - well i did not realise that - I guess I will be leaving TLS 1.2 enabled for now then :slight_smile: - thank you for that golden nugget as I may have ended up turning it off otherwise at some point before the internet is ready :stuck_out_tongue:


Ok so I guess my other question is - I have not read those links yet from cloudflare and disabling some of the ciphers (i.e. the weak ones) - but I defo get the impression that if i tried to do so - there is a good chance I might break something?

Dilation

1 Like

If you want a complete security assessment to understand if you're securing people's credit card numbers correctly, that's probably more than I (or others) can provide in my spare time posting on a forum. There are certainly plenty of qualified security experts out there that you might want to consult with. I was just trying to say that the score you get on Qualys's scan is really just a tiny part of "being as secure as possible" as long as you're not, like, only using broken ciphers.

I think that if you can trust Cloudflare with your traffic, you can probably trust them to stay on top of ensuring that your connections are encrypted with current standards. (Again, I haven't used Cloudflare myself, but I have no reason to think that they're doing a poor job of anything and my understanding is that they're generally well-regarded in the industry.) And one of the main advantages of using a service like theirs is that you're outsourcing that part of staying secure to a company whose job it is to stay on top of that sort of thing. I mean, if you really like staying on top of current security standards and updating your servers' configurations accordingly that's a perfectly fine approach too, but it's the kind of thing that many people prefer to outsource.

4 Likes

as long as its possible to deal with those types of things I am happy :slight_smile:

and yeah i guess I've just always had a thing for computers and cant seem to help jumping down learning rabbit holes :stuck_out_tongue:

It is both a blessing and a curse haha.

Thank you for all your help :slight_smile: you have helped me come to a decision of leaving TLS 1.2 enabled for now until the internet says its broken one day, and also to not mess with those weak ones as it doesn't end in a good outcome when doing so for most people.

Very informative answers and have got me unstuck from an indecision i had before this :slight_smile:

Thanks again you have been really helpful :slight_smile:

Dilation

1 Like
6 Likes

Usually I don't read links straight away but i do click them to check them - and I have just GOT to read this one right now - its somehow perfectly fitting to my situation atm. - Plus the way its formatted is pretty nice to read too haha :slight_smile:

Nice one @Nummer378 :slight_smile:

i tried to also add your answer as a solution but alas I can only have one - but techniqually that is also the solution to this thread as well

Dilation

3 Likes

I just had a random thought - Since my certificate is now issued by cloudflare - what happend to my letsencrypt certificate on the server - is it just redundent now? or is it being used somehow still?

Dilation

1 Like

It's probably used by Cloudflare to secure and encrypt the connection between Cloudflare and your system. So I suppose there is another set of ciphers and configurations that you need to check on to make sure that your customers' data is secured between there and you. That's where you can use the Mozilla recommendations and can probably use the more "modern" configuration since all you need is for Cloudflare to connect to it, not random browsers on the Internet. If you wanted, though, rather than using Let's Encrypt (trusted by "everybody") you could instead use a Cloudflare Origin certificate (just trusted by Cloudflare) if that made things easier for you.

2 Likes

No that works perfectlly for my tinkerer nature to still be able to have it secured to the gills at least for that connection haha...

And ok thats good then - so it didnt make the lets encryrpt certificate redudent or anything like that then :slight_smile:

Dilation

2 Likes