CHALLENGE for the A+ 100% Junkies


#1

Since there are some 100% A+ junkies here on the board I have a nice challenge :slightly_smiling:
Try to get an A+ with four times 100% rating on ssllabs and, with the same setup, also an A+ rating on htbridge.
I think this would be impossible, unless you run different setups for the two different test clients.

https://www.ssllabs.com/ssltest/analyze.html
https://www.htbridge.com/ssl/


#2

With wank compliances like NIST, it’s natural that one is going to be contrary to the other.

For example, NIST apparently mandates TLS_RSA_WITH_AES_128_CBC_SHA support, which will automatically prevent you from getting 100% in the cipher strength category on ssllabs.

You can’t have both by definition.

Edit: One interesting thing, htbridge claims vulnerability to TLS POODLE, whereas ssllabs doesn’t. So who is right?


#3

[quote=“TCM, post:2, topic:8648”]
NIST apparently mandates TLS_RSA_WITH_AES_128_CBC_SHA support
[/quote]This is also mentioned in RFCs. Modern standards mandate TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and its ECDSA equivalent.

[quote=“TCM, post:2, topic:8648”]
which will automatically prevent you from getting 100% in the cipher strength category on ssllabs
[/quote]Cipher strength rating must not be 100% anyway. It prevents Firefox and Googlebot from negotiating modern crypto mandated by standards. Chrome and Android >= 5.0 too, in case there is no CHACHA20_POLY1305.

There are 2 real problems:

  1. High-Tech Bridge checker doesn’t give A+ to sites without TLS 1.1 support. If you support TLS 1.2 only, A is a max.
  2. It considers 2 months too short for HPKP, recommends 6 months instead, despite 2 months being recommended by standards and set as a possible maximum by browser vendors.

#4

@selecadm hi, one point I am not sure about:
You said 100% cipher would prevent Google and FF from negotiating modern crypto.
But Googlebot supports TLSv1.2 with TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
And Firefox supports TLSv1.2 with TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Or did you consider it as not so modern because it is not GCM?

And a question about 2 months vs 6 months.

  • If the page sets the limit to 6 months, does it harm, or is this only cut to 2 months by the browsers?

SERVER DOES NOT SUPPORT EC POINT FORMAT EXTENSION
The server supports elliptic curves but not the EC_POINT_FORMAT TLS extension.

This may be a nice point for ssllabs to check in a future version.


#5

My setup got A+ and I didn’t change anything (today).


#6

@Svavar_Kjarrval on both sides with the same setup?
Very interesting.


#7

Yep, same setup got A+ on both tests.


#8

Hello @Svavar_Kjarrval,

Keep in mind that @tlussnig is not only talking about A+ but A+ with 100% tests passed ;).

Cheers,
sahsanu


#9

Details, details. :stuck_out_tongue:


#10

Stupid NIST compliance would require adding three non-PFS cipher suites… No way… :stuck_out_tongue: Still got an A+ though. No penalty for the lack of HPKP luckily… :slightly_smiling:


#11

[quote=“tlussnig, post:4, topic:8648”]
You said 100% cipher would prevent Google and FF from negotiating modern crypto.
But Googlebot supports TLSv1.2 with TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
And Firefox supports TLSv1.2 with TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Or did you consider it as not so modern because it is not GCM?
[/quote]Of course! Only AEAD.

[quote=“tlussnig, post:4, topic:8648”]
  • If the page sets the limit to 6 months, does it harm, or is this only cut to 2 months by the browsers?
[/quote]Latter.

[quote=“Osiris, post:10, topic:8648”]
Stupid NIST compliance would require adding three non-PFS cipher suites… No way…
[/quote]It seems to penalize only the lack of TLS 1.1 support.


#12

Got A+ both tests. Nice! Here I got Apache with Linux.


#13

Hm, maybe I should have written the 100% in bold, since the challenge was not only A+.


#14

Yeah… But I noticed that afterwards and I'm working on it. Thanks man.


#15

Should you, though, really? That seems like a recipe for overfitting to the wrong parameters.


#16

No, it is for guys that love ratings and try to fulfill them without thinking about whether the rating is OK or not.
It is comparable to the movie “War Games”, where they teach the supercomputer that the winner of a world war
is not always a winner. And also that it is important to read carefully.


#17

No, actually you will have trouble getting 100% in both tests. I'm satisfied that way. In the High-Tech test you are asked to follow the NIST guideline, which demands that you enable some mandatory ciphers:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256

Just to keep our posts more informative, for people wondering about the Cipher Suites, you may wanna check this page at Mozilla Wiki:
https://wiki.mozilla.org/Security/Server_Side_TLS
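As an added illustration of the tension this thread keeps circling (this is my own example, not code from the thread, from SSL Labs or from High-Tech Bridge), the following Python script classifies cipher suites by their IANA names and audits a suite list for the three properties argued about above: forward secrecy, AEAD, and whether every suite is 256-bit. The NIST and "modern" suite lists are the ones quoted in posts #3 and #17; the sample suite lists are constructed, and the rule that a single 128-bit suite caps the SSL Labs cipher-strength category below 100% is my reading of the SSL Labs rating guide, not something the thread states.

```python
"""Classify TLS cipher suites by IANA name and audit a suite list for
forward secrecy (PFS), AEAD and symmetric key size."""
import re
from dataclasses import dataclass

# Suites quoted in the thread (post #17 for NIST, post #3 for the modern RFC-mandated pair).
NIST_MANDATORY = (
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
)
MODERN_MANDATORY = (
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
)

# IANA names look like TLS_<key exchange>_WITH_<cipher>_<mac/PRF hash>.
_SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<cipher>.+?)_(?P<mac>SHA256|SHA384|SHA)$"
)

# Effective symmetric key size per cipher prefix; 3DES is counted at its
# 112-bit effective strength (my assumption for scoring purposes).
_KEY_BITS = {"AES_128": 128, "AES_256": 256, "CHACHA20": 256, "3DES": 112}


@dataclass(frozen=True)
class Suite:
    name: str
    pfs: bool   # ephemeral (EC)DHE key exchange => forward secrecy
    aead: bool  # GCM / CCM / POLY1305: integrated authentication, no separate MAC
    bits: int   # effective symmetric key size


def classify(name):
    """Parse one IANA cipher-suite name into its security-relevant properties."""
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    kx, cipher = m["kx"], m["cipher"]
    pfs = kx.startswith(("ECDHE_", "DHE_"))          # plain RSA / ECDH_RSA are static
    aead = any(tag in cipher for tag in ("GCM", "CCM", "POLY1305"))
    bits = next((b for prefix, b in _KEY_BITS.items() if cipher.startswith(prefix)), 0)
    return Suite(name, pfs, aead, bits)


def audit(enabled):
    """Summarise a server's enabled suite list against the thread's criteria."""
    suites = [classify(n) for n in enabled]
    weakest = min(s.bits for s in suites)
    return {
        "all_pfs": all(s.pfs for s in suites),
        "all_aead": all(s.aead for s in suites),
        "weakest_bits": weakest,
        # Assumption from the SSL Labs rating guide: the cipher-strength score
        # averages the strongest and weakest suite, and only >=256-bit suites
        # score 100, so one 128-bit suite already drops the category below 100%.
        "ssllabs_cipher_strength_100": weakest >= 256,
        "nist_mandatory_missing": [n for n in NIST_MANDATORY if n not in enabled],
        "modern_mandatory_present": any(n in enabled for n in MODERN_MANDATORY),
    }


# Constructed example lists, not captured from any real server.
SSLLABS_100_LIST = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",  # the suite post #4 says Googlebot/Firefox offer
]
# The same list extended with what High-Tech Bridge / NIST asks for.
NIST_LIST = SSLLABS_100_LIST + list(MODERN_MANDATORY) + list(NIST_MANDATORY)

if __name__ == "__main__":
    for label, lst in (("256-bit ECDHE only", SSLLABS_100_LIST), ("plus NIST suites", NIST_LIST)):
        print(label)
        for key, value in audit(lst).items():
            print(f"  {key}: {value}")
```

Running it shows the two goals pulling apart: the 256-bit-only list keeps `ssllabs_cipher_strength_100` true but is missing all three NIST suites and neither RFC-mandated 128-bit GCM suite, while adding them makes `all_pfs` false and drops the weakest suite to 112 bits. It also confirms the point in post #11 that `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` is 256-bit and forward secret but not AEAD.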


#18

For everyone who is eager to get a challenge :slight_smile:
https://observatory.mozilla.org/
Here even more is checked: not only TLS and some headers. Even I had to do some structural work to get full points.