I generated SSL certificate for my domain and it works fine in all of the browsers. Nevertheless, I analyzed it using SSLReport and the following issues were identified. By the way, SSLReport issued Grade F to this certificate.
Here are the issues that were identified:
1.This server supports SSL 2, which is obsolete and insecure, and can be used against TLS (DROWN attack). Grade set to F. MORE INFO »
2. This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C. MORE INFO »
3. This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B. MORE INFO »
4. The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C. MORE INFO »
5. This server accepts RC4 cipher, but only with older protocols. Grade capped to B. MORE INFO »
6. This server does not support Authenticated encryption (AEAD) cipher suites. Grade will be capped to B from March 2018. MORE INFO »
Is there a way to get these issues resolved with settings or by some other means when generating an SSL certificate?
The certificate is not the cause of the bad grade.
The insecure use of the certificate is the problem.
Security is done by the web server and the web admin.
This site is useful to get modern/up-to-date/best-practice cipher suite settings:
These are all issues with your server configuration as opposed to the certificate in use. You might post your config files for guidance, but you also might have better luck trying to search for known-good configurations and then coming back with anything that doesn’t make sense.
Additionally, due to the DROWN vulnerability, it would be prudent to consider the certificate’s key compromised, revoke it, fix the vulnerability (by disabling SSL 2), and issue a new certificate with a new key.
Edit: The other configuration issues, while serious, don’t compromise the RSA key.
Edit: I was wrong. DROWN doesn’t compromise your key either. Yay!
You do still need to fix it, though.
Thank you, is there something similar for Windows 2008r2 server running IIS?
Not sure, don’t use Windows.
These links may be helpful:
I’m not totally sure about the trustworthiness of the IISCrypto tool, but it does come with a “Best Practices” template which looks like what you need.
Thank you everyone. Will start working on fixing server configuration.
Setting best configuration using IISCrypto did the trick after server was restarted. All good now. Thanks all
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.