I generated SSL certificate for my domain and it works fine in all of the browsers. Nevertheless, I analyzed it using SSLReport and the following issues were identified. By the way, SSLReport issued Grade F to this certificate.
Here are the issues that were identified:
1.This server supports SSL 2, which is obsolete and insecure, and can be used against TLS (DROWN attack). Grade set to F. MORE INFO »
2. This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C. MORE INFO »
3. This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B. MORE INFO »
4. The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C. MORE INFO »
5. This server accepts RC4 cipher, but only with older protocols. Grade capped to B. MORE INFO »
6. This server does not support Authenticated encryption (AEAD) cipher suites. Grade will be capped to B from March 2018. MORE INFO »
Is there a way to get these issues resolved with settings or by some other means when generating an SSL certificate?
The certificate is not the cause of the bad grade.
The insecure use of the certificate is the problem.
Security is done by the web server and the web admin.
These are all issues with your server configuration as opposed to the certificate in use. You might post your config files for guidance, but you also might have better luck trying to search for known-good configurations and then coming back with anything that doesn’t make sense.
Additionally, due to the DROWN vulnerability, it would be prudent to consider the certificate’s key compromised, revoke it, fix the vulnerability (by disabling SSL 2), and issue a new certificate with a new key.
Edit: The other configuration issues, while serious, don’t compromise the RSA key.
Edit: I was wrong. DROWN doesn’t compromise your key either. Yay!
I’m not totally sure about the trustworthiness of the IISCrypto tool, but it does come with a “Best Practices” template which looks like what you need.
