SSL Report produces B rating

sensaba · May 2, 2020, 8:52am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: pathxsolutions.com

I ran this command: SSL Verification using ssl-mozilla.org

It produced this output: B Rating

My web server is (include version): Apache2.4

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: Contabo

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Osiris · May 2, 2020, 9:01am

What's that exactly? That site doesn't exist.

sensaba · May 2, 2020, 9:01am

Team,
Firstly would like to appreciate your efforts in providing SSL for free. I would definitely contribute towards this noble cause after completion of my first assignment with a pay check, till then please bare with me

I have read through the blogs and letsencrypt forum as well and convinced about the B rating provided by SSL Report however would like to know how I can improve it to A rating?

Attached image of the overall rating.

Thank you for the support.

regards

sensaba · May 2, 2020, 9:02am

Sorry about that. I forgot to provide the complete url.

here it is: https://www.ssllabs.com/ssltest/index.html

on providing the pathxsolutions.com, the report will get generated

Osiris · May 2, 2020, 9:02am

In the same summary you've made your screenshot from, SSL Labs explains:

This server does not support Forward Secrecy with the reference browsers. Grade capped to B. MORE INFO »

You can even click on the "More info" link to get, well.. More info.

Also, the "Key exchange" bar is yellow. It probably has something to do with that

9peppe · May 2, 2020, 9:03am

A B rating is nothing to worry about. It usually means you made some choices to support older clients instead of going for maximum security.

https://www.ssllabs.com/ssltest/analyze.html?d=pathxsolutions.com&hideResults=on&latest

In your case, it’s because of this:

IE 11 / Win Phone 8.1 TLS 1.2 > http/1.1 TLS_RSA_WITH_AES_128_CBC_SHA256 No FS

You can try and remove the TLS_RSA_WITH_AES_128_CBC_SHA256 cipher from your config, but read this first: https://wiki.mozilla.org/Security/Server_Side_TLS

Osiris · May 2, 2020, 9:12am

You’ve got SSLHonorCipherOrder set to off (its default). This is also the Mozilla recommendation for the “Modern” and “Intermediate compatibility” configurations, because both of those configurations only use strong ciphers.

However, it seems you’ve got some older cipher suits configured. Those configurations could benifit from setting the SSLHonorCipherOrder to “on”. Of course, your cipher suit configuration order should be properly set obviously for that to work, from strongest to weakest.

But read the Mozilla Wiki listed above and perhaps also use the Mozilla SSL Generator while you’re at it.

sensaba · May 2, 2020, 9:21am

Thank you Osiris and 9peppe for your suggestions.
I will spend some more time as per your advise, make the changes and report back. Cheers!

system · June 1, 2020, 9:21am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.