SSL Report produces B rating

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: SSL Verification using

It produced this output: B Rating

My web server is (include version): Apache2.4

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: Contabo

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

What’s that exactly? That site doesn’t exist.

Firstly would like to appreciate your efforts in providing SSL for free. I would definitely contribute towards this noble cause after completion of my first assignment with a pay check, till then please bare with me :slight_smile:

I have read through the blogs and letsencrypt forum as well and convinced about the B rating provided by SSL Report however would like to know how I can improve it to A rating?

Attached image of the overall rating.

Thank you for the support.


Sorry about that. I forgot to provide the complete url.

here it is:

on providing the, the report will get generated

In the same summary you’ve made your screenshot from, SSL Labs explains:

This server does not support Forward Secrecy with the reference browsers. Grade capped to B. MORE INFO »

You can even click on the “More info” link to get, well… More info.

Also, the “Key exchange” bar is yellow. It probably has something to do with that :wink:

A B rating is nothing to worry about. It usually means you made some choices to support older clients instead of going for maximum security.

In your case, it’s because of this:

IE 11 / Win Phone 8.1 TLS 1.2 > http/1.1 TLS_RSA_WITH_AES_128_CBC_SHA256 No FS

You can try and remove the TLS_RSA_WITH_AES_128_CBC_SHA256 cipher from your config, but read this first:

1 Like

You’ve got SSLHonorCipherOrder set to off (its default). This is also the Mozilla recommendation for the “Modern” and “Intermediate compatibility” configurations, because both of those configurations only use strong ciphers.

However, it seems you’ve got some older cipher suits configured. Those configurations could benifit from setting the SSLHonorCipherOrder to “on”. Of course, your cipher suit configuration order should be properly set obviously for that to work, from strongest to weakest.

But read the Mozilla Wiki listed above and perhaps also use the Mozilla SSL Generator while you’re at it.

Thank you Osiris and 9peppe for your suggestions.
I will spend some more time as per your advise, make the changes and report back. Cheers!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.