[ssllabs.com]Grade capped to C


#1

Hello,

Been trying to fix this all day.

Server: Apache 2.4.23
OS: CentOS 7.2 64 bits
ssl.conf: http://pastebin.com/2R8XYZ52
httpd.conf: http://pastebin.com/a76LwsAH
domain: dav.bregnedal.dk

Need more info? :slight_smile:


#2

https://mozilla.github.io/server-side-tls/ssl-config-generator/

This site can help you fix some of the problems SSLLabs has detected, by tightening up configuration. You pick your options, then paste the configuration they recommend into your Apache configuration files.

There are some radio buttons; of course “Apache” is fine for the type of server.
Type in your version of Apache, and if you know it, the version of OpenSSL installed.

Now, you have to choose Old, Intermediate, or Modern. This will trade off who can visit your site versus the level of security delivered. “Old” lets almost anyone whose computer doesn’t belong in a museum use the site, but at a cost of giving this “C” grade cap because it is dangerously insecure. If you can afford to insist visitors should have a web browser, or phone or whatever, built in the last 10 years, pick “Intermediate” and most problems reported by SSLLabs will disappear.

If you are very worried about security, e.g. because your site has very sensitive data like medical results, you should pick “Modern” even though people will need an up-to-date web browser to read it.


#3

The ssl.conf you posted cannot be the one used for the website under test. SSLv3 is definitely enabled for your domain but ssl.conf clearly disables it. Watch out what config is actually used, then come back.


#4

Apache does use it; if I add junk to the ssl.conf, Apache crashes.


#5

Check the following settings in your site config, SSLProtocol & SSLCipherSuite. Mine are set to the following.

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!MEDIUM:!LOW:!CAMELLIA:!SEED:!DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:+3DES:3DES"

If you use those settings that should take care of your errors and improve your site score.
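
The check that posts #3 and #5 point at, as an added example that is not part of the original thread: Python that evaluates every `SSLProtocol` directive per scope and reports where SSLv3 is still enabled, so a setting in one file cannot hide a different one elsewhere. It assumes the config files are supplied as text and that `all` includes SSLv3 on this build; the file names and contents in `SAMPLE` are constructed, not the poster's.

```python
import re

# Assumption: "all" expands to this set (Apache 2.4.23, OpenSSL built with SSLv3).
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANON = {p.lower(): p for p in ALL}

def effective_protocols(args):
    """Evaluate SSLProtocol arguments left to right, the way mod_ssl does."""
    enabled = set()
    for tok in args.split():
        action = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-").lower()
        if name == "sslv2":  # gone from 2.4; "-SSLv2" changes nothing
            continue
        chosen = set(ALL) if name == "all" else {CANON[name]}  # KeyError: unknown token
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:  # a bare token replaces whatever was set before it
            enabled = chosen
    return enabled

def audit(files):
    """files: (name, text) pairs. Returns {scope: (file, line, protocols)}, last directive per scope."""
    found = {}
    for fname, text in files:
        scope = "global"
        for n, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            vhost = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
            proto = re.match(r"SSLProtocol\s+(.+)", line, re.I)
            if vhost:
                scope = f"{vhost.group(1).strip()} ({fname}:{n})"
            elif line.lower().startswith("</virtualhost"):
                scope = "global"
            elif proto:
                found[scope] = (fname, n, effective_protocols(proto.group(1)))
    return found

def sslv3_scopes(files):
    """Scopes whose effective SSLProtocol still includes SSLv3."""
    return sorted(s for s, (_, _, p) in audit(files).items() if "SSLv3" in p)

# Constructed sample input (not the poster's files): two configs that disagree.
SAMPLE = [
    ("ssl.conf", "<VirtualHost _default_:443>\nSSLProtocol all -SSLv2 -SSLv3\n</VirtualHost>\n"),
    ("dav.conf", "<VirtualHost *:443>\n# SSLProtocol all -SSLv3\nSSLProtocol all -SSLv2\n</VirtualHost>\n"),
]
```

Calling `sslv3_scopes(SAMPLE)` names the `dav.conf` virtual host, whose own `SSLProtocol` line leaves SSLv3 on even though `ssl.conf` disables it.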


#6

A- Works for me, thanks for the help :slight_smile:

