[ssllabs.com]Grade capped to C

BregnedalSystems · August 4, 2016, 5:42pm

Hello,

Been trying to fix the all day.

Server: Apache 2.4.23
OS: CentOS 7.2 64 bits
ssl.conf: http://pastebin.com/2R8XYZ52
httpd.conf: http://pastebin.com/a76LwsAH
domain: dav.bregnedal.dk

Need more info?

tialaramex · August 4, 2016, 6:59pm

https://mozilla.github.io/server-side-tls/ssl-config-generator/

This site can help you fix some of the problems SSLLabs has detected, by tightening up configuration. You pick your options, then paste the configuration they recommend into your Apache configuration files.

There are some radio buttons, of course “Apache” is fine for the type of server
Type in your version of Apache, and if you know it, the version of OpenSSL installed.

Now, you have to choose Old, Intermediate, or Modern. This will trade off who can visit your site versus the level of security delivered. “Old” lets almost anyone whose computer doesn’t belong in a museum use the site, but at a cost of giving this “C” grade cap because it is dangerously insecure. If you can afford to insist visitors should have a web browser, or phone or whatever built in the last 10 years pick “Intermediate” and most problems reported by SSLLabs will disappear.

If you are very worried about security, e.g. because your site has very sensitive data like medical results, you should pick “Modern” even though people will need an up-to-date web browser to read it.

ecdsa-chacha20 · August 4, 2016, 8:24pm

The ssl.conf you posted cannot be the one used for the website under test. SSLv3 is definitely enabled for your domain but ssl.conf clearly disables it. Watch out what config is actually used, then come back.

BregnedalSystems · August 4, 2016, 9:11pm

Apache do use it, if i add junk to the ssl.conf Apache crash

88keyz · August 5, 2016, 1:28am

Check the following settings in your site config, SSLProtocol & SSLCipherSuite. Mine are set to the following.

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!MEDIUM:!LOW:!CAMELLIA:!SEED:!DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:+3DES:3DES"

If you use those settings that should take care of your errors and improve your site score.

BregnedalSystems · August 5, 2016, 5:52am

A- Works for me, thanks for the help

system · September 4, 2016, 5:52am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
TLS 1.0/1.1 depreciation Help	3	703	April 13, 2020
CertBot auto configuration for Apache - TLS 1.0 and 1.1 Help	2	2019	August 22, 2019
SSLv3 and Certbot/Apache Help	11	5485	December 31, 2016
Qualys reports F for our SSL certs Server	2	880	May 20, 2018
I have updated openssl-1.0.1e to openssl-1.0.1t but I am still getting an F rating Help	10	2847	August 26, 2016

[ssllabs.com]Grade capped to C

Related topics