Ssltest on ssllabs


#1

Hello i generated certificate for my domain sslpower.ml wtih this command ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth --rsa-key-size 4096

and then created config for ssl (apache2)

ServerAdmin admin@sslpower.ml ServerName sslpower.ml ServerAlias www.sslpower.ml DocumentRoot /var/www/sslpower.ml ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLCertificateFile /etc/letsencrypt/live/sslpower.ml-0001/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/sslpower.ml-0001/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/sslpower.ml-0001/fullchain.pem SSLEngine on SSLCompression off SSLCipherSuite "HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128" SSLHonorCipherOrder on SSLProtocol TLSv1.2 Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" SSLOptions +StdEnvVars SSLOptions +StdEnvVars BrowserMatch "MSIE [2-6]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

I tested ssl on https://www.ssllabs.com/ssltest/analyze.html?d=sslpower.ml
but everything is 100% expect key exchange. can someone help me raise key exchange to 100%? :slight_smile:


#2

One question: why would you have everything on 100%? Do you have the illusion (no offence) that everything on 100% is actually better and/or safer?

Also, you haven’t added www.sslpower.ml to your certificate, so users surfing to https://www.sslpower.ml are getting a certificate mismatch error…


#3

yes, think that. is it wrong? :open_mouth: my friend said me that if i will have everything on 100% it will be safer.


#4

how can i fix it? i used this command to generate cert ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth --rsa-key-size 4096 and writed sslpower.ml.


#5

Depends, for some reason I can’t get the apache plugin of the client “see” my ServerAlias, but you could try to specify both hostnames on the command line with -d sslpower.ml -d www.sslpower.ml, so the client will actually use both.

Furthermore, you’re referring to cert.pem as wel as fullchain.pem in your Apache configuration. This results in the Chain issues Incorrect order, Extra certs error on SSLLabs. Depending on your Apache version, you’ll have to choose:

Apache version 2.4.8 or higher: only use SSLCertificateFile, pointing to fullchain.pem (that file includes the chain ánd your cert)
Apache version lower than 2.4.8: point SSLCertificateFile to cert.pem and SSLCertificateChainFile to chain.pem (and not fullchain, because then you’ll sending your own certificate twice…)


#6

Yes, your friend is wrong IMHO. By only using 256 bits ciphers, you’re forcing ciphers which aren’t implementing 256 bits GCM AES to use the CBC mode of operation, which is broken.

However, 100% on the Key Exchange is quite possible without breaking stuff, but I’d want to mention the issue with the whole “I must have 100%!!!11” thingy…

For 100% Key Exchange, add the following somewhere in your Apache configuration:

SSLOpenSSLConfCmd ECDHParameters Automatic
SSLOpenSSLConfCmd Curves secp521r1:secp384r1:prime256v1

I’m still not entirely sure the first one is needed, but with these two items, my Apache accepts all three ECC curves, so SSLLabs will grant you 100%.


#7

Thank you. i fixed first problem with www.

I had version: Apache/2.4.7 (Ubuntu) but i updated to version: Apache/2.4.20 (Ubuntu) and then i restarted apache
and it says * The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 11 of /etc/apache2/sites-enabled/default-ssl.conf:
SSLCertificateFile takes one argument, SSL Server Certificate file (’/path/to/file’ - PEM or DER encoded)
Action ‘configtest’ failed.

how can i fix it? :slight_smile:


#8

Well, what did you put on line 11? Apache says it’s wrong :stuck_out_tongue:


#9

nothing… :smiley: line 11 is this… SSLCertificateChainFile /etc/letsencrypt/live/sslpower.ml-0002/fullchain.pem


#10

Perhaps the Apache error message handling thingy messes up the line counting, you should look at the SSLCertificateFile. And obvious you didn’t read my previous post entirely, because you’re still pointing the SSLCertificateChainFile directive to fullchain.pem :wink:


#11

i fixed problem on line 11 :smiley: i had 2 spaces there… :smiley:
now it works

But bro, i think i dont understand you :smiley:

I have this in config
SSLCertificateFile /etc/letsencrypt/live/sslpower.ml-0002/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sslpower.ml-0002/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/sslpower.ml-0002/fullchain.pem
Can you write me what i have to change? :slight_smile:


#12

A) I already did 27 minutes ago
B) It’s better to understand it yourself than someone telling you to do something you don’t actually understand.


#13

oh, i didn’t read your post entirely. now i changed it . thank you :slight_smile:


#14

Thank you, now i have 100% exchange.

But what i should do with ciphers? i think i dont understand you. should i use only GCM?


#15

Congratulations, you’ve got a 4x100% score. Now your site isn’t accessible by a lot of (mainly) old clients and using a old-fasioned, proven weak mode of operation in modern ciphers :wink:

Not everyone is sharing the same opinion. Some people even say 256 bits AES is less secure than 128 bits AES (many interesting links in that topic). I don’t agree with that specific statement by the way.

But all agree the GCM mode of operation is way better than the CBC mode of operation. Unfortunately, removing CBC altogether from your cipher list will result in many, MANY clients refusing a connection to your server, because most modern browsers will only accept 128 bits GCM because of “performance reasons”. If you look at your current configuration, still about 50% of clients is using the CBC mode of operation…

So it depends in what you believe is safer… After reading a lot about it ofcourse :wink:


#17

#18

Do you have OpenSSL version 1.0.2d or higher? Can you give me a hostname which isn’t working, so we can look cat the SSLLabs results?