SSLlabs checker results

dash-crypto
#1

Hi,

I’ve got a free plan.

Is there a way to get a better SSL Labs grade (I get an A+, but just a 90 rating in key exchange and cipher strength)?

Is there a way to get OCSP stapling working? SSL labs does not recognize it.

Thank you very much.

#2

I’ve never seen SSL that’s 100 in all areas. Stapling is there, but Must Staple is not.

Is there something that’s not working for you because of this?

3 Likes
#3

I temporarily set the minimum to TLS 1.3 and, even though the “cipher suites” box only shows green/strong ciphers, it still shows a 90 in cipher strength. I guess you can’t get a 100 there?

1 Like
#4

My server is cPanel, with Nginx proxy by Engintron.
Before adding Cloudflare (for speed mainly), I had 100 in ciphers with my Nginx configuration (only TLS 1.2, strong ciphers):

# Protocols & Ciphers
# Note: the two "*-SHA512" entries are not OpenSSL cipher names (no AES-GCM
# suite uses SHA-512); OpenSSL silently ignores them and only the three
# SHA384 suites are actually offered.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384';
ssl_prefer_server_ciphers on;

It’s still 100 on one of my domains, waiting to switch to Cloudflare as well.

Key exchange is different (I think we would need at least 4096-bit keys/certs for 100 in that).

1 Like
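To see where the 90 in post #3 and the 100 in this post come from, here is an added Python example (not code from the thread, nor from Cloudflare, nginx or SSL Labs) that expands the cipher string above with the local OpenSSL, the same way nginx's ssl_ciphers does, and applies the SSL Labs cipher-strength formula from its public Server Rating Guide: each suite scores by symmetric key size and the category is the average of the weakest and strongest suite. It goes slightly beyond the post by also scoring key exchange by RSA-equivalent strength. The cipher string is copied from the config above; the function names and the report format are my own.

```python
import ssl

# Constructed input: the ssl_ciphers value from the nginx config above.
NGINX_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:"
    "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-SHA384"
)


def cipher_strength_points(bits):
    """Per-suite points (SSL Labs Server Rating Guide):
    0 bits -> 0, <128 -> 20, <256 -> 80, >=256 -> 100."""
    if bits == 0:
        return 0
    if bits < 128:
        return 20
    if bits < 256:
        return 80
    return 100


def cipher_strength_score(bits_list):
    """Category score = average of weakest and strongest suite, so a single
    128-bit suite next to 256-bit ones gives (80 + 100) / 2 = 90."""
    return (cipher_strength_points(min(bits_list))
            + cipher_strength_points(max(bits_list))) // 2


def key_exchange_points(rsa_equivalent_bits):
    """Key exchange points by RSA-equivalent strength:
    <512 -> 20, <1024 -> 40, <2048 -> 80, <4096 -> 90, >=4096 -> 100.
    An ECDHE curve is rated by its RSA equivalent (NIST SP 800-57:
    P-256 ~ 3072, P-384 ~ 7680), so a 2048-bit cert or P-256 lands on 90."""
    b = rsa_equivalent_bits
    if b < 512:
        return 20
    if b < 1024:
        return 40
    if b < 2048:
        return 80
    if b < 4096:
        return 90
    return 100


def resolve_ciphers(openssl_cipher_string):
    """Expand an OpenSSL cipher string exactly as the server would.
    Unknown names are dropped silently (only an empty result raises);
    OpenSSL 1.1.1+ appends its TLS 1.3 suites regardless of this string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(openssl_cipher_string)
    return ctx.get_ciphers()  # dicts with name, protocol, strength_bits, ...


def is_tls13(cipher):
    return cipher["protocol"] == "TLSv1.3" or cipher["name"].startswith("TLS_")


def cipher_strength_report(openssl_cipher_string, include_tls13=True):
    """Return the suites actually offered and their SSL Labs-style score."""
    ciphers = resolve_ciphers(openssl_cipher_string)
    if not include_tls13:
        ciphers = [c for c in ciphers if not is_tls13(c)]
    bits = [c["strength_bits"] for c in ciphers]
    return {
        "ciphers": [c["name"] for c in ciphers],
        "weakest_bits": min(bits),
        "score": cipher_strength_score(bits),
    }


if __name__ == "__main__":
    for label, flag in (("TLS 1.2 suites only", False), ("with TLS 1.3", True)):
        r = cipher_strength_report(NGINX_CIPHERS, include_tls13=flag)
        print(f"{label}: score {r['score']}, weakest {r['weakest_bits']} bits")
        for name in r["ciphers"]:
            print("   ", name)
    print("key exchange, 2048-bit RSA / P-256:", key_exchange_points(2048),
          "| 4096-bit RSA / P-384:", key_exchange_points(4096))
```

Run against the config above, the TLS 1.2-only view scores 100 (every surviving suite is 256-bit, and the two SHA512 names vanish), while enabling TLS 1.3 adds TLS_AES_128_GCM_SHA256, which most stacks, Cloudflare's included, do not let you remove, pulling the category to 90. The same formula explains the key exchange 90: a 2048-bit certificate or a P-256 ECDHE exchange is below the 4096-bit-equivalent threshold.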
#5

This seems as good a place as any to ask my question regarding the latest POODLE variants. Considering that by the end of this month Qualys will be giving failing grades to susceptible servers using any CBC cipher suite with TLSv1.2 or below, and considering TLSv1.3 isn’t vulnerable but does throw errors with HSTS, what’s a good solution to ensure one’s site(s) are not slapped with failing grades from Qualys?

What happens to those of us not in control of our own servers come end of May, when most of Cloudflare’s TLSv1.2 cipher suites end up failing our ratings on https://www.ssllabs.com due to semi-new POODLE variants?
#6

Can you elaborate/link? The TLS version should have nothing to do with HSTS.

1 Like
#7

Absolutely. I fully agree that TLSv1.3 should function fine with HSTS; however (and I perhaps should have expanded my statement to include “HSTS Preload Lists via Google”), Google does not agree, at least via its current Preload technology. Please see the attached screenshots.
I’ve also included Mozilla’s TLS Observatory’s “Modern” rating, which is a nice little bonus, though not one to compensate for the rest of the ecosphere all being out of sync insofar as agreeing on properly securing the internet when strictly using TLSv1.3. For the interest of anyone who may be interested in such things: with TLSv1.2 set as the minimum version, said TLS Observatory rates the setup as “Non-compliant” but does note that “Please note that non-compliance simply means that the server’s configuration is either more or less strict than a pre-defined Mozilla configuration level.” Though, as the visual “?” projects fairly well, said note can be quite confusing, as it states one’s current configuration “…is either more or less strict than a pre-defined Mozilla configuration [recommendation]…”.

To reproduce: temporarily set one’s minimum TLS version to 1.3, then go to https://observatory.mozilla.org, from where one may go to Google’s HSTS Preload service at https://hstspreload.org, as well as to direct links to multiple other good services.


#8

This is just because their testing website doesn’t implement 1.3; using TLS 1.2 is not an inherent requirement for the HSTS preload list. If you really want to enroll in preload with 1.3 only, you could either temporarily enable 1.2 or submit a pull request to Chromium manually.

https://golang.org/pkg/crypto/tls/

TLS 1.3 is available only on an opt-in basis in Go 1.12. To enable it, set the GODEBUG environment variable (comma-separated key=value options) such that it includes “tls13=1”.

#9

I’ve been preloaded for some time now. Regardless, this still does not address my initial inquiry. Any ideas on that? Thank you.

closed #10