[BlueOnyx:21835] Re: https://www.ssllabs.com/ssltest/analyze.html actual only B rating for blueonyx Server with ssl
Michael Stauber
mstauber at blueonyx.it
Tue Mar 13 10:07:07 -05 2018
Hi Dirk,
> blueonyx server with enabled SSL actually only get a B rating at
> https://www.ssllabs.com/ssltest/analyze.html
What the hell? I had checked it just a few days ago and we were getting
a rock solid "A" with them. If so, then their evaluation criteria must
just have changed or something else is amiss.
Ah, wait. This is a 5209R with all updates and an LE cert:
https://www.ssllabs.com/ssltest/analyze.html?d=5209r.smd.net&s=38.114.102.16
It still gets a solid "A".
Yes, low on the priority list it uses ciphers recently identified as
weak, because Microsoft fucked up their implementation:
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) WEAK 128
But that doesn't affect the "A"-rating.
> Reasons for that:
> - Forward Secrecy is not enabled
Forward Secrecy: Yes (with most browsers) ROBUST (more info)
> - Certificate Transparency is not available
I think that may be your problem and it's why you got the "B". As far as
I recall you get that when the intermediate is missing.
--
With best regards
Michael Stauber