[BlueOnyx:21837] Re: https://www.ssllabs.com/ssltest/analyze.html actual only B rating for blueonyx Server with ssl

Dirk Estenfeld dirk.estenfeld at blackpoint.de
Tue Mar 13 11:02:05 -05 2018


Hello Michael,

Are there different ciphers for your and other 5209R servers?

Please check:
https://www.ssllabs.com/ssltest/analyze.html?d=www.eloquia.com and
https://www.ssllabs.com/ssltest/analyze.html?d=www.excite-werbeagentur.de

Both are 5209R and both get a B rating.

Funny fact: on a 5208R (Scientific Linux 6.9) I get an A+:
https://www.ssllabs.com/ssltest/analyze.html?d=www.blackpoint.de

Can you please investigate a little bit further?

Thank you and best regards
Dirk
---

blackpoint GmbH - Friedberger Straße 106b - 61118 Bad Vilbel


-----Original Message-----
From: Blueonyx [mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of Michael Stauber
Sent: Tuesday, 13 March 2018 16:07
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:21835] Re: https://www.ssllabs.com/ssltest/analyze.html actual only B rating for blueonyx Server with ssl

Hi Dirk,

> blueonyx server with enabled SSL actually only get a B rating at 
> https://www.ssllabs.com/ssltest/analyze.html

What the hell? I had checked it just a few days ago and we were getting
a rock solid "A" with them. If so, then their evaluation criteria must
just have changed or something else is amiss.

Ah, wait. This is a 5209R with all updates and a LE cert:

https://www.ssllabs.com/ssltest/analyze.html?d=5209r.smd.net&s=38.114.102.16

It still gets a solid "A".

Yes, low on the priority list it uses ciphers recently identified as
weak, because Microsoft fucked up their implementation:

TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)     WEAK   256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)     WEAK   256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)        WEAK   256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)   WEAK   256

TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)     WEAK   128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)     WEAK   128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)        WEAK   128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)   WEAK   128

But that doesn't affect the "A"-rating.

> Reasons for that:
> - Forward Secrecy is not enabled

Forward Secrecy: Yes (with most browsers)   ROBUST (more info)

> - Certificate Transparency is not available

I think that may be your problem and it's why you got the "B". As far as
I recall you get that when the intermediate is missing.

-- 
With best regards

Michael Stauber
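
Added example, not part of either message: a small Python parser for suite lines in the layout quoted above. It splits each IANA suite name at `_WITH_` to report the key exchange and whether the suite provides forward secrecy. The four `TLS_RSA_*` rows are copied from the thread; the `ECDHE` row is constructed for contrast.

```python
import re

# Rows in the "NAME (0xID)   WEAK   bits" layout quoted in the thread.
# The four TLS_RSA_* rows come from the thread; the ECDHE row is constructed
# for contrast and is not from the original scan.
SAMPLE = """\
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK   256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK   256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK   128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)   WEAK   128
"""

LINE = re.compile(r"^(TLS_\w+)\s+\((0x[0-9a-fA-F]+)\)\s+(WEAK\s+)?(\d+)\s*$")


def key_exchange(name):
    """Return the key-exchange part of an IANA cipher suite name."""
    if "_WITH_" not in name:
        return "TLS1.3"  # TLS 1.3 names carry no key exchange; it is always (EC)DHE
    return name[len("TLS_"):name.index("_WITH_")]


def parse(report):
    """Parse suite rows into dicts; lines that do not match are skipped."""
    rows = []
    for line in report.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        name, suite_id, weak, bits = m.groups()
        kx = key_exchange(name)
        rows.append({
            "name": name, "id": int(suite_id, 16), "bits": int(bits),
            "kx": kx, "flagged_weak": weak is not None,
            # Only ephemeral (EC)DHE exchanges give forward secrecy; static RSA does not.
            "forward_secrecy": kx == "TLS1.3" or kx.startswith(("ECDHE", "DHE")),
            "cbc": "_CBC_" in name,
        })
    return rows


def without_forward_secrecy(report):
    return [r["name"] for r in parse(report) if not r["forward_secrecy"]]


if __name__ == "__main__":
    for r in parse(SAMPLE):
        print(f'{r["id"]:#06x} kx={r["kx"]:<9} fs={r["forward_secrecy"]!s:<5} {r["name"]}')
```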