[BlueOnyx:21839] Re: https://www.ssllabs.com/ssltest/analyze.html actual only B rating for blueonyx Server with ssl

Michael Stauber mstauber at blueonyx.it
Tue Mar 13 11:23:37 -05 2018


Hi Dirk,

> are there different Ciphers for your and other 5209R Servers?

During the base-apache updates in the last 2-3 weeks to deal with the
SSL issues I went in and optimized our ciphers a little further. The
ciphers themselves didn't change much and it was just a small tweak. But
I also turned off TLSv1.0 while I was at it.

This change will not have permeated through all Vsites yet *if* their
configuration hasn't been updated through a GUI mandated change of the
configuration. I specifically decided against forcing a write out of the
new configuration to existing Vsites, because that would rock the boat
too much for just a trivial gain.

> Please check:
> https://www.ssllabs.com/ssltest/analyze.html?d=www.eloquia.com and
> https://www.ssllabs.com/ssltest/analyze.html?d=www.excite-werbeagentur.de

It's as I thought. Please go to the results page and under
"Certification Paths" click on the button to expand.

For both you will see:

"Path #1: Trusted." It lists twice "sent by server" and then "In trust
store".

For "Path #2: Trusted" you see four entries. First two are "sent by
server", third is "Extra download" (this is the problem!) and finally
"in trust store" for item four.

So the problem is that for this intermediate listed under "3" (COMODO
RSA Certification Authority) the browser needs to make an extra
download, as your server is not sending that particular intermediate.

That extra download results in the downgrading of the rating. The point
I'm unsure about is why your cipher list for these two is massively
shortened, resulting in the "This server does not support Forward
Secrecy with the reference browsers." That *could* be related.

Please check and make sure that you've got all intermediates uploaded.

Then also check /etc/httpd/conf/vhosts/siteX for the Vsite
www.eloquia.com and see what the "SSLCipherSuite" there says. It
should not be massively different from the one listed in
/etc/httpd/conf.perl/00-default-vsite.pl

> Funny fact
> A 5208R (Scientific Linux 6.9) I get an A+
> https://www.ssllabs.com/ssltest/analyze.html?d=www.blackpoint.de

Yes, that's easily explained: "HTTP Strict Transport Security (HSTS)
with long duration deployed on this server."

As it currently is, 5207R/5208R/5209R do get a solid "A" in their default
configuration. This has been the case for the last year or two. If you
*also* enable HSTS you do get an "A+".

However: HSTS is a server wide config option. If you do have Vsites that
don't have SSL enabled, then enabling HSTS will cause you problems. That
is why we cannot enable HSTS by default and leave the ability to enable
that option to the server admin.

-- 
With best regards

Michael Stauber
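As an added example (not part of this thread and not BlueOnyx's own tooling), the two checks Michael asks for can be scripted: whether the chain the server sends stops at an intermediate the client would have to fetch itself (the SSL Labs "Extra download"), and whether a Vsite's SSLCipherSuite has dropped the ECDHE/DHE ciphers the default carries, which is what costs forward secrecy. The script parses the "Certificate chain" section of `openssl s_client` output; the sample output, the sample Apache config fragments, the CA names and the `TRUSTED_ROOTS` stand-in for the client trust store are all constructed for the example, and the cipher lists shown are not BlueOnyx's actual defaults.

```python
"""Check a TLS server's sent chain for missing intermediates and compare
a Vsite's SSLCipherSuite against the default. Example code, not BlueOnyx's."""
import re
import subprocess
import sys
from typing import Dict, List, Set, Tuple

# Constructed sample of `openssl s_client -connect HOST:443 -servername HOST`
# output: leaf + one intermediate, whose issuer is neither sent nor a root.
SAMPLE_INCOMPLETE_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.com
   i:O = Example CA Ltd, CN = Example Domain Validation CA
 1 s:O = Example CA Ltd, CN = Example Domain Validation CA
   i:O = Example CA Ltd, CN = Example RSA Certification Authority
---
"""

# Constructed sample of a complete chain: the last sent cert is issued by a root.
SAMPLE_COMPLETE_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.com
   i:O = Example CA Ltd, CN = Example Domain Validation CA
 1 s:O = Example CA Ltd, CN = Example Domain Validation CA
   i:O = Example CA Ltd, CN = Example RSA Certification Authority
 2 s:O = Example CA Ltd, CN = Example RSA Certification Authority
   i:O = Example CA Ltd, CN = Example Root CA
---
"""

# Constructed stand-in for the client's trust store (root subject names only).
TRUSTED_ROOTS: Set[str] = {"O = Example CA Ltd, CN = Example Root CA"}

# Constructed Apache fragments; not BlueOnyx's real default or Vsite config.
SAMPLE_DEFAULT_CFG = """\
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384
"""
SAMPLE_VSITE_CFG = "SSLCipherSuite AES128-GCM-SHA256:AES256-GCM-SHA384\n"

CHAIN_LINE_RE = re.compile(r"^\s*\d+\s+s:(.*)$")   # " 0 s:CN = ..." lines
CIPHER_RE = re.compile(r"^\s*SSLCipherSuite\s+(\S+)", re.MULTILINE)


def parse_chain(s_client_output: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server sent them."""
    lines = s_client_output.splitlines()
    chain = []
    for idx, line in enumerate(lines[:-1]):
        m = CHAIN_LINE_RE.match(line)
        nxt = lines[idx + 1].strip()
        if m and nxt.startswith("i:"):
            chain.append((m.group(1).strip(), nxt[2:].strip()))
    return chain


def chain_report(s_client_output: str, trusted_roots: Set[str]) -> Dict[str, object]:
    """Count sent certs and list issuers a client would have to download."""
    chain = parse_chain(s_client_output)
    sent_subjects = {subj for subj, _ in chain}
    extra_download = [
        issuer for subj, issuer in chain
        if issuer != subj                  # self-signed root: nothing above it
        and issuer not in sent_subjects    # issuer sent by the server: fine
        and issuer not in trusted_roots    # issuer already in the trust store: fine
    ]
    return {"sent": len(chain), "extra_download": extra_download}


def cipher_suite(config_text: str) -> List[str]:
    """Extract the SSLCipherSuite list from an Apache config fragment."""
    m = CIPHER_RE.search(config_text)
    return m.group(1).strip("\"'").split(":") if m else []


def missing_ciphers(vsite_cfg: str, default_cfg: str) -> List[str]:
    """Ciphers present in the default config but absent from the Vsite's."""
    have = set(cipher_suite(vsite_cfg))
    return [c for c in cipher_suite(default_cfg) if c not in have]


def forward_secrecy_ciphers(ciphers: List[str]) -> List[str]:
    """Ephemeral-key suites; an empty result means no forward secrecy."""
    return [c for c in ciphers if c.startswith(("ECDHE-", "DHE-"))]


def fetch_chain(host: str) -> str:
    """Query a live host (needs network and the openssl binary)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:443", "-servername", host],
        input="", capture_output=True, text=True, timeout=20)
    return proc.stdout


if __name__ == "__main__":
    # Usage: python check_chain.py www.example.com  (TRUSTED_ROOTS is a stand-in)
    report = chain_report(fetch_chain(sys.argv[1]), TRUSTED_ROOTS)
    print(f"certificates sent: {report['sent']}")
    for issuer in report["extra_download"]:
        print(f"client must download: {issuer}")
```

Against a real server, replace `TRUSTED_ROOTS` with the subjects from the system CA bundle (on CentOS-based systems that is /etc/pki/tls/certs/ca-bundle.crt); with the stand-in, a chain ending at a genuine root is reported as needing a download, so read the output accordingly.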


