[BlueOnyx:21848] Re: https://www.ssllabs.com/ssltest/analyze.html actual only B rating for blueonyx Server with ssl

Dirk Estenfeld dirk.estenfeld at blackpoint.de
Wed Mar 14 02:28:41 -05 2018


Hello Michael,

maybe to get some clarity on this issue.

These are the CipherSuites which are currently active on the 5209R servers:

SSLCipherSuite HIGH:!LOW:!MEDIUM:!DH:!ADH:!EXP:!SSLv2:!SSLv3:!aNULL:!eNULL:!NULL:!EXPORT:!ADH:!IDEA:!ECDSA:!3DES:!DES:!MD5:!PSK:!RC4:!SHA:

-> unfortunately no PFS
Is this the SSLCipherSuite you set in the scripts for adding SSL support to a site, or is this not the current value?


This is the CipherSuite which is currently active on the 5208R server:

SSLCipherSuite HIGH:!LOW:!SEED:!DSS:!SSLv2:!aNULL:!eNULL:!NULL:!EXPORT:!ADH:!IDEA:!ECDSA:!3DES:!DES:!MD5:!PSK:!RC4:

-> PFS is enabled

Best regards,
Dirk


---

blackpoint GmbH - Friedberger Straße 106b - 61118 Bad Vilbel
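As an added check (not part of this thread or of BlueOnyx), the script below asks the local OpenSSL which suites each of the two quoted SSLCipherSuite strings selects and separates ephemeral (EC)DH key exchange, which gives forward secrecy, from static RSA key exchange. The result depends on the OpenSSL build the script runs against, so the 5209R string may expand differently on a newer library than it does on the 5209R box itself.

```python
import ssl

# The two SSLCipherSuite values quoted in the thread.
CIPHERS_5209R = ("HIGH:!LOW:!MEDIUM:!DH:!ADH:!EXP:!SSLv2:!SSLv3:!aNULL:!eNULL:!NULL:"
                 "!EXPORT:!ADH:!IDEA:!ECDSA:!3DES:!DES:!MD5:!PSK:!RC4:!SHA:")
CIPHERS_5208R = ("HIGH:!LOW:!SEED:!DSS:!SSLv2:!aNULL:!eNULL:!NULL:!EXPORT:!ADH:"
                 "!IDEA:!ECDSA:!3DES:!DES:!MD5:!PSK:!RC4:")

# Key-exchange algorithms that give forward secrecy: ephemeral (EC)DH.
PFS_KEA = {"kx-dhe", "kx-ecdhe"}


def expand(cipher_string):
    """Return the TLS 1.2-and-below suites the local OpenSSL selects for an
    SSLCipherSuite string, as the dicts SSLContext.get_ciphers() produces.
    TLS 1.3 suites (kea 'kx-any') are dropped: they are always ephemeral and
    are not controlled by SSLCipherSuite anyway."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # Nothing matched: Apache would refuse to start with this string.
        return []
    return [c for c in ctx.get_ciphers() if c["kea"] != "kx-any"]


def pfs_report(cipher_string):
    """Split the selected suites into ephemeral (PFS) and static key exchange."""
    suites = expand(cipher_string)
    pfs = [c["name"] for c in suites if c["kea"] in PFS_KEA]
    static = [c["name"] for c in suites if c["kea"] not in PFS_KEA]
    return {"has_pfs": bool(pfs), "pfs": pfs, "static": static}


if __name__ == "__main__":
    for label, value in (("5209R", CIPHERS_5209R), ("5208R", CIPHERS_5208R)):
        r = pfs_report(value)
        print(f"{label}: PFS {'enabled' if r['has_pfs'] else 'MISSING'}; "
              f"{len(r['pfs'])} ephemeral, {len(r['static'])} static-key suites")
        for name in r["static"]:
            print("   no forward secrecy:", name)
```

Run it on the server itself (with the Python linked against the system OpenSSL) to see the list the Vsite actually offers; an empty "pfs" list is what SSL Labs reports as no forward secrecy with the reference browsers.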


-----Original Message-----
From: Blueonyx [mailto:blueonyx-bounces at mail.blueonyx.it] On behalf of Dirk Estenfeld
Sent: Wednesday, 14 March 2018 08:12
To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
Subject: [BlueOnyx:21847] Re: https://www.ssllabs.com/ssltest/analyze.html actual only B rating for blueonyx Server with ssl

Hello Michael,

thank you for your email.

No, an additional download for an intermediate certificate is not the reason for a B-rating.
I have another server with all intermediates in stock and this server also has a B-rating.
Also, enabling HSTS is not a guarantee for an A-rating.
I have a site with HSTS enabled as well and it gets a B-rating.

The problem is that the current configuration on the 5209R servers does not have PFS enabled.
I can reproduce it on each 5209R we have, and these are several servers.

If you want I can give you some login information to check this.

Please check the Ciphers to enable PFS. This will bring back the A-rating.

Best regards,
Dirk


---

blackpoint GmbH - Friedberger Straße 106b - 61118 Bad Vilbel

-----Original Message-----
From: Blueonyx [mailto:blueonyx-bounces at mail.blueonyx.it] On behalf of Michael Stauber
Sent: Tuesday, 13 March 2018 17:24
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:21839] Re: https://www.ssllabs.com/ssltest/analyze.html actual only B rating for blueonyx Server with ssl

Hi Dirk,

> are there different Ciphers for your and other 5209R Servers?

During the base-apache updates in the last 2-3 weeks to deal with the
SSL issues I went in and optimized our ciphers a little further. The
ciphers themselves didn't change much and it was just a small tweak. But
I also turned off TLSv1.0 while I was at it.

This change will not have permeated through all Vsites yet *if* their
configuration hasn't been updated through a GUI mandated change of the
configuration. I specifically decided against forcing a write out of the
new configuration to existing Vsites, because that would rock the boat
too much for just a trivial gain.

> Please check:
> https://www.ssllabs.com/ssltest/analyze.html?d=www.eloquia.com and
> https://www.ssllabs.com/ssltest/analyze.html?d=www.excite-werbeagentur.de

It's as I thought. Please go to the results page and under
"Certification Paths" click on the button to expand.

For both you will see:

"Path #1: Trusted." It lists twice "sent by server" and then "In trust
store".

For "Path #2: Trusted" you see four entries. First two are "sent by
server", third is "Extra download" (this is the problem!) and finally
"in trust store" for item four.

So the problem is that for this intermediate listed under "3" (COMODO
RSA Certification Authority) the browser needs to make an extra
download, as your server is not sending that particular intermediate.

That extra-download results in the downgrading of the rating. The point
I'm unsure about is why your cipher list for these two is massively
shortened, resulting in the "This server does not support Forward
Secrecy with the reference browsers." That *could* be related.

Please check and make sure that you've got all intermediates uploaded.

Then also check if /etc/httpd/conf/vhosts/siteX for the Vsite
www.eloquia.com and check what the "SSLCipherSuite" for that says. It
should not be massively different from the one listed in
/etc/httpd/conf.perl/00-default-vsite.pl

> Funny fact:
> On a 5208R (Scientific Linux 6.9) I get an A+
> https://www.ssllabs.com/ssltest/analyze.html?d=www.blackpoint.de

Yes, that's easily explained: "HTTP Strict Transport Security (HSTS)
with long duration deployed on this server."

As it currently is 5207R/5208R/5209R do get a solid "A" in their default
configuration. This has been the case for the last year or two. If you
*also* enable HSTS you do get an "A+".

However: HSTS is a server wide config option. If you do have Vsites that
don't have SSL enabled, then enabling HSTS will cause you problems. That
is why we cannot enable HSTS by default and leave the ability to enable
that option to the server admin.

-- 
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
