Forum Discussion
Roy_Jee
Nimbostratus
NimbostratusGet A Grade on SSL LAB for VIP
HI ,
I am looking for Cipher string to get A grade on SSL lab for my VIP .Currently these are the ratings.Thanks in advance .
- Mark_Gallagher
Altocumulus
Try this one which I found in a thread on the old devcentral:
!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:!3DES:-MD5:-SSLv3:-RC4I also have the following options enabled in the SSL client profile: no SSLV3, no TLSv1, and no TLSv1.1.
Here's how it comes out on SSL labs:
I find that I can get similar results locally using nmap's nse script to enum-ssl-ciphers like so:
PS C:\Users\user\nmap-7.70> .\nmap.exe -sV --script ssl-enum-ciphers -p 443 hostname.organization.com Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-27 12:33 Eastern Daylight Time Nmap scan report for 123.123.123.123 Host is up (0.00s latency). PORT STATE SERVICE VERSION 443/tcp open ssl/http httpd |_http-server-header: | ssl-enum-ciphers: | TLSv1.2: | ciphers: | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | compressors: | NULL | cipher preference: server |_ least strength: A Service Info: OS: OS; CPE: cpe:/o:cpe Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 27.81 secondsIt's nice to not be dependent on an external resource for a quick, repeatable check and also not forget to hide the results.
Good luck!
Roy_JeeCan u please suggest a cipher string for V 13.0 as grade has been changed but Weak Cipher s issue still persists .
Here is the string :
!SSLv2:!TLSv1:!TLSv1_1:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:!SSLv3
- Mark_Gallagher
This works but I think you'll definitely see downlevel client failures:
!SSLv2:!TLSv1:!TLSv1_1:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:!ECDHE+AES:!RSA+AES-GCM:!RSA+AES:!ECDHE+3DES:!RSA+3DES:!SSLv3
JGCumulonimbus
Try this one:
!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-ECDSA-DES-CBC3-SHA:!ADH-DES-CBC3-SHA:!ECDH-RSA-DES-CBC3-SHA:!ECDH-ECDSA-DES-CBC3-SHA:!DES-CBC3-SHA:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:!SSLv3.
