SSLlabs.com test capped to B
I am running 11.4.1 with HF9. My current SSL ciphers options are:
    !COMPAT:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:ECDHE+3DES:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:3DES:!MD5:!EXPORT:!DES:!EDH:!SSLv3:!RC4:!TLSv1
Test for the certificate gives me B
This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
From the tests to Diffie-Hellman implementation, I see:
Good News! This site uses a unique or infrequently used 1024-bit Diffie-Hellman group. You are likely safe, but it's still a good idea to generate a unique, 2048-bit group for the site.
Did anyone manage to get A/A+ on version 11.4.1?
Both A and A+ are possible on 11.4.1. You're losing some score because of the 1028-bit key, but 128-bit SSL ciphers also reduce your score a little. With regard to key strength, you can't do much unless you're willing to renew the certificate immediately. When the time comes, generate a new CSR based on a 4096-bit private key, and request a new certificate as your current one is coming closer to expiration. This is not urgent and can wait.
More information on SSL labs grading:
- Hannes_Rapp (Nimbostratus)
- Rajesh_06_15705 (Nimbostratus): Here are nmap results for the certificate
    Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2015-08-24T00:00:00
    | Not valid after: 2016-10-26T12:00:00
    | MD5: bc3f 8d7a bd1e c80d aea7 ed33 d984 bda5
    |_SHA-1: 6a4f c348 93db 9664 d02c 7e27 d1f0 e76c f8ae c8c0
    | ssl-enum-ciphers:
    |   TLSv1.0:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ec 256) - A
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ec 256) - A
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
    |     compressors:
    |       NULL
    |     cipher preference: server
    |     warnings:
    |       Key exchange parameters of lower strength than certificate key
    |   TLSv1.1:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ec 256) - A
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ec 256) - A
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |     compressors:
    |       NULL
    |     cipher preference: server
    |     warnings:
    |       Key exchange parameters of lower strength than certificate key
    |   TLSv1.2:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ec 256) - A
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ec 256) - A
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
    |     compressors:
    |       NULL
    |     cipher preference: server
    |     warnings:
    |       Key exchange parameters of lower strength than certificate key
    |_  least strength: C
- Rajesh_06_15705 (Nimbostratus): Made changes to ciphers to:
    !COMPAT:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:ECDHE+3DES:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:3DES:!MD5:!EXPORT:!DES:!EDH:!SSLv3:!RC4:!TLSv1
  This cipher set gave me A on ssllabs.com test
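
An added example, not part of the original thread and not F5 or nmap code: a small Python audit of `ssl-enum-ciphers` output like the one posted above. It lists every suite that still negotiates a DH group below the 2048 bits recommended in the quoted test result, plus any 3DES suites. The sample input is abridged from the posted output, and the function names are this example's own.

```python
import re

# Abridged from the nmap ssl-enum-ciphers output posted in this thread.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ec 256) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|_  least strength: C
"""

# "|   TLSv1.2:" opens a protocol section; suite lines carry "(kex bits) - grade".
PROTO = re.compile(r"^\|[ _]+((?:TLS|SSL)v[\d.]+):\s*$")
SUITE = re.compile(r"^\|[ _]+(TLS_\S+) \((\w+) (\d+)\) - ([A-F])\s*$")
MIN_DH_BITS = 2048  # group size recommended in the test result quoted in the question


def audit(nmap_text, min_dh_bits=MIN_DH_BITS):
    """Return sorted (protocol, suite, reason) findings for one ssl-enum-ciphers block."""
    findings, proto = set(), None
    for line in nmap_text.splitlines():
        m = PROTO.match(line)
        if m:
            proto = m.group(1)
            continue
        m = SUITE.match(line)
        if not m or proto is None:
            continue
        suite, kex, bits, grade = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        # nmap rates the DHE suites "A", so check the group size explicitly.
        if kex == "dh" and bits < min_dh_bits:
            findings.add((proto, suite, f"{bits}-bit DH group"))
        if "_3DES_" in suite:
            findings.add((proto, suite, f"3DES suite, nmap grade {grade}"))
    return sorted(findings)


def protocols_offering_weak_dh(nmap_text):
    """Protocol versions on which a DH group below MIN_DH_BITS is negotiable."""
    return sorted({p for p, _, why in audit(nmap_text) if why.endswith("DH group")})


if __name__ == "__main__":
    for proto, suite, why in audit(SAMPLE):
        print(f"{proto:8} {suite:40} {why}")
```

Re-running the scan after a cipher-string change and getting an empty list from `protocols_offering_weak_dh` confirms that no DHE suite with the small group is still offered.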