Forum Discussion

Rajesh_06_15705
Oct 11, 2015

SSLlabs.com test capped to B

I am running 11.4.1 with HF9. My current SSL ciphers options are: !COMPAT:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:ECDHE+3DES:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:3DES:!MD5:!EXPORT:!DES:!EDH:!SSLv3:!RC4:!TLSv1

The test for the certificate gives me a B.

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

From the tests of the Diffie-Hellman implementation, I see:

Good News! This site uses a unique or infrequently used 1024-bit Diffie-Hellman group. You are likely safe, but it's still a good idea to generate a unique, 2048-bit group for the site.

Did anyone manage to get A/A+ on version 11.4.1?

  • Both A and A+ are possible on 11.4.1. You're losing some score because of 1028 bit key, but also 128bit SSL ciphers reduce your score a little. In regards to key strength, you can't do much unless you're willing to renew the certificate immediately. When the time comes, generate a new CSR based on a 4096 bit private key, and request a new certificate as your current one is coming closer to expiration. This is not urgent and can wait.

    More information on SSL labs grading:
    https://devcentral.f5.com/articles/security-sidebar-improving-your-ssl-labs-test-grade

    • Rajesh_06_15705
      Here are nmap results for the certificate:

      | Public Key type: rsa
      | Public Key bits: 2048
      | Signature Algorithm: sha256WithRSAEncryption
      | Not valid before: 2015-08-24T00:00:00
      | Not valid after: 2016-10-26T12:00:00
      | MD5: bc3f 8d7a bd1e c80d aea7 ed33 d984 bda5
      |_SHA-1: 6a4f c348 93db 9664 d02c 7e27 d1f0 e76c f8ae c8c0
      | ssl-enum-ciphers:
      |   TLSv1.0:
      |     ciphers:
      |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ec 256) - A
      |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
      |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
      |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ec 256) - A
      |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
      |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
      |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
      |     compressors:
      |       NULL
      |     cipher preference: server
      |     warnings:
      |       Key exchange parameters of lower strength than certificate key
      |   TLSv1.1:
      |     ciphers:
      |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ec 256) - A
      |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
      |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
      |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ec 256) - A
      |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
      |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
      |     compressors:
      |       NULL
      |     cipher preference: server
      |     warnings:
      |       Key exchange parameters of lower strength than certificate key
      |   TLSv1.2:
      |     ciphers:
      |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ec 256) - A
      |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
      |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
      |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
      |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ec 256) - A
      |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
      |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
      |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
      |     compressors:
      |       NULL
      |     cipher preference: server
      |     warnings:
      |       Key exchange parameters of lower strength than certificate key
      |_  least strength: C
    • Rajesh_06_15705
      Made changes to ciphers to: !COMPAT:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:ECDHE+3DES:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:3DES:!MD5:!EXPORT:!DES:!EDH:!SSLv3:!RC4:!TLSv1
      This cipher set gave me an A on the ssllabs.com test.
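As an added check after the thread (not code from this thread, from F5, or from nmap), here is a Python parser for nmap's ssl-enum-ciphers output that reproduces the condition SSL Labs capped on: it lists every cipher whose DH group is below 2048 bits or whose key exchange is weaker than the certificate key, which is the "lower strength than certificate key" warning in the output above. The sample input is constructed from the TLSv1.2 block posted above; the EC-to-RSA equivalence table is an assumption taken from the NIST SP 800-57 comparable-strength figures.

```python
import re

# Constructed sample: TLSv1.2 block of the nmap output posted in this thread.
NMAP_OUTPUT = """\
| Public Key bits: 2048
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ec 256) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     warnings:
|       Key exchange parameters of lower strength than certificate key
|_  least strength: C
"""

CIPHER_RE = re.compile(r"^\|\s+(TLS_\S+) \((\w+) (\d+)\) - ([A-F])$")
VERSION_RE = re.compile(r"^\|\s+((?:TLS|SSL)v[\d.]+):$")
KEYBITS_RE = re.compile(r"^\|\s*Public Key bits: (\d+)$")
# Assumed RSA/DH-equivalent strength of EC curves (NIST SP 800-57 table);
# unknown curve sizes fall back to their raw bit length, which over-flags.
EC_EQUIV = {256: 3072, 384: 7680, 521: 15360}

def parse_enum_ciphers(output: str):
    """Return (certificate key bits, one dict per offered cipher)."""
    cert_bits, version, ciphers = None, None, []
    for line in output.splitlines():
        if m := KEYBITS_RE.match(line):
            cert_bits = int(m.group(1))
        elif m := VERSION_RE.match(line):
            version = m.group(1)  # ciphers that follow belong to this version
        elif m := CIPHER_RE.match(line):
            name, kx, bits, grade = m.groups()
            ciphers.append({"version": version, "name": name, "kx": kx,
                            "bits": int(bits), "grade": grade})
    return cert_bits, ciphers

def weak_key_exchange(output: str, min_dh_bits: int = 2048) -> list:
    """Ciphers SSL Labs caps on: a DH group below min_dh_bits, or any key
    exchange weaker than the certificate key (nmap's 'lower strength' warning)."""
    cert_bits, ciphers = parse_enum_ciphers(output)
    flagged = []
    for c in ciphers:
        strength = EC_EQUIV.get(c["bits"], c["bits"]) if c["kx"] == "ec" else c["bits"]
        weak_dh = c["kx"] == "dh" and c["bits"] < min_dh_bits
        below_cert = cert_bits is not None and strength < cert_bits
        if weak_dh or below_cert:
            flagged.append(f'{c["version"]} {c["name"]} ({c["kx"]} {c["bits"]})')
    return flagged
```

Feed it the full ssl-enum-ciphers output from `nmap --script ssl-cert,ssl-enum-ciphers -p 443 <host>` and an empty list means no DHE suite is left that would cap the grade.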