Security Sidebar: Improving Your SSL Labs Test Grade
Encrypt everything. That's what Google Chairman Eric Schmidt recently said. His comments were in response to various surveillance efforts that he considered government overreach and censorship. His rationale...if you are going to spy on everything I send across the Internet, then I'll simply encrypt it all so you can't read it. Other companies like Facebook, Twitter, Yahoo, and many others have taken similar steps. In addition, Mark Nottingham (chairman of the group developing the new HTTP/2 protocol) said, "I believe the best way that we can meet the goal of increasing use of TLS on the Web is to encourage its use by only using HTTP/2 with https:// URIs."
With all this encryption momentum from giants in the industry, the HTTPS path has been paved and everyone who wants to stay relevant will have to get on board. So, the world is moving to "encrypt everything" and you want to follow suit. Unfortunately, there are many different options to consider when implementing SSL on your web server. Wouldn't it be nice to just have a checkbox that said "click here for SSL implementation"? It's not that simple.
Fortunately, there are many different web-based tools that allow you to score the effectiveness of your web server's SSL implementation. Many of these tools provide recommendations on how to improve your web server's security and make it stronger and more efficient. Some of these include Wormly, SSL Shopper, DigiCert, and GlobalSign to name a few. Some of these tools just give you basic certificate information while others dig a little deeper into performance and known vulnerability status. There's no magic formula or mandate that forces any of these tools to look at one thing over another, so they all test things a little bit differently.
That said, the undisputed industry thought leader in this space is Qualys SSL Labs. Qualys does a great job of conducting a comprehensive inspection of the SSL implementation on your web server. Some may question the need for having a good grade on the SSL Labs test, but imagine a customer checking, for example, their bank website and finding a bad grade for SSL implementation. If my bank had a failing grade on SSL implementation, it would certainly get my attention and it might make me think twice about moving my money and my business elsewhere. Even though an organization may not totally agree with the way Qualys approaches web server testing, it's still important to understand their testing methodology so as to align SSL implementation practices with their recommendations.
How does SSL Labs approach web server testing? They have a fairly short and easy to read SSL Server Rating Guide that outlines the exact methodology they use for testing. Their approach consists of 4 steps:
- Look at a certificate to verify that it's valid and trusted
- Inspect server configuration in three categories:
- Protocol support
- Key exchange support
- Cipher support
- Combine the category scores into an overall score (a score of zero in any category will push the overall score to zero), then calculate an overall letter grade
- Apply a series of rules to handle aspects of server configuration that cannot be expressed via numerical scoring
The final letter grade is based on the following overall numerical score:
Numerical Score |
Letter Grade |
>= 80 |
A |
>= 65 |
B |
>= 50 |
C |
>= 35 |
D |
>= 20 |
E |
< 20 |
F |
Who knew you could get an "E" grade?!? I'm pretty sure I've received every other letter grade on that scale at some point in my life, but never an E. By the looks of where it fits on the scale, I don't want to start now.
One other note about the grading scale...in certain situations the standard A-F grades are not quite applicable and are out of scope. To handle this, SSL Labs has introduced the "M" grade (certificate name mismatch) and the "T" grade (site certificate is not trusted). So, when you are reviewing your score and you see the "M" or the "T" you don't have to wonder what happened with the scoring results.
Anyway, let's quickly look at each of the 4 areas they test.
Certificate Inspection
Three certificate types are currently in use: domain-validated, organization-validated, and extended-validation (EV) certificates. SSL Labs only requires that a certificate be correct and does not go beyond that basic requirement. They do recommend EV certificates for higher-value web sites but they have no way of knowing the purpose of each web site so they simply check to make sure the site's certificate is valid and trusted. However, they do note some certificate issues that will immediately result in a zero score:
- Domain name mismatch
- Certificate not yet valid
- Certificate expired
- Use of a self-signed certificate
- Use of a certificate that is not trusted (unknown CA or some other validation error)
- Use of a revoked certificate
- Insecure certificate signature (MD2 or MD5)
- Insecure key
Server Configuration
The three criteria used for server configuration are protocol support (30% of grade), key exchange (30% of grade), and cipher strength (40% of grade).
Protocol support is graded against the following criteria:
Protocol |
Score |
SSL 2.0 |
0% |
SSL 3.0 |
80% |
TLS 1.0 |
90% |
TLS 1.1 |
95% |
TLS 1.2 |
100% |
They start with the score of the best protocol used on your web server and then add the score of the worst protocol and then divide the total by 2. This doesn't account for any protocols in between the best and worst on your site, but that's why it's important to understand how they calculate all this stuff. For example, if your site supports SSL 3.0, TLS 1.1, and TLS 1.2, your score would be (100 + 80) / 2 = 90. How would you increase that score? Well, if you continued support for TLS 1.1 and TLS 1.2 and dropped support for SSL 3.0, your score would move up to (100 + 95) / 2 = 97.5.
Key exchange is graded against the following criteria:
Key Exchange |
Score |
Weak key (Debian OpenSSL flaw) |
0% |
Anonymous key exchange (no authentication) |
0% |
Key or DH parameter strength < 512 bits |
20% |
Exportable key exchange (limited to 512 bits) |
40% |
Key or DH parameter strength < 1024 bits (e.g., 512) |
40% |
Key or DH parameter strength < 2048 bits (e.g., 1024) |
80% |
Key or DH parameter strength < 4096 bits (e.g., 2048) |
90% |
Key or DH parameter strength >= 4096 bits (e.g., 4096) |
100% |
Cipher strength is the final piece of the server configuration equation. Servers can support varying strengths of ciphers, so SSL Labs scores the cipher strength the same way they do the protocol strength...take the score of the strongest cipher, add the score of the weakest cipher, and divide by 2. The scores for each cipher are as follows:
Cipher Strength |
Score |
0 bits (no encryption) |
0% |
< 128 bits (e.g., 40, 56) |
20% |
< 256 bits (e.g., 128, 168) |
80% |
>= 256 bits (e.g., 256) |
100% |
Sample Web Server
Let's say your web server has the following configuration:
- Valid and trusted certificate
- Protocol support for TLS 1.0 and TLS 1.1
- RSA key with 2048 bit strength
- Cipher algorithm is AES/CBC with 256 bit strength
In this case, you would score a 92.5 for protocol support, a 90 for key exchange, and a 100 for cipher strength. Protocol support accounts for 30% of the overall grade, so you multiply 92.5 by 30%. Key exchange is also 30% of the overall grade, and cipher strength is 40% of the overall grade. Using these values, you would score a (92.5 * 30%) + (90 * 30%) + (100 * 40%) = 94.75. Converting this numerical score to a Letter Grade would yield an overall "A" score. Congratulations!
Important Things to Consider...
SSL Labs periodically changes their grading criteria and methodology based on changes in technology. Here are some changes that they have published (updated Feb 2018):
- SSL 2.0 is not allowed (results in an automatic "F")
- Insecure renegotiation is not allowed (results in an automatic "F")
- Vulnerability to the BEAST attack caps the grade at B
- Vulnerability to the CRIME attack caps the grade at C (previously capped at "B" but changed in the May 2015 test version)
- The test results no longer show the numerical score (0-100) because they realized that the letter grade (A-F) is more useful (they still calculate the numerical score...they just don't show it to you)
- No longer require server-side mitigation for the BEAST attack
- Support for TLS 1.2 is now required to get an A grade. Without it, the grade is capped at a B
- If vulnerable to the Heartbleed attack, automatic "F" grade
- If vulnerable to the OpenSSL CVE-2014-0224 vulnerability, automatic "F" grade
- Keys below 2048 bits (e.g., 1024) are now considered weak, and the grade is capped at a B
- Keys under 1024 bits are now considered insecure (results in an automatic "F")
- Warnings have been introduced as part of the rating criteria. In most cases, warnings are about issues that do not yet affect the grade, but likely will in the future. Server administrators are advised to correct the warnings as soon as possible. Some examples are:
- Warning: RC4 is used with TLS 1.1 or newer protocol. Because RC4 is weak, the only reason to use it is to mitigate the BEAST attack. For some, BEAST is still a threat. Because TLS 1.1 and newer are not vulnerable to BEAST, there is no reason to use RC4 with them
- Warning: No support for Forward Secrecy
- Warning: Secure renegotiation is not supported
- Grade A- is introduced for servers with generally good configuration that have one ore more warnings
- Grade A+ is introduced for servers with exceptional configurations. At the moment, this grade is awarded to servers with good configuration, no warnings, and HTTP Strict Transport Security support with a max-age of at least 6 months
- MD5 certificate signatures are now considered insecure (results in an automatic "F")
- Clarified that insecure certificate signatures affect the certificate score. This has always been the case for MD2
- Clarified that the strength of DHE and ECDHE parameters affects key exchange scoring. This has always been the case, but previous revisions of the text were not clear about it
- An A+ score is not awarded to servers that use SHA1 certificates
- Overall grade is capped at C if vulnerable to POODLE attack
- An A+ score is not awarded to servers that don’t support TLS_FALLBACK_SCSV
- Overall grade is capped at "B" if SSL 3 is supported
- Overall grade is capped at "B" if RC4 is supported
- Overall grade is capped at "B" if the certificate chain is incomplete
- Servers that have SSL 3.0 as their best protocol automatically get an "F"
- If using weak DH parameters (less than 1024 bits), grade is automatically set to "F"
- If using weak DH parameters (less than 2048 bits), grade capped at "B"
- If using export cipher suites, grade is automatically set to "F"
- If vulnerable to CRIME attack, best grade is capped at "C" (was "B" prior to May 2015 test version)
- Cap grade at "C" if RC4 is used with TLS 1.1+
- Cap grade at "C" if not supporting TLS 1.2
- Fail servers that support only RC4 suites
- Detect when RSA exponent 1 is used. This is insecure and gets an automatic "F"
- Hosts that have HPKP issues can't get an A+ grade
- Servers vulnerable to DROWN attack get an automatic "F" grade
- If vulnerable to CVE-2016-2107 (Padding oracle in AES-NI CBC MAC check), grade is an automatic "F"
- Introduce a penalty (grade capped at C) for using 3DES (and other ciphers with block sizes of 64 bits) with TLS 1.1+
- SHA1 certificates are no longer trusted; results in a "T" grade
- Introduced an explicit penalty for using cipher suites weaker than 112 bits. This was necessary to address a flaw in the SSL Labs grading algorithm that didn't sufficiently penalize these weak suites.
- WoSign/StartCom certificates are distrusted and will result in a "T" grade
-
If vulnerable to Ticketbleed (CVE-2016-9244), the grade is an automatic "F"
In addition to these updates, SSL Labs is planning to add more criteria changes in March, 2018. These include:
- Penalty for not using forward secrecy (grade capped at "B"). Not using Forward Secrecy is currently a warning, but will soon affect the actual grade of your web server. They will not penalize sites that use suites without forward secrecy provided they are never negotiated with clients that can do better.
- Penalty for not using AEAD suites (grade capped at "B"). Your site should use secure cipher suites, and AEAD is the only encryption approach without any known weaknesses. Also, the new TLS 1.3 protocol supports only AEAD suites. In their new grading criteria, websites will be required to use AEAD suites to get an "A". However, as with forward secrecy, they will not penalize sites if they continue to use non-AEAD suites provided AEAD suites are negotiated with clients that support them.
- Penalty for Return Of Bleichenbacher Oracle Threat (ROBOT) vulnerability (automatic "F" grade). ROBOT is an attack model based on Daniel Bleichenbacher chosen-ciphertext attack. Bleichenbacher discovered an adaptive-chosen ciphertext attack against protocols using RSA, he demonstrated the ability to perform RSA private-key operations. Researchers have been able to exploit the same vulnerability with small variations to the Bleichenbacher attack. The ROBOT vulnerability was a warning in the past, but will now be used in the grading algorithm. Note: F5 has provided mitigation steps for the ROBOT vulnerability in article K21905460: BIG-IP SSL vulnerability (ROBOT) CVE-2017-6168.
- Penalty for using Symantec Certificates (grade of "T" will be given). Starting March 1, 2018, SSL Labs will give “T” grade for Symantec certificates issued before June 2016.
Hopefully you can start to see how your overall grade can change based on different options and configurations. As SSL Labs changes their grading criteria and testing methodology (i.e. will support for HTTP 2.0 be needed for an "A" grade in the future?) you should stay aware of what they are doing and how your web site is affected by their changes. It's important to check back periodically to see how your grade looks...your customers are certainly checking on you! After all, if you're gonna "encrypt everything" you might as well encrypt it correctly.
Knowing all this, you can more easily configure your web server to go from this grade...
To this grade...
Here's to great web site configurations, effective security, and A+ grades!
- hawksfan1_17948NimbostratusGreat article!
- Sam153_178384NimbostratusNice article John !!!
- I feel its worth noting that in October SSL Labs announced support for a BETA version of an API that would allow for programatic access to the SSL Labs test suite. Notice is available here: http://sourceforge.net/p/ssllabs/mailman/message/32987128/ Example code and docs are here: https://github.com/ssllabs/ssllabs-scan
- ltwagnonRet. EmployeeThanks Josh. Great info to have!
- Jamie_CravensNimbostratusI have a feeling a good SSL Labs score doesn't correspond well w/ a user/client compatibility score.
- Mike_Gorski_625NimbostratusNote how HSTS support is evaluated by SSL Labs - they make a GET against "/" URI and check whether the header is there and that it's at least 180 days - but if your VIP doesn't process requests for "/" or you have a redirect via HTTP::respond or HTTP::redirect then even the iRule to insert the header as part of HTTP_RESPONSE event does not fire - you need to modify the HTTP::respond/HTTP::redirect to include that header
- ltwagnonRet. EmployeeGreat point, Mike! Thanks for the clarification and the recommendations.
- GeneUWG_150657NimbostratusI am using the DEFAULT cipher suite on v12.0.0 HF1 yet get the following from SSL Labs, any suggestions? This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B. These two notes were highlighted in the protocol details section: Forward SecrecyWeak key exchange WEAK DH public server param (Ys) reuse Yes And these were highlighted in the Cipher Suite section: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits FS WEAK256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits FS WEAK128 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 1024 bits FS WEAK256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits FS WEAK256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 1024 bits FS WEAK128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits FS WEAK128 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 1024 bits FS WEAK112
- ltwagnonRet. Employee
Here's a profile configuration that received an A+ grade recently:
ltm profile client-ssl { app-service none cert-key-chain { default { cert default.crt key default.key } } ciphers !LOW:!SSLv3:!MD5:!RC4-SHA:!EXPORT:!DHE:ECDHE+AES-GCM:DHE+AES-GCM:ECDHE+AES:ECDHE-RSA-DES-CBC3-SHA:DHE+AES:AES-GCM+RSA:RSA+AES:RSA+3DES:@SPEED defaults-from clientssl inherit-certkeychain false } ltm policy { controls { asm forwarding } requires { http } rules { default { actions { 0 { http-header response insert name Strict-Transport-Security value max-age=15552000 } } ordinal 0 } } strategy first-match
Pingback: https://devcentral.f5.com/s/articles/security-sidebar-improving-your-ssl-labs-test-grade
 
Cheers, Kai