Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Getting Good Grades on your SSL

David_Holmes_12
Historic F5 Account

on ‎08-May-2012 20:27

If you haven’t tried the SSL Labs site analyzer against your own property, check it out.  Ivan Ristić has conjured up an excellent tool that examines the characteristics of your SSL site against several metrics and then gives your site a grade. If you aren’t a cryptographer (or crypto-groupie) and don’t have time to learn which ciphers are best, if your certificate chain is broken, or you just want to know “Hey, are we good?  I got stuff to do,” then the Ristić site analyzer is for you.

As a control test, here’s the report against a brand new apache2/mod_ssl site using all the defaults with a self-signed certificate. Let’s see how the analyzer grades it.

0151T000003d5RtQAI.jpg

Okay, that definitely tells you something, doesn’t it?  I haven’t seen a grade this bad since I bombed out of Electromagnetism II in College.  The F in this example is given due to the fact that no one can really trust my site because the certificate isn’t signed by anyone that could provide proper third-party trust.  But apart from that, the latest Apache2 (2.2.14) is actually pretty tight.  Over 80 (B+?) for protocol support, key exchange and cipher strength.

Let’s take a look at the world’s most popular (non-search) website.  How does it score?

0151T000003d5RuQAI.jpg

According the analyzer, the Facebook site certificate is perfect and its crypto is grade A all the way.  I think the analyzer is taking points off because Facebook might be accepting client-initiated SSL renegotiations, which would leave a non-accelerated site vulnerable to the famous Renegotiation DoS.  Hardware acceleration mitigates that problem, as does this iRule. 

Thinking of testing your own site?  All you have to do is visit the Qualys SSL Labs SSL Server Test page and enter your domain.  Note, the report of your site will appear publically unless you check the ‘Do not show the results on the boards’ checkbox.  If you are expecting a bad grade, check that box before you run the test! Otherwise you might hang out your dirty SSL laundry for all to see.

0151T000003d5RvQAI.jpg

Disclaimer: Qualys is an F5 partner and I consider Ivan Ristić to be a solid, stand up guy (we did a panel together last week at InfoSec Europe).

Labels:
0 Kudos
Comments
maskodok_143502
Nimbostratus
Nimbostratus
‎09-Feb-2014 01:05
Hi there, You’ve performed an excellent job. I’ll certainly digg it and individually suggest to my friends. I’m confident they will be benefited from this site.
0 Kudos
Version history
Last update:
‎08-May-2012 20:27
Updated by:
Contributors
Copyright © 2023 Khoros, LLC