Author |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3094 Location: Hilversum, NL, EU
|
Posted: Tue 13 Jul '10 21:18 Post subject: Test Your SSL Server Now! SSL Labs |
|
|
Ivan Ristic (mod_security author) has a fantastic tool on his site to test your SSL configuration.
Go to http://www.ssllabs.com , at the bottom enter your domain name for a detailed security assessment of your SSL server.
Steffen |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7374 Location: Germany, Next to Hamburg
|
Posted: Tue 13 Jul '10 22:12 Post subject: |
|
|
I made that test. It tells me that I use insecure SSL 2.0. How can I turn that off in httpd.conf? Yepp I'm to lazy for RTFM |
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Tue 13 Jul '10 22:20 Post subject: |
|
|
SSLProtocol all -SSLv2
Edit:
Actually, if you are speaking of this one:
SSL 2.0+ Upgrade Support
The only way to remove it is to disable sslv3 as well.
SSLProtocol +TLSv1
Doing that and removing DES cipher during my new OSSL build, I have been able to achieve a overall score of 90.
My first score was a 76, second (DES removed) was 85, now a 90. I wonder what clients are around that are not compatible with this setup. Should I even care becomes the next question.
This test is a Kobayashi Maru as it seems impossible to get a 100 today cause as far as I know TLS/1.2 is nothing more than theory at this time. TLS1.1 will be in OSSL 1.0.1 IIRC, that still leaves the server unable to get a 100.
Edit 2:
Doing this actually changed the PCI Complaint flag from No to Yes
Last edited by glsmith on Wed 14 Jul '10 3:05; edited 1 time in total |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7374 Location: Germany, Next to Hamburg
|
Posted: Thu 22 Jul '10 21:05 Post subject: |
|
|
I wonder how you could get such a good result. My first try today with startcom certs is by 61 point.
Since you know the Kobayashi Maru test, you must have seen Star Trek |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3094 Location: Hilversum, NL, EU
|
Posted: Thu 22 Jul '10 21:16 Post subject: |
|
|
First I had a very bad score with a self-signed certificate.
I installed a certificate from https://www.startssl.com/ and now A88.
I changed also my strings in my httpd-ssl.conf to:
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!aNULL:!LOW
Try that strings, if you have a bad score.
Btw: startssl (startcom) is very cheap for ~39 Euro you have a wildcard/multidomain certicate for 2 years.
Steffen |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7374 Location: Germany, Next to Hamburg
|
Posted: Thu 22 Jul '10 23:13 Post subject: |
|
|
Indeed! I forgot this
Code: |
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateChainFile /path/to/sub.class1.server.ca.pem
SSLCACertificateFile /path/to/ca.pem
|
So now it is 79 points
Only the Cipher Strength still laggs with 60 points. I guess I have to compile SSL maybe again, but I don't know if that is so clever. As Gregg mentioned which client will be compatible with such an encryption?
OK adding
Code: |
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
|
Than I have 91 points, without recompiling OSSL |
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Fri 23 Jul '10 2:20 Post subject: |
|
|
3 words ... I Love StartSSL!
Been using their class 1s for years now, even when IE didn't like them.
Edit:7-23-10
I just stumbled onto this ... vague in a sense but interesting
Overclocking SSL |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7374 Location: Germany, Next to Hamburg
|
Posted: Sat 24 Jul '10 10:27 Post subject: |
|
|
I wonder that he prefers 128 bit RC4 to the AES 256 bit. Ok he told that it is 3 times faster. Is there any benchmark?
Bad that some parts are only for apache 2.3 |
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Sat 24 Jul '10 22:24 Post subject: |
|
|
I'd imagine abs.exe for the benchmark. |
|
Back to top |
|
k.anderson3454
Joined: 24 Dec 2010 Posts: 1
|
Posted: Fri 24 Dec '10 3:47 Post subject: |
|
|
This is complicated. |
|
Back to top |
|
kitteh
Joined: 22 Sep 2011 Posts: 2
|
Posted: Fri 23 Sep '11 2:25 Post subject: |
|
|
hey, this is a nice tool I got an 85 when I ran my site (it gave me an A that must not be too bad!)
Looks like my weakest area was the "Key Exchange" but it doesn't say anything else about it in the details, is there something I can do to improve that aspect?
Last edited by kitteh on Tue 03 Jan '12 17:18; edited 1 time in total |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7374 Location: Germany, Next to Hamburg
|
Posted: Fri 23 Sep '11 11:17 Post subject: |
|
|
If you create a key, make sure that your key size is 4096 and not 2048. |
|
Back to top |
|
west
Joined: 29 Nov 2011 Posts: 1 Location: Romania
|
Posted: Tue 29 Nov '11 1:32 Post subject: |
|
|
Doing this actually changed the PCI Complaint flag from No to Yes |
|
Back to top |
|