Posts by [CSF] Aleksey Belkov

1) Questions and Answers : Web site : SSL certificate rating (C) (Message 81420)
Posted 12 Apr 2017 by [CSF] Aleksey Belkov
Post:
1) All servers but one (128.95.160.140) have rating F.

At minimum, on all servers only strong encryption must be set (

SSLCipherSuite HIGH:!kECDH:!aNULL:!eNULL:!PSK:!DSS:!MD5

) to solve:

This server supports insecure cipher suites (see below for details). Grade set to F.

2) To solve:

The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.

It's needed to upgrade OpenSSL at least to the 1.0.1 branch (1.0.1u is the last) and set:

SSLProtocol All -SSLv2 -SSLv3
3) To solve:

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

It's needed to upgrade Apache at least to version 2.2.30:

Custom DH parameters and an EC curve name for ephemeral keys, can be added to end of the first file configured using SSLCertificateFile. This is supported in version 2.2.30 or later. Such parameters can be generated using the commands openssl dhparam and openssl ecparam. The parameters can be added as-is to the end of the first certificate file. Only the first file can be used for custom parameters, as they are applied independently of the authentication algorithm type.

You can obtain the appropriate settings in this configurator:
https://mozilla.github.io/server-side-tls/ssl-config-generator/
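As an added check (not from the post above and not the Rosetta@home servers' own configuration), this Python script flags the three findings the post lists in an Apache mod_ssl configuration and its certificate file: a cipher string weaker than the recommended one, SSLv2/SSLv3 or no TLSv1.2 in SSLProtocol, and no custom DH parameters appended to the certificate file. The sample configs and PEM blocks are constructed; the script only reads what the config says and cannot tell which OpenSSL or Apache version is installed.

```python
import re

# Constructed sample inputs (not taken from the forum post or from any real server).
WEAK_CONF = """SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/apache2/ssl/example.crt
"""
HARDENED_CONF = """SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite HIGH:!kECDH:!aNULL:!eNULL:!PSK:!DSS:!MD5
SSLCertificateFile /etc/apache2/ssl/example.crt
"""
# PEM bodies are placeholders; only the block labels matter for this check.
CERT_PLAIN = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
CERT_WITH_PARAMS = CERT_PLAIN + (
    "-----BEGIN DH PARAMETERS-----\nPLACEHOLDER\n-----END DH PARAMETERS-----\n"
    "-----BEGIN EC PARAMETERS-----\nPLACEHOLDER\n-----END EC PARAMETERS-----\n")
# The exclusions from the post's recommended SSLCipherSuite; all must be present.
REQUIRED_EXCLUSIONS = {"!kECDH", "!aNULL", "!eNULL", "!PSK", "!DSS", "!MD5"}
KNOWN_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def last_directive(conf, name):
    """Value of the last occurrence of a directive (later lines override earlier ones)."""
    hits = re.findall(rf"^[ \t]*{name}[ \t]+(.+?)[ \t]*$", conf, re.M | re.I)
    return hits[-1] if hits else None

def enabled_protocols(value):
    """Expand an SSLProtocol value such as 'All -SSLv2 -SSLv3' into the enabled set."""
    enabled = set()
    for tok in value.lower().split():
        name = tok.lstrip("+-")
        names = KNOWN_PROTOCOLS if name == "all" else {name}
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return enabled

def audit(conf, cert_pem):
    """Return the findings behind the three SSL Labs messages; an empty list is clean."""
    findings = []
    ciphers = set((last_directive(conf, "SSLCipherSuite") or "").split(":"))
    if "HIGH" not in ciphers or not REQUIRED_EXCLUSIONS <= ciphers:
        findings.append("SSLCipherSuite allows weak ciphers")
    # 'all' is what mod_ssl uses when no SSLProtocol line is present.
    protocols = enabled_protocols(last_directive(conf, "SSLProtocol") or "all")
    if protocols & {"sslv2", "sslv3"}:
        findings.append("SSLProtocol still enables SSLv2 or SSLv3")
    if "tlsv1.2" not in protocols:  # TLSv1.2 also needs OpenSSL 1.0.1+, not visible here
        findings.append("SSLProtocol does not enable TLSv1.2")
    if "-----BEGIN DH PARAMETERS-----" not in cert_pem:
        findings.append("no custom DH parameters appended to the certificate file")
    return findings
```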
©2024 University of Washington
https://www.bakerlab.org