Eddy Nigg (StartCom Ltd.) wrote:
> Eddy Nigg (StartCom Ltd.):
>> Frank Hecker:
>>> I tried out my own site on it, and got a C.
>>
>> LOL, I got an A 80 :-)
>
> Actually it doesn't honor SAN DNS extension...but it's a cute utility.
> Reached an A 82 as well, just need to use the CN value of the certificate.

After regenerating the server private key (using a 2048-bit modulus), getting a new certificate (from StartCom), and changing the server ciphersuites, I managed to get a score of 84 (A), which matches the highest scores reported for other sites:

http://tlsreport.layer8.net/reports/www.hecker.org?protocol=https

Benjamin Black still hasn't published a detailed discussion of how the scoring is done, but here's some basic info based on my and others' experiences:

* As Mohamad Badra previously noted, enabling EDH ciphersuites will greatly improve your score (enabling you to get a 100 score for "key exchange").

* Enabling only ciphersuites with FIPS-compliant algorithms gets you a couple of points at least. (I'm just using AES-256 and 3DES, with SHA-1; no RC4, no MD5.)

* As Eddy noted, you get a higher score on the "weak certificate" test if the site name used matches what's in the CN (as opposed to what's in SubjAltName). In my case the CN is www.hecker.org, while SAN has both www.hecker.org and hecker.org; the TLSreport score for the site accessed through www.hecker.org is 9 points higher than when accessed through hecker.org (84 vs. 75).

I have no good ideas as to how to further improve the score beyond 84. In particular, I'm puzzled as to how one might further improve the score on the "default cipher" and "overall ciphers" measures.

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
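The two measures the thread turns on, name matching against the certificate and the cipher list the server offers, can both be checked locally. The following is an added example (not code from the post, from TLSreport, or from the hecker.org server configuration) using only the Python standard library. `match_hostname` applies RFC 6125-style matching to the dict shape `ssl.SSLSocket.getpeercert()` returns: when the certificate carries SAN dNSName entries only those are consulted, and the CN is a fallback for certificates with no SAN DNS names, which is what a conforming client does and why a checker that looks only at the CN mis-grades a name that is present only in the SAN. `cipher_weaknesses` builds an `ssl.SSLContext` from an OpenSSL cipher string and reports the properties the post calls out (RC4, MD5, anonymous key exchange, static-RSA key exchange without forward secrecy). The certificate dict is constructed to mirror the CN/SAN layout Frank describes; the names, cipher strings and result layout are the example's own assumptions.

```python
"""Added example: SAN-aware hostname matching and a cipher-list review.
Not part of the original mailing-list post; uses only the standard library."""
import ssl

# Constructed sample in the shape of ssl.SSLSocket.getpeercert():
# CN is www.hecker.org, SAN carries both names, as described in the post.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.hecker.org"),),),
    "subjectAltName": (("DNS", "www.hecker.org"), ("DNS", "hecker.org")),
}


def _dns_pattern_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive comparison of one dNSName/CN pattern with a hostname.
    A single leading '*.' wildcard matches exactly one label (RFC 6125 6.4.3)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        first, _, rest = hostname.partition(".")
        return bool(first) and rest == suffix and "*" not in suffix
    return "*" not in pattern and pattern == hostname


def match_hostname(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by the certificate.
    SAN dNSName entries take precedence; CN is consulted only when the
    certificate has no DNS names in subjectAltName (legacy behaviour)."""
    san_dns = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(_dns_pattern_match(p, hostname) for p in san_dns)
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and _dns_pattern_match(value, hostname):
                return True
    return False


def cipher_weaknesses(cipher_string: str) -> dict:
    """Expand an OpenSSL cipher string through the local OpenSSL and report
    suites that the post's scoring would penalise. Keys:
      rc4, md5, anon  - suite names using RC4, MD5 or anonymous key exchange
      no_pfs          - suites keyed by static RSA (no (EC)DHE, no forward secrecy)
      count           - number of suites the string selects on this build"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    findings = {"rc4": [], "md5": [], "anon": [], "no_pfs": [], "count": 0}
    for suite in ctx.get_ciphers():
        name = suite["name"]
        upper = name.upper()
        findings["count"] += 1
        if "RC4" in upper:
            findings["rc4"].append(name)
        if "MD5" in upper or suite.get("digest") == "MD5":
            findings["md5"].append(name)
        if upper.startswith(("ADH-", "AECDH-")) or "none" in str(suite.get("auth", "")).lower():
            findings["anon"].append(name)
        # kea is e.g. "kx-rsa" for static RSA, "kx-ecdhe"/"kx-dhe" for ephemeral
        if "rsa" in str(suite.get("kea", "")).lower():
            findings["no_pfs"].append(name)
    return findings


if __name__ == "__main__":
    for host in ("www.hecker.org", "hecker.org", "mail.hecker.org"):
        print(f"{host:16s} covered by SAMPLE_CERT: {match_hostname(SAMPLE_CERT, host)}")
    # Strings mirroring the post's server policy (EDH, AES/3DES, no RC4/MD5)
    # versus a permissive one; results depend on the local OpenSSL build.
    for policy in ("EDH+AES:EDH+3DES:!aNULL:!MD5:!RC4", "ALL:!aNULL"):
        try:
            print(policy, "->", cipher_weaknesses(policy))
        except ssl.SSLError as exc:
            print(policy, "-> not selectable on this OpenSSL:", exc)
```

Run as a script it prints the name-coverage results for the constructed certificate and a weakness summary for two cipher strings; to review a live server, replace `SAMPLE_CERT` with the dict from `getpeercert()` on an established connection and pass the server's configured cipher string to `cipher_weaknesses`.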