Hi Dirk, > blueonyx server with enabled SSL actually only get a B rating at > https://www.ssllabs.com/ssltest/analyze.html
What the hell? I had checked it just a few days ago and we were getting a rock solid "A" with them. If so, then their evaluation criteria must just have changed or something else is amiss. Ah, wait. This is a 5209R with all updates and a LE cert: https://www.ssllabs.com/ssltest/analyze.html?d=5209r.smd.net&s=38.114.102.16 It still gets a solid "A". Yes, low on the priority list it uses ciphers recently identified as weak, because Microsoft fucked up their implementation: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256 TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK 256 TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128 TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) WEAK 128 But that doesn't affect the "A"-rating. > Reasons for that: > - Forward Secrecy is not enabled Forward Secrecy: Yes (with most browsers) ROBUST (more info) > - Certificate Transparency is not available I think that may be your problem and it's why you got the "B". As far as I recall you get that when the intermediate is missing. -- With best regards Michael Stauber _______________________________________________ Blueonyx mailing list Blueonyx@mail.blueonyx.it http://mail.blueonyx.it/mailman/listinfo/blueonyx