I made the required changes but don't get the A+ rating, still A. Forward Secrecy is enabled, which is good. I don't actually see scores for the bar graph but I do see certain ones don't go to the 100%. One was the Protocol Support. However, if I disable TLSv1 and TLSv1.1, then Protocol Support goes to 100%.
I'm wondering what clients wouldn't be able to connect if I disable TLSv1.0 and TLSv1.1. I'd imagine if a client supports TLSv1.1, it probably supports TLSv1.2. Is there a list or any website that can test my website to see what browsers / OSes won't be able to connect? I'm okay with dropping TLSv1.0 and TLSv1.1 support if it means people using XP won't be able to connect but 99% of the internet users out there will still be able to. But if dropping support for TLSv1.0 and TLSv1.1 means only 10% of the users will be able to connect, I'd like to not drop it. Any suggestions from anyone? Thanks!

On Sat, Jul 16, 2016 at 3:59 PM, Spork Schivago <[email protected]> wrote:

> Wow, thank you Dr. James Smith! I am going to try your cipher list and see if I can get the A+ rating. That's exactly what I'm after. Are there any other drawbacks besides losing support for Java 6 and IE 6 clients? I originally started writing my website to be IE 6 compatible, but after learning a good bit, I've decided that was a horrible idea. Even if users are still using XP, I believe they can at least install IE 8; however, people who are still running Windows XP should highly consider upgrading if they're getting on the internet, I'd think.
>
> Thank you!!!
>
> Ken
>
> On Sat, Jul 16, 2016 at 2:44 AM, Dr James Smith <[email protected]> wrote:
>
>> I use:
>>
>> SSLProtocol all -SSLv2 -SSLv3
>> SSLHonorCipherOrder on
>> SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
>>
>> as the setting for ciphers - this gets an A+ rating on the Qualys SSL Labs scoring (although Java 6 + IE 6 clients don't work, but that is the compromise you need to take)
>>
>> James
>>
>>
>> On 15/07/2016 22:49, Spork Schivago wrote:
>>
>>> Hello,
>>>
>>> I think I figured it out. I removed the DES-CBC3-SHA line from the SSL Cipher Suite list and now this is the output from nmap:
>>>
>>> | Issuer: commonName=Let's Encrypt Authority X3/organizationName=Let's Encrypt/countryName=US
>>> | Public Key type: rsa
>>> | Public Key bits: 2048
>>> | Signature Algorithm: sha256WithRSAEncryption
>>> | Not valid before: 2016-07-13T03:49:00
>>> | Not valid after:  2016-10-11T03:49:00
>>> | MD5:   e2dd d74b 6978 0d0e 9a7c 0aec c5ed baee
>>> |_SHA-1: 4eef ac38 a8fe 99aa 816b 005a 9849 c674 cd39 98d6
>>> | ssl-enum-ciphers:
>>> |   TLSv1.0:
>>> |     ciphers:
>>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
>>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
>>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
>>> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
>>> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
>>> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
>>> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
>>> |     compressors:
>>> |       NULL
>>> |     cipher preference: client
>>> |   TLSv1.1:
>>> |     ciphers:
>>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
>>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
>>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
>>> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
>>> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
>>> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
>>> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
>>> |     compressors:
>>> |       NULL
>>> |     cipher preference: client
>>> |   TLSv1.2:
>>> |     ciphers:
>>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
>>> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
>>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
>>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
>>> |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
>>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
>>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
>>> |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
>>> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
>>> |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
>>> |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
>>> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
>>> |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
>>> |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
>>> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
>>> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
>>> |     compressors:
>>> |       NULL
>>> |     cipher preference: client
>>> |_  least strength: A
>>>
>>> Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds
>>>
>>>
>>> With the least strength being A, that's exactly what I want, right? That would mean the ciphers are very strong ones? I'm still trying to learn all of this and now I gotta figure out how to enable "Perfect" Forward Secrecy. Thanks!
>>>
>>
>>
>>
>> --
>> The Wellcome Trust Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
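One way to answer the question of how many clients would be lost by dropping TLSv1.0 and TLSv1.1 is to measure it from the server's own logs before changing SSLProtocol. The script below is an added example, not code from anyone in this thread; it assumes the site logs the negotiated protocol and cipher by appending mod_ssl's `%{SSL_PROTOCOL}x` and `%{SSL_CIPHER}x` to its LogFormat, and the log lines it parses are constructed samples.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread). Assumption: the site logs
# mod_ssl's negotiated protocol and cipher by appending %{SSL_PROTOCOL}x and
# %{SSL_CIPHER}x to its LogFormat, e.g.
#   LogFormat "%h %l %u %t \"%r\" %>s %b %{SSL_PROTOCOL}x %{SSL_CIPHER}x" ssl_log
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jul/2016:15:59:01 -0400] "GET / HTTP/1.1" 200 5123 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.11 - - [16/Jul/2016:15:59:02 -0400] "GET /index.html HTTP/1.1" 200 5123 TLSv1.2 DHE-RSA-AES256-GCM-SHA384
198.51.100.7 - - [16/Jul/2016:15:59:05 -0400] "GET / HTTP/1.1" 200 5123 TLSv1 AES128-SHA
198.51.100.8 - - [16/Jul/2016:15:59:09 -0400] "GET / HTTP/1.1" 200 5123 TLSv1.2 AES256-GCM-SHA384
192.0.2.44 - - [16/Jul/2016:15:59:12 -0400] "GET /a.css HTTP/1.1" 200 812 TLSv1.1 ECDHE-RSA-AES256-SHA
not a log line
"""

# Client IP, then everything up to the closing quote of the request line, then
# status, response size, negotiated protocol and OpenSSL cipher name.
LINE_RE = re.compile(r'^(?P<ip>\S+) .*" (?P<status>\d{3}) \S+ (?P<proto>\S+) (?P<cipher>\S+)$')

# Protocol strings as OpenSSL/mod_ssl report them for the versions in question.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def parse_ssl_log(text):
    """Return (ip, protocol, cipher) for each parsable line; skip the rest."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m["ip"], m["proto"], m["cipher"]))
    return records

def summarize(records):
    """Share of requests that would break without TLSv1/TLSv1.1, and share with forward secrecy."""
    total = len(records)
    by_proto = Counter(proto for _, proto, _ in records)
    legacy_hits = sum(n for proto, n in by_proto.items() if proto in LEGACY_PROTOCOLS)
    # OpenSSL names ephemeral key exchange with an ECDHE- or DHE- prefix; plain
    # RSA key exchange (e.g. AES128-SHA) has no forward secrecy.
    fs_hits = sum(1 for _, _, cipher in records if cipher.startswith(("ECDHE-", "DHE-")))
    return {
        "total": total,
        "by_protocol": dict(by_proto),
        "legacy_share": legacy_hits / total if total else 0.0,
        "forward_secrecy_share": fs_hits / total if total else 0.0,
        "legacy_clients": sorted({ip for ip, proto, _ in records if proto in LEGACY_PROTOCOLS}),
    }
```

Run `summarize(parse_ssl_log(open("ssl_access.log").read()))` against a few weeks of real logs to see the actual share of TLSv1.0/1.1 clients before deciding whether to drop them.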
