Sorry for the late reply, we visited our grandchildren and did not arrive back until late last night.
MTA Setting [default]: SMTP-AUTH available, TLS disabled. This needs to be MTA Setting [default]: SMTP-AUTH available, TLS available (I think it is an option), so a connection can upgrade if conditions are met.
To gain an A (or A+) at Qualys, you need to disable TLSv1.0 and TLSv1.1, leaving just TLSv1.2 working.
Set your ciphers to high.
This should gain an A rating.
To gain an A+, you need to set Strict Transport Security (HSTS) (which you do from vhost file)
Please be aware though, a lot of people think they need the highest rating but they do not. You need to look at what services you offer and consider your clients. They may not have the capability in smart devices or computers to connect securely at the highest level, and some may go elsewhere for service.
If you leave (as we do) TLSv1 and TLSv1.1 available, a connection that could use TLSv1.2 will, but if not, it tries TLSv1.1 and then TLSv1.0 before dropping to non secure (email). So you offer the best to your clients for connectability before dropping to non secure.
Your clients may not want or be able to afford to buy the newest devices to use TLSv1.2.
Hi John,
Thanks very much for your reply, much appreciated.
I do understand that by doing so you would limit customers, but this is for a server which I want to be as secure as possible and is not hosting any customers.
Those changes I made had no effect at all, hence I was asking for help here in the hope someone has done this before me.
Hi John,
My Protocol support in SSL labs is now green, still B status.
I modified my /etc/httpd/conf.d/ssl.conf and added the -TLSv1 -TLSv1.1 in the SSLProtocol section.
Still the RFC4 issue to sort.
Kind regards,
Nico
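An added example, not part of the posts above or of Apache: a small Python audit that lists every `SSLProtocol` directive in a config and which protocol versions each one leaves enabled, so a line that still permits TLSv1 or TLSv1.1 stands out. The expansion of `all`, the bare-token rule and the sample config are assumptions constructed for illustration.

```python
import re

# Assumption: what "all" expands to depends on the Apache/OpenSSL build;
# this set is illustrative, adjust it to match your server.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

def expand(name):
    """Map one protocol token (case-insensitive) to a set of protocol names."""
    if name.lower() == "all":
        return set(ALL)
    match = {p for p in ALL if p.lower() == name.lower()}
    if not match:
        raise ValueError(f"unknown protocol token: {name}")
    return match

def effective_protocols(args):
    """Apply tokens left to right: +x adds, -x removes.
    Assumption: a bare x replaces everything set before it."""
    enabled = set()
    for token in args.split():
        if token[0] == "+":
            enabled |= expand(token[1:])
        elif token[0] == "-":
            enabled -= expand(token[1:])
        else:
            enabled = expand(token)
    return enabled

def audit(conf_text):
    """Return (line_no, enabled, legacy_still_enabled) per SSLProtocol line."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:  # commented-out lines start with '#' and do not match
            enabled = effective_protocols(m.group(1))
            findings.append((no, sorted(enabled), sorted(enabled & LEGACY)))
    return findings

# Constructed sample, not the poster's actual ssl.conf.
SAMPLE = """\
# SSLProtocol all
SSLProtocol all -SSLv3
<VirtualHost _default_:443>
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
"""

if __name__ == "__main__":
    for no, enabled, legacy in audit(SAMPLE):
        print(f"line {no}: enabled={enabled} legacy={legacy or 'none'}")
```

Run it over the text of each file that holds SSL directives, including vhost files, and compare the output line by line.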
You're right, it seems that according to SSL Labs, in the handshake Simulation Android 8 > have an issue they seem to do TLS 1.2 >h2, more to sort out…