SSL Lab score from B to A, how?

Hi all,

I wonder what else I need to do to get my A score from SSL Lab, it shows the following messages:

  • This server accepts RC4 cipher, but only with older protocols. Grade capped to B.
  • This server supports TLS 1.0 and TLS 1.1. Grade capped to B.

This is what I have changed on the server, but it seems to have no effect, I did restart all services several times after my changes.

Changed:

MTA Setting [default]: SMTP-AUTH available, TLS disabled.

MDA Settings:
SSL Minimum Protocol: TLSv1.2
SSL Cipher Suite: ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!ADH:!LOW@STRENGTH [removed the !RC4]

MSA Settings:
Custom Submission Port SSL: Yes
Submission [587]

Perhaps there are other locations where settings need to be changed?

Any help much appreciated.

Hi Nico

Sorry for the late reply, we visited our grandchildren and did not arrive back until late last night.

MTA Setting [default]: SMTP-AUTH available, TLS disabled. This needs to be MTA Setting [default]: SMTP-AUTH available, TLS available (I think that is an option) so a connection can upgrade if the conditions are met.

To gain an A (or A+) at Qualys, you need to disable TLSv1.0 and TLSv1.1, leaving just TLSv1.2 working.

Set your ciphers to high

This should gain an A rating.

To gain an A+, you need to set Strict Transport Security (HSTS) (which you do from the vhost file).

Please be aware though, a lot of people think they need the highest rating but they do not. You need to look at what services you offer and consider your clients. They may not have the capability in smart devices or computers to connect securely at the highest level, and some may go elsewhere for service.

If you leave (as we do) TLSv1 and TLSv1.1 available, if a connection could use TLSv1.2 it will, but if not, it tries TLSv1.1 and then TLSv1.0 before dropping to non-secure (email). So you offer the best to your clients for connectability before dropping to non-secure.

Your clients may not want to, or may not be able to afford to, buy the newest devices to use TLSv1.2.

I hope that helps a little.

Many thanks

John

Hi John,
Thanks very much for your reply, much appreciated.
I do understand that by doing so you would limit customers, but this is for a server which I want to be as secure as possible and which is not hosting any customers.
Those changes I made had no effect at all, hence I was asking for help here in the hope someone has done this before me.

Kind regards
Nico

Hi John,
My Protocol support in SSL labs is now green, still B status.
I modified my /etc/httpd/conf.d/ssl.conf and added -TLSv1 -TLSv1.1 in the SSLProtocol section.
Still the RC4 issue to sort.
Kind regards,
Nico
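An added example, not from the thread, showing in one place the httpd ssl.conf settings the replies above describe: the vhost as SSL Labs was grading it (B) beside the hardened form (TLSv1.0/1.1 off, RC4 and other weak suites excluded, HSTS set from the vhost). The file path, ServerName and certificate directives are assumptions.

```apache
# Added example, not from the thread. Apache does not allow trailing comments,
# so every comment sits on its own line.

# State graded B: "all -SSLv3" still offers TLSv1 and TLSv1.1, and a suite
# string built from ALL without !RC4 still lets RC4 be negotiated on them.
<VirtualHost *:443>
    ServerName mail.example.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/mail.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mail.example.com.key
    SSLProtocol all -SSLv3
    SSLCipherSuite ALL:!aNULL:!eNULL:!EXPORT:!LOW@STRENGTH
</VirtualHost>

# Hardened form matching the replies above: only TLSv1.2 (plus TLSv1.3 where
# the httpd/OpenSSL build supports it), high-strength suites with RC4, DES,
# 3DES and MD5 excluded explicitly, server cipher order honoured, and HSTS
# sent from the vhost for the A+ condition. "Header" needs mod_headers loaded.
<VirtualHost *:443>
    ServerName mail.example.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/mail.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mail.example.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!RC4:!PSK:!ADH:!LOW
    SSLHonorCipherOrder on
    # Only enable HSTS once every host under this name serves TLS cleanly;
    # browsers will refuse plain HTTP for the whole max-age once they see it.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

After editing, run `apachectl configtest` and restart httpd; the SMTP/IMAP services have their own protocol and cipher settings, so the web vhost change alone does not harden those ports.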

You're right, it seems that according to SSL Labs, in the handshake simulation Android 8 and above have an issue: they seem to do TLS 1.2 > h2. More to sort out…