Apache Lounge
Forum Index -> How-to's & Documentation & Tips
Topic: Test Your SSL Server Now! SSL Labs
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 3049
Location: Hilversum, NL, EU
PostPosted: Tue 13 Jul '10 21:18    Post subject: Test Your SSL Server Now! SSL Labs

Ivan Ristic (mod_security author) has a fantastic tool on his site to test your SSL configuration.

Go to http://www.ssllabs.com, at the bottom enter your domain name for a detailed security assessment of your SSL server.


Steffen
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg
PostPosted: Tue 13 Jul '10 22:12    Post subject:

I made that test. It tells me that I use insecure SSL 2.0. How can I turn that off in httpd.conf? Yepp, I'm too lazy for RTFM.
glsmith
Moderator
Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA
PostPosted: Tue 13 Jul '10 22:20    Post subject:

SSLProtocol all -SSLv2

Edit:

Actually, if you are speaking of this one:
SSL 2.0+ Upgrade Support

The only way to remove it is to disable SSLv3 as well.
SSLProtocol +TLSv1

Doing that and removing the DES cipher during my new OSSL build, I have been able to achieve an overall score of 90.

My first score was a 76, second (DES removed) was 85, now a 90. I wonder what clients are around that are not compatible with this setup. Should I even care becomes the next question.

This test is a Kobayashi Maru, as it seems impossible to get a 100 today because, as far as I know, TLS 1.2 is nothing more than theory at this time. TLS 1.1 will be in OSSL 1.0.1 IIRC; that still leaves the server unable to get a 100.

Edit 2:

Doing this actually changed the PCI Compliant flag from No to Yes.


Last edited by glsmith on Wed 14 Jul '10 3:05; edited 1 time in total
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg
PostPosted: Thu 22 Jul '10 21:05    Post subject:

I wonder how you could get such a good result. My first try today with startcom certs is at 61 points.

Since you know the Kobayashi Maru test, you must have seen Star Trek.
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 3049
Location: Hilversum, NL, EU
PostPosted: Thu 22 Jul '10 21:16    Post subject:

First I had a very bad score with a self-signed certificate.

I installed a certificate from https://www.startssl.com/ and now A88.

I also changed my strings in my httpd-ssl.conf to:

SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!aNULL:!LOW

Try those strings if you have a bad score.

Btw: startssl (startcom) is very cheap; for ~39 Euro you have a wildcard/multidomain certificate for 2 years.

Steffen
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg
PostPosted: Thu 22 Jul '10 23:13    Post subject:

Indeed! I forgot this.

Code:

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateChainFile /path/to/sub.class1.server.ca.pem
SSLCACertificateFile /path/to/ca.pem

So now it is 79 points.

Only the Cipher Strength still lags with 60 points. I guess I have to compile SSL again maybe, but I don't know if that is so clever. As Gregg mentioned, which client will be compatible with such an encryption?

OK, adding
Code:

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Then I have 91 points, without recompiling OSSL.
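Added example, not code from the thread or from mod_ssl: a small Python check that applies the add/remove semantics of SSLProtocol and looks for the exclusions discussed above, namely glsmith's point that "all -SSLv2" still leaves SSLv3 on, and the !aNULL / !LOW tokens that lifted the score in the post just above. The protocol keyword set and the sample config are assumptions constructed for the demo; the cipher check matches tokens only and does not expand the string the way OpenSSL does.

```python
import re

# SSLProtocol keywords of the httpd 2.2 era (assumed universe; "all" expands to this set).
PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}


def enabled_protocols(value):
    """Apply SSLProtocol tokens left to right: 'all'/'+X'/'X' add, '-X' removes."""
    enabled = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled


def cipher_findings(spec):
    """Gaps in an OpenSSL-style SSLCipherSuite string (token match only, no expansion)."""
    tokens = spec.split(":")
    findings = []
    if "!aNULL" not in tokens:
        findings.append("no !aNULL: !ADH drops anonymous DH only, not every unauthenticated suite")
    if "!LOW" not in tokens:
        findings.append("no !LOW: low-strength ciphers still offered")
    if not {"!EXP", "!EXPORT"} & set(tokens):
        findings.append("no !EXP/!EXPORT: export-grade ciphers still offered")
    if any("RC4" in t for t in tokens):
        findings.append("RC4 referenced: check whether RC4 suites are wanted at all")
    return findings


def audit(conf):
    findings = []
    pattern = r"^\s*(SSLProtocol|SSLCipherSuite)\s+(.+?)\s*$"
    for directive, value in re.findall(pattern, conf, re.M):
        if directive == "SSLProtocol":
            # Report any SSLv2/SSLv3 that survives the directive's add/remove sequence.
            for weak in sorted({"SSLv2", "SSLv3"} & enabled_protocols(value)):
                findings.append(f"{weak} still enabled by 'SSLProtocol {value}'")
        else:
            findings.extend(cipher_findings(value))
    return findings


# Constructed sample: the first SSLProtocol line and first cipher string from the thread.
SAMPLE_CONF = """\
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("-", finding)
```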
glsmith
Moderator
Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA
PostPosted: Fri 23 Jul '10 2:20    Post subject:

3 words ... I Love StartSSL!
Been using their class 1s for years now, even when IE didn't like them.

Edit: 7-23-10

I just stumbled onto this ... vague in a sense but interesting
Overclocking SSL
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg
PostPosted: Sat 24 Jul '10 10:27    Post subject:

I wonder why he prefers 128-bit RC4 to 256-bit AES. OK, he said that it is 3 times faster. Is there any benchmark?
Too bad that some parts are only for Apache 2.3.
glsmith
Moderator
Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA
PostPosted: Sat 24 Jul '10 22:24    Post subject:

I'd imagine abs.exe for the benchmark.
k.anderson3454
Joined: 24 Dec 2010
Posts: 1
PostPosted: Fri 24 Dec '10 3:47    Post subject:

This is complicated.
kitteh
Joined: 22 Sep 2011
Posts: 2
PostPosted: Fri 23 Sep '11 2:25    Post subject:

Hey, this is a nice tool. I got an 85 when I ran my site (it gave me an A, that must not be too bad!)
Looks like my weakest area was the "Key Exchange", but it doesn't say anything else about it in the details; is there something I can do to improve that aspect?


Last edited by kitteh on Tue 03 Jan '12 17:18; edited 1 time in total
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg
PostPosted: Fri 23 Sep '11 11:17    Post subject:

If you create a key, make sure that your key size is 4096 and not 2048.
west
Joined: 29 Nov 2011
Posts: 1
Location: Romania
PostPosted: Tue 29 Nov '11 1:32    Post subject:

Doing this actually changed the PCI Compliant flag from No to Yes.