Why does SSL Labs now consider CBC suites weak? Why does SSL labs now mark CBC 256 suites as weak, although equivalent GCM and ChaCha20 are considered strong? Until a few months ago, it was unmarked in reports (neither explicitly as weak or strong), and it is still unmarked in their client lists
Qualys SSL Scan weak cipher suites which are secure according to . . . I am testing my application SSL configuration in Qualys SSL Labs and as a result, I have this cipher suites labeled as weak: But according to https: ciphersuite info all of these cipher suites are secure or even recommended How should I interpret this? Do you think that all these "weak" cipher suites should be disabled?
How can you check and analyze SSL ports other than 443? SSL Labs does this on purpose I didn't know this But here's the rationale It's listed inside their Read This First document: Commonly Requested Features Checking of IP addresses without hostnames; SSL Labs is designed to test public web servers services We define public as having a DNS record and running on the official port for the given
SSL Labs uses the Mozilla trust store - Information Security Stack Exchange SSL Labs says this at the bottom of a scan result with trust problems: Unknown Certificate Authority In order for trust to be established, we must have the root certificate of the signing Certificate Authority in our trust store SSL Labs does not maintain its own trust store; instead we use the store maintained by Mozilla
SSL TLS: How to fix Chain issues: Contains anchor According to nginx documentation the ssl_trusted_certificate parameter contains trusted CA certificates used to verify client certificates and OCSP responses if ssl_stapling is enabled and the list of these certificates will not be sent to clients
weak cipher suites Qualys SSL Labs test SSLLabs checks server side supported ciphers cause the cipher used in a SSL TLS connection is the higher supported by the client and the server So, if the server supports SSLv2 and TLSv1 2 for example, and a client supports only SSLv2 the connection will be established using the insecure SSLv2 and not the secure option TLSv1 2
SSL Labs report question: Is Insecure Renegotiation possible if weak . . . On one server, we have removed weak cipher suites and insecure protocols to try to pass SSLScan SSL Labs One outstanding problem is Insecure Renegotiation I read that: The Apache Software Foundation has reported an issue that may occur when the SSLCipherSuite directive is used to upgrade a cipher suite
Hardening SSL TLS on Azure Cloud Service for A+ on Qualys SSL Labs? We're using this powershell script as our Azure Cloud Service (PaaS) startup script and we're at an A- on the Qualys SSL Labs test Specifically we're losing points for the following reasons: Forward Secrecy : With some browsers (more info) Downgrade attack prevention : No, TLS_FALLBACK_SCSV not supported (more info)
tls - Why does SSL Labs say that POODLE is mitigated if a server . . . Here are some of the considerations SSL Labs has to deal with when scoring a situation like this: Some servers have an operational need to support a wide variety of old or unpatched clients Prioritizing stream ciphers over CBC ciphers can partially mitigate POODLE from a server's perspective, leaving it up to the client to support the best it can
How do I know which cipher suites can be disabled? As SSL Server Test from Qualys SSL Labs is designed for testing publicly accessible web servers, we can assume this is a web application All current versions of major browsers are able to handle TLS 1 2+ with the recommended cipher suites from RFC 7525, 4 2 , making it a good starting point for a highly secure configuration: