SSL Labs Cipher Strength < 100%, why? How do I make it?
The picture basically depicts two things:
All ciphers listed in `SSLCipherSuite` in your Apache2 configuration which are defined as `RSA+*` (in my case I had `RSA+AESGCM256:RSA+AES256:RSA+AES` defined) are designated as weak. Technically speaking, it does not like the 128-bit ones, I believe, for grading purposes.
So, for instance, you may define the following to match SSL Labs while being PCI DSS, NIST, and HIPAA guidance compliant, which you may test on ImmuniWeb:
We can either be totally specific and disable any cipher older than TLSv1.2 with:
## The protocols to enable:
## Available values: all, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
## SSLv2 and SSLv3 are no longer supported
# I prefer the latest TLSv1.3 and TLSv1.2 for compatibility reasons
# TLSv1 / TLSv1.1 are 20 / 13 years old, so decided to disable them
SSLProtocol -all +TLSv1.3 +TLSv1.2
## SSL Cipher Suites:
## List the ciphers that the client is permitted to negotiate. See the
## ciphers(1) man page from the openssl package for list of all available options.
# I can always run `openssl ciphers` to find all currently available ciphers
# As for TLSv1.3 the TLS_AES_128_GCM_SHA256 is mandatory as per RFC 8446:
# https://tools.ietf.org/html/rfc8446#section-9
# I use only AES ciphers as they get hugely accelerated by AES-NI
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
SSLCipherSuite SSL ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
or being non-specific, which I no longer recommend:
SSLCipherSuite ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:DH+AES256:!aNULL:!MD5:!DSS:!eNULL:!ADH:!EXP:!LOW:!PSK:!SRP:!RC4
Afterwards, you should see the result as follows which, at the moment of writing my previous version of this post, gave you an SSL Labs Cipher strength score equal to 100%:
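What the "weak" designation really hinges on is what each suite in the cipher string resolves to, which `openssl ciphers -v` prints one suite per line. The following is an added example, not code from this answer: a Python parser for that output format, run over a hand-typed (constructed) sample, that reports the attributes a cipher-strength review looks at: cipher key size, whether the key exchange gives forward secrecy, and AEAD versus CBC; the `review` rules and the sample lines are assumptions made for the example.

```python
import re

# Constructed sample of `openssl ciphers -v` output (one line per suite);
# typed in for this example, not captured from a real server.
SAMPLE_OPENSSL_CIPHERS_V = """\
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

# name  protocol  Kx=...  Au=...  Enc=ALG(bits)  Mac=...
LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=([^()]+)\((\d+)\)\s+Mac=(\S+)"
)


def parse_ciphers(text):
    """Parse `openssl ciphers -v` output into one dict per suite."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or unexpected lines
        name, proto, kx, au, enc, bits, mac = m.groups()
        suites.append({
            "name": name, "proto": proto, "kx": kx, "au": au,
            "enc": enc, "bits": int(bits), "mac": mac,
            # Forward secrecy needs an ephemeral (EC)DH exchange; TLS 1.3
            # suites print Kx=any because the exchange is always ephemeral.
            "forward_secrecy": kx in ("ECDH", "DH", "any"),
            "aead": mac == "AEAD",
        })
    return suites


def review(suites):
    """Return (suite name, reason) pairs for everything a strength review flags."""
    findings = []
    for s in suites:
        if s["bits"] < 256:
            findings.append((s["name"], f"{s['bits']}-bit cipher"))
        if not s["forward_secrecy"]:
            findings.append((s["name"], "static RSA key exchange, no forward secrecy"))
        if not s["aead"]:
            findings.append((s["name"], f"CBC mode with {s['mac']} MAC, not AEAD"))
    return findings
```

To review a live cipher string, pipe `openssl ciphers -v '<your SSLCipherSuite string>'` into `parse_ciphers` instead of the constructed sample.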
LinuxSecurityFreak, updated on September 18, 2022

Comments
-
LinuxSecurityFreak over 1 year
I am in the process of trying (again) to get the maximum (or almost maximum) score on SSL Labs with my site.
I currently do not understand, why it does not give me full Cipher strength score.
Now, it looks like this:
SSL Labs - Cipher strength score is less than 100%, why? And how do I make it full?
OS: GNU/Linux Debian 9.4 with Apache 2.4.25.
On closer inspection, I found the following, which might reveal what is wrong:
-
Mark Young over 4 years
What about CHACHA?
-
LinuxSecurityFreak over 4 years
@qräbnö I do not use the ChaChaPoly cipher, as my server is AES CPU accelerated and these ciphers are not, therefore I do not use them myself; feel free to do so, though.
-
mınxomaτ almost 4 years
Worth noting that CBC ciphers are now marked as weak. This doesn't affect grading yet, but it might soon.
-
Michael Yaeger over 3 years
Can you share the compatibility chart for your test? I'm looking for maximum compatibility (mostly older Safari versions) with the strongest ciphers.
-
LinuxSecurityFreak over 3 years
@MichaelYaeger Unfortunately, I no longer have the web server, so I can't.