SSL Labs Cipher Strength < 100%, why? How do I make it?


The picture basically depicts two things:

  1. All ciphers listed in SSLCipherSuite in your Apache2 configuration which are defined as RSA+* (in my case I had RSA+AESGCM256:RSA+AES256:RSA+AES defined) are designated as weak.

  2. Technically speaking, it does not like the 128-bit ones, I believe, for grading purposes.

So, for instance, you may define the following to be an SSL Labs match while being PCI DSS, NIST, and HIPAA guidance compliant, which you may test on ImmuniWeb:

We can either be totally specific and disable any cipher older than TLSv1.2 with:

## The protocols to enable:
## Available values: all, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
## SSLv2 and SSLv3 are no longer supported
# I prefer the latest TLSv1.3 and TLSv1.2 for compatibility reasons
# TLSv1 / TLSv1.1 are 20 / 13 years old, so decided to disable them
SSLProtocol    -all    +TLSv1.3 +TLSv1.2

## SSL Cipher Suites:
## List the ciphers that the client is permitted to negotiate. See the
## ciphers(1) man page from the openssl package for list of all available options.
# I can always run `openssl ciphers` to find all currently available ciphers
# As for TLSv1.3 the TLS_AES_128_GCM_SHA256 is mandatory as per RFC 8446:
# https://tools.ietf.org/html/rfc8446#section-9
# I use only AES ciphers as they get hugely accelerated by AES-NI
SSLCipherSuite    TLSv1.3    TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
SSLCipherSuite    SSL        ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256

or being non-specific, which I no longer recommend:

SSLCipherSuite ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:DH+AES256:!aNULL:!MD5:!DSS:!eNULL:!ADH:!EXP:!LOW:!PSK:!SRP:!RC4

Afterwards, you should see the result as follows, which, at the moment of writing the previous version of this post, was:

cipher suites strong

This, at the moment of writing the previous version of this post, gave you an SSL Labs Cipher strength score equal to 100%:

ssl labs result
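As an added check (example code, not the answer author's), the following script parses `openssl ciphers -v` output for a candidate SSLCipherSuite string and flags each cipher for the three properties the answer and comments say SSL Labs penalises: 128-bit keys, CBC (non-AEAD) modes, and plain RSA key exchange. The sample output is constructed to mirror the suite from the answer plus one RSA key-exchange cipher for contrast; `audit_suite_string()` runs the local `openssl` binary instead.

```python
import re
import subprocess

# Constructed sample of `openssl ciphers -v` output (not captured from a real
# host): the answer's suite plus AES256-GCM-SHA384, which uses RSA key exchange.
SAMPLE_OPENSSL_OUTPUT = """\
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
"""

# One `openssl ciphers -v` line: name, protocol, Kx=, Au=, Enc=ALG(bits), Mac=
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[A-Za-z0-9/-]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)")

def parse_ciphers(text):
    """Turn `openssl ciphers -v` lines into dicts; unparseable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["bits"] = int(d["bits"])
            out.append(d)
    return out

def audit(ciphers):
    """Map cipher name -> reasons it would cost points in the SSL Labs
    cipher-strength grade, per the answer and comments above."""
    findings = {}
    for c in ciphers:
        reasons = []
        if c["bits"] < 256:
            reasons.append("128-bit key: counts below full cipher strength")
        if c["mac"] != "AEAD":
            reasons.append("CBC / non-AEAD mode: marked weak")
        if c["kx"] == "RSA":
            reasons.append("RSA key exchange: no forward secrecy, marked weak")
        findings[c["name"]] = reasons
    return findings

def audit_suite_string(suite):
    """Expand an SSLCipherSuite string with the local openssl and audit it."""
    text = subprocess.run(["openssl", "ciphers", "-v", suite],
                          check=True, capture_output=True, text=True).stdout
    return audit(parse_ciphers(text))
```

An empty reasons list means the cipher would keep the full score under the criteria the thread names; anything else shows what to drop from SSLCipherSuite.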


Updated on September 18, 2022

Comments

  • LinuxSecurityFreak
    LinuxSecurityFreak over 1 year

    I am in the process of trying (again) to get the maximum (or almost maximum) score on SSL Labs with my site.

    I currently do not understand why it does not give me the full Cipher strength score.

    Now, it looks like this:

    SSL Labs Cipher Strength < 100%
    SSL Labs - Cipher strength score is less than 100%, why? And how do I make it full?

    OS: GNU/Linux Debian 9.4 with Apache 2.4.25.

    At a closer look, I found the following, which might reveal what is wrong:

    cipher suites weak

  • Mark Young
    Mark Young over 4 years
    What about CHACHA?
  • LinuxSecurityFreak
    LinuxSecurityFreak over 4 years
    @qräbnö I do not use ChaChaPoly cipher, as my server is AES CPU accelerated, and these ciphers are not, therefore I do not use them myself, feel free to do so, though.
  • mınxomaτ
    mınxomaτ almost 4 years
    Worth noting that CBC are now marked as weak. This doesn't affect grading yet, but it might soon.
  • Michael Yaeger
    Michael Yaeger over 3 years
    Can you share the compatibility chart for your test? I'm looking for maximum compatibility (mostly older Safari versions) with the strongest ciphers.
  • LinuxSecurityFreak
    LinuxSecurityFreak over 3 years
    @MichaelYaeger Unfortunately, I no longer have the web server, so I can't.