
SSL Getting a "B" grade in ssllabs testing

Discussion in 'Domains, DNS, Email & SSL Certificates' started by radbrad, Aug 19, 2020.

  1. radbrad

    radbrad Member

    Hi eva,
    My website uses letsencrypt ssl and cloudflare ssl set. I checked my url in ssllabs.com and found the grade "B" in all its tests. Can you tell what is the reason for a lower grade? How can I improve it to "A"?


    Regards
     
  2. eva2000

    eva2000 Administrator Staff Member

    should list the reason on ssllabs results page, usually related to TLSv1.0 and TLSv1.1 support still being enabled for TLS protocols. If you have Cloudflare, just set in SSL/TLS tab minimum TLS version to TLSv1.2 to disable TLSv1.0 and TLSv1.1. Note, if you have older visitors using older browser/devices which only support TLSv1.1 and lower, they will no longer be able to visit your server. Modern web browsers have/are deprecating TLSv1.1 and lower anyway but if you have older users/devices, remember they will be affected.
     
  3. radbrad

    radbrad Member

    In that case, I will leave it as it is. There may be some users using older devices.
     
  4. Kintaro

    Kintaro Member

    me too... is THIS the actual way to disable tls 1.0 and 1.1?

    I just tried without success as running:
    Code (Text):
    ./switch-nginx-ciphers.sh testssl mydomain.com:443

    results in:
    Code (Text):
     Testing protocols via sockets except NPN+ALPN
    
     SSLv2      not offered (OK)
     SSLv3      not offered (OK)
     TLS 1      offered (deprecated)
     TLS 1.1    offered (deprecated)
     TLS 1.2    offered (OK)
     TLS 1.3    not offered and downgraded to a weaker protocol
     NPN/SPDY   not offered
     ALPN/HTTP2 h2, http/1.1 (offered)

    I was expecting TLS 1 and 1.1 not offered, and TLS 1.2 and 1.3 OK.

    /usr/local/nginx/conf/ssl_include.conf
    Code (Text):
    ssl_session_cache      shared:SSL:10m;
    ssl_session_timeout    60m;
    ssl_protocols  TLSv1.2 TLSv1.3;
    

    /etc/centminmod/custom_config.inc
    Code (Text):
    CLANG='n'
    DEVTOOLSETSEVEN='y'
    NGINX_DEVTOOLSETGCC='y'
    CLOUDFLARE_ZLIB='y'
    MARCH_TARGETNATIVE='n'
    LIBRESSL_SWITCH='n'
    LETSENCRYPT_DETECT='y'
    SSL_PROTOCOL_MODERN='y'
    


    I restarted nginx (nginx version: nginx/1.21.6 (130423-004559-centos7-kvm-8d04cd1))

    I noticed this:
    Code (Text):
    #openssl version
    OpenSSL 1.0.2k-fips  26 Jan 2017
     
    Last edited: Apr 13, 2023
  5. eva2000

    eva2000 Administrator Staff Member

    what does output for this command show, wrap output in BBCODE CODE tags
    Code (Text):
    grep -rin 'ssl_protocols' /usr/local/nginx/conf
     
  6. Kintaro

    Kintaro Member

    Code (Text):
    /usr/local/nginx/conf/conf.d/phpmyadmin_ssl.conf:23:        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    /usr/local/nginx/conf/ssl_include.conf:3:ssl_protocols  TLSv1.2 TLSv1.3;
    


    so is it phpmyadmin_ssl.conf that keeps TLSv1 and v1.1 alive?
    can I edit it manually or is there a procedure to follow?
     
  7. eva2000

    eva2000 Administrator Staff Member

    You can manually edit it though I've just updated Centmin Mod 130.00beta01 with a fix to take the phpmyadmin_ssl.conf into account https://community.centminmod.com/threads/update-ssl_protocol_modern-routine-in-130-00beta01.23729/ :)
     
  8. Kintaro

    Kintaro Member

    Done
    Now ssllabs grade is "A".

    Thank you
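
Added example (not part of the thread and not Centmin Mod's own code): the problem above came down to a second `ssl_protocols` line in `phpmyadmin_ssl.conf`, so this shell function narrows the `grep` used in the thread to report only active directives that still enable TLSv1.1 or lower. The function names and the sample conf tree are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample files are constructed, not Centmin Mod code.

# find_legacy_tls DIR
# Prints file:line:directive for every active (uncommented) ssl_protocols
# directive under DIR that still enables SSLv2, SSLv3, TLSv1 or TLSv1.1.
# Returns 0 if none, 1 if any were found, 2 if DIR is not a directory.
find_legacy_tls() {
    conf_dir=$1
    [ -d "$conf_dir" ] || { echo "not a directory: $conf_dir" >&2; return 2; }
    # First grep: directives only (a leading '#' fails the anchor).
    # Second grep: a legacy token followed by whitespace or ';', so the
    # "TLSv1" inside "TLSv1.2" / "TLSv1.3" does not match.
    hits=$(grep -rnE '^[[:space:]]*ssl_protocols[[:space:]]' "$conf_dir" |
           grep -E '[[:space:]](SSLv2|SSLv3|TLSv1|TLSv1\.1)([[:space:]]|;)' || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Build a constructed conf tree shaped like the one in this thread:
# a modern global include plus a vhost file with its own ssl_protocols line.
make_sample_conf() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/conf.d"
    printf '%s\n' 'ssl_session_cache      shared:SSL:10m;' \
                  'ssl_session_timeout    60m;' \
                  'ssl_protocols  TLSv1.2 TLSv1.3;' > "$d/ssl_include.conf"
    printf '%s\n' 'server {' \
                  '        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' \
                  '}' > "$d/conf.d/phpmyadmin_ssl.conf"
    # Commented-out directive: must not be reported.
    printf '%s\n' '# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' > "$d/conf.d/old.conf"
    echo "$d"
}

# Demo run against the constructed tree.
sample=$(make_sample_conf)
find_legacy_tls "$sample" || echo "legacy TLS versions are still enabled in the file(s) above"
rm -rf "$sample"
```

On a server laid out like the one in this thread, the call would be `find_legacy_tls /usr/local/nginx/conf`, followed by an nginx restart and a re-test once the reported lines are edited.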