
SSL Getting a "B" grade in ssllabs testing

Discussion in 'Domains, DNS, Email & SSL Certificates' started by radbrad, Aug 19, 2020.

  1. radbrad

    radbrad Member

    Hi eva,
    My website uses letsencrypt ssl and cloudflare ssl set. I checked my url in ssllabs.com and found the grade "B" in all its tests. Can you tell what is the reason for a lower grade? How can I improve it to "A"?


    Regards
     
  2. eva2000

    eva2000 Administrator Staff Member

    Should list the reason on ssllabs results page, usually related to TLSv1.0 and TLSv1.1 support still being enabled for TLS protocols. If you have Cloudflare, just set in SSL/TLS tab minimum TLS version to TLSv1.2 to disable TLSv1.0 and TLSv1.1. Note, if you have older visitors using older browsers/devices which only support TLSv1.1 and lower, they will no longer be able to visit your server. Modern web browsers have/are deprecating TLSv1.1 and lower anyway but if you have older users/devices, remember they will be affected.
     
  3. radbrad

    radbrad Member

    In that case, I will leave it as it is. There may be some users using older devices.
     
  4. Kintaro

    Kintaro Member

    me too... is THIS the actual way to disable tls 1.0 and 1.1?

    I just tried without success as running:
    Code (Text):
    ./switch-nginx-ciphers.sh testssl mydomain.com:443

    results in:
    Code (Text):
     Testing protocols via sockets except NPN+ALPN
    
     SSLv2      not offered (OK)
     SSLv3      not offered (OK)
     TLS 1      offered (deprecated)
     TLS 1.1    offered (deprecated)
     TLS 1.2    offered (OK)
     TLS 1.3    not offered and downgraded to a weaker protocol
     NPN/SPDY   not offered
     ALPN/HTTP2 h2, http/1.1 (offered)

    I was expecting TLS 1 and 1.1 not offered, and TLS 1.2 and 1.3 OK.

    /usr/local/nginx/conf/ssl_include.conf
    Code (Text):
    ssl_session_cache      shared:SSL:10m;
    ssl_session_timeout    60m;
    ssl_protocols  TLSv1.2 TLSv1.3;
    

    /etc/centminmod/custom_config.inc
    Code (Text):
    CLANG='n'
    DEVTOOLSETSEVEN='y'
    NGINX_DEVTOOLSETGCC='y'
    CLOUDFLARE_ZLIB='y'
    MARCH_TARGETNATIVE='n'
    LIBRESSL_SWITCH='n'
    LETSENCRYPT_DETECT='y'
    SSL_PROTOCOL_MODERN='y'
    


    I restarted nginx (nginx version: nginx/1.21.6 (130423-004559-centos7-kvm-8d04cd1))

    I noticed this:
    Code (Text):
    #openssl version
    OpenSSL 1.0.2k-fips  26 Jan 2017
     
    Last edited: Apr 13, 2023
  5. eva2000

    eva2000 Administrator Staff Member

    what does output for this command show, wrap output in BBCODE CODE tags
    Code (Text):
    grep -rin 'ssl_protocols' /usr/local/nginx/conf
     
  6. Kintaro

    Kintaro Member

    Code (Text):
    /usr/local/nginx/conf/conf.d/phpmyadmin_ssl.conf:23:        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    /usr/local/nginx/conf/ssl_include.conf:3:ssl_protocols  TLSv1.2 TLSv1.3;
    


    So is it phpmyadmin_ssl.conf that keeps TLSv1 and v1.1 alive?
    Can I edit it manually or is there a procedure to follow?
     
  7. eva2000

    eva2000 Administrator Staff Member

    You can manually edit it though I've just updated Centmin Mod 130.00beta01 with a fix to take the phpmyadmin_ssl.conf into account https://community.centminmod.com/threads/update-ssl_protocol_modern-routine-in-130-00beta01.23729/ :)
     
  8. Kintaro

    Kintaro Member

    Done
    Now ssllabs grade is "A".

    Thank you
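
The `grep` check used in this thread can be scripted so that a stray per-vhost `ssl_protocols` line, like the one found in `phpmyadmin_ssl.conf`, is flagged automatically. This is an added example, not part of the thread and not Centmin Mod code; the function names `audit_ssl_protocols` and `make_sample_tree` and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Centmin Mod code): list every active ssl_protocols
# directive under an nginx conf directory that still enables a legacy protocol.

# audit_ssl_protocols DIR -> prints "file:line: legacy protocol X enabled";
# exit status 0 when nothing legacy is enabled, 1 otherwise.
audit_ssl_protocols() {
    found=0
    # Anchoring on leading whitespace skips commented-out directives.
    hits=$(grep -rnE '^[[:space:]]*ssl_protocols[[:space:]]' "$1" || true)
    while IFS=: read -r file lineno rest; do
        rest=${rest%%#*}    # drop a trailing comment
        rest=${rest%%;*}    # drop the terminating semicolon
        for proto in $rest; do
            case "$proto" in
                SSLv2|SSLv3|TLSv1|TLSv1.1)
                    printf '%s:%s: legacy protocol %s enabled\n' "$file" "$lineno" "$proto"
                    found=1 ;;
            esac
        done
    done <<EOF
$hits
EOF
    [ "$found" -eq 0 ]
}

# Constructed sample tree modelled on the two files in the grep output above.
make_sample_tree() {
    d=$(mktemp -d) && mkdir -p "$d/conf.d" || return 1
    printf '%s\n' 'ssl_session_cache      shared:SSL:10m;' \
        'ssl_session_timeout    60m;' \
        'ssl_protocols  TLSv1.2 TLSv1.3;' > "$d/ssl_include.conf"
    printf '%s\n' 'server {' \
        '        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' \
        '        # ssl_protocols SSLv3;  (constructed: commented out, ignored)' \
        '}' > "$d/conf.d/phpmyadmin_ssl.conf"
    echo "$d"
}

sample=$(make_sample_tree)
audit_ssl_protocols "$sample" || echo "legacy TLS still enabled somewhere"
rm -rf "$sample"
```

On a real server the directory to pass is `/usr/local/nginx/conf`; no output and exit status 0 means every active `ssl_protocols` directive lists only TLSv1.2 and newer.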