• PowerShell script for automated scans

    Hi All   After sorting SSL config at work, I put together a PowerShell script to automate future scans using the API.    You can currently find the script here: https://www.musingitoutloud.com/po...
    Damon Johnstone
    last modified by Damon Johnstone
  • HSTS header not being set by NGINX on error

    I am posting this here just to document this in the public space since some of the SSL Labs folks helped me with it offline and I wanted to make sure the information shared was publicly indexed.   I have a ...
    Eric Rosenberry
    last modified by Eric Rosenberry
  • Deprecation of SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer 11

    just for info https://technet.microsoft.com/library/security/4010323
    created by Rob_T
  • Time to revisit DNSSEC & DANE/TLSA discussion?

    Time to revisit?   There has been discussion on checking DNSSEC and DANE/TLS.  Prior threads are at:   https://discussions.qualys.com/message/31145?commentID=31145#comment-31145  https://discuss...
    Curtis Villamizar
    last modified by Curtis Villamizar
  • ssl-pusle suggestions how to improve displayed results

    Hi, I have looked at ssl-pulse new data from https://www.trustworthyinternet.org/ssl-pulse/ which are based on ssllabs.com test.   I see very nice graphs, very beautifully presented, nice job.   To make it...
    last modified by j-mailor
  • Cloudbleed

    just for info https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
    created by Rob_T
  • PayPal Gets only B Grades

    I went to log in to PayPal and decided to test their servers' SSL quality. I was shocked to learn that both their servers only got a grade of B, future grade C. Any financial site of this magnitude should ob...
    Paco Hidalgo
    last modified by Paco Hidalgo
  • Thailand's first ever root CA, the first ever SHA-512 on the web!?

    Thailand National Root Certification Authority - G1, the first ever Thai root CA has recently made its way into the Windows Certificate Store resulting in IE/Edge and Chrome as well as plenty others relying on the sam...
  • .NET Framework

    Hello, In addition to the Java tests, could you please add lines for .NET 4.0 and .NET 4.6 ciphers? It'd be useful to know what will be negotiated with them, and whether I am breaking compatibility. Thanks! James
    James Bellinger
    last modified by James Bellinger
  • SHA-1 deprecation countdown

    fyr       MS: https://blogs.windows.com/msedgedev/2016/11/18/countdown-to-sha-1-deprecation Starting on February 14th, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are prote...
    last modified by Rob_T
  • SSL test fails due to firewall rules on number of states per source IP

    Logging this more for reference rather than as a request, in case it can help others facing the same issue.   I was seeing my SSL tests fail at the 'Determining available cipher suites' step with an 'Assessment ...
    T M
    last modified by T M
  • Multiple Certificates, OCSP Stapling Result

    Now that nginx supports dual certificate configurations, I wonder how OCSP Stapling is supposed to work with it. Beside that I even more wonder how SSL Labs shows the test results. I’d expect a result based on e...
    Matthias Wächter
    last modified by Matthias Wächter
  • New Suites in Chrome

    Hi in Chrome  56.0.2906.0 (Android) i found in the ssl client hello some unknown id's and extensions. curve.id     43690 cipherSuite:     14906 exttension.Type     35...
    last modified by tlussnig
  • Apple blocks WoSign (maybe StartSSL too)

    Hi   should there be a warning on ssltest server test when wosign is detected ? https://support.apple.com/en-us/HT202858 https://support.apple.com/en-us/HT204132 StartSSL (which belongs to WoSign now, maybe i...
    last modified by Rob_T
  • Messages when site does not support HTTPS

    I've noticed that the error messages displayed by the server scan are not consistent when sites do not support HTTPS. E.g., Scanning blog.savemymeds.com yields "Assessment failed: No secure protocols supported" but bl...
    Anand Bhat
    last modified by Anand Bhat
  • X25519 key exchange issues

    Issues with X25519: https://dev.ssllabs.com/ssltest/analyze.html?d=x25519.crypto.report&s=2a03%3ab0c0%3a2%3ad0%3a0%3a0%3adf5%3a2001&latest Chrome 51 handshake simulation reports cipher suite TLS_ECDHE_RSA_WIT...
    Ilari Stenroth
    last modified by Ilari Stenroth
  • ENHANCEMENT REQUEST -- End-of-Life (EoL) web clients -- Please replace red text with grey text and devise a plan to warn users about supporting insecure web clients

    There are numerous end-of-life clients listed on the ssllabs tool for "compatibility". The tool really needs to mark these as grey text instead of red text. This is because red indicates a problem to the web serv...
    last modified by smaug
  • ENHANCEMENT REQUEST -- DROWN -- Please replace orange text with grey text

    When the DROWN check fails, due to no fault of the server operating running a secure website and because the Censys data is not always accurate or up to date, then you should mark the text as grey, not orange. Orange ...
    last modified by smaug
  • ECC Cert: Chain Issues?

    Hey there,   I recently started using both an ECC (comodo) and an RSA (geotrust wildcard) cert on www.isc.org, and what we're discovering is that the level of root cert adoption is wildly disparate.   Case...
    Dan Mahoney
    last modified by Dan Mahoney
  • Windows 7 (and 8.1) blocks RC4 now

    just for info...    beside Win 8.1/2012R2 (since August 2016 Updates) now also Windows 7/2008R2 (only when use IE11 !) blocks RC4 by befault since October 2016 Updates. https://github.com/ssllabs/ssllab...
    created by Rob_T