• Grade capped to "B" due to weak DH parameter

    Hi,   Ssltest reports "This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B". Certificate is backed by BigIP F5, which is limited to 1024 DH primes but is not subject to the ...
    Olivier BOËL
    last modified by Olivier BOËL
  • Question about clearing entry

    Can Qualys clear an entry in the SSLLABS test? I added HSTS and I cannot get it to update its scan results. I made the same change to a number of other domains and it the refresh scan detected just fine. It won't upda...
    Robert Glus
    last modified by Robert Glus
  • TLS 1.0/1.1 Grading Change Date

    As recently detailed in the changelog and the updated blog post, SSL Labs has moved the the grading change for TLS 1.0/1.1 to January. I assume this was to match what was believed to be Chrome's timeline regardin...
    Kerzyte .
    last modified by Kerzyte .
  • Cipher Suites to Grading Mapping

    Does SSLLabs provide a mapping on cipher suites with its corresponding grades? I'd like to get a list of cipher suites that SSLLabs tests for along with the grade SSLLabs would give that specific cipher suite.
    jim toby
    last modified by jim toby
  • Test shows TLS 1.1 enabled when it is not

    Here is what is set in my httpd.conf SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11 SSLProtocolEnable TLSv12 SSLCipherSpec ALL NONE SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 SSLCipherSpec TLSv12 TLS_E...
    Eddie Clement
    last modified by Eddie Clement
  • Does SSL Labs scan for BREACH?

    Hello, I was running SSL Labs scans against our web service and website. Does the scan detect BREACH vulnerability? If not, what could I use to detect this?   Thanks, Sam
    Sam Robertson
    last modified by Sam Robertson
  • SSL Labs Changelog

    Version 1.36.2 Released to production on 11 October 2019   Updates Prepone grade change for supporting TLS1.0/1.1 to January 2020, Also changed in Summary messages   Version 1.36.1 Release to producti...
    Ivan Ristić
    last modified by Yash KS
  • SSL Labs: Read This First

    Bugs and Known Issues You'll find a record of known issues on this page. Please report new problems here. Please don't use the issue tracker to report suggestions about grading changes.   Commonly Requested Featu...
    Ivan Ristić
    last modified by Robert Dell'Immagine
  • Windows 2012R2 only weak ciphers listed / still A rating

    Hi,   When scanning a website hosted on Windows 2012R2 we get an A rating but when looking at the details only weak ciphers are llisted. I have used the nartac IISCrypto Utility and used the PCI 3.2 template ...
    Stephan van Hienen
    last modified by Stephan van Hienen
  • Signature Verification Failed Vulnerability - Sectigo CA "USERTrust ECC Certification Authority"

    Do the qualys scanners have the new Sectigo CA "USERTrust ECC Certification Authority"  in the trusted store? We are getting vulnerability from Qualys scan reports stating that it's unable to get&#...
    John Soares
    last modified by John Soares
  • Why is TLS_RSA_WITH_AES_128_GCM_SHA256 considered weak cipher

    I ran a test on a site and it showed TLS_RSA_WITH_AES_128_GCM_SHA256 is a weak cipher, but according to IBM Knowledge Center it shows to be a medium to high strength cipher.   Table 1. Medium and high strength TL...
    Eddie Clement
    last modified by Eddie Clement
  • Two SSL certificates appearing on scan results (https://www.ssllabs.com/ssltest/)

    What can I do to remove the second certificate? The unknown certificate is causing errors to some users. The URL is kimarineadventures.com. Thank you in advance.
    Querwin Guron
    last modified by Querwin Guron
  • Conditions of SSL Scanning TLS 1.0 /1.1 enabled

    I have an Azure service fabric environment with no applications (clean environment). I disabled TLS 1.0 / 1.1 in the  5 nodes of this cluster. But when I scan using the SSL Lab, it shows that TLS 1.0 / 1.1 is st...
    Catherine Li
    last modified by Catherine Li
  • No grading on failed HPKP check

    I'm using the ssllabs api to monitor the gradings of our certificates via powershell, see below. But on sites that have a failed HPKP check i don't get a grading object back in the json, while if i check the same sit...
    ronald van den berg
    last modified by ronald van den berg
  • How to speed up the scanning process?

    Hello, I'm a Ph.D. student in U.S. I am using ssllabs-scan to download certificates of a bunch of domains.  Recently I found that around 20 mins are needed for scanning a single domain which is too slow for me....
    Zhiju Yang
    last modified by Zhiju Yang
  • Problems with renegotiation testing on SSL Labs reports

    SSL Labs server reports such as https ://www.ssllabs.com/ssltest/analyze.html?d=buy.itunes.apple.com (sorry, link brken to make the URL readable) have *two* links to more info about secure renegotiation at https://co...
    Andrew Aitchison
    last modified by Andrew Aitchison
  • Cipher Suite for have A+ score

    Hi, some years ago I set up my server with a good Cipher Suite that actually continue score A+ on SSL LABS but i see there are 4 weak configuration. I want remove this and replace with a good one but don't know what c...
    |Mark|
    last modified by |Mark|
  • SSL Certificate related vulnerabilities.

    SSL Certificate - Subject Common Name Does Not Match Server FQDN QID: 38170 System: windows server 2012 Cert. used: wildcard from Symantec RESULTS: Certificate #0 CN=*.....com,OU=....,O=.....,L=...,C=... (*......com) ...
    Md. Imran Hosan
    last modified by Md. Imran Hosan
  • Why SSLLAB gives TLS 1.0 enabled when it is not?

    Hello all, I have two services with the same configuration running in Azure as an App Service. We recently changed the SSL configuration to use 1.1 as minimum version for TLS. After the change, when running the SSLLAB...
    Moisés García
    last modified by Moisés García
  • Dual ECDSA/RSA certs weird Safari results?

    Hello, when setting up an Apache server with with both an ECDSA cert and an RSA cert, I get puzzling results with SSL Labs when I add weak TLS_RSA_WITH_AES_128|256_CBC_SHA RSA based ciphers to the end of the list Saf...
    Valérie Martin
    last modified by Valérie Martin