• Securing your network and devices

    Lily and I have been having an interesting conversation about security on another thread.   So I decided to move it out into its own thread.   At home, I have a testing lab.   I use a Fortine...
    created by Michael McKenney
  • Failed to obtain certificate, Cross-signed certificates

    Hello!   SSL Server Test: secure.simplepay.hu (Powered by Qualys SSL Labs)    Could it be that Sectigo's cross-signed certificate causes this problem? Sectigo Knowledge Base    Please advi...
    created by Viktor Szépe
  • SSLHandshakeException: Failed to negotiate the use of secure renegotiation

    I am using Java 1.8.0_191 on my web server. I am writing code which will call an external web service which has the following details: Secure Renegotiation Not supported   ACTION NEEDED  Secure...
    last modified by Nikhil Patil
  • OCSP Stapling on SSLLabs reports no

    I just renewed and rekeyed my GoDaddy certificates.  I set up OCSP Stapling and the test shows NO.    When I test at the server level   echo QUIT | openssl s_client -connect wp.michaelmckenney.co...
    last modified by Michael McKenney
  • Servers that only support TLS 1.3 shouldn't be downgraded

    Servers that support TLS 1.3 and don't support any of the lower versions should not be downgraded to an "A" from an "A+".
    last modified by George R
  • SSL Cert/Website

    Guys,   Just to let you know, there seems to be some discrepancy for the results from this website (SSL Server Test (Powered by Qualys SSL Labs).   So I have a Cisco router with ssl vpn, and the results sa...
    last modified by Chris Yeo
  • Alternate IP for DNS resolution for Qualys SSL Server Test

    Hello,   Is there a way to specify an alternate IP for DNS resolution of a website before the SSL Server Test is run?    For instance, our production website www.mywebsite.com is currently hosted behi...
    last modified by Nobody Special
  • Is there a risk for "Secure Renegotiation: Not Supported"

    Hi,     Is there a risk/security vulnerability for "Secure Renegotiation: Not Supported"?     Thanks, Jack
    last modified by Jack son
  • Apache 2.2 site (no OCSP stapling) gets OCSP alert

    I'm intrigued as to why shows the "OCSP ERROR: Request failed with OCSP status: 6" alert together with "OCSP stapling = No". Another site, on the same server, using the same cert issuer, along with the same SSLCACert...
    last modified by gaia
  • Weak StartCom CA SHA1 only for Path #1

    Hi,   I don't understand why I have two trusted paths and why the StartCom Certification Authority certificate of the Path #1 is weak (= SHA1) and what is the solution to solve this. Thanks in advance.   ...
    last modified by Gaspard d'Hautefeuille
  • Handshake simulation

    I have a question about the handshake simulation. I've sometimes seen that this lists a cipher that is somewhere at the bottom of the server's preferred order list despite there being a cipher "above" that the client ...
    last modified by Anand Bhat
  • Shall I know why TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 is being treated as weak?

    Shall I know why TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 is being treated as weak? When did it become weak? Thanks.
    last modified by Tianyi Shui
  • API Scan result is missing important objects

    I'm using the ssllabsscanner.py file here to perform the SSL Scan in PyCharm. It works and provides a response, but I am missing important objects mentioned in the documentation: https://github.com/ssllabs/ssllabs-sc...
    last modified by Canis Lobo
  • Result strange when server uses dual EC plus RSA cert

    made an Issue Result strange when server uses dual EC plus RSA cert · Issue #797 · ssllabs/ssllabs-scan · GitHub    attached the complete scan result ...
    last modified by Max Mueller
  • EFT Cipher suite not showing up in scan

    I am running EFT Enterprise by Globalscape on a 2016 Server OS. I get an A+ from the Qualys scan at this URL (https://exfer01.jp.ftitechnology.com) however for some reason the following two ciphers do not get picked u...
    last modified by Sean Wasta
  • Cloudfront and Session resumption (caching) - No (IDs assigned but not accepted)

    Can get my reports on Cloudfront sites to level A. I think to get to A+ I need a way to solve this issue: Session resumption (caching) No (IDs assigned but not accepted)   Any ideas on how to crack that one?
    last modified by Greg Pagendam-Turner
  • Where are these properties in the API response?

    These properties are available in the UI when performing a scan at SSL Server Test (Powered by Qualys SSL Labs), but they don't seem to have corresponding properties in the API response:   Revocation Status...
    last modified by Canis Lobo
  • Assessment failed: Directive already specified: max-age

    I keep getting this error message.  Any ideas on what the issue is?  Thanks in advance.
    last modified by S Close
  • Regarding RFC 7627 on Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension will become a mandatory TLS extension

    Will the Qualys SSL Server Test make this "extended master secret" TLS extension mandatory to get an A+ grade?
    last modified by Sajeev S
  • How to disable TLS_RSA_WITH_AES in Windows

    Hello, I'm trying to fix my Cipher suite validation on: SSL Server Test (Powered by Qualys SSL Labs)  the validation says that the following ciphers are weak: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   W...
    last modified by Bart Kock