• Some problems about Internationalized domain name

    E.g. xn--fiq7iq58bfy3a8bb.xn--fiqs8s Text is "互联网中心.中国".   Title cannot be displayed in reports.   And during analysis, there is a chance to jump to an analysis page that is not the domain name. xn--...
    Junhui Deng
    last modified by Junhui Deng
  • Key Exchange strength

    I'm trying to understand the grading scheme for Key Exchange strength. I'm currently getting a grade of 90%. My servers have both RSA/4096 and ECC/384 keys on them, using KxECDHE only.   The grading guide, ...
    Ken Schultz
    last modified by Ken Schultz
  • Regarding RFC 7627 on Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension will become a mandatory TLS extension

    Does Qualys SSL Server test will make this "extended Master secret" TLS extension mandatory to get A+ grade?
    Sajeev S
    last modified by Sajeev S
  • ssltest runs on almost every visit of https://www.ssllabs.com/ssltest/analyze.html?d=fqdn

    Hi   The results of the ssltest at https://www.ssllabs.com/ssltest/analyze.html?d=fqdn are sometimes cached, but not a lot. When visiting the URL, most of the times the entire test is run again - which takes a ...
    Dick Visser
    last modified by Dick Visser
  • SSL tab test on my host showing "Unable to resolve domain name"

    dns dnsname   I am trying to test my service host name which is hosted in AWS. I always get "Unable to resolve domain name" error. I want to understand more and want to get some logs depicting which cname i...
    Sourabh Agarwal
    last modified by Sourabh Agarwal
  • SSL Server Test Bug

    Has anyone else noticed a bug with the SSL server test recently when completing a standard scan?   I have recently completed some regular SSL server scans and noticed on a couple of occasions that the scan which...
    Ricky Hartland
    last modified by Ricky Hartland
  • SSL Labs Changelog

    Version 2.0.7Released to production on 14th January 2020   Fixes SSLLabs sometimes tests different hostname than what was submitted (Qualys Community, #769) Updates  Make Client Test more accessi...
    Ivan Ristić
    last modified by Nayan Kakati
  • SSL Report Query

    I have run an SSL Report against a URL and it confirms that we have a certificate related to the URL but because we have multiple services behind a Port Forwarding setup it doesn't show which of the servers is showing...
    Brian Kent
    last modified by Brian Kent
  • DNS CAA not being tested correctly on SSL Labs

    Hi there,   I have DNS CAA configured at the subdomain level, and it tests correctly when I use the DNS Spy: CAA record validator.   However, when I test through SSL Server Test (Powered by Qualy...
    Sage Gwatkin
    last modified by Sage Gwatkin
  • TLS 1.3 on Windows Server 2019

    Hello,   I tried to enable TLS 1.3 on Windows Server 2019(IIS 10), for some reason this doesn't work well. In oposite of Windows server 2016 there are some changes. I changed the registry settings to change th...
    Bart Kock
    last modified by Bart Kock
  • Deprecated SSH Cryptographic Settings

    We ran qualys security tool on servers and found "SSH Cryptographc Settings" vulnerability in the report. We followed steps given in below links, but still we are getting same  vulnerability message in the repor...
    kasim shaik
    last modified by kasim shaik
  • False Grade F via SSLLabs API

    Hi,   I run regularly scan of some selected sites using SSL Labs API. On the 5th of December, I've noticed that one of the sites has received the grade F by automated scan. When I ran the scan manually via SSL L...
    last modified by pessoft
  • Weak Signature Algorithm in Bundle

    We buy our certs from Godaddy and run a server that requires us to combine the server cert and the provided bundle that Godaddy provides in the zip file when we download the cert.    A vulnerability scan of...
    Cred Sucheck
    last modified by Cred Sucheck
  • Why does IE 11 report ECDH key exchange of 255 bits?

    One of our clients asked us to report the Internet Explorer connection details of various cloud services.   Slightly odd, as I hope no one is using IE any more. Certainly a product I've stayed well clear of for ...
    Simon Waters
    created by Simon Waters
  • I get only 529 error response from API

    I have been using the "official" SSLLabs API client called ssllabs-scan (from GitHub - ssllabs/ssllabs-scan: A command-line reference-implementation client for SSL Labs APIs, designed for automated … ) for the ...
    Ollivier Robert
    last modified by Ollivier Robert
  • A+ score - but only weak ciphers available?

    Hi,   I'm struggling to understand how a website can score A+ although _only_ weak ciphers are available (Example). Would an A+ not create a false view on security in this case? Why does the marking of CBC ciph...
    last modified by jprueter
  • When did Qualys start reporting on IDEA ciphers?

    I am curious if others have seen an uptick in Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32) detection caused by 3DES but also for IDEA ciphers which suffer the same flaw. ...
    last modified by adamc
  • Testing Android x vs. Chrome on Android x

    Seeing Android 7.0 reduced the list of available curves to just prime256v1 I wonder how to test a server for compatibility considering the current client list in SSL Labs. As I understand, „Android 7.0&ldqu...
    Matthias Wächter
    last modified by Matthias Wächter
  • SSL Test with wrong Android 4.4 config

    Hi! On your Android 4.4 page (Qualys SSL Labs - Projects / User Agent Capabilities: Android 4.4.2) you have configured the wrong cipher suites. According to <uses-sdk> | Android Developers  Android 4.4 is...
    André Glöckner
    last modified by André Glöckner
  • K9-mail and Android 4.4.2 ciphers

    Currently I have the following set in Dovecot on my server:   ssl_cipher_list = AES128+EECDH:AES128+EDH   When I connect with Thunderbird 31.4 I see the following in the log:   ECDHE-ECDSA-AES128-GCM...
    Bob Watson
    last modified by Bob Watson