• Servers that only support TLS 1.3 shouldn't be downgraded

    Servers that support TLS 1.3 and don't support any of the lower versions should not be downgraded to an "A" from an "A+".
    George R
    last modified by George R
  • Expiry of certificates in the chain should affect the score

    Today's expiration of the 20-year "USERTrust RSA Certification Authority" certificate has prompted me to notice that, although the SSL Report does note in the detail that a certificate in the chain has expired, this d...
    Jon Ribbens
    last modified by Jon Ribbens
  • Disabled SSL 3, now can't get back to A+

    We had an A+ but was downgraded. I corrected the new issues found and used IIS Crypto to verify best practice settings. After making changes we are only at an A. The only two indicators the SSL Labs gives me are below...
    John Wycoff
    last modified by John Wycoff
  • Failed to obtain certificate, Cross-signed certificates

    Hello!   SSL Server Test: secure.simplepay.hu (Powered by Qualys SSL Labs)    Could it be that Sectigo's cross-signed certificate causes this problem? Sectigo Knowledge Base    Please advi...
    Viktor Szépe
    created by Viktor Szépe
  • SSLHandshakeException: Failed to negotiate the use of secure renegotiation

    I am using java 1.8.0_191 on my web server, I am writing a code which will call external web service which has following details Secure Renegotiation Not supported   ACTION NEEDED  Secure...
    Nikhil Patil
    last modified by Nikhil Patil
  • SSL Cert/Website

    Guys,   Just to let you know, there seems to be some discrepancy for the results from this website (SSL Server Test (Powered by Qualys SSL Labs).   So I have a Cisco router with ssl vpn, and the results sa...
    Chris Yeo
    last modified by Chris Yeo
  • Alternate IP for DNS resolution for Qualys SSL Server Test

    Hello,   Is there a way to specify an alternate IP for DNS resolution of a website before the SSL Server Test is run?    For instance, our production website www.mywebsite.com is currently hosted behi...
    Nobody Special
    last modified by Nobody Special
  • Is there a risk for "Secure Renegotiation: Not Supported"

    Hi,     Is there a risk/security vulnerability for "Secure Renegotiation: Not Supported"?     Thanks, Jack
    Jack son
    last modified by Jack son
  • Apache 2.2 site (no OCSP stapling) gets OCSP alert

    I'm intrigued as to why shows the "OCSP ERROR: Request failed with OCSP status: 6" alert together with "OCSP stapling = No". Another site, on the same server, using the same cert issuer, along with the same SSLCACert...
    last modified by gaia
  • Weak StartCom CA SHA1 only for Path #1

    Hi,   I don't understand why I have two trusted paths and why the StartCom Certification Authority certificate of the Path #1 is weak (= SHA1) and what is the solution to solve this. Thanks in advance.   ...
    Gaspard d'Hautefeuille
    last modified by Gaspard d'Hautefeuille
  • Handshake simulation

    I have a question about the handshake simulation. I've sometimes seen that this lists a cipher that is somewhere at the bottom of the server's preferred order list despite there being a cipher "above" that the client ...
    Anand Bhat
    last modified by Anand Bhat
  • Shall I know why TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 being treated as weak?

    Shall I know why TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 being treated as weak? When did it become weak? Thanks.
    Tianyi Shui
    last modified by Tianyi Shui
  • API Scan result is missing important objects

    I'm using the ssllabsscanner.py file here to perform the SSL Scan in PyCharm. It works and provides a response, but I am missing important objects mentioned in the documentation: https://github.com/ssllabs/ssllabs-sc...
    Canis Lobo
    last modified by Canis Lobo
  • Result strange when server uses dual EC plus RSA cert

    made an Issue Result strange when server uses dual EC plus RSA cert · Issue #797 · ssllabs/ssllabs-scan · GitHub    attached the complete scan result ...
    Max Mueller
    last modified by Max Mueller
  • SSL Labs Known Issues & SSL Labs IP Source IP Addresses

    This page documents the known issues with the SSL Labs code running in production (i.e., www.ssllabs.com).   If your issue is listed as fixed in the latest development version, check it at: https://dev.ssllabs.c...
    Ivan Ristić
    last modified by Robert Dell'Immagine
  • EFT Cipher suite not showing up in scan

    I am running EFT Enterprise by Globalscape on a 2016 Server OS. I get an A+ from the Qualys scan at this URL (https://exfer01.jp.ftitechnology.com) however for some reason the following two ciphers do not get picked u...
    Sean Wasta
    last modified by Sean Wasta
  • Cloudfront and Session resumption (caching) - No (IDs assigned but not accepted)

    Can get my reports on Cloudfront sites to level A. I think to get to A+ I need a way to solve this issue: Session resumption (caching) No (IDs assigned but not accepted)   Any ideas on how to crack that one?
    Greg Pagendam-Turner
    last modified by Greg Pagendam-Turner
  • Where are these properties in the API response?

    These properties are available in the UI when performing a scan at SSL Server Test (Powered by Qualys SSL Labs), but they don't seem to have corresponding properties in the API response:   Revocation Status...
    Canis Lobo
    last modified by Canis Lobo
  • Assessment failed: Directive already specified: max-age

    I keep getting this error message.  Any ideas on what the issue is?  Thanks in advance.
    S Close
    last modified by S Close
  • Regarding RFC 7627 on Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension will become a mandatory TLS extension

    Does Qualys SSL Server test will make this "extended Master secret" TLS extension mandatory to get A+ grade?
    Sajeev S
    last modified by Sajeev S