• TLS 1.0 enabled, TLS 1.1 disabled - "A" score

    I have a site that previously had an "A+" score but is now capped at "B" since TLS 1.0 / 1.1 are enabled.   I disabled TLS 1.1 since almost no clients use it, and now I get an "A" score - even though TLS 1....
    David Carlin
    last modified by David Carlin
  • False Grade F via SSLLabs API

    Hi,   I run regularly scan of some selected sites using SSL Labs API. On the 5th of December, I've noticed that one of the sites has received the grade F by automated scan. When I ran the scan manually via SSL L...
    last modified by pessoft
  • API Gateway - Application API Docs (Swagger)

    Module Version API Gateway Documentation FIM 1 https://gateway.qg1.apps.qualys.com/apidocs/fim/v1   FIM 2 https://gateway.qg1.apps.qualys.com/apidocs/fim/v2 ITAM/AI 1 https://gateway.qg1.apps.qualys.com/apid...
    Laura Seletos
    last modified by Laura Seletos
  • Regarding RFC 7627 on Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension will become a mandatory TLS extension

    Does Qualys SSL Server test will make this "extended Master secret" TLS extension mandatory to get A+ grade?
    Sajeev S
    last modified by Sajeev S
  • F grade : Zombie POODLE, Golden DOODLE & 0-length with openssl 1.1.1

    I'm currently using stunnel with openssl 1.1.1 on a ubuntu 18.04.4, with only TLS 1.2 and I'm getting a F grade with ssllabs. I have both CMC and GCM cipher suites. Sometimes I get a A grade, sometimes a F. When I g...
    Maxime Roullier
    last modified by Maxime Roullier
  • Signer Certificate use and management

    I have a certificate database which consists of "Signer Certificates"  "Personal Certificates"  "Certificate Requests"   I have several signer certificates which are expired. Can I delete these expire...
    Carson Austin
    last modified by Carson Austin
  • Does Server Test report ESNI status? Will it in the future?

    Are there any plans for the SSL Labs - Server Test to report on whether the server supports Encrypted Server Name Indication (ESNI)?   If the Server Test already reports on this, can someone direct me to wh...
    Greg Williams
    last modified by Greg Williams
  • TLS 1.1 needed for certificate fetching?

    We have an F5 appliance (LTM 15) where we are tightening down security for the upcoming January 2020 changes: specifically disabling TLS 1.0 and 1.1, and enabling 1.3. TLS 1.2 is already enabled by default.   En...
    Anthony Loost
    last modified by Anthony Loost
  • Dashboards and Reporting Resources - Start Here

    Welcome to Dashboards and Reporting   Welcome to our Dashboards and Reporting space.  Here we will begin to collaboratively and constructively collect relevant legacy ...
    last modified by DMFezzaReed
  • Different ratings...same host

    2 hostnames which both resolve to the same IP address - 1 is an A record and 1 is a CNAME -- get 2 different ratings...one is an A and one is an A+. I have tried 'clearing cache' multiple times to no avail. Any sugges...
    Lauren Dunnevant
    last modified by Lauren Dunnevant
  • Questions about TLS 1.1 protocols showing on the SSL Report.

    My name is Michael Bashore and I am a support engineer for nCino here in Wilmington North Carolina. One of our organization ran the test and saw the 1.1 protocols and is concerned that they are being used and are a we...
    Michael Bashore
    last modified by Michael Bashore
  • TLS Protocol Session Renegotiation Security Vulnerability

    Hello all,   I am having some issues trying to figure out what we need to do about this vulnerability that is showing up for printers...   There are patches and registry hacks to get it remediated for serv...
    Jung Choi
    created by Jung Choi
  • Key Exchange strength

    I'm trying to understand the grading scheme for Key Exchange strength. I'm currently getting a grade of 90%. My servers have both RSA/4096 and ECC/384 keys on them, using KxECDHE only.   The grading guide, ...
    Ken Schultz
    last modified by Ken Schultz
  • QID for CryptoAPI?

    Hi all -   ETA on QID for CryptoAPI?
    Grant Johnson
    last modified by Grant Johnson
  • SSL tab test on my host showing "Unable to resolve domain name"

    dns dnsname   I am trying to test my service host name which is hosted in AWS. I always get "Unable to resolve domain name" error. I want to understand more and want to get some logs depicting which cname i...
    Sourabh Agarwal
    last modified by Sourabh Agarwal
  • SSL Server Test Bug

    Has anyone else noticed a bug with the SSL server test recently when completing a standard scan?   I have recently completed some regular SSL server scans and noticed on a couple of occasions that the scan which...
    Ricky Hartland
    last modified by Ricky Hartland
  • SSL Report Query

    I have run an SSL Report against a URL and it confirms that we have a certificate related to the URL but because we have multiple services behind a Port Forwarding setup it doesn't show which of the servers is showing...
    Brian Kent
    last modified by Brian Kent
  • Deprecated SSH Cryptographic Settings

    We ran qualys security tool on servers and found "SSH Cryptographc Settings" vulnerability in the report. We followed steps given in below links, but still we are getting same  vulnerability message in the repor...
    kasim shaik
    last modified by kasim shaik
  • Public methods available in Groovy Script for invocation on different objects

    av_tagging groovy
    last modified by DMFezzaReed
  • A+ score - but only weak ciphers available?

    Hi,   I'm struggling to understand how a website can score A+ although _only_ weak ciphers are available (Example). Would an A+ not create a false view on security in this case? Why does the marking of CBC ciph...
    last modified by jprueter