I can't seem to figure out why this site receives an F grade:
Qualys SSL Labs - Projects / SSL Server Test / smack.ht.vc
Sorry, that was a bug in the development version, which I introduced last night. It should be fixed now.
Looks like we had the same thought at the same time! dev.ssllabs 1.14.2 gives F ratings with no stated reason
THIS. IS. FUNNY. AS. HELL.
Qualys SSL Labs - Projects / SSL Server Test / ssllabs.com
This site too!?
Qualys SSL Labs - Projects / SSL Server Test / dev.ssllabs.com
Yes, that's just a bug in a key exchange rating.
This is just a development version; we can expect anything. Even goto fail is still always negative, though I reported this bug 2 weeks ago.
As far as I can see the problem could be the DHE.
All servers with DHE (both 1024 and 2048 bit) get the F, and servers without DHE (no PFS only, and ECDHE + no PFS) get a better rating.
My 4096-bit DHE servers also got an F, though it is the highest available.
Ran the test for my ECC server and got A+, but the bug seems to be fixed anyway.
No, I was wrong! 1.14.3 still gives an F.
RSA 4096 with DHE 4096:
Which CAs issue ECC certificates? I have a couple Comodo PositiveSSL certificates but never had an option for ECDSA. Maybe this would be better discussed in a separate thread.
Comodo and Symantec.
I have no experience with Symantec, since their offers are expensive and business only, but Comodo issues you an ECDSA certificate after you submit your ECC CSR; it's that simple!
FYI, I couldn't reproduce your bug. I have thus downgraded its priority until I have more time to spend on troubleshooting. I suspect it has to do with connection speed and the time out until I decide a connection has failed.
Development times out faster, but for goto fail I rarely see "The test timed out. You might have a firewall that's interfering". Most of the time I see "Your user agent is not vulnerable". How could it, if port 10443 works?
This false negative is even when connecting through 100 Mbps 802.11n Wi-Fi.
Since yesterday I have had the same problem with the API.
On Qualys SSL Labs (not dev.) I had
But if I use the API (the API now uses engineVersion 1.14.5):
In the morning.... when I looked on the dashboard and saw total F grade...
Servers with RC4 enabled still seem to receive F-ratings without any explanation: Qualys SSL Labs - Projects / SSL Server Test / casesearch.stlucieclerk.com (too bad we need RC4 for compatibility with vendor services)
DHE is also (mistakenly?) marked as weak.
RC4 servers get a B; there is a warning about this.
You get an F because of a key exchange rating bug.
Your DH size is 1024 bits which is not enough. Should be at least 2048.
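The two posts above turn on the size of the Diffie-Hellman group a server offers. As an added example that is not part of the thread, the following Python decodes the ServerDHParams prefix of a TLS 1.2 ServerKeyExchange message (dh_p, dh_g, dh_Ys, each a 16-bit-length-prefixed field per RFC 5246 section 7.4.3), reports the prime's bit length, and classifies it with the thresholds the posters use (1024 bits is weak; 2048 or more is what they expect). The sample messages are constructed in the script, not captured from any host named in the thread, and the stand-in primes are not real safe primes.

```python
"""Added example, not code from the forum thread or from SSL Labs.

Decode the ServerDHParams part of a TLS 1.2 ServerKeyExchange message and
grade the Diffie-Hellman group size.  Only dh_p, dh_g and dh_Ys are parsed;
the signature that follows them in the real message is ignored.
"""
import struct


def _read_opaque16(buf, offset):
    """Read one <1..2^16-1> length-prefixed field; return (bytes, next_offset)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">H", buf, offset)
    offset += 2
    if length == 0 or offset + length > len(buf):
        raise ValueError("truncated or empty DH field")
    return buf[offset:offset + length], offset + length


def parse_server_dh_params(msg):
    """Return p, g, Ys as ints, the prime's bit length, and bytes consumed."""
    p, off = _read_opaque16(msg, 0)
    g, off = _read_opaque16(msg, off)
    ys, off = _read_opaque16(msg, off)
    p_int = int.from_bytes(p, "big")  # bit_length() ignores leading zero bytes
    return {
        "p": p_int,
        "g": int.from_bytes(g, "big"),
        "Ys": int.from_bytes(ys, "big"),
        "p_bits": p_int.bit_length(),
        "consumed": off,
    }


def grade_dh_bits(bits):
    """Classify the DH group size using the thresholds discussed in the thread."""
    if bits < 1024:
        return "insecure"
    if bits < 2048:
        return "weak"      # the 1024-bit case the posters are arguing about
    return "ok"


def encode_server_dh_params(p, g, ys):
    """Build a ServerDHParams blob from ints (used here to construct samples)."""
    def opaque16(n):
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack(">H", len(b)) + b
    return opaque16(p) + opaque16(g) + opaque16(ys)


def grade_message(msg):
    """Parse a ServerDHParams blob and return (bit length, grade)."""
    params = parse_server_dh_params(msg)
    return params["p_bits"], grade_dh_bits(params["p_bits"])


if __name__ == "__main__":
    # Constructed samples: top bit set to fix the size; NOT real safe primes.
    weak_msg = encode_server_dh_params((1 << 1023) | 1, 2, 5)
    ok_msg = encode_server_dh_params((1 << 2047) | 1, 2, 5)
    for name, msg in (("1024-bit group", weak_msg), ("2048-bit group", ok_msg)):
        print(name, grade_message(msg))
```

The bit length is taken from the integer value rather than from the field's byte length, because some servers encode the prime with a leading zero byte, which would otherwise over-report the group size by eight bits.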
I posted because the key exchange bug does not seem to be fixed completely - it is for some servers (i.e. the SSLLabs site), not others (i.e. casesearch).
How can DH strength be increased on IIS 7.5? I can't seem to find anything on Google about it.
I will also prioritize DHE over RSA in the cipher suite order. Not that much uses DHE still anyway, just Android 2.3.7 and OpenSSL 0.9.8...
And of course the move to SHA2 will be fun...
My first thought was "since when does IIS 7.5 support DHE???", then I looked closer: its AES mode is AEAD GCM, fine.
While TLS_RSA_WITH_AES_256_GCM_SHA384 and TLS_RSA_WITH_AES_128_GCM_SHA256 were included, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 were not. The latter were not included because, for some unknown reason, Microsoft chose to use weak Diffie-Hellman parameters.
Disable them because of this: MS14-066: Vulnerability in SChannel could allow remote code execution: November 11, 2014
Ok, thanks, makes sense. I have disabled DHE on any affected servers and they are awaiting an after-hours restart.
Could IIS DHE be discussed in its own thread?
I think the F rating is fixed in the last dev version so the thread could be closed.