I simply do not understand why I have two certification paths and how I can exchange the SHA1 one with a SHA256 one.
Could you explain to me what to do? Some browsers are complaining about it, though SSL Labs says it's A+.
It's hard to be certain because you didn't tell us your hostname and I can't check your configuration, but I think those browsers complaining are doing so because they're buggy and can't choose a SHA2 certificate path, even though it is available to them. It's actually a combination of browser, library, operating system, and CA problems.
Normally, you can’t do anything about it. It just means that there *is* a validation path involving a known and still valid SHA1 cert.
In your case, you could improve your score by not sending that very certificate in the first place which you’re actually doing. You should only send your own certificate and all higher-level certs *except* for any root (==self-signed) certificate. Perhaps that is the reason for some browsers or other web clients to refuse the connection. Note: Chain issues … contains anchor. But even if you weren’t offering it, the validation chain down to this browser-implanted certificate would still exist.
Your choice for offering 3DES is also not the best (but that wasn’t your question).
I know I have 3 certs (the second one a duplicate) in my crt file.
I removed the third one because it is a duplicate of the second one.
Should I remove the first one too?
And what do you mean with 3DES? I searched for 3DES in my ciphers but couldn't find it. What do I have to do?
My ciphers are: EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
Sorry, this topic is really new for me.
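Added example (not code posted by anyone in this thread): a small Python script that answers the 3DES question from the cipher string alone. OpenSSL spells 3DES as DES-CBC3 in suite names, which is why a search for "3DES" finds nothing; the script lists those entries and the duplicated entries, then builds a deduplicated string with the explicit 3DES suites removed and `!3DES` appended. It inspects the text only and does not call OpenSSL, so it cannot tell what the `HIGH` keyword expands to on a given system.

```python
# Constructed copy of the cipher string quoted in the post above.
CIPHER_STRING = (
    "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:"
    "ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:"
    "ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:"
    "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:"
    "DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:"
    "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:"
    "AES128-SHA:AES128-SHA:DES-CBC3-SHA:"
    "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
)


def explicit_3des(cipher_string):
    """Entries naming a 3DES suite. OpenSSL spells 3DES as 'DES-CBC3' in suite
    names, so searching for '3DES' finds nothing; '!DES' removes only single
    DES, and the keyword that removes these suites is '!3DES'."""
    return [e for e in cipher_string.split(":") if "DES-CBC3" in e]


def duplicates(cipher_string):
    """Entries repeated verbatim; each repeat is reported once, in order seen."""
    seen, repeats = set(), []
    for entry in cipher_string.split(":"):
        if entry in seen and entry not in repeats:
            repeats.append(entry)
        seen.add(entry)
    return repeats


def harden(cipher_string):
    """Deduplicate, drop the explicit 3DES suites and append '!3DES', so that
    3DES pulled in via HIGH (older OpenSSL releases put DES-CBC3-SHA in HIGH)
    is excluded as well."""
    kept = []
    for entry in cipher_string.split(":"):
        if entry not in kept and "DES-CBC3" not in entry:
            kept.append(entry)
    if "!3DES" not in kept:
        kept.append("!3DES")
    return ":".join(kept)


if __name__ == "__main__":
    print("3DES suites:", explicit_3des(CIPHER_STRING))
    print("duplicates:", duplicates(CIPHER_STRING))
    print("hardened:", harden(CIPHER_STRING))
```

To see what a given OpenSSL build actually negotiates from the result, feed it to `openssl ciphers -v '<string>'` and check that no DES-CBC3 suite is listed.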
On Windows, Chrome is complaining because of the intermediate that expires in 2022 (your server even sends it twice, another small misconfiguration). Replace it with the intermediate that expires in 2017:
I did it but can't tell if it changed something. I went back to twitter and asked the person who had the issue to try it again. Thanks!
What else can I do to increase the website security? How can I get 100% everywhere?
Is it a bad thing to have my Class2 cert from StartSSL?
For 100% protocol support your site should support TLS 1.2 only. Are you sure there are no TLS 1.0 and TLS 1.1 clients? If so, disable those and be happy!
For 100% key exchange use at least 4096-bit RSA or 384-bit ECC keys. In case of using RSA and supporting DHE suites, also use at least 4096-bit Diffie-Hellman parameters.
100% cipher strength is achieved by supporting 256-bit encryption only. But unless you support and prioritize CHACHA20_POLY1305 cipher, Chrome will show "obsolete cryptography" message. Your server will also negotiate obsolete cryptography with Firefox and Googlebot. 90% is enough!
Regardless of the validation level, StartSSL has some common problems:
1. Intermediate certificate caching can trigger Chrome SHA1 warning despite your server sending SHA2 chain.
2. OCSP can return "certificate unknown" for 6 hours after certificate issuance.
3. OCSP often goes down. I have seen SSL Labs "OCSP read time out" warnings and Symantec Cryptoreport using CRL for validation because of OCSP inaccessibility.
4. Any certificate is valid for the main domain. Even if you need SAN certificate for example.com subdomains only, the certificate will be valid for example.com itself. It also weakens security.
5. No ECC certificates. Microsoft IIS users either live with Chrome "obsolete cryptography" or enable DHE suites with default 1024-bit parameters, thus weakening security.
6. No support for Certificate Transparency. Customers with Extended Validation certificates should implement custom TLS extension on their servers for the green bar in Chrome.
7. For new domains you should wait at least 3 days. With Comodo, I was able to obtain an Organization Validation certificate 10 hours after domain registration with addPeriod status.
Thanks for all the information. That really helps to be able to evaluate our status.
What a shitty decision to use StartSSL, but it is cheap and that was the key for us as a startup.
The hostname can be seen in the screenshot attached to the first post: it's www.stomt.com
Ah, indeed. Thanks for pointing that out. Having looked at the report, I can confirm that the server is sending an all-SHA2 chain. If there are any warnings there, they are going to be because of bugs I mentioned earlier.