

SSL Labs Check - StartSSL Cert - OCSP Error & VestaCP

DeanDean Member
edited February 2015 in Help

Hi, was wondering if anyone had managed to get higher than an A rating when using StartSSL and VestaCP.

I've got the SSL cert installed, with intermediate certificate. I've also got VestaCP setup.
Anyone have any ideas how to get rid of the "OCSP ERROR" that pops up in their reports?

https://www.ssllabs.com/ssltest/analyze.html?d=editmy.org

Also, how about this line from the report: IE 6 / XP — No FS (1), No SNI (2), Protocol or cipher suite mismatch, Fail (3)

Comments

  • I always scored A+ with https://cipherli.st/

    Thanks to @Raymii

  • Brill, thanks. Will take a look after

  • The settings on https://cipherli.st will get you an A+. If you need an alternative SSL checking tool, try my other project: https://tls.so/

  • Ok, fixed the OCSP error - still only getting an A :(

  • berkayberkay Member
    edited February 2015

    About stapling, you have to include all intermediate certs and connect to your web server for a few times first to get stapling working. I know it works with StartSSL so investigate your installation.

    https://wiki.mozilla.org/Security/Server_Side_TLS Intermediate cipher list gets an A+ if I remember correctly.
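A way to check stapling from your own machine, following the point above that nginx only fetches the OCSP response after the first handshake. This is an added example, not from the thread or from VestaCP; it assumes the `openssl` CLI is installed and that host, port and retry count are supplied by the caller.

```shell
#!/bin/sh
# Added example: classify the stapling result of `openssl s_client -status`
# and retry a few times, because nginx serves no OCSP response on the very
# first handshake after a restart (it fetches it in the background).

# Read s_client output from stdin and print one of:
#   stapled          - a successful OCSP response was stapled
#   stapled-but-bad  - a response was stapled but its status is not "successful"
#   none             - no OCSP response sent
stapling_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
        echo none
    elif printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$out" | grep -q 'OCSP Response Status:'; then
        echo stapled-but-bad
    else
        echo none
    fi
}

# Connect to host (port defaults to 443) up to N times (default 3), one
# second apart, and report the first result that is not "none".
check_stapling() {
    host=$1; port=${2:-443}; tries=${3:-3}
    i=1
    while [ "$i" -le "$tries" ]; do
        result=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
                    -servername "$host" -status 2>/dev/null | stapling_status)
        [ "$result" != none ] && break
        i=$((i + 1)); sleep 1
    done
    echo "$host: $result"
}

# Usage: sh check_stapling.sh example.org [port] [tries]
if [ "$#" -gt 0 ]; then
    check_stapling "$@"
fi
```

A result of `none` after several tries usually means `ssl_stapling` is off or the intermediate chain needed to fetch the response is missing; `stapled-but-bad` means a response is served but the responder rejected the request, so check the chain handed to nginx.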

  • @Raymii said:
    The settings on https://cipherli.st will get you an A+. If you need an alternative SSL checking tool, try my other project: https://tls.so/

    That looks pretty helpful ... :)

The test url is not working for me. (https://z1s.org/ssl/)

  • Has anyone else got it working with VestaCP? I've followed the cipherli.st and it's still not working.

  • jarjar Patron Provider, Top Host, Veteran
    edited February 2015

    Keep in mind that an absolutely flawless score on some SSL test is not a real measure of security, and quite often will be accomplished by removing conveniences for no real positive gain other than a higher score on some website. There will always be clients that use older software and clients that use updated software do not see a decrease in security by your allowing the other clients to use less secure connections. For me, it ends up driving support requests by clients who are just going to get a virus eventually anyway. You've always got to weigh your individual needs and what's reasonable while maintaining a secure environment. You can't secure a client's machine by forcing good SSL ciphers.

    @DeanClinton said:
    Has anyone else got it working with VestaCP? I've followed the cipherli.st and it's still not working.

    Odd, that site isn't even loading for me. What files are you placing the rules in? Should be something like /home/admin/conf/web/shttpd.conf and /home/admin/conf/web/snginx.conf. Restart nginx and apache.

Or for the Vesta panel, /usr/local/vesta/nginx/conf/nginx.conf. Restart service named vesta (has its own nginx installation separate from the one serving your sites).

  • @Umair said:
The test url is not working for me. (https://z1s.org/ssl/)

    That should redirect you to https://tls.so

  • DeanDean Member
    edited February 2015

    I'm going to reinstall and start again... it's driving me mad..

Thanks @Jar - I somehow managed to screw up Vesta's NGinx config so I'm reinstalling and will go back to beginning :)

  • DeanDean Member
    edited February 2015

Ok, I've got A+ with only adding a couple of lines.
The OCSP error is still gone (which is good)... but it's not working :( - also shows "OCSP stapling: No"

I'll leave it till tomorrow and see if it rights itself in case it's their end.

  • darn.. ocsp still showing bad request :(

  • Mahfuz_SS_EHLMahfuz_SS_EHL Host Rep, Veteran

    You've to enable HTTP Strict Transport Security with Long Duration to get A+ Rating: https://www.ssllabs.com/ssltest/analyze.html?d=manage.syncserve.net

  • Yeah got all that. It's OCSP not working..

  • howardsl2howardsl2 Member
    edited February 2015

    For optimal (A+) SSL Ciphers and OCSP Stapling, please refer to the latest article on my tech blog:
    https://blog.ls20.com/optimizing-nginx-config-for-your-website-or-blog/

    Also included are useful Nginx optimization tips such as XSS protection, identifying bots and advanced logging.
