SSL Labs Check- StartSSL Cert - OSCP Error & VestaCP
Hi, was wondering if anyone had managed to get higher than an A rating when using StartSSL and VestaCP.
I've got the SSL cert installed, with intermediate certificate. I've also got VestaCP setup.
Anyone have any ideas how to get rid of the "OCSP ERROR" that pops up in their reports?
https://www.ssllabs.com/ssltest/analyze.html?d=editmy.org
Also, how about this line from the report: IE 6 / XP (No FS, No SNI) - Protocol or cipher suite mismatch - Fail
Comments
I always scored A+ with https://cipherli.st/
Thanks to @Raymii
Brill, thanks. Will take a look after
The settings on https://cipherli.st will get you an A+. If you need an alternative SSL checking tool, try my other project: https://tls.so/
Ok, fixed the OCSP error - still only getting an A
About stapling, you have to include all intermediate certs and connect to your web server for a few times first to get stapling working. I know it works with StartSSL so investigate your installation.
https://wiki.mozilla.org/Security/Server_Side_TLS Intermediate cipher list gets an A+ if I remember correctly.
That looks pretty helpful ...
The test URL is not working for me. (https://z1s.org/ssl/)
Has anyone else got it working with VestaCP? I've followed the cipherli.st and it's still not working.
Keep in mind that an absolutely flawless score on some SSL test is not a real measure of security, and quite often will be accomplished by removing conveniences for no real positive gain other than a higher score on some website. There will always be clients that use older software and clients that use updated software do not see a decrease in security by your allowing the other clients to use less secure connections. For me, it ends up driving support requests by clients who are just going to get a virus eventually anyway. You've always got to weigh your individual needs and what's reasonable while maintaining a secure environment. You can't secure a client's machine by forcing good SSL ciphers.
Odd, that site isn't even loading for me. What files are you placing the rules in? Should be something like /home/admin/conf/web/shttpd.conf and /home/admin/conf/web/snginx.conf. Restart nginx and apache.
Or for the Vesta panel, /usr/local/vesta/nginx/conf/nginx.conf. Restart the service named vesta (it has its own nginx installation, separate from the one serving your sites).
That should redirect you to https://tls.so
I'm going to reinstall and start again... it's driving me mad..
Thanks @Jar - I somehow managed to screw up Vesta's nginx config, so I'm reinstalling and will go back to the beginning.
OK, I've got A+ with only adding a couple of lines.
The OCSP error is still gone (which is good)... but it's not working - also shows OCSP stapling No
I'll leave it till tomorrow and see if it rights itself, in case it's their end.
darn.. ocsp still showing bad request
You have to enable HTTP Strict Transport Security with a long duration to get an A+ rating: https://www.ssllabs.com/ssltest/analyze.html?d=manage.syncserve.net
Yeah got all that. It's OCSP not working..
For optimal (A+) SSL Ciphers and OCSP Stapling, please refer to the latest article on my tech blog:
https://blog.ls20.com/optimizing-nginx-config-for-your-website-or-blog/
Also included are useful Nginx optimization tips such as XSS protection, identifying bots and advanced logging.
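The three things this thread keeps circling back to are whether the intermediate certificate is actually being served (the "include all intermediate certs" advice), whether the nginx config under /home/admin/conf/web/ carries the stapling directives at all, and whether HSTS is set for the A+. The script below is an added example written for this page, not code posted by any participant or shipped by VestaCP or cipherli.st. It assumes POSIX sh, grep and mktemp, plus the openssl CLI for the optional live check; the certificate file names under /home/admin/conf/web/ and the host example.test are placeholders, and the two s_client transcripts are constructed, not real captures.

```shell
#!/bin/sh
# Added example for this thread (not any poster's code).
# Assumes: POSIX sh, grep, mktemp; openssl CLI only for live_check.

# Classify `openssl s_client -status` output read on stdin.
# Prints: stapled | not-stapled | unknown
classify_stapling() {
  out=$(cat)
  case "$out" in
    *"OCSP Response Status: successful"*) echo stapled ;;
    *"OCSP response: no response sent"*)  echo not-stapled ;;
    *)                                    echo unknown ;;
  esac
}

# Count certificates the server sent (the " 0 s:", " 1 s:" chain lines).
# A depth of 1 means no intermediate was sent, so nginx cannot validate the
# OCSP response and SSL Labs shows the stapling/chain problems seen above.
chain_depth() {
  grep -cE '^ *[0-9]+ s:'
}

# Live check against a real host; needs network. Usage: live_check editmy.org
live_check() {
  host="$1"; port="${2:-443}"
  out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
        -servername "$host" -status 2>/dev/null)
  echo "stapling:    $(printf '%s\n' "$out" | classify_stapling)"
  echo "chain depth: $(printf '%s\n' "$out" | chain_depth)"
}

# Report stapling/HSTS directives missing from an nginx config, ignoring
# commented-out lines. Usage: audit_nginx_conf /home/admin/conf/web/snginx.conf
# Prints one "missing: ..." line per directive; exit 1 if anything is missing.
audit_nginx_conf() {
  conf="$1"; missing=0
  need() {
    grep -v '^[[:space:]]*#' "$conf" | grep -Eq "$2" \
      || { echo "missing: $1"; missing=$((missing+1)); }
  }
  need 'ssl_stapling on'          'ssl_stapling[[:space:]]+on'
  need 'ssl_stapling_verify on'   'ssl_stapling_verify[[:space:]]+on'
  need 'ssl_trusted_certificate'  'ssl_trusted_certificate'
  need 'resolver'                 '^[[:space:]]*resolver'
  need 'Strict-Transport-Security header' 'Strict-Transport-Security'
  [ "$missing" -eq 0 ]
}

# Constructed nginx server fragment (placeholder paths) written to a temp
# file; "complete" adds ssl_stapling_verify, anything else leaves it out.
write_sample_conf() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate     /home/admin/conf/web/ssl.example.test.pem;
    ssl_certificate_key /home/admin/conf/web/ssl.example.test.key;
    # intermediate (+root) chain nginx uses to validate the OCSP response
    ssl_trusted_certificate /home/admin/conf/web/ssl.example.test.ca;
    ssl_stapling on;
    resolver 127.0.0.1 valid=300s;   # use your own resolver here
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
EOF
  [ "$1" = complete ] && printf '    ssl_stapling_verify on;\n' >> "$f"
  echo '}' >> "$f"
  echo "$f"
}

# Constructed s_client transcripts (not real captures) for offline use.
SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:CN = example.test
   i:CN = Example Intermediate CA
---'
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
---
Certificate chain
 0 s:CN = example.test
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---'

# With a host argument, run the live check; without one, stay offline.
[ -n "${1:-}" ] && live_check "$1" "${2:-}"
```

Run it as `sh check.sh yourhost` after restarting nginx and fetching the site a few times, since nginx only staples once it has obtained an OCSP response; a "not-stapled" result together with a chain depth of 1 points at the missing intermediate rather than at the OCSP responder.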