# Questions about SSL Test



## wlanboy (Sep 13, 2015)

I am using Qualys SSL Labs https://www.ssllabs.com tests to check my SSL certificates and SSL configuration.


Rating looks good but I do have some questions regarding the "open items".


1. *Chain issues: Contains anchor*
   Looks like the "AddTrust External CA Root" certificate is "sent by server" and is "In trust store" of the Browser.
   Cannot imagine why this is an issue.
   I always added the whole cert chain within the ca file - without any warnings.
2. *IE 6 / XP No FS 1 No SNI 2 Protocol or cipher suite mismatch*
   As far as I know I have to enable insecure ciphers to support IE 6. So this cannot be an issue, or?
3. *Java 6u45 No SNI 2 Client does not support DH parameters > 1024 bits*
   Same here - I am using 4096 bits dh.

That's it.
Looking forward to the opinions on the three "open items" of the test result.

Thanks @Dylan - report is now fine.


----------



## d2d4j (Sep 13, 2015)

Hi

I'm sorry I cannot see your full domain test, but just thought I'd mention licensecart (mike) has instructions to get an A+ rating on his website knowledge base. 

You can check out our test server rating but it's not vps, so I'm not sure if it counts on this forum - 3sh.co.uk

Many thanks

John


----------



## Dylan (Sep 13, 2015)

wlanboy said:


> *Chain issues: Contains anchor*
> Looks like the "AddTrust External CA Root" certificate is "sent by server" and is "In trust store" of the Browser.
> Cannot imagine why this is an issue.
> I always added the whole cert chain within the ca file - without any warnings.
> ...




1. This isn't an issue as in "it's not allowed" or "it's insecure." It's technically fine to include the root, but the extra, redundant certificate increases handshake latency. Some people care about eking out every possible bit of performance; if you don't, you can safely ignore that message. There's no reason or benefit to include the certificate, though.
2. and 3. are purely informational -- they don't reduce your score (to the contrary; including the compatible ciphers would). They're just letting you know in case you need compatibility with older systems.

If you want to turn that A into an A+, all you need to do is enable HSTS.
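
Added example, not part of Dylan's post or the thread: a Python check of a response's `Strict-Transport-Security` header against the RFC 6797 rules a browser applies before honoring it (required `max-age`, no duplicate directives, HTTPS only, first header wins). The function names, the 180-day minimum `max-age` and the sample responses are assumptions constructed for illustration.

```python
import re

MIN_MAX_AGE = 180 * 24 * 3600  # assumption: 180 days as the minimum max-age
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def parse_hsts(value):
    """Parse one header value (RFC 6797 s6.1); None if a browser would discard it."""
    directives = {}
    for part in filter(None, map(str.strip, value.split(";"))):  # skips empty parts
        name, sep, val = (s.strip() for s in part.partition("="))
        name = name.lower()         # directive names are case-insensitive
        if not _TOKEN.fullmatch(name) or name in directives:
            return None             # bad name or duplicate directive
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]         # quoted-string form (no ';' inside supported)
        directives[name] = val if sep else None
    age = directives.get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):
        return None                 # max-age is required and must be digits
    directives["max-age"] = int(age)
    return directives

def audit(scheme, headers):
    """Findings for one response's (name, value) headers; [] means OK."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security header"]
    if scheme != "https":
        return ["header sent over plain HTTP is ignored by browsers"]
    policy = parse_hsts(values[0])  # browsers process only the first header
    if policy is None:
        return ["header is malformed and will be discarded"]
    findings = []
    if policy["max-age"] < MIN_MAX_AGE:
        findings.append("max-age below %d seconds" % MIN_MAX_AGE)
    if "includesubdomains" not in policy:
        findings.append("subdomains are not covered")
    return findings

# Constructed sample responses, not captured from any real site.
SAMPLES = [
    ("https", [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]),
    ("https", [("strict-transport-security", 'max-age="300"')]),
    ("https", [("Strict-Transport-Security", "max-age=300; max-age=31536000")]),
    ("http", [("Strict-Transport-Security", "max-age=31536000")]),
]
if __name__ == "__main__":
    for scheme, hdrs in SAMPLES:
        print(scheme, hdrs[0][1], "->", audit(scheme, hdrs) or "OK")
```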


----------



## wlanboy (Sep 13, 2015)

d2d4j said:


> Hi I'm sorry I cannot see your full domain test, but just thought I'd mention licensecart (mike) has instructions to get an A+ rating on his website knowledge base. You can check out our test server rating but it's not vps, so I'm not sure if it counts on this forum - 3sh.co.uk Many thanks John



It is my main domain wlanboy.com


----------



## wlanboy (Sep 13, 2015)

Dylan said:


> wlanboy said:
> 
> 
> > *Chain issues: Contains anchor*
> ...


Thank you a lot for pointing me to HSTS.
Why do they not add that note to their report?


----------



## clarity (Sep 14, 2015)

Thanks for bringing this up again @wlanboy. I went and upgraded my personal site to an A+ rating with this little bit of motivation.


----------

