Questions about SSL Test

[wlanboy]

I am using Qualys SSL Labs https://www.ssllabs.com tests to check my ssl certificates and ssl configuration.


Rating looks good but I do have some questions regarding the "open items".

1. Chain issues: Contains anchor
   Looks like the "AddTrust External CA Root" certificate is "sent by server" and is "In trust store" of the Browser.
   Cannot imagine why this is an issue.
   I always added the whole cert chain within the ca file - whithout any warnings.
2. IE 6 / XP No FS 1 No SNI 2 Protocol or cipher suite mismatch
   As far as I know I have to enable insecure ciphers to support IE 6. So this cannot be an issue, or?
3. Java 6u45 No SNI 2 Client does not support DH parameters > 1024 bits
   Same here - I am using 4096 bits dh.

Thats it.
Looking forward on the opinions on the three "open items" of the test result.

Thanks @Dylan - report is now fine.

 

[d2d4j]

Hi

I'm sorry I cannot see your full domain test, but just thought I'd mention licensecart (mike) has instructions to get an A+ rating on his website knowledge base.

You can check out our test server rating but it's not vps, so I'm not sure if it counts on this forum - 3sh.co.uk

Many thanks

John

 

[Dylan]

1. Chain issues: Contains anchor
   Looks like the "AddTrust External CA Root" certificate is "sent by server" and is "In trust store" of the Browser.
   Cannot imagine why this is an issue.
   I always added the whole cert chain within the ca file - whithout any warnings.
2. IE 6 / XP No FS 1 No SNI 2 Protocol or cipher suite mismatch
   As far as I know I have to enable insecure ciphers to support IE 6. So this cannot be an issue, or?
3. Java 6u45 No SNI 2 Client does not support DH parameters > 1024 bits
   Same here - I am using 4096 bits dh.

1. This isn't an issue as in "it's not allowed" or "it's insecure." It's technically fine to include the root, but the extra, redundant certificate increases handshake latency. Some people care about eking out every possible bit of performance; if you don't, you can safely ignore that message. There's no reason or benefit to include the certificate, though.
2. and 3. are purely informational -- they don't reduce your score (to the contrary; including the compatible ciphers would). They're just letting you know in case you need compatibility with older systems.

If you want to turn that A into an A+, all you need to do is enable HSTS.

 

[wlanboy]

Hi I'm sorry I cannot see your full domain test, but just thought I'd mention licensecart (mike) has instructions to get an A+ rating on his website knowledge base. You can check out our test server rating but it's not vps, so I'm not sure if it counts on this forum - 3sh.co.uk Many thanks John

It is my main domain wlanboy.com

 

[wlanboy]

1. Chain issues: Contains anchor
   Looks like the "AddTrust External CA Root" certificate is "sent by server" and is "In trust store" of the Browser.
   Cannot imagine why this is an issue.
   I always added the whole cert chain within the ca file - whithout any warnings.
2. IE 6 / XP No FS 1 No SNI 2 Protocol or cipher suite mismatch
   As far as I know I have to enable insecure ciphers to support IE 6. So this cannot be an issue, or?
3. Java 6u45 No SNI 2 Client does not support DH parameters > 1024 bits
   Same here - I am using 4096 bits dh.

1. This isn't an issue as in "it's not allowed" or "it's insecure." It's technically fine to include the root, but the extra, redundant certificate increases handshake latency. Some people care about eking out every possible bit of performance; if you don't, you can safely ignore that message. There's no reason or benefit to include the certificate, though.
2. and 3. are purely informational -- they don't reduce your score (to the contrary; including the compatible ciphers would). They're just letting you know in case you need compatibility with older systems.

If you want to turn that A into an A+, all you need to do is enable HSTS.

Thank you a lot to pointing me to HSTS. 
Why do they not add that note to their report?

 

[clarity]

Thanks for bringing this up again @wlanboy. I went and upgrade my personal site to an A+ rating with this little bit of motivation.