amuck-landowner

Questions about SSL Test

wlanboy

Content Contributer
I am using the Qualys SSL Labs tests (https://www.ssllabs.com) to check my SSL certificates and SSL configuration.
(attached screenshot: wlanboy_com_ssllabs_test.jpg)

The rating looks good, but I do have some questions regarding the "open items".

  1. Chain issues: Contains anchor
    Looks like the "AddTrust External CA Root" certificate is "sent by server" and is "In trust store" of the browser.
    Cannot imagine why this is an issue.
    I always added the whole cert chain within the CA file - without any warnings.
  2. IE 6 / XP, No FS, No SNI: Protocol or cipher suite mismatch
    As far as I know I have to enable insecure ciphers to support IE 6. So this cannot be an issue, can it?
  3. Java 6u45, No SNI: Client does not support DH parameters > 1024 bits
    Same here - I am using 4096-bit DH.
That's it.
Looking forward to the opinions on the three "open items" of the test result.

Thanks @Dylan - report is now fine.

(attached screenshot: ssl_labs_test_wlanboy_com.jpg)
 
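Item 1 ("Contains anchor") is easiest to see with a chain you built yourself. The script below is an added example, not code from this thread or from SSL Labs: it builds a throw-away root/intermediate/leaf PKI with the openssl CLI, counts the self-issued certificates (subject equals issuer, which is what a sent root such as "AddTrust External CA Root" looks like) in two candidate chain bundles, and then verifies the leaf the way a client does, with the intermediate supplied as untrusted input and only the root taken from the local trust store. All names and paths (Test Root, Test Intermediate, www.example.test, the mktemp directory) are constructed for the demo, and it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread: a throw-away three-tier PKI built
# with the openssl CLI to show what SSL Labs' "Chain issues: Contains anchor"
# refers to. Assumes openssl is on PATH; the names (Test Root, Test Intermediate,
# www.example.test) and the files under $WORK are constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build root -> intermediate -> leaf. Keys are unencrypted (-nodes): demo only.
make_pki() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"

  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Test Root' \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

  # Two candidate chain bundles, in the order a server sends them (leaf first).
  cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/chain_without_root.pem"
  cat "$WORK/leaf.pem" "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/chain_with_root.pem"
}

# count_anchors BUNDLE: print the number of self-issued certificates
# (subject == issuer) in a PEM bundle. A non-zero count is what the SSL Labs
# report calls "Contains anchor": the server is sending a trust anchor that
# the client must already have anyway.
count_anchors() {
  bundle="$1"
  dir="$(mktemp -d)"
  # Split the bundle into one file per certificate.
  awk -v dir="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
    f { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
  ' "$bundle"
  anchors=0
  for f in "$dir"/cert*.pem; do
    subj="$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')"
    iss="$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')"
    [ "$subj" = "$iss" ] && anchors=$((anchors + 1))
  done
  rm -rf "$dir"
  echo "$anchors"
}

# Validate the leaf the way a client does: the intermediate sent by the server
# is untrusted input, and only the root comes from the local trust store. The
# root itself is never needed from the server.
leaf_verifies() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

# The chain problem that actually breaks clients: a server that omits the
# intermediate fails validation even though the client trusts the root.
leaf_verifies_without_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

main() {
  make_pki
  echo "anchors in chain_without_root.pem: $(count_anchors "$WORK/chain_without_root.pem")"
  echo "anchors in chain_with_root.pem:    $(count_anchors "$WORK/chain_with_root.pem")"
  if leaf_verifies; then
    echo "leaf verifies with the intermediate sent and the root in the trust store"
  fi
  if ! leaf_verifies_without_intermediate; then
    echo "leaf does NOT verify when the intermediate is missing"
  fi
}
main
```

To check a live server instead of the demo PKI, point count_anchors at the bundle the server really sends, for example the certificates printed by `openssl s_client -connect host:443 -showcerts`: a count of 1 is exactly the "Contains anchor" remark, and the two verify calls show why it is only a remark, since the root is never taken from the server, while a missing intermediate is the chain error that does break clients.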

d2d4j

New Member
Hi

I'm sorry I cannot see your full domain test, but just thought I'd mention licensecart (mike) has instructions to get an A+ rating on his website knowledge base.

You can check out our test server rating, but it's not a VPS, so I'm not sure if it counts on this forum - 3sh.co.uk

Many thanks

John
 

Dylan

Active Member
  1. Chain issues: Contains anchor
    Looks like the "AddTrust External CA Root" certificate is "sent by server" and is "In trust store" of the Browser.
    Cannot imagine why this is an issue.
    I always added the whole cert chain within the CA file - without any warnings.
  2. IE 6 / XP, No FS, No SNI: Protocol or cipher suite mismatch
    As far as I know I have to enable insecure ciphers to support IE 6. So this cannot be an issue, can it?
  3. Java 6u45, No SNI: Client does not support DH parameters > 1024 bits
    Same here - I am using 4096-bit DH.

  1. This isn't an issue as in "it's not allowed" or "it's insecure." It's technically fine to include the root, but the extra, redundant certificate increases handshake latency. Some people care about eking out every possible bit of performance; if you don't, you can safely ignore that message. There's no reason or benefit to include the certificate, though.
  2. and 3. are purely informational -- they don't reduce your score (to the contrary; including the compatible ciphers would). They're just letting you know in case you need compatibility with older systems.
If you want to turn that A into an A+, all you need to do is enable HSTS.
 
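Dylan's HSTS tip is simple to apply but easy to get subtly wrong, so here is an added example (not from the thread) for checking the result. It is a POSIX shell parser for the Strict-Transport-Security header that follows RFC 6797: directive names are case-insensitive, max-age may be quoted, a repeated max-age makes the whole header invalid, and max-age=0 withdraws a stored policy rather than enabling one. The 180-day threshold for "long" is my assumption about what SSL Labs counts as a long max-age, so check it against the current rating guide; the sample header values and responses are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: check a Strict-Transport-Security
# header value the way a browser reads it (RFC 6797). The "long" threshold is
# an assumption about SSL Labs' A+ requirement; sample headers are constructed.
set -eu

LONG_MAX_AGE=15552000   # 180 days; assumed threshold, check the SSL Labs rating guide

# hsts_from_headers: read raw response headers on stdin (e.g. `curl -sI URL`)
# and print the value of the first Strict-Transport-Security header, if any.
hsts_from_headers() {
  tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 \
    | cut -d: -f2- | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# hsts_max_age VALUE: print max-age in seconds. Prints nothing when the
# directive is absent or repeated (a repeated directive invalidates the header).
hsts_max_age() {
  printf '%s\n' "$1" | tr ';' '\n' | awk '
    { d = $0; gsub(/^[ \t]+|[ \t]+$/, "", d) }
    tolower(d) ~ /^max-age[ \t]*=[ \t]*"?[0-9]+"?$/ {
      n++; v = d; sub(/^[^=]*=[ \t]*"?/, "", v); sub(/"$/, "", v)
    }
    END { if (n == 1) print v }
  '
}

# hsts_has_subdomains VALUE: exit 0 if includeSubDomains is present.
hsts_has_subdomains() {
  printf '%s\n' "$1" | tr ';' '\n' | grep -qi '^[[:space:]]*includesubdomains[[:space:]]*$'
}

# hsts_grade VALUE: print one of missing | disabled | short | long.
hsts_grade() {
  age="$(hsts_max_age "$1")"
  if [ -z "$age" ]; then
    echo missing            # no usable max-age: browsers ignore the header entirely
  elif [ "$age" -eq 0 ]; then
    echo disabled           # max-age=0 tells browsers to forget a stored policy
  elif [ "$age" -lt "$LONG_MAX_AGE" ]; then
    echo short
  else
    echo long
  fi
}

main() {
  # Constructed sample header values, one per interesting case.
  for sample in \
    'max-age=31536000; includeSubDomains' \
    'Max-Age="15552000"' \
    'max-age=300' \
    'max-age=0' \
    'includeSubDomains' \
    'max-age=31536000; max-age=0'
  do
    printf '%-40s -> %s' "$sample" "$(hsts_grade "$sample")"
    if hsts_has_subdomains "$sample"; then printf ' (includeSubDomains)'; fi
    echo
  done
}
main
```

Against a live site, run `hsts_grade "$(curl -sI https://your.host/ | hsts_from_headers)"`. In nginx the header is set with `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";` inside the HTTPS server block; it only counts when it arrives over HTTPS (browsers ignore it on plain HTTP responses, including the redirect), and includeSubDomains commits every subdomain to HTTPS, so make sure none of them still needs plain HTTP before adding it.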

wlanboy

Content Contributer
Hi

I'm sorry I cannot see your full domain test, but just thought I'd mention licensecart (mike) has instructions to get an A+ rating on his website knowledge base.

You can check out our test server rating, but it's not a VPS, so I'm not sure if it counts on this forum - 3sh.co.uk

Many thanks

John

It is my main domain wlanboy.com
 

wlanboy

Content Contributer
  1. Chain issues: Contains anchor
    Looks like the "AddTrust External CA Root" certificate is "sent by server" and is "In trust store" of the Browser.
    Cannot imagine why this is an issue.
    I always added the whole cert chain within the CA file - without any warnings.
  2. IE 6 / XP, No FS, No SNI: Protocol or cipher suite mismatch
    As far as I know I have to enable insecure ciphers to support IE 6. So this cannot be an issue, can it?
  3. Java 6u45, No SNI: Client does not support DH parameters > 1024 bits
    Same here - I am using 4096-bit DH.

  1. This isn't an issue as in "it's not allowed" or "it's insecure." It's technically fine to include the root, but the extra, redundant certificate increases handshake latency. Some people care about eking out every possible bit of performance; if you don't, you can safely ignore that message. There's no reason or benefit to include the certificate, though.
  2. and 3. are purely informational -- they don't reduce your score (to the contrary; including the compatible ciphers would). They're just letting you know in case you need compatibility with older systems.
If you want to turn that A into an A+, all you need to do is enable HSTS.
Thank you a lot for pointing me to HSTS.
Why do they not add that note to their report?
 

clarity

Active Member
Thanks for bringing this up again @wlanboy. I went and upgraded my personal site to an A+ rating with this little bit of motivation.
 