{"id":5115,"date":"2018-03-08T09:18:41","date_gmt":"2018-03-08T14:18:41","guid":{"rendered":"http:\/\/www.carnaghan.com\/?p=5115"},"modified":"2018-03-08T09:18:41","modified_gmt":"2018-03-08T14:18:41","slug":"ssl-labs-rating-woes","status":"publish","type":"post","link":"https:\/\/www.carnaghan.com\/ssl-labs-rating-woes\/","title":{"rendered":"SSL Labs Rating Woes"},"content":{"rendered":"<p>I was recently notified that one of the sites I support was getting a &#8216;C&#8217; rating on <a href=\"https:\/\/www.ssllabs.com\/\">SSL Labs<\/a>. It turned out that there were three main issues that needed to be resolved. Two out of the three were relatively easy to find via the SSL Labs documentation, which required simple fixes to the ssl.conf file.<\/p>\n<ul>\n<li><strong>This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate<\/strong>. This was relatively easy to fix. I resolved it by modifying ssl_protocols in the <strong>ssl.conf<\/strong> file &#8211; thank you Digital Ocean for your<a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability\"><strong> comprehensive write-up<\/strong><\/a> on this!<\/li>\n<li><strong>The server does not support Forward Secrecy with the reference browsers<\/strong>. Again, more simple changes in the ssl.conf file. In case you run into a similar issue, be sure to read this helpful article,\u00a0<strong><a href=\"https:\/\/blog.qualys.com\/ssllabs\/2013\/08\/05\/configuring-apache-nginx-and-openssl-for-forward-secrecy\">Configuring Apache, Nginx, and OpenSSL for Forward Secrecy<\/a><\/strong>.<\/li>\n<\/ul>\n<p>The third issue, however, was not quite as straightforward:\u00a0<strong>This server accepts RC4 cipher, but only with older protocols<\/strong>. I found a number of helpful articles on this stating that by adding !RC4 to exclude RC4 in SSLCipherSuite, will result in mitigation of this vulnerability. I spent quite a bit of time trying different cypher\u00a0list combinations and always including !RC4, however no matter how many times I tweak this, restart httpd\u00a0and revisit SSL Labs, I kept getting the annoying &#8216;B&#8217; grade and RC4 complaint. For anyone facing similar issues, I highly recommend reading\u00a0<a href=\"https:\/\/hynek.me\/articles\/hardening-your-web-servers-ssl-ciphers\/\">Hardening Your Web Server\u2019s SSL Ciphers<\/a>.<\/p>\n<p>In the end, the problem I was facing was due to the fact I had a seperate\u00a0vhosts\u00a0file. I found the solution to my problem described in this very helpful entry on SuperUser,\u00a0<a href=\"https:\/\/superuser.com\/questions\/866738\/disabling-rc4-in-the-ssl-cipher-suite-of-an-apache-server\">Disabling RC4 in the SSL cipher suite of an Apache server<\/a>. The solution described here is to add the SSLCipherSuite specification in the Apache Directives textarea for each vhost. In my case, I had to add my SSLProtocol, SSLHonorCipherOrder, and SSLCypherSuite entries from ssl.conf into my vhosts file under my &lt;virtualHost&gt; tag. As the author of this post comments, it seems strange that it needs to be specified here also. Regardless if you are facing issues getting rid of RC4 and you are running vhosts, be sure to add your entries to your vhosts.conf file in addition to ssl.conf! Hopefully my wasted morning will benefit others.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I was recently notified that one of the sites I support was getting a &#8216;C&#8217; rating on SSL Labs. It turned out that there were three main issues that needed to be resolved. Two out of the three were relatively easy to find via the SSL Labs documentation, which required simple fixes to the ssl.conf [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24,356],"tags":[],"post_series":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.6 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>SSL Labs Rating Woes - Ian Carnaghan<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.carnaghan.com\/ssl-labs-rating-woes\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SSL Labs Rating Woes - Ian Carnaghan\" \/>\n<meta property=\"og:description\" content=\"I was recently notified that one of the sites I support was getting a &#8216;C&#8217; rating on SSL Labs. It turned out that there were three main issues that needed to be resolved. Two out of the three were relatively easy to find via the SSL Labs documentation, which required simple fixes to the ssl.conf [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.carnaghan.com\/ssl-labs-rating-woes\/\" \/>\n<meta property=\"og:site_name\" content=\"Ian Carnaghan\" \/>\n<meta property=\"article:published_time\" content=\"2018-03-08T14:18:41+00:00\" \/>\n<meta name=\"author\" content=\"Ian Carnaghan\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@icarnaghan\" \/>\n<meta name=\"twitter:site\" content=\"@icarnaghan\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ian Carnaghan\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.carnaghan.com\/ssl-labs-rating-woes\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.carnaghan.com\/ssl-labs-rating-woes\/\"},\"author\":{\"name\":\"Ian Carnaghan\",\"@id\":\"https:\/\/www.carnaghan.com\/#\/schema\/person\/c689c24d516c51968a88b628860740a5\"},\"headline\":\"SSL Labs Rating Woes\",\"datePublished\":\"2018-03-08T14:18:41+00:00\",\"dateModified\":\"2018-03-08T14:18:41+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.carnaghan.com\/ssl-labs-rating-woes\/\"},\"wordCount\":395,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.carnaghan.com\/#\/schema\/person\/c689c24d516c51968a88b628860740a5\"},\"articleSection\":[\"Coding\",\"Cybersecurity\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.carnaghan.com\/ssl-labs-rating-woes\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.carnaghan.com\/ssl-labs-rating-woes\/\",\"url\":\"https:\/\/www.carnaghan.com\/ssl-labs-rating-woes\/\",\"name\":\"SSL Labs Rating Woes - Ian Carnaghan\",\"isPartOf\":{\"@id\":\"https:\/\/www.carnaghan.com\/#website\"},\"datePublished\":\"2018-03-08T14:18:41+00:00\",\"dateModified\":\"2018-03-08T14:18:41+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.carnaghan.com\/ssl-labs-rating-woes\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.carnaghan.com\/ssl-labs-rating-woes\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.carnaghan.com\/ssl-labs-rating-woes\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.carnaghan.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SSL Labs Rating Woes\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.carnaghan.com\/#website\",\"url\":\"https:\/\/www.carnaghan.com\/\",\"name\":\"Ian Carnaghan\",\"description\":\"Software Developer, Blogger, Educator\",\"publisher\":{\"@id\":\"https:\/\/www.carnaghan.com\/#\/schema\/person\/c689c24d516c51968a88b628860740a5\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.carnaghan.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/www.carnaghan.com\/#\/schema\/person\/c689c24d516c51968a88b628860740a5\",\"name\":\"Ian Carnaghan\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.carnaghan.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/f2aa5baca80c2be728de43a975185d91?s=96&d=retro&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/f2aa5baca80c2be728de43a975185d91?s=96&d=retro&r=g\",\"caption\":\"Ian Carnaghan\"},\"logo\":{\"@id\":\"https:\/\/www.carnaghan.com\/#\/schema\/person\/image\/\"},\"description\":\"I am a software developer and online educator who likes to keep up with all the latest in technology. I also manage cloud infrastructure, continuous monitoring, DevOps processes, security, and continuous integration and deployment.\",\"sameAs\":[\"http:\/\/www.carnaghan.com\",\"https:\/\/x.com\/icarnaghan\"],\"url\":\"https:\/\/www.carnaghan.com\/author\/icarnaghan\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"SSL Labs Rating Woes - Ian Carnaghan","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.carnaghan.com\/ssl-labs-rating-woes\/","og_locale":"en_US","og_type":"article","og_title":"SSL Labs Rating Woes - Ian Carnaghan","og_description":"I was recently notified that one of the sites I support was getting a &#8216;C&#8217; rating on SSL Labs. It turned out that there were three main issues that needed to be resolved. Two out of the three were relatively easy to find via the SSL Labs documentation, which required simple fixes to the ssl.conf [&hellip;]","og_url":"https:\/\/www.carnaghan.com\/ssl-labs-rating-woes\/","og_site_name":"Ian Carnaghan","article_published_time":"2018-03-08T14:18:41+00:00","author":"Ian Carnaghan","twitter_card":"summary_large_image","twitter_creator":"@icarnaghan","twitter_site":"@icarnaghan","twitter_misc":{"Written by":"Ian Carnaghan","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.carnaghan.com\/ssl-labs-rating-woes\/#article","isPartOf":{"@id":"https:\/\/www.carnaghan.com\/ssl-labs-rating-woes\/"},"author":{"name":"Ian Carnaghan","@id":"https:\/\/www.carnaghan.com\/#\/schema\/person\/c689c24d516c51968a88b628860740a5"},"headline":"SSL Labs Rating Woes","datePublished":"2018-03-08T14:18:41+00:00","dateModified":"2018-03-08T14:18:41+00:00","mainEntityOfPage":{"@id":"https:\/\/www.carnaghan.com\/ssl-labs-rating-woes\/"},"wordCount":395,"commentCount":0,"publisher":{"@id":"https:\/\/www.carnaghan.com\/#\/schema\/person\/c689c24d516c51968a88b628860740a5"},"articleSection":["Coding","Cybersecurity"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.carnaghan.com\/ssl-labs-rating-woes\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.carnaghan.com\/ssl-labs-rating-woes\/","url":"https:\/\/www.carnaghan.com\/ssl-labs-rating-woes\/","name":"SSL Labs Rating Woes - Ian Carnaghan","isPartOf":{"@id":"https:\/\/www.carnaghan.com\/#website"},"datePublished":"2018-03-08T14:18:41+00:00","dateModified":"2018-03-08T14:18:41+00:00","breadcrumb":{"@id":"https:\/\/www.carnaghan.com\/ssl-labs-rating-woes\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.carnaghan.com\/ssl-labs-rating-woes\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.carnaghan.com\/ssl-labs-rating-woes\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.carnaghan.com\/"},{"@type":"ListItem","position":2,"name":"SSL Labs Rating Woes"}]},{"@type":"WebSite","@id":"https:\/\/www.carnaghan.com\/#website","url":"https:\/\/www.carnaghan.com\/","name":"Ian Carnaghan","description":"Software Developer, Blogger, Educator","publisher":{"@id":"https:\/\/www.carnaghan.com\/#\/schema\/person\/c689c24d516c51968a88b628860740a5"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.carnaghan.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/www.carnaghan.com\/#\/schema\/person\/c689c24d516c51968a88b628860740a5","name":"Ian Carnaghan","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.carnaghan.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/f2aa5baca80c2be728de43a975185d91?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f2aa5baca80c2be728de43a975185d91?s=96&d=retro&r=g","caption":"Ian Carnaghan"},"logo":{"@id":"https:\/\/www.carnaghan.com\/#\/schema\/person\/image\/"},"description":"I am a software developer and online educator who likes to keep up with all the latest in technology. I also manage cloud infrastructure, continuous monitoring, DevOps processes, security, and continuous integration and deployment.","sameAs":["http:\/\/www.carnaghan.com","https:\/\/x.com\/icarnaghan"],"url":"https:\/\/www.carnaghan.com\/author\/icarnaghan\/"}]}},"views":186,"_links":{"self":[{"href":"https:\/\/www.carnaghan.com\/wp-json\/wp\/v2\/posts\/5115"}],"collection":[{"href":"https:\/\/www.carnaghan.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.carnaghan.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.carnaghan.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.carnaghan.com\/wp-json\/wp\/v2\/comments?post=5115"}],"version-history":[{"count":0,"href":"https:\/\/www.carnaghan.com\/wp-json\/wp\/v2\/posts\/5115\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.carnaghan.com\/wp-json\/wp\/v2\/media?parent=5115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.carnaghan.com\/wp-json\/wp\/v2\/categories?post=5115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.carnaghan.com\/wp-json\/wp\/v2\/tags?post=5115"},{"taxonomy":"post_series","embeddable":true,"href":"https:\/\/www.carnaghan.com\/wp-json\/wp\/v2\/post_series?post=5115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}