
Problem with handshake simulations

Question asked by icnseo on Mar 20, 2014
Latest reply on Mar 20, 2014 by Ivan Ristić

Hello there.

I've made some changes to my server configuration and now I have problems with some of the simulations:

https://www.ssllabs.com/ssltest/analyze.html?d=sync.icnseo.com

Handshake Simulation

Client                                Protocol  Cipher suite                                    FS  Bits
Android 2.3.7  No SNI (2)             Protocol or cipher suite mismatch                         Fail (3)
Android 4.0.4                         TLS 1.0   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)     FS  256
Android 4.1.1                         TLS 1.0   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)     FS  256
Android 4.2.2                         TLS 1.0   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)     FS  256
Android 4.3                           TLS 1.0   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)     FS  256
Android 4.4.2                         TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)  FS  256
BingBot Dec 2013  No SNI (2)          Protocol or cipher suite mismatch                         Fail (3)
BingPreview Dec 2013                  Protocol or cipher suite mismatch                         Fail (3)
Chrome 33 / Win 7  (R)                TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)  FS  128
Firefox 24.2.0 ESR / Win 7            TLS 1.0   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)     FS  256
Firefox 27 / Win 8  (R)               TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)  FS  128
Googlebot Oct 2013                    TLS 1.0   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)     FS  256
IE 6 / XP  No FS (1)  No SNI (2)      Protocol or cipher suite mismatch                         Fail (3)
IE 7 / Vista                          TLS 1.0   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)     FS  256
IE 8 / XP  No FS (1)  No SNI (2)      Protocol or cipher suite mismatch                         Fail (3)
IE 8-10 / Win 7  (R)                  Protocol or cipher suite mismatch                         Fail (3)
IE 11 / Win 7  (R)                    Protocol or cipher suite mismatch                         Fail (3)
IE 11 / Win 8.1  (R)                  Protocol or cipher suite mismatch                         Fail (3)
Java 6u45  No SNI (2)                 Protocol or cipher suite mismatch                         Fail (3)
Java 7u25                             Protocol or cipher suite mismatch                         Fail (3)
Java 8b132                            TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)  FS  128
OpenSSL 0.9.8y                        Protocol or cipher suite mismatch                         Fail (3)
OpenSSL 1.0.1e                        TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)  FS  256
Safari 5.1.9 / OS X 10.6.8            TLS 1.0   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)     FS  256
Safari 6 / iOS 6.0.1  (R)             TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)  FS  256
Safari 7 / iOS 7.1  (R)               TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)  FS  256
Safari 6.0.4 / OS X 10.8.4  (R)       TLS 1.0   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)     FS  256
Safari 7 / OS X 10.9  (R)             TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)  FS  256
Yahoo Slurp Oct 2013                  TLS 1.0   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)     FS  256
YandexBot 3.0  No FS (1)  No SNI (2)  Protocol or cipher suite mismatch                         Fail (3)

(1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it.
(2) No support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI.
(3) Only first connection attempt simulated. Browsers tend to retry with a lower protocol version.
(R) Denotes a reference browser or client, with which we expect better effective security.
(All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE).

 

My current nginx configuration is:

        ssl_session_cache       builtin:1000  shared:SSL:5m;
        ssl_session_timeout     10m;
        ssl_stapling            on;
        ssl_stapling_verify     on;
        ssl_ecdh_curve          secp521r1;
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;


Is there anything that I missed?
