AnsweredAssumed Answered

How to get ssllabs.com/ssltest "Cipher Strength" to 100 points?

Question asked by j-mailor on May 5, 2014
Latest reply on May 8, 2014 by j-mailor

Hi,

for one of our internal web server with business sensitive data I have performed ssllabs.com/ssltest and got "Cipher Strength" of 90 points. Is there a way I can increase this to 100 points? According to SSL_Server_Rating_Guide 100% grade is awarded only to https server with exclusive >= 256 bits, so if I understand correctly in my case all of the 128-bit ciphers (marked with pink rectangles on image bellow) should be removed. How can I do this?

 

Note: We are using Firefox Portable 24 ESR specially set to only use this in house made application, so I can affort to reduce cipher list down to very small number of ciphers supported by this browser version. Also about:config security.tls.version.max parameter is set to 3 which means use TLS v1.2 (TLS 1.2 and TLS 1.1 are by default disabled in Firefox 24 ESR because at the time of this browser version there were some issues with http servers not supporting TLS 1.2/1.1 - because this is not a problem in our case I can affort to have this settings set and so get TLS v1.2 support).

 

My software:

- Apache 2.4.9

- OpenSSL 1.0.1g

- Windows 2008 R2

 

Cipher suite setting in my http server http-ssl.conf file:

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

 

Thanks

 

cipher_strength.png

Outcomes