
SSL labs test gives F rating

Question asked by Naresh Bhanushali on Jun 12, 2014
Latest reply on Jun 16, 2014 by Ivan Ristić

Hi all,

I have a few websites which are behind a firewall and have a Barracuda load balancer incorporated for load balancing the web requests between two Apache servers.

Recently, the company's security team raised an alert for weak SSL configuration. Being a novice in SSL, I did some surfing and adjusted the following on both of my web servers:

- Disabled SSLv2 and disabled SSLv3

- Enabled TLSv1.1 and TLSv1.2

- Added the new strong cipher

My Apache version is 2.2.15 and the SSL version is 1.0.1e-fips.

But still, in the SSL test, I am getting an "F" rating with the below-mentioned shortcomings:

- SSLv2 enabled

- Vulnerable to BEAST attack

- Cipher strength weak

- HTTP Strict-Transport-Security should be enabled (not supported with the current version of Apache)

An SSL version check on the local system yields that SSLv2 and SSLv3 are disabled.

I suspect that, due to the Barracuda load balancer, I am getting such a rating. Can you please help me in proving me right?
