When will the SSL Labs SSL Server Test be fixed with regard to the DROWN Attack test? Until it is, the grade the test produces in some cases is incorrect and valueless.
Disable SSLv2 in the configuration for IP 188.8.131.52. Removing it completely is left to your choice.
Can you please explain the problem you are facing?
You can see the issue here regarding the test results for one of my domains:
SSL Server Test: password-sentry.com (Powered by Qualys SSL Labs)
The DROWN test result is incorrect. It is looking at the wrong IP address of another web server.
Please check this URL: https://censys.io/ipv4?q=6c18d9cc3e2356aea4128785c3d3383133f0aed1fabf8c2c0d9de8aa81a9b572
We are using the Censys API; after that we do a live test to confirm. Can you please check that link to see whether 184.108.40.206 belongs to you or not?
220.127.116.11 belongs to me, and resolves to password-sentry.com
18.104.22.168 does not belong to me, and does not resolve to password-sentry.com
Please take a look at the URL; the IP was attached to your domain earlier. I am able to ping that IP. Can you please re-check whether that IP does not belong to you?
Command: openssl s_client -connect 22.214.171.124:443 -ssl2
depth=0 OU = Domain Control Validated, CN = www.password-sentry.com
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate
Ciphers common between both SSL endpoints:
RC4-MD5 RC2-CBC-MD5 DES-CBC3-MD5
SSL handshake has read 1389 bytes and written 358 bytes
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Protocol : SSLv2
Cipher : DES-CBC3-MD5
Key-Arg : 1FD8E8E929B9B2E6
It belongs to your domain. Please verify once again.
That is the IP of the old server that hosted password-sentry.com. The current server that hosts password-sentry.com has IP 126.96.36.199. It was changed over five weeks ago.
Both of them give exactly the same certificate information. Disable SSLv2 for IP 188.8.131.52.
I have no access one way or the other to 184.108.40.206 since it does not belong to me or any of my domains. Why is the test checking the 220.127.116.11 IP when that IP does not resolve to password-sentry.com? I'm guessing you are seeing the old SSL certificate on the old server at 18.104.22.168. Is the solution to have the old SSL certificate uninstalled from the 22.214.171.124 server? Still, I don't see why that server is even involved in the testing.
With the help of the Censys API, we check whether any other server is using the same "Key" as your domain (this is where we get IP 126.96.36.199). If the key is the same, we do further tests on that IP to check if SSLv2 is enabled and give rating F.
So, to fix this, I just need to uninstall the SSL certificates from the old 188.8.131.52 server?
The web host is not going to edit the config on a box that is not mine. Besides, that box is an old one that they are scrapping. My contact was surprised as he thought the box and IP were taken down. He is looking into it so the IP is unreachable and the SSL certificate is uninstalled. It is not needed since the site is on another box with another IP with its own SSL certificate. Hopefully this will fix this.
IP taken down. Now have A- rating. Now, just have to address Forward Secrecy to get A or A+. Thanks for your tireless and invaluable assistance!
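The key-reuse check described in this thread (find every host presenting the same key, then see whether any of them still accepts SSLv2) can be run against your own scan inventory. The sketch below is an added example, not SSL Labs or Censys code; the record fields, the documentation-range IPs and the key fingerprints are constructed for illustration.

```python
import hashlib
from collections import defaultdict

def fp(key_bytes):
    """SHA-256 fingerprint of a public key (constructed placeholder bytes here)."""
    return hashlib.sha256(key_bytes).hexdigest()

# Constructed scan records; field names are hypothetical, IPs are documentation ranges.
KEY_A, KEY_B = fp(b"constructed-key-A"), fp(b"constructed-key-B")
SCAN = [
    # Current server: modern protocols only.
    {"ip": "192.0.2.10", "key_fp": KEY_A, "protocols": {"TLSv1.2"}},
    # Forgotten old server: same key, SSLv2 still enabled.
    {"ip": "198.51.100.7", "key_fp": KEY_A, "protocols": {"SSLv2", "TLSv1.0"}},
    # Unrelated host with a different key.
    {"ip": "203.0.113.5", "key_fp": KEY_B, "protocols": {"SSLv2"}},
]

def drown_exposure(target_ip, scan):
    """Return (kind, offending_ips) where kind is 'direct', 'cross-server' or 'none'.

    A host is exposed when ANY host presenting the same key accepts SSLv2,
    whether or not DNS still points at that host.
    """
    by_key = defaultdict(list)
    for rec in scan:
        by_key[rec["key_fp"]].append(rec)
    target = next((r for r in scan if r["ip"] == target_ip), None)
    if target is None:
        raise ValueError(f"{target_ip} not in scan data")
    offenders = sorted(
        r["ip"] for r in by_key[target["key_fp"]] if "SSLv2" in r["protocols"]
    )
    if target_ip in offenders:
        return "direct", offenders
    if offenders:
        return "cross-server", offenders
    return "none", []

if __name__ == "__main__":
    print(drown_exposure("192.0.2.10", SCAN))
    # After the old server is taken down, the finding clears.
    remaining = [r for r in SCAN if r["ip"] != "198.51.100.7"]
    print(drown_exposure("192.0.2.10", remaining))
```

Decommissioning the old host, disabling SSLv2 on it, or reissuing the certificate with a fresh key on the current server each remove the shared-key exposure.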