When will the SSL Labs SSL Server Test be fixed with regard to the DROWN Attack test? Until it is, the grade the test produces is in some cases incorrect and valueless.
Disable SSLv2 in configuration for IP 220.127.116.11. Removing completely is left to your choice.
Can you please explain the problem you are facing?
You can see the issue here regarding the test results for one of my domains:
SSL Server Test: password-sentry.com (Powered by Qualys SSL Labs)
The DROWN test result is incorrect. It is looking at the wrong IP address, that of another web server.
Please check this URL: https://censys.io/ipv4?q=6c18d9cc3e2356aea4128785c3d3383133f0aed1fabf8c2c0d9de8aa81a9b572
We are using the Censys API; after that we do a live test to confirm. Can you please check that link to see whether 18.104.22.168 belongs to you or not?
22.214.171.124 belongs to me, and resolves to password-sentry.com
126.96.36.199 does not belong to me, and does not resolve to password-sentry.com
Please take a look at the URL; the IP was attached to your domain earlier. I am able to ping that IP. Can you please re-check whether that IP really does not belong to you?
Command: openssl s_client -connect 188.8.131.52:443 -ssl2
depth=0 OU = Domain Control Validated, CN = www.password-sentry.com
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate
Ciphers common between both SSL endpoints:
RC4-MD5 RC2-CBC-MD5 DES-CBC3-MD5
SSL handshake has read 1389 bytes and written 358 bytes
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Protocol : SSLv2
Cipher : DES-CBC3-MD5
Key-Arg : 1FD8E8E929B9B2E6
It belongs to your domain. Please verify once again.
That is the IP of the old server that hosted password-sentry.com. The current server that hosts password-sentry.com has IP 184.108.40.206. It changed over five weeks ago.
Both of them give the exact same certificate information. Disable SSLv2 for IP - 220.127.116.11.
I have no access one way or the other to 18.104.22.168 since it does not belong to me or any of my domains. Why is the test checking the 22.214.171.124 IP when that IP does not resolve to password-sentry.com? I'm guessing you are seeing the old SSL certificate on the old server at 126.96.36.199. Is the solution to have the old SSL certificate uninstalled from the 188.8.131.52 server? Still, I don't see why that server is even involved in the testing.
With the help of the Censys API, we check whether any other server is using the same "Key" as your domain (this is where we get IP - 184.108.40.206). If the key is the same, we do further tests on that IP to check whether SSLv2 is enabled, and give rating F.
So, to fix this, I just need to uninstall the SSL certificates from the old 220.127.116.11 server?
The web host is not going to edit the config on a box that is not mine. Besides, that box is an old one that they are scrapping. My contact was surprised, as he thought the box and IP had been taken down. He is looking into it so that the IP is unreachable and the SSL certificate is uninstalled. It is not needed since the site is on another box with another IP with its own SSL certificate. Hopefully this will fix this.
IP taken down. Now have A- rating. Now, just have to address Forward Secrecy to get A or A+. Thanks for your tireless and invaluable assistance!
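The key-matching check described in this thread (find every host presenting the same key as the domain, then test each one for SSLv2), sketched as an added example that is not part of the original thread and not Qualys's code. The inventory format, the fingerprint placeholders, the documentation-range IPs and the refused-handshake transcript are constructed assumptions.

```python
import re

# "New, SSLv2, Cipher is DES-CBC3-MD5" marks a completed handshake (format as
# in the s_client output quoted in the thread). A refused handshake prints
# "New, (NONE), Cipher is (NONE)" while the session block can still say
# "Protocol : SSLv2", so the Protocol line alone is not a reliable signal.
_NEW_LINE = re.compile(r"^New, (\S+), Cipher is (\S+)\s*$", re.MULTILINE)

def negotiated_sslv2(transcript):
    """True only if the transcript shows a completed SSLv2 handshake."""
    m = _NEW_LINE.search(transcript)
    return bool(m) and m.group(1) == "SSLv2" and m.group(2) != "(NONE)"

def drown_findings(target_ip, scans):
    """IPs presenting the target's key (the target included) that accept SSLv2.

    scans: iterable of (ip, public_key_fingerprint, s_client_transcript).
    A non-empty result is what caps the domain's grade, even when the
    offending IP no longer resolves to the domain.
    """
    key_of = {ip: fp for ip, fp, _ in scans}
    target_key = key_of[target_ip]
    return sorted(ip for ip, fp, text in scans
                  if fp == target_key and negotiated_sslv2(text))

# --- constructed sample data (not from the thread) ---
ACCEPTS_SSLV2 = """\
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 2048 bit
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
"""
REFUSES_SSLV2 = """\
New, (NONE), Cipher is (NONE)
    Protocol  : SSLv2
    Cipher    : 0000
"""
SCANS = [
    ("192.0.2.10",   "KEY-FP-A", REFUSES_SSLV2),  # current server
    ("198.51.100.7", "KEY-FP-A", ACCEPTS_SSLV2),  # old server, same key
    ("203.0.113.5",  "KEY-FP-B", ACCEPTS_SSLV2),  # unrelated key, ignored
]

if __name__ == "__main__":
    print("SSLv2 hosts sharing the key:", drown_findings("192.0.2.10", SCANS))
    remaining = [s for s in SCANS if s[0] != "198.51.100.7"]  # old box taken down
    print("after takedown:", drown_findings("192.0.2.10", remaining))
```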