AnsweredAssumed Answered

Knowing which particular cipher lowered my score?

Question asked by Dan Mahoney on May 8, 2018
Latest reply on May 8, 2018 by j-mailor

Hey all,

 

I'm trying (let's say, to settle an argument), to get a perfect SSL Labs score to prove it's possible with our current software (Apache 2.4, OpenSSL 1.0.1u).

 

Certificate is easy, of course -- just get a 4096 bit one.  Protocol is easy too -- just turn off everything but TLS 1.2.

 

It's where I come to the Key Exchange and Cipher suites that this gets a bit more hairy to read.  It's clear that for any given exchange, there are three "things" that we can see a grade on.

 

1) The number of bits in the key exchange, (which I guess here is the smaller, lighter text???)

 

2) The number of "bits" of the session key (shown in the key name, as well as down the right column).

 

3) Whether or not SSL Labs decided to color it *green*.  By all UI standards, you'd think that the non-green things would be the problem, even though some of them are DH 4096/256.  The only difference I can see is that "GCM" ciphers are all green, and "CBC" ones are all not.

What causes the "greenness", and is it related to my score?

 

This is the cipher suites I'm using: EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH, so I'm guessing to get 8 "results", it's basically two different key exchange methods with each of those four suites?  (2*4 == 8)


This seems unclear.  Which thing is hurting me?


On a different subject -- I'm using a custom DH params file.  I know how to *generate* a dhparam file, but not how to *parse* one.  That is to say, what openssl config would I put in to show me a command line that could have made it?  Google fails me here.

Outcomes