I have a url s1prdsfbaccess.gmc-uk.org which is a server 2012 r2 box. I can only manage to get an A. Does anyone know if it is possible to get an A+ with server 2012? Thanks
A+ needs TLS Fallback Protection which is not supported by Windows but could be archived by disable TLS 1.0 and 1.1 (so keep TLS 1.2 only) But i worry 2012R2 do not support "TLS_ECDHE_RSA_WITH_AES_xxx_GCM_..." which would also needed afaik. https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=11&platform=Win%208.1&key=134 (Win 8.1 and 2012R2 have same core)This could be resolved by use a ECDSA Certificate instead of RSA and use "TLS_ECDHE_ECDSA_WITH_AES_xxx_GCM_..." ECDSA will be supported by letsencrypt by Q1 2019https://letsencrypt.org/upcoming-features/
ECDSA certificates are already supported by letsencrypt. the Q1 2019 thing is about using an ECDSA intermediate to sign them.
Thanks for your reply, really useful to know .
I am using digicert and I think I have the instructions on how to get the new cert type .
Microsoft ECC CSR Creation & Install | DigiCert.com
Thanks for the information, you have given me some really useful info. I will go away test some of these and get back to you
Thanks again, really appreciated
Try adding one or more of the following until you achieve A+; your mileage may vary:
NOTE: If you do have to add DHE instead of ECDHE, you'll have to accept the warning about DH public server param (Ys) reuse.
I had to add DHE to achieve even an A with my application. In my case, I did not determine if there was ECDHE and GCM support with the patch. However, the app. did not support HSTS, I was unable to get A+. (In this case I could not use a proxy to add custom headers.)
Hope this helps.
Unfortunally 2012R2 (even with patch) do not supportTLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)which are imho the best ciphers for RSA (beside TLS 1.3)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)are no Option cause weak due to no-FS
so you could either use the slowerTLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)if you want to use this be aware of:https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/3174644
or best/fastest solution:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)which would need to use a ECDSA cert instead of RSA
Retrieving data ...