Vesta Control Panel - Forum

SSL test scored "B" due to Key Exchange very low, why?

Questions regarding the Web Server
Apache + Nginx, Nginx + PHP5-FPM

Post by baijianpeng » Fri Dec 25, 2015 12:39 am

I tested my SSL status at https://www.ssllabs.com/ssltest/ and the resulting score is "B", because the "Key Exchange" rating is very low.

What is the cause? Is it from VestaCP, or my SSL certificate? Or a mistake on my part?

How can I improve this low rating on Key Exchange?

Thank you.

PS: Why can't I find the image attachment button on this forum?

Post by baijianpeng » Fri Dec 25, 2015 1:02 am

After some searching, it seems that VestaCP does NOT have a file named dhparam.pem in the folder /etc/ssl/certs/.

Why?

Can I manually generate this file, as other tutorials suggest, to harden the SSL configuration of VestaCP?

I hope VestaCP will by default offer hardened SSL/TLS configurations.

Thank you.

Post by ttcttctw » Fri Dec 25, 2015 5:29 pm

Vesta Panel defaults to a self-signed SSL file, because you need to buy your own SSL certificate.
There is no such thing as a universal SSL certificate, so it's impossible to make Vesta do that.

Post by baijianpeng » Sat Dec 26, 2015 12:35 am

I think you did not understand what I said. The file "dhparam.pem" is not a certificate.

tjebbeke
Collaborator
Os: CentOS 6x
Web: apache + nginx

Post by tjebbeke » Sat Dec 26, 2015 10:47 am

You can generate your own dhparam.pem. It is possible to achieve an A+ score.

Code:

ssl_ciphers        "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
ssl_dhparam         /etc/nginx/dhparams.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

Post by baijianpeng » Sat Dec 26, 2015 4:30 pm

Yes, I generated a new dhparams.pem file and added it to nginx.conf, and now I get an "A" score in the SSL test!

Thank you!
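
The fix discussed in this thread, as an added shell example that is not part of any forum post: generate DH parameters with `openssl dhparam`, read back their size, and flag an nginx config that offers DHE suites without `ssl_dhparam` (nginx releases of that period then fall back to a built-in 1024-bit group, which SSL Labs caps at "B"). The function names are assumptions; the path is the one from the posted snippet.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are assumptions;
# /etc/nginx/dhparams.pem is the path used in the posted nginx snippet.

# Generate DH parameters (default 2048 bit) unless the file already exists.
gen_dhparams() {
    out=$1; bits=${2:-2048}
    if [ ! -s "$out" ]; then
        openssl dhparam -out "$out" "$bits"
    fi
}

# Print the prime size in bits of a DH parameter file.
dh_bits() {
    openssl dhparam -in "$1" -noout -text |
        sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p'
}

# Classify an nginx config file (heuristic: only explicit DHE/EDH entries
# are recognised, not aliases such as AES that also expand to DHE suites):
#   no-dhe           no explicit DHE/EDH suite in ssl_ciphers
#   missing-dhparam  DHE suites offered but no ssl_dhparam directive
#   dhparam:<path>   DHE suites offered with custom parameters at <path>
audit_nginx_dh() {
    conf=$1
    ciphers=$(sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]\{1,\}//p' "$conf")
    dhfile=$(sed -n 's/^[[:space:]]*ssl_dhparam[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$conf" | head -n 1)
    # Split on ':' so that ECDHE-* entries are not mistaken for DHE-*.
    if ! printf '%s\n' "$ciphers" | tr -d '"; ' | tr ':' '\n' |
            grep -Eq '^(DHE-|EDH|kEDH|kDHE)'; then
        echo no-dhe
    elif [ -z "$dhfile" ]; then
        echo missing-dhparam
    else
        echo "dhparam:$dhfile"
    fi
}

# Typical use (as root); run `nginx -t` before reloading nginx:
#   gen_dhparams /etc/nginx/dhparams.pem 2048
#   dh_bits /etc/nginx/dhparams.pem
#   audit_nginx_dh /etc/nginx/nginx.conf
```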