SSL test scored "B" due to Key Exchange very low, why?
-
- Posts: 301
- Joined: Tue Dec 22, 2015 2:06 pm
I tested my SSL status at https://www.ssllabs.com/ssltest/. The result score is "B", because the "Key Exchange" part rating is very low.
What is the cause? Is it from VestaCP, or my SSL certificate? Or my own misoperation?
How can I improve this low rating on Key Exchange?
Thank you.
PS: Why can't I find the image attachment button on this forum?
-
- Posts: 301
- Joined: Tue Dec 22, 2015 2:06 pm
Re: SSL test scored "B" due to Key Exchange very low, why?
After some searching, it seems that VestaCP does NOT have a file named dhparam.pem in the folder /etc/ssl/certs/.
Why?
Can I manually generate this file, as other tutorials say, to harden the SSL configuration of VestaCP?
I hope VestaCP will by default offer hardened SSL/TLS configurations.
Thank you.
Re: SSL test scored "B" due to Key Exchange very low, why?
Vesta Panel defaults to a self-signed SSL file, because you need to buy your own SSL certificate.
There is no such thing as a universal SSL certificate, so it's impossible to make Vesta do that.
-
- Posts: 301
- Joined: Tue Dec 22, 2015 2:06 pm
Re: SSL test scored "B" due to Key Exchange very low, why?
I think you did not understand what I said. The file "dhparam.pem" is not a certificate.
-
- Collaborator
- Posts: 783
- Joined: Mon May 11, 2015 8:43 am
- Os: CentOS 6x
- Web: apache + nginx
Re: SSL test scored "B" due to Key Exchange very low, why?
You can generate your own dhparam.pem. It is possible to achieve an A+ score.
Code:
# Cipher suites offered by the server; the DHE-* suites use the parameters from ssl_dhparam
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
# Custom Diffie-Hellman parameters used for DHE key exchange
ssl_dhparam /etc/nginx/dhparams.pem;
# HSTS: tell browsers to use HTTPS only for one year, subdomains included
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
-
- Posts: 301
- Joined: Tue Dec 22, 2015 2:06 pm
Re: SSL test scored "B" due to Key Exchange very low, why?
Yes, I generated a new dhparams.pem file and added it to nginx.conf; now I get an "A" score in the SSL test!
Thank you!
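The steps described in the posts above (generate dhparams.pem, reference it from nginx.conf), as an added shell example that is not from the thread and is not VestaCP's own tooling. The function names are assumptions; audit_conf reports whether a config lists DHE suites without an ssl_dhparam directive, and dh_bits and ensure_dhparam rely on the openssl command line being installed.

```shell
#!/bin/sh
# Added example; function names and paths are assumptions, not VestaCP tooling.

# Print the size in bits of a DH parameter file (prints nothing if unreadable).
dh_bits() {
    openssl dhparam -in "$1" -text -noout 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Create 2048-bit parameters at $1 unless a file at least that large exists.
# Written to a temp name first so nginx never loads a half-written file.
ensure_dhparam() {
    bits=$(dh_bits "$1")
    [ "${bits:-0}" -ge 2048 ] && return 0
    openssl dhparam -out "$1.tmp" 2048 && mv "$1.tmp" "$1"
}

# Classify nginx config file $1 by how it handles DHE key exchange:
#   dhparam:<path>       ssl_dhparam is set (check that file with dh_bits)
#   dhe-without-dhparam  DHE suites listed, no ssl_dhparam directive
#   no-dhe               no DHE suites named in ssl_ciphers, no ssl_dhparam
audit_conf() {
    conf=$(sed 's/#.*//' "$1")    # drop comments, including commented-out directives
    path=$(printf '%s\n' "$conf" |
        sed -n 's/^[[:space:]]*ssl_dhparam[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' |
        head -n 1)
    if [ -n "$path" ]; then
        echo "dhparam:$path"
    elif printf '%s\n' "$conf" | grep -E '^[[:space:]]*ssl_ciphers[[:space:]]' |
            grep -Eq '(^|[" :])(DHE-|EDH|kEDH|kDHE)'; then   # not ECDHE-, not !EDH
        echo "dhe-without-dhparam"
    else
        echo "no-dhe"
    fi
}

# Constructed sample: DHE suites enabled, ssl_dhparam commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 443 ssl;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:!aNULL";
    # ssl_dhparam /etc/nginx/dhparams.pem;
}
EOF
audit_conf "$sample"    # prints: dhe-without-dhparam
rm -f "$sample"
```

After ensure_dhparam writes the file and the ssl_dhparam line is in place, run nginx -t before reloading so a typo in the path does not take the site down.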