SSL test scored "B" due to Key Exchange very low, why?

Posted: Fri Dec 25, 2015 12:39 am
by baijianpeng
I tested my SSL status at https://www.ssllabs.com/ssltest/; the resulting score is "B", because the "Key Exchange" rating is very low.

What is the cause? Is it VestaCP, my SSL certificate, or something I did wrong?

How can I improve this low rating on Key Exchange?

Thank you.

PS: Why can't I find the image attachment button on this forum?

Re: SSL test scored "B" due to Key Exchange very low, why?

Posted: Fri Dec 25, 2015 1:02 am
by baijianpeng
After some searching, it seems that VestaCP does NOT have a file named dhparam.pem in the folder /etc/ssl/certs/.

Why?

Can I manually generate this file, as other tutorials say, to harden the SSL configuration of VestaCP?

I hope VestaCP will by default offer hardened SSL/TLS configurations.

Thank you.

Re: SSL test scored "B" due to Key Exchange very low, why?

Posted: Fri Dec 25, 2015 5:29 pm
by ttcttctw
Vesta Panel defaults to a self-signed SSL file, because you need to buy your own SSL certificate.
There is no such thing as a universal SSL certificate, so it's impossible to make Vesta do that.

Re: SSL test scored "B" due to Key Exchange very low, why?

Posted: Sat Dec 26, 2015 12:35 am
by baijianpeng
I think you did not understand what I said. The file "dhparam.pem" is not a certificate.

Re: SSL test scored "B" due to Key Exchange very low, why?

Posted: Sat Dec 26, 2015 10:47 am
by tjebbeke
You can generate your own dhparam.pem; it is possible to achieve an A+ score.

# Cipher list: ECDHE and DHE (forward-secrecy) suites first, then plain RSA suites;
# the "!" entries exclude anonymous, export, single-DES, RC4, MD5 and PSK suites.
# Note that DES-CBC3-SHA (3DES) is still allowed by this list.
ssl_ciphers        "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
# Diffie-Hellman parameters used by the DHE-* suites above; this is the
# generated file whose size decides the "Key Exchange" rating.
ssl_dhparam         /etc/nginx/dhparams.pem;
# HSTS: browsers that have seen this header use HTTPS only for one year.
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
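An added check for the file this thread is about, written for this thread rather than taken from VestaCP or from any of the posters. It parses a PEM DH parameter block in the shape that `openssl dhparam -out dhparams.pem 2048` writes (an ASN.1 SEQUENCE of the prime p and the generator g), reports the prime's bit length, and runs the same safe-prime test that `openssl dhparam -check` performs. The parameters embedded below are constructed (the Mersenne prime 2^521 - 1 with generator 2) so the script runs offline; they are too short and not a safe prime, so the audit fails on both counts, which is the kind of file that drags the key-exchange rating down. `check_dhparam_file` and the `min_bits` threshold are this example's own names.

```python
import base64
import random

# Constructed sample: the DH parameter block has the layout openssl writes,
#   DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }
# but the prime is the Mersenne prime 2**521 - 1, chosen only so the example
# runs offline. A real dhparams.pem carries a safe prime of 2048 bits or more.
SAMPLE_PRIME = 2 ** 521 - 1
SAMPLE_GENERATOR = 2


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_integer(value):
    """DER INTEGER for a non-negative int; the extra byte keeps the sign bit clear."""
    content = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_length(len(content)) + content


def encode_dhparam(p, g=2):
    """Serialise (p, g) as a PEM 'DH PARAMETERS' block, as openssl dhparam does."""
    body = _der_integer(p) + _der_integer(g)
    der = b"\x30" + _der_length(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_dhparam(pem):
    """Return (p, g) from a PEM DH parameter block."""
    b64 = "".join(ln.strip() for ln in pem.splitlines()
                  if ln.strip() and not ln.strip().startswith("-----"))
    der = base64.b64decode(b64)
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH parameters must be an ASN.1 SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER prime followed by INTEGER generator")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test with a fixed-seed RNG for reproducible results."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dhparam(pem, min_bits=2048):
    """Audit a DH parameter block: prime size and safe-prime test (p and (p-1)/2 prime)."""
    p, g = parse_dhparam(pem)
    bits = p.bit_length()
    safe = is_probable_prime(p) and is_probable_prime((p - 1) // 2)
    return {"bits": bits, "generator": g, "safe_prime": safe,
            "ok": safe and bits >= min_bits}


def check_dhparam_file(path, min_bits=2048):
    """Audit an on-disk file such as /etc/nginx/dhparams.pem."""
    with open(path) as fh:
        return check_dhparam(fh.read(), min_bits)


if __name__ == "__main__":
    print(check_dhparam(encode_dhparam(SAMPLE_PRIME, SAMPLE_GENERATOR)))
```

Running the block as a script prints the audit of the constructed sample, with `bits` 521 and both `safe_prime` and `ok` false; running `check_dhparam_file("/etc/nginx/dhparams.pem")` on the file referenced by `ssl_dhparam` shows whether the generated parameters are at least 2048 bits and a safe prime, the two properties a fresh `openssl dhparam` output has.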

Re: SSL test scored "B" due to Key Exchange very low, why?

Posted: Sat Dec 26, 2015 4:30 pm
by baijianpeng
Yes, I generated a new dhparams.pem file and added it to nginx.conf, and now I get an "A" score in the SSL test!

Thank you!