Forum Discussion

Roy_Jee (Nimbostratus)
Aug 27, 2019

Get A Grade on SSL LAB for VIP

HI ,

I am looking for a cipher string to get an A grade on SSL Labs for my VIP. Currently these are the ratings. Thanks in advance.


  • JG (Cumulonimbus)

    Try this one:

    !SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-ECDSA-DES-CBC3-SHA:!ADH-DES-CBC3-SHA:!ECDH-RSA-DES-CBC3-SHA:!ECDH-ECDSA-DES-CBC3-SHA:!DES-CBC3-SHA:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:!SSLv3

  • Try this one which I found in a thread on the old devcentral:

    !SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:!3DES:-MD5:-SSLv3:-RC4

    I also have the following options enabled in the SSL client profile: No SSLv3, No TLSv1, and No TLSv1.1.

    Here's how it comes out on SSL labs:

    I find that I can get similar results locally using nmap's NSE script ssl-enum-ciphers, like so:

    PS C:\Users\user\nmap-7.70> .\nmap.exe -sV --script ssl-enum-ciphers -p 443 hostname.organization.com
    Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-27 12:33 Eastern Daylight Time
    Nmap scan report for 123.123.123.123
    Host is up (0.00s latency).
     
    PORT    STATE SERVICE  VERSION
    443/tcp open  ssl/http httpd
    |_http-server-header: 
    | ssl-enum-ciphers:
    |   TLSv1.2:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
    |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |     compressors:
    |       NULL
    |     cipher preference: server
    |_  least strength: A
    Service Info: OS: OS; CPE: cpe:/o:cpe
     
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 27.81 seconds

    It's nice to not be dependent on an external resource for a quick, repeatable check and also not forget to hide the results.

    Good luck!

    • Roy_Jee (Nimbostratus)

      Can you please suggest a cipher string for v13.0, as the grade has changed but the weak ciphers issue still persists.

      Here is the string :

      !SSLv2:!TLSv1:!TLSv1_1:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:!SSLv3

      • Mark_Gallagher (Altocumulus)

        This works but I think you'll definitely see downlevel client failures:

        !SSLv2:!TLSv1:!TLSv1_1:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:!ECDHE+AES:!RSA+AES-GCM:!RSA+AES:!ECDHE+3DES:!RSA+3DES:!SSLv3
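To turn the local nmap check above into a repeatable "which suites will be reported as weak" report, here is an added Python example (not from this thread or from F5) that parses ssl-enum-ciphers output and flags suites without forward secrecy (static RSA key exchange), CBC-mode suites, and 3DES/RC4. The flagging rules are my own assumption of what SSL Labs counts as weak; the sample output is constructed in the shape of the scan quoted above. Of the strings in this thread, only the last one (ECDHE+AES-GCM alone) leaves nothing for this check to flag.

```python
import re

# Constructed sample, in the shape of the nmap ssl-enum-ciphers output quoted above.
SAMPLE_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
"""

# Protocol header lines look like "|   TLSv1.2:"; cipher lines end in "(keyinfo) - GRADE".
PROTO_RE = re.compile(r"^\|\s+(TLSv1\.\d|SSLv3):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+(\S+)\s*$")

def parse_ciphers(text):
    """Return a list of (protocol, suite, key_info, nmap_grade) tuples."""
    proto, found = None, []
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            continue
        m = CIPHER_RE.match(line)
        if m and proto:
            found.append((proto, m.group(1), m.group(2), m.group(3)))
    return found

def classify(suite):
    """Reasons a suite is likely to be reported as weak (empty list = fine)."""
    reasons = []
    if not (suite.startswith("TLS_ECDHE_") or suite.startswith("TLS_DHE_")):
        reasons.append("no forward secrecy (static RSA key exchange)")
    if "_3DES_" in suite or "_RC4_" in suite:
        reasons.append("legacy bulk cipher (3DES/RC4)")
    elif "_CBC_" in suite:
        reasons.append("CBC mode (no AEAD)")
    return reasons

def weak_suites(text):
    """Map each flagged suite name to its list of reasons."""
    return {s: classify(s) for _, s, _, _ in parse_ciphers(text) if classify(s)}

if __name__ == "__main__":
    for suite, reasons in weak_suites(SAMPLE_OUTPUT).items():
        print(f"{suite}: {'; '.join(reasons)}")
```

Pipe the real scan in with `nmap ... | python3 check.py` after replacing SAMPLE_OUTPUT with `sys.stdin.read()`.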