Get A+ on SSL Labs test?
-
So I get an A with all 100s on https://www.ssllabs.com/ssltest/index.html
I have HSTS set up with a 1-year max-age, have CAA set up, and have OCSP working.
The info I find about getting A+ all mentions HSTS, which is set up and shows as good. So I'm not sure what's missing. Anyone have info on what else needs to be enabled/set up to get the A+?
For sure not a big deal, but now it's bugging me ;)
Currently using haproxy-dev 0.62_2 on 21.02p1. I see from other sites' results that A+ is possible, but as of yet I have not figured out what they are doing that I am not, which is keeping me from the A+.
Using an ACME cert, with SSL offloading being done on haproxy.
I would have put this in off topic, since it's not really a pfSense issue for sure, but what I'm looking for is what setting I need in the haproxy package GUI, be it an option I have to put in or an ACL, that will change this A to an A+. Got to be something stupid missing. HSTS doesn't have to be preloaded, does it?
-
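Since the thread turns on whether the HSTS header is actually good enough, here is an added example (not code from the thread, pfSense, HAProxy or SSL Labs) that parses a Strict-Transport-Security header the way RFC 6797 says a browser must, and then checks it against the one HSTS condition the poster is chasing. The 180-day "long max-age" threshold is my recollection of the SSL Labs rating guide and is labelled as an assumption in the code; the sample headers are constructed, not captured from anyone's server. includeSubDomains and preload are reported but not treated as requirements, since the poster's question is exactly whether preload is needed.

```python
"""Parse a Strict-Transport-Security header (RFC 6797 section 6.1) and check
whether it would count as HSTS "with a long max-age".

Added example for this thread; not code from pfSense, HAProxy or SSL Labs.
"""
import re
from dataclasses import dataclass

# ASSUMPTION: SSL Labs treats max-age >= 180 days as "long". Adjust if the
# rating guide you are reading says otherwise.
LONG_MAX_AGE_SECONDS = 180 * 24 * 3600  # 15552000

# RFC 7230 token characters; directive values may be a token or a quoted-string.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_DIRECTIVE_RE = re.compile(
    rf"^\s*({_TOKEN})\s*(?:=\s*(?:\"((?:[^\"\\]|\\.)*)\"|({_TOKEN})))?\s*$"
)


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value):
    """Return an HstsPolicy, or None if a browser would ignore the header.

    RFC 6797: directive names are case-insensitive, max-age is mandatory, and
    any directive appearing more than once makes the whole header invalid.
    """
    seen = {}
    for raw in header_value.split(";"):
        if not raw.strip():
            continue  # tolerate a trailing ';' like browsers do
        m = _DIRECTIVE_RE.match(raw)
        if not m:
            return None  # not a directive a parser can accept
        name = m.group(1).lower()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if name in seen:
            return None  # duplicate directive: header is ignored
        seen[name] = value
    max_age = seen.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None  # missing or non-numeric max-age: header is ignored
    return HstsPolicy(
        max_age=int(max_age),
        include_subdomains="includesubdomains" in seen,
        preload="preload" in seen,
    )


def check_hsts_for_a_plus(headers):
    """Given response headers (dict, any case), return (ok, reason)."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "no Strict-Transport-Security header on the HTTPS response"
    policy = parse_hsts(value)
    if policy is None:
        return False, "malformed HSTS header (missing max-age or duplicate directive)"
    if policy.max_age < LONG_MAX_AGE_SECONDS:
        return False, (f"max-age={policy.max_age} is below "
                       f"{LONG_MAX_AGE_SECONDS} seconds (about 180 days)")
    extras = []
    if policy.include_subdomains:
        extras.append("includeSubDomains")
    if policy.preload:
        extras.append("preload")
    return True, "HSTS present with long max-age" + (
        f" ({', '.join(extras)})" if extras else "")


# Constructed sample responses, not captured from a real server.
SAMPLES = {
    "one year":       {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "too short":      {"Strict-Transport-Security": "max-age=300"},
    "no max-age":     {"Strict-Transport-Security": "includeSubDomains"},
    "duplicate":      {"Strict-Transport-Security": "max-age=31536000; max-age=0"},
    "header missing": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        ok, reason = check_hsts_for_a_plus(hdrs)
        print(f"{label:15} {'OK ' if ok else 'BAD'} {reason}")
```

To run it against a live host, feed it the headers from `curl -sI https://your.host/` (the header must be on the HTTPS response; one on the port-80 redirect does not count). Note that only the HSTS part of the A+ criteria is covered here; the protocol, key-exchange and cipher scores are a separate matter.
-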
@johnpoz
Interesting,
same here.
Well, with yours I could see not getting the A+ because there's no HSTS; that seems to be a requirement for A+. But as you can see I have that, and still no.
Could you turn on HSTS and see if you jump up to A+?
-
See, for example, this site is getting A+:
https://www.ssllabs.com/ssltest/analyze.html?d=www.ezdrivema.com
And all kinds of stuff not supported: no 1.3, no CAA, weak ciphers. I don't get it.
-
OK, this doesn't make a lot of sense to me, but it seems like if you set this to intermediate vs modern,
you then can get an A+.
So you have to have 1.2 working to get an A+? That makes no sense at all. I would think only doing 1.3 would be better than 1.3 and 1.2??
I guess the good thing that came from this little exercise is I got HSTS turned on. I also enabled OCSP staple in the certs, and now it's required. I renewed the ACME certs with that checked.
I had found CAA wasn't enabled on one of my FQDNs. So I guess it does pay to play around a bit. But I would think modern would be a better score than allowing for 1.2. Odd.
-
@johnpoz
Here is some info regarding the rating:
https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
But it's not really explained how you get A+ in the end.
-
Yeah, I found that. The only thing I could find was you have to have HSTS... But I did that, and still no. I might live with the A only and turn 1.2 back off, to be honest. It makes no sense to me that allowing for 1.2 is required to get an A+ score when everything else you have is 100 and a secure setup.
-
@johnpoz
....
Nice, thanks for the advice.
-
Nice. You might want to adjust a bit to bump your key exchange and cipher to 100 ;)
-
@johnpoz
Yup, I had the default 2048, bumped to 4096.