When I run the ssllabs.com analysis on my domain, which has an SSL certificate generated by this tool, I get a low score:
1) This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
2) This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B
3) This server accepts RC4 cipher, but only with older browsers. Grade capped to B.
4) This site works only in browsers with SNI support.
Anything I can do to improve on that?
I recommend you run Nartac IIS Crypto and apply the fixes suggested using the "Best Practices" button. It's a dead-simple, one-click fix for most (if not all) of your bad grades on SSLLabs.
Would I need to run the letsencrypt tool again for both www.mysite.com and mysite.com to generate a new certificate after using IIS Crypto 2.0?
Ah, no, I should have clarified: this is a server problem, not a certificate problem. Once you update the protocols your server accepts, you should get an A grade on ssllabs.
One last thing if I may please.
I get this in Chrome:
The connection to this site uses a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-384), and an obsolete cipher (AES_256_CBC with HMAC-SHA1).
Any way to solve this? Thanks in advance.
SHA1 is now an insecure hashing algorithm; Google (and co) recently generated a collision where two files hash to the same result. You need to disable that cipher combination in IIS (with the Nartac tool).
The LE certificates are fully trusted by ssllabs, for example: https://www.ssllabs.com/ssltest/analyze.html?d=slashdot.org
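A read-only way to confirm what the server accepts after applying the IIS Crypto template, added here as an example (it is not from the thread or from Nartac). It assumes the SSL Labs findings map to the standard SCHANNEL registry settings on the IIS host; the function names are illustrative.

```powershell
# Added example: read-only audit of the SCHANNEL settings behind the SSL Labs findings.
# The .NET registry API is used because cipher key names such as "RC4 128/128"
# contain "/", which the PowerShell registry provider treats as a path separator.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelValue {
    param([string]$SubKey, [string]$Name)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$SubKey")
    if ($null -eq $key) { return $null }          # key absent: OS default applies
    try { return $key.GetValue($Name) } finally { $key.Close() }
}

function Get-State {
    param($Value)
    if ($null -eq $Value) { 'not set (OS default)' }
    elseif ($Value -eq 0) { 'disabled' }
    else { 'enabled' }                            # includes 0xffffffff, read back as -1
}

$report = @()

# Finding 1 (POODLE): SSL 3.0 on the server side
$ssl3 = Get-SchannelValue 'Protocols\SSL 3.0\Server' 'Enabled'
$report += [pscustomobject]@{ Setting = 'SSL 3.0 (server)'; State = Get-State $ssl3 }

# Finding 3: RC4 ciphers
foreach ($cipher in 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128') {
    $value = Get-SchannelValue "Ciphers\$cipher" 'Enabled'
    $report += [pscustomobject]@{ Setting = $cipher; State = Get-State $value }
}

# Finding 2: minimum DH modulus size the server will use
$dh = Get-SchannelValue 'KeyExchangeAlgorithms\Diffie-Hellman' 'ServerMinKeyBitLength'
$dhState = 'not set (OS default)'
if ($null -ne $dh) { $dhState = "$dh bits" }
$report += [pscustomobject]@{ Setting = 'DH ServerMinKeyBitLength'; State = $dhState }

$report | Format-Table -AutoSize

# Chrome warning: CBC suites with a SHA-1 MAC that are still offered.
# Get-TlsCipherSuite is only available on Windows Server 2016 / Windows 10 and later.
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    Get-TlsCipherSuite | Where-Object Name -like '*_CBC_SHA' |
        Select-Object -ExpandProperty Name
}
```

SCHANNEL registry changes take effect after a reboot, so run the audit and re-test on ssllabs.com once the server has restarted.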