Beyond analyze the main characteristics of the SSL certificate, these tests
- list the protocols and the ciphers supported
- simulate the handshake of a large number of browsers, reporting the protocol and cipher used
- detect the behavior related to the main security issues.
To avoid that a compromised long-term encryption key causes the consequent compromise of all session keys generated starting from it, it is necessary:
- drop obsolete SSL versions
- give priority to the safest ciphers, eliminating those most at risk.
As stated in digicert documentation you need to add the highlighted lines in your apache configuration:
SSLEngine on + + SSLProtocol all -SSLv2 -SSLv3 + SSLHonorCipherOrder on + SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS" + SSLCACertificateFile ...
DNS Certification Authority Authorization
The history of RFC6844 began as Internet Draft in october 2017; the defacement of some CAs in 2011 was not enough to bring out this work, perhaps still immature (it will become RFC in 2013), until in 2017, [it was made mandatory for all CAs] (https: //blog.qualys. com / ssllabs / 2017/03/13 / caa-mandated-by-cabrowser-forum)
The addition of the new DNS Resource Records CAA (type 257) let you to protect your domain by specifying:
- which CAs are authorized to issue certificates for the domain
- which CAs are authorized to issue wildcard certificates for the domain
- who must be notified of requests that violate the published conditions
CAs, when receiving a certificate request for a domain protected by DNS CAA, must check if they are authorized to issue the certificate, otherwise notify the domain owner using the method published in the CAA record.
The configuration of CAA records is very flexible: it is possible, in fact, to allow multiple CAs to issue certificates for the entire domain, or specify that some less expensive CAs can issue certificates for the domain, but that some hosts must have certificates issued by other more expensive and secure CAs.
Thanks to these suggestions, the ranking of this site has gone from B to A.