How to get better grades @ SSL Labs Certificate scan

Can anyone here guide me on how to get a better score when I scan my firewall with the SSL Server Test (Powered by Qualys SSL Labs)?

Is there a quick guide on how to enable forward secrecy, disable TLS v1.0, 1.1 and weak ciphers etc.?


Qualys SSL Scan


Best regards, Keld Norman


Thanks for the answers so far - I have collected them all - tested and gotten better scores - here is what I did:

#######################################################################
#          HOW TO GET BETTER GRADES IN THE SSLLABS.COM SSL TEST       #
#######################################################################

To get from the B to A I did the following: 

Alter the portal to only support TLS 1.2

In my 80.10 SmartConsole:    

  Global Properties -> AdvancedConfiguration -> Portal Properties: Altered minimum version to TLS 1.2


NB: Thanks to Claus Kjær for reminding me of this GUI way of doing things - I was trying to achieve this by altering conf files with vim in the expert shell.

Now to enable perfect forward secrecy support:


REF: Specific HTTPS sites that use ECDHE ciphers are not accessible when HTTPS Inspection is enabled (sk110883)

A note about the above sk110883

ECDHE is quite widely used and recommended. It works with elliptic-curve keys and provides forward secrecy. It is used for the key exchange.

ECDSA is not widely used though, but it also uses elliptic-curve keys. It is used for authentication.

I logged on to the firewall via secure shell  (I have a standalone installation with the manager and firewall running in a VM) and in expert mode pasted the following 3 lines in: 

[Expert@firewall:0]# 
ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_ACCEPT_ECDHE 1
ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_PROPOSE_ECDHE 1
ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_EC_P384 1

Then a reboot or just a cpstop/start is needed: 


# Run cpstop/cpstart detached so the restart survives the SSH session dropping.
# ($(cpstop ; cpstart) would run both in the foreground and hand their output to nohup as a command.)
[Expert@firewall:0]# nohup sh -c 'cpstop; cpstart' &

Now the grade went from B to A : 

SSLlabs scanning went from B to A rating

Now to look at the suggested link from Dameon Welch Abernathy:


Remove the weak ciphers related to TLS 1.2

(ref: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...)

So basically I just need to alter this in the file: /web/templates/httpd-ssl.conf.templ

ALTER: SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5
TO:    SSLCipherSuite ECDH:!aNULL:!ECDSA:!aECDH:!eNULL:!MD5:!SHA1

Again secure shell to the system - and in expert mode paste the lines below:

# Backup the file you want to alter first

[Expert@firewall:0]# cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ.backup

# Oneliner to replace the old line with the new using the SED util.


sed -i 's/SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5/SSLCipherSuite ECDH:!aNULL:!ECDSA:!aECDH:!eNULL:!MD5:!SHA1/' /web/templates/httpd-ssl.conf.templ

# Test if the line was altered: 

grep -i ^SSLCipherSuite /web/templates/httpd-ssl.conf.templ

( it should return: SSLCipherSuite ECDH:!aNULL:!ECDSA:!aECDH:!eNULL:!MD5:!SHA1)

Then reboot the firewall.. 

[Expert@firewall:0]# reboot

The Qualys SSL scan still only shows an A - I still have some weak ciphers 😕 

Weak ciphers..

To be continued..


Re: How to get better grades in the SSL Labs Cert. scan

Re: How to get better grades @ SSL Labs Certificate scan

It was a good tip - I'll just need to investigate what impact disabling the last 4 weak ciphers would have if I turn them off:

Cipher Suites
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp256r1 (eq. 3072 bits RSA)   FS128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK112
Alex_Weldon

Re: How to get better grades @ SSL Labs Certificate scan

You should probably add !3DES to the list of modifications as well. 
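As an added example (not from this thread or from Check Point), the script below reads the SSL Labs suite listing quoted in the reply above, explains why each WEAK suite is flagged (static RSA key exchange, so no forward secrecy; 3DES), and derives the OpenSSL cipher-string tokens that would remove them. The sample listing is a constructed copy of the lines posted above; the `!kRSA` and `!3DES` tokens are standard OpenSSL cipher-string aliases.

```python
"""Classify an SSL Labs cipher-suite listing and derive the OpenSSL
cipher-string exclusions that would remove the suites it flags WEAK."""
import re

# Constructed sample input: the TLS 1.2 suite list quoted in the reply above.
SSLLABS_OUTPUT = """\
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp256r1 (eq. 3072 bits RSA)   FS128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK112
"""

# IANA suite name followed by its hex id, as SSL Labs prints it.
SUITE_RE = re.compile(r"^(TLS_[A-Z0-9_]+)\s+\((0x[0-9a-fA-F]+)\)")


def classify(suite: str) -> dict:
    """Judge one suite from its IANA name: forward secrecy, 3DES, and the
    OpenSSL exclusion tokens (!kRSA, !3DES) that would drop it."""
    reasons, tokens = [], set()
    if "_ECDHE_" not in suite and "_DHE_" not in suite:
        # Static RSA key transport: a leaked server key decrypts past sessions.
        reasons.append("no forward secrecy (RSA key exchange)")
        tokens.add("!kRSA")
    if "3DES" in suite:
        reasons.append("3DES: 112-bit strength, 64-bit block")
        tokens.add("!3DES")
    # CBC + HMAC-SHA1 suites are legacy; the "!SHA1" token used in the thread
    # is what removes them. They are reported here but not counted as weak.
    return {"suite": suite, "weak": bool(reasons), "reasons": reasons,
            "tokens": tokens, "legacy_cbc_sha1": suite.endswith("_CBC_SHA")}


def weak_suites(output: str) -> list:
    """Names of the suites in an SSL Labs listing that lack FS or use 3DES."""
    names = [m.group(1) for m in map(SUITE_RE.match, output.splitlines()) if m]
    return [s for s in names if classify(s)["weak"]]


def exclusion_tokens(output: str) -> list:
    """Sorted OpenSSL tokens to append to SSLCipherSuite to drop every weak suite."""
    return sorted(set().union(*(classify(s)["tokens"] for s in weak_suites(output))))


if __name__ == "__main__":
    for s in weak_suites(SSLLABS_OUTPUT):
        print(s, "->", "; ".join(classify(s)["reasons"]))
    print("append to SSLCipherSuite:", ":".join(exclusion_tokens(SSLLABS_OUTPUT)))
```

For the listing above, `!kRSA` alone removes all four WEAK suites, since every one of them uses static RSA key exchange; `!3DES` only covers the last.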

Re: How to get better grades @ SSL Labs Certificate scan

One vulnerability scan shows we have weak DH groups. We don't use those groups... but it doesn't like the fact that we even have them available...? How would one go about fixing that?
