Running thet latest officially stable v0.13b under a domain covered with a Wosign certificate for 3 years, SSLLabs reports both the MiaB box.domain.win under IP 11.11.11.11 and the domain.win and www.domain.win under IP 22.22.22.22 as an A+ rating = That’s what we want!
Running thet latest dev. Master v0.13b-57-g3b91bc2 (tested over v0.13b-53-g5e7b783 too, and got same results) under a domain covered with a Wosign certificate for 3 years. SSLLabs reports MiaB box.domain2.xyz under IP 33.33.33.33 as a C rating because Poodle Attack (SSL v3 enabled) vulnerable but domain2.xyz and www.domain2.xyz under Ip 44.44.44.44 is being reported as A+ rating knowing same Wosign certificate has been used in both respective servers (the one used for Miab server + DNS management and the one using as web server for domain2.xyz | www.domain2.xyz
That results made me think the problem was not because the Wosign cetificate used but the server where being used…
TEST: Following recommendations as per this article: https://poodle.io/servers.html for nginx based server protection against Poddle Attack - disabling SSL v3 - by adding:
nginx Modify the ssl_protocols directive to only use TLSv1, TLSv1.1, and TLSv1.2. If you do not have a ssl_protocols directive, add it to the top of your configuration file.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Then I added (as a test only) the recommended: ssl_protocols TLSv1 TLSv1.1 TLSv1.2; to the file /ssl/etc/nginx/conf.d/ssl.conf file, then sudo service nginx restart then ordered SSLLabs test again for the mentioned box.domain2.xyz and NOW the results is an A- (but not an A+ yet because Forward Secrecy still fails…!?).
CONCLUSION:
Can’t see why the one under last stable v.013b version reported as an A+ always (both servers) and not the one running over the latest Dev. Master one.
Worried if the current dev. Master v0.13b-57-g3b91bc2 could be made stable before you could see what happens with.
Hope this helps to debug it & thanks in advance for your comments,
Thanks for your time and for paying a look into that… but seems your recent changes must be applied too (additionally) to this file to get the desired A+ SSLLabs rating: /etc/nginx/conf.d/ssl.conf
Step-by-step of what I did:
Manually replaced the OLD /root/mailinabox/nginx-ssl.conf by the NEW one you provided now.
Manually edited the /etc/nginx/conf.d/ssl.conf lines 28 til 35:
From:
# Reference client: https://www.ssllabs.com/ssltest/analyze.html
# ssl_prefer_server_ciphers on; # This is the default in Ubuntu 14.04/nginx 1.4.6 and it is an error to repeat it at the http level.
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
# Cut out (the old, broken) SSLv3 entirely.
# This **excludes IE6 users** and (apparently) Yandexbot.
# Just comment out if you need to support IE6, bless your soul.
#ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # This is the default in Ubuntu 14.04/nginx 1.4.6 and it is an error to repeat it at the http level.
To:
# Reference client: https://www.ssllabs.com/ssltest/analyze.html
ssl_prefer_server_ciphers on;
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
# Cut out (the old, broken) SSLv3 entirely.
# This **excludes IE6 users** and (apparently) Yandexbot.
# Just comment out if you need to support IE6, bless your soul.
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
Then sudo service nginx restart , then sudo service mailinabox restart and finally ordered SSLLabs test again for my test/development-only MiaB server where I use the Master version box.domain2.xyz under IP 33.33.33.33 as mentioned before and now I GOT the A+ rate
Please, verify (double-check) provided info. at your end, too and apply those changes before to make the current master version officially stable.
Waiting your final confirmation / comments,
Rgrds!
Sorry, yes, it’s the same file but the Mail-in-a-Box installation has to be run again to update it. I should have mentioned that. Whenever you go to a new version (or commit on github) you (may) need to re-run the setup (e.g. sudo mailinabox).
Thanks! I guessed that but needed to post to be sure (I have sent you a private message with the real SSLLabs test over my real dev. domain server that gives now the A+ rating… hope this helps, too). I’ll flag this thread as [SOLVED] now. Thanks4All