That blog is hosted on an Amazon EC2 instance running Windows 2012 R2 Server, and our SSL certificate is provided by Let’s Encrypt.
Starting from that default configuration, we ran the SSL test and got a B grade. We wanted the “A” rating, and these are the two major warnings we had to solve:
- “This server supports weak Diffie-Hellman (DH) key exchange parameters”
- “This server accepts RC4 cipher, but only with older protocols”
We were able to fix these issues with some simple registry tweaks, which we describe in these articles:
- How to solve Diffie-Hellman warning on Qualys SSLLabs Test
- How to solve RC4 warning on Qualys SSLLabs Test
- Disable SSL3 for more security (on older Windows servers)
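The linked articles are not reproduced here. As an added example (not this blog's own script), the PowerShell below audits, and optionally applies, the Schannel registry values that correspond to the three fixes. The specific values chosen, in particular the 2048-bit server DH minimum, and the `$Apply` variable name are assumptions.

```powershell
# Added example: audit (and optionally apply) Schannel values for the three fixes.
# Assumption: $Apply is a name chosen here; set it to $true in an elevated session.
$Apply    = $false
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Sub-key under SCHANNEL, value name, expected DWORD data.
$settings = @(
    # Weak DH warning: require at least a 2048-bit modulus for server-side DHE.
    @{ Key = 'KeyExchangeAlgorithms\Diffie-Hellman'; Name = 'ServerMinKeyBitLength'; Data = 2048 }
    # RC4 warning: disable every RC4 key size.
    @{ Key = 'Ciphers\RC4 128/128'; Name = 'Enabled'; Data = 0 }
    @{ Key = 'Ciphers\RC4 64/128';  Name = 'Enabled'; Data = 0 }
    @{ Key = 'Ciphers\RC4 56/128';  Name = 'Enabled'; Data = 0 }
    @{ Key = 'Ciphers\RC4 40/128';  Name = 'Enabled'; Data = 0 }
    # SSL 3.0: refuse it for inbound (server-side) connections.
    @{ Key = 'Protocols\SSL 3.0\Server'; Name = 'Enabled'; Data = 0 }
)

$root = [Microsoft.Win32.Registry]::LocalMachine
$report = foreach ($s in $settings) {
    $path = "$schannel\$($s.Key)"
    if ($Apply) {
        # The .NET API is used because New-Item would treat the "/" in
        # "RC4 128/128" as a path separator and create the wrong key.
        $key = $root.CreateSubKey($path)
        $key.SetValue($s.Name, [int]$s.Data, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    }
    # Read the value back (a missing key or value shows up as an empty Actual).
    $key    = $root.OpenSubKey($path)
    $actual = if ($key) { $key.GetValue($s.Name) } else { $null }
    if ($key) { $key.Close() }
    [pscustomobject]@{
        Key      = $s.Key
        Value    = $s.Name
        Expected = $s.Data
        Actual   = $actual
        OK       = ($actual -eq $s.Data)
    }
}
$report | Format-Table -AutoSize
```

Reboot after applying so that Schannel picks up the new values, then re-run the SSL test. On Windows Server 2012 R2, `ServerMinKeyBitLength` only takes effect once the Microsoft update that introduced it is installed.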
After we applied these steps, we got our A grade!
If you want an even better grade, you can go on to resolve the smaller warnings that the SSLLabs test can give you:
- Disable ALL Weak Ciphers
- Configure your DNS CAA