

How to buy "proper" SSL certificate?




Posted by GreenAce92, 09-24-2015, 12:21 PM
Maybe it's more like what can you afford... but I currently have SSL Certificates from GoDaddy... I'm not sure if I applied them incorrectly but when checking the certificates on a SSL certificate checking site, I get a C or so. Anyway, I have heard of SSL Certificates that cost say a few dollars vs. a thousand dollars... At this point these are primarily for small applications, a few years at best a hundred not thousands... I don't really know how to buy an SSL, I do want the "legitimacy" of having the green https/padlock and the higher bit-encryption count? Anyway I'd appreciate any relevant information. Thank you

Posted by RDO Servers, 09-24-2015, 03:53 PM
For the green address bar, make sure you get an EV certificate. As far as the grade "C", there is a lot more that goes into it than just what certificate you have, or where you get it from. Are you on a shared host, VPS, or dedicated? If you're on shared, there may not be more you can do other than contact your host. If you're on a VPS or dedicated, you need to look at what point lowered your score, and fix the security holes.

Posted by NortheBridge, 09-25-2015, 04:10 PM
Yes, to get the green bar and not just the green padlock you require an EV or Extended Validation Certificate. These certificates take about 3-5 days to issue as the information provided requires, well, validation. If you can afford it, go with Wildcard EV Certificates which are available from any reputable certification authority like Symantec, GeoTrust, DigiCert, and even GoDaddy. As for the "C" grade, this is largely dependent on the configuration of the server. Usually, if you have a "C" grade it means your server likely has enabled non-recommended cipher suites (both the OS and cPanel defaults are really bad for doing business), you are running Apache 2.2 and not 2.4 (if you are running Apache), and you do not have HTTP Strict Transport Security (HSTS) enabled among a myriad of other things but those are the most common. On Dedicated or VPS, it's usually a 5 minute fix. On shared environments you will need to consult your host.

Posted by TheArmoAdmin, 09-25-2015, 05:22 PM
I'm using the below cipher suites. Getting an A at Qualys:

SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256

Posted by NortheBridge, 09-25-2015, 11:00 PM
Our Cipher Suite directive is far longer than yours for all our servers, but you can probably push that "A" to an "A+" by adding the following to the pre-main includes (you already have honor cipher order):

Header add Strict-Transport-Security "max-age=31536000"
SSLHonorCipherOrder On
SSLCompression off

Posted by GreenAce92, 09-26-2015, 02:19 AM
This is what SSLLabs says about my site (I'm on a Debian VPS):

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
This server accepts the RC4 cipher, which is weak. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.
This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.

Posted by GreenAce92, 09-26-2015, 03:10 AM
Well that's what I'm saying, I don't know what is "proper" to buy. SSL Certificate... I bought one from GoDaddy but how do I know if it is good/how good it is. There was mention of coverage up to like $100,000.00 but it also depends on how well the SSL is implemented. I want the user to feel like the site is trustworthy but also that it is actually trustworthy by having a good SSL Certificate, there are many out there, including your own self-signed. So I want to know which one should I buy depending on my purpose...

Posted by TmzHosting, 09-26-2015, 10:13 AM
Where and how are you checking the SSL rating? What type of SSL do you have with GoDaddy, brand? - Daniel

Posted by NortheBridge, 09-27-2015, 05:05 AM
This is not an issue with the certificate (unless you want the EV, in which case it partially is); this is an issue of a poorly configured SSL server. To resolve this we'll need to know a little bit more about your server:

cPanel or Plesk?
Apache, NGINX, LiteSpeed, etc.?
If cPanel, what is in Pre-Mains Include?
General: what cipher suites and SSL configurations do you have (in WHM, this is pretty easy to locate)?

To sum it up, you pretty much need to configure your server properly for SSL and by the looks of it you are using cPanel defaults. If that is the case, it shouldn't be that hard to fix. A few modifications here and there and you'll be all set. You can have Qualys SSL Labs do a scan (https://ssllabs.com) of pretty much any accessible domain on the internet.

Posted by GreenAce92, 09-27-2015, 05:18 AM
I am using a VPS from OVH, I chose Debian 7 Wheezy 64 bit and I have installed a LAMP setup. I did some changes to improve my rating, I am up to a B now, I seem to be stuck on the RC4 cipher, I thought I fixed it. Here are the links I have visited / implemented to try and fix my problems.

https://www.linode.com/docs/security...lv3-for-poodle
http://serverfault.com/questions/693...n-apache-httpd
https://www.sslshopper.com/article-h...in-apache.html
http://blog.lowsnr.net/2014/10/26/co...rward-secrecy/

These are the messages I have left according to Qualys. I improved the DH to 2048 so I'm not sure why I still get that message, I thought this was the reason I jumped from a C to a B. I did restart Apache.

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
This server accepts the RC4 cipher, which is weak. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.
This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.

The last one regarding TLS_FALLBACK is in green, I guess that is good? I tried the RC4 fix mentioned in the configuring-apache-2 forward secrecy link where I paste this:

SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

Which I realize blindly pasting something that you don't understand is pretty stupid; however, to support my thought, Apache would not restart so I did not implement that fix. I did, however, implement the other one, which didn't seem to help the RC4 problem.

This one worked, I'm not sure if I'm supposed to use quotes, I tried both and neither worked (for the longer cipher suite above).

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

I don't have cPanel, I think I am using Webmin although I don't remember the last time I've logged into it. Otherwise I use PuTTY/FileZilla for any interaction with my VPS. My SSL certificate will expire soon, I'm wondering if I should look to other vendors. Thank you very much for your time and help. There is a lot to this and I'm hoping to fix every aspect one part at a time to make a great overall whole.

Posted by GreenAce92, 09-27-2015, 05:24 AM
I have a standard ssl according to GoDaddy. The $69.99/yr with single domain, 256 bit encryption.

Posted by GreenAce92, 09-27-2015, 05:35 AM
I have three lines of SSLCipherSuites, two are uncommented, I probably should only have one right and what should it look like? I found from this qualys thread: https://community.qualys.com/thread/14141 to write this: ":!RC4:"

Posted by GreenAce92, 09-27-2015, 05:57 AM
So this is what my ssl.conf file has written in it, it's kind of a mess, I'm tempted to rewrite it by cutting/pasting particular parts. I'm not sure if having duplicates is a bad thing, like maybe the last line of that set of duplicate(s) is the only one listened to. I somewhat feel like it is stupid for me to paste this but at the same time there aren't really any self-identifying aspects of this relatively abstract set of information but... I guess you could track it down if you wanted/cared to. I'm now following this StackExchange thread: http://security.stackexchange.com/qu...-configuration

#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512

##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##

#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
# (The mechanism dbm has known memory leaks and should not be used).
#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate. See the
# ciphers(1) man page from the openssl package for list of all available
# options.
# Enable only secure ciphers:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

# Speed-optimized SSL Cipher configuration:
# If speed is your main concern (on busy HTTPS servers e.g.),
# you might want to force clients to specific, performance
# optimized ciphers. In this case, prepend those ciphers
# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
# Caveat: by giving precedence to RC4-SHA and AES128-SHA
# (as in the example below), most connections will no longer
# have perfect forward secrecy - if the server's key is
# compromised, captures of past or future traffic must be
# considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
ssl_ciphers
SSLHonorCipherOrder on
SSLCompression off

# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
# Allow insecure renegotiation with clients which do not yet support the
# secure renegotiation protocol. Default: Off
#SSLInsecureRenegotiation on

# Whether to forbid non-SNI clients to access name based virtual hosts.
# Default: Off
#SSLStrictSNIVHostCheck On
SSLProtocol ALL -SSLv2 -SSLv3
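The duplicate-directive question in the post above (which of several SSLCipherSuite lines is the one "listened to", and whether RC4 can still be negotiated after the edits) can be answered by reading the file the way mod_ssl does: within one context the later directive replaces the earlier one. The checker below is an added example, not code from the thread or from the Apache project. It parses a flat ssl.conf, reports duplicated SSLCipherSuite and SSLProtocol lines and which one takes effect, and then flags the settings SSL Labs grades down for: SSLv3 left on (POODLE), RC4 still reachable in the effective cipher string, cipher order not honoured, compression not off (CRIME), and no HSTS header (needed for A+). The two sample configs are constructed to resemble the posted file and its hardened counterpart; the RC4 logic assumes OpenSSL 1.0.x, where the MEDIUM alias still contained the 128-bit RC4 suites, and it does not model <VirtualHost> scoping.

```python
"""Lint a flat Apache mod_ssl config for duplicate and weak directives.
Added example, not code from the thread or from Apache. Whole file = one
context (no <VirtualHost> scoping); RC4/MEDIUM semantics are OpenSSL 1.0.x.
"""
import re

ONE_YEAR = 31536000                                  # HSTS max-age for an A+
HSTS_RE = re.compile(r"max-age\s*=\s*(\d+)", re.I)

# Constructed sample modelled on the thread's ssl.conf: two active
# SSLCipherSuite lines (a third commented out), RC4 in the last, no HSTS.
SAMPLE_CONF = r"""
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
SSLHonorCipherOrder on
SSLCompression off
SSLProtocol ALL -SSLv2 -SSLv3
"""

# Constructed hardened counterpart: a single cipher line carrying the !RC4
# kill switch and a one-year-plus HSTS header (Header needs mod_headers).
HARDENED_CONF = r"""
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:\
DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!RC4:!MD5:!3DES
SSLHonorCipherOrder on
SSLCompression off
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
"""


def parse_apache_conf(text):
    """Return (line, directive, args) for each active directive; backslash-
    continued lines are joined, comments and blank lines dropped."""
    out, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        start, line = i + 1, lines[i].rstrip()
        while line.endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line[:-1] + " " + lines[i].strip()
        i += 1
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            out.append((start, parts[0], parts[1] if len(parts) > 1 else ""))
    return out


def cipher_tokens(args):
    """Split an SSLCipherSuite value (quoted or not) into OpenSSL tokens."""
    return [t for t in re.split(r"[\s:,]+", args.strip().strip("\"'")) if t]


def rc4_possible(tokens):
    """True unless !RC4 is present or no positive token names/implies RC4."""
    if any(t.upper() == "!RC4" for t in tokens):
        return False                      # '!' is permanent, '-' is not
    positive = [t.upper() for t in tokens if t[0] not in "!-"]
    aliases = {"MEDIUM", "ALL", "DEFAULT", "COMPLEMENTOFDEFAULT"}
    return any("RC4" in t or t in aliases for t in positive)


def sslv3_enabled(args):
    """Replay SSLProtocol tokens in order; ALL is taken to include SSLv3."""
    enabled = set()
    for tok in args.upper().split():
        if tok.startswith("-"):
            enabled.discard(tok[1:])
        elif tok == "ALL":
            enabled |= {"SSLV2", "SSLV3", "TLSV1", "TLSV1.1", "TLSV1.2"}
        else:
            enabled.add(tok.lstrip("+"))
    return "SSLV3" in enabled


def hsts_max_age(directives):
    """max-age of the last Strict-Transport-Security Header line, else None."""
    age = None
    for _, name, args in directives:
        if name.lower() == "header" and "strict-transport-security" in args.lower():
            m = HSTS_RE.search(args)
            age = int(m.group(1)) if m else 0
    return age


def audit(text):
    """Return findings for the config; an empty list means nothing flagged."""
    directives = parse_apache_conf(text)
    seen, last = {}, {}
    for line, name, args in directives:
        seen.setdefault(name.lower(), []).append(line)
        last[name.lower()] = args                  # later directive wins
    findings = []
    for key in ("sslciphersuite", "sslprotocol"):
        if len(seen.get(key, [])) > 1:
            findings.append(f"{key}: {len(seen[key])} active copies at lines "
                            f"{seen[key]}, only line {seen[key][-1]} takes effect")
    # Unset directives are modelled as Apache's "all" / OpenSSL's DEFAULT.
    if sslv3_enabled(last.get("sslprotocol", "ALL")):
        findings.append("sslprotocol: SSLv3 enabled (POODLE), add -SSLv3")
    if rc4_possible(cipher_tokens(last.get("sslciphersuite", "DEFAULT"))):
        findings.append("sslciphersuite: RC4 still negotiable in the effective line, add !RC4")
    if last.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("sslhonorcipherorder: not on, client picks the suite")
    if last.get("sslcompression", "on").lower() != "off":
        findings.append("sslcompression: not off (CRIME)")
    age = hsts_max_age(directives)
    if age is None:
        findings.append("hsts: no Strict-Transport-Security header (needed for A+)")
    elif age < ONE_YEAR:
        findings.append(f"hsts: max-age {age} is below one year")
    return findings


if __name__ == "__main__":
    for label, conf in (("thread-style", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```

Run against a real file with `audit(open("/etc/apache2/mods-enabled/ssl.conf").read())`. On the thread-style sample it reports the two active SSLCipherSuite lines, points at the last one as the effective one, and flags that this line still contains RC4 (both `EECDH+aRSA+RC4` and the bare `RC4` token), which is exactly why the Qualys RC4 warning survived the earlier edits; the hardened sample produces no findings.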

Posted by GreenAce92, 09-27-2015, 06:15 AM
Jesus I'm sorry I keep posting. I just don't feel comfortable, I've been reading through some security sites and I feel like you have to really be an expert, and actually comprehend all from point a to b what is going on... I'm just blindly pasting stuff and restarting Apache to see if grade has changed. I changed to 2048 for DH and the error says "...supports..." so I guess I have to turn it off completely? Anyway, I guess one thing I will be doing as well is encrypting my content, thankfully my work at the moment is just for myself, I don't even have users yet or payment processing or anything like that... which I would probably just rely on some sort of platform for payment processing... Still a B Was looking at this site here: https://weakdh.org/sysadmin.html

Posted by netfreak, 09-27-2015, 03:33 PM
Check this site out: https://raymii.org/s/tutorials/Stron...n_Apache2.html I've been toying with my own SSL configuration and I pulled an "A" rating using the settings from that site.

Posted by NortheBridge, 09-27-2015, 09:31 PM
I only briefly looked over the information so there are parts I may have missed, but that looks just about right, especially for a basic LAMP install. You only use the server for small applications and those settings should cover everything for an "A" rating. You'd be amazed at how many people just don't care enough to configure their SSL properly, which could potentially leave them liable, but that's a different discussion. Just follow the instructions on the site linked to, restart the necessary services and you should be pretty well set up.

Posted by GreenAce92, 09-30-2015, 12:58 AM
Thanks guys I looked at this site as well, I will try the setup shown. I have been checking places that deal with my information and most places get a C, places that take down my credit card information... oh man...

Posted by GreenAce92, 09-30-2015, 01:11 AM
Well I am up to an A now thanks to the collective help found here. I increased the dhparams to 4096... not sure if that is overkill, it was a suggestion according to the link. Hmm... while the dhparams is running I triggered another qualys test (why?) and it dropped to a B, mentioning the DH... Anyway my other concern now is what SSL to buy. I guess that there isn't much of a difference between the green https vs. grey; the green is an EV certificate or something like that. I'm just wondering now if $69.99 for an SSL from Godaddy is reasonable or not... Where should I buy an SSL for my purposes which at this point does not involve payment processing?

Posted by GreenAce92, 09-30-2015, 02:52 AM
Ahh man after trying that 4098 pem I dropped to a B from an A I don't know why I'm so obsessed with getting that A back... ahhhh

Posted by GreenAce92, 09-30-2015, 03:32 AM
Oh my goodness, finally back to an A. I used this link for the DH part: http://serverfault.com/questions/693...n-apache-httpd (the first answer, written by BE77Y). I'm currently running Apache 2.2.22. The .pem bit-count has to match the SSL certificate. I created the pem through the terminal command dhparam -out dhparams.pem 2048, then used cat to append from the .pem file's location to the .crt file location, restarted apache2, using the configuration mentioned from the link and the CipherSuite... I had to comment some lines out as Apache would not start.

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# SSLSessionTickets Off
# Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
# Header always set X-Frame-Options DENY
# Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
# SSLUseStapling on
# SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

So now that I'm at an A I wonder what I have to do to get an A+? haha, greedy I know. This is the last message, however there are more below the grade:

This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.

For example when I connect to my website (view it) on an Android device, I get this pop up message asking to "install a certificate" or something, and indeed in the reports below the grade there are red lines regarding Android and handshake. I realize this is verbose, I appreciate the help and I tried to write down exactly my steps for someone else to try if they need to.
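The DH step in the post above (generate dhparams.pem, append it to the .crt Apache loads) gives no feedback on what the server will actually offer, and earlier in the thread a scan run while a new parameter file was still being generated dropped the grade back to B. The checker below is an added example, not code from the thread or from OpenSSL: it reads the PEM file Apache is pointed at, finds every DH PARAMETERS block (skipping the certificate it was appended to), decodes the PKCS#3 structure SEQUENCE { INTEGER p, INTEGER g } and reports the modulus size against the 2048-bit floor that SSL Labs and weakdh.org apply. The inputs are constructed: the certificate block is a placeholder string and the DH moduli are placeholder integers of the stated size, not real safe primes, used only to exercise the parser; real parameters come from `openssl dhparam -out dhparams.pem 2048` as in the post.

```python
"""Report the DH modulus size of every DH PARAMETERS block in a PEM file.
Added example, not code from the thread or from OpenSSL. The sample data is
constructed: placeholder integers stand in for real safe primes.
"""
import base64
import re

MIN_DH_BITS = 2048   # SSL Labs caps the grade at B below this (weakdh.org)
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _der_len(n):
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(n):
    """Encode a non-negative integer as a DER INTEGER (0x00 pad if high bit set)."""
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + _der_len(len(raw)) + raw


def make_dh_params_pem(p, g=2):
    """Build a PKCS#3 DHParameter PEM block: SEQUENCE { INTEGER p, INTEGER g }."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{lines}\n-----END DH PARAMETERS-----\n"


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def dh_modulus_bits(der):
    """Return (modulus bit length, generator) from DER-encoded DH parameters."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH parameters must be a SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(body, 0)
    tag_g, g_bytes, _ = _read_tlv(body, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p and INTEGER g")
    return int.from_bytes(p_bytes, "big").bit_length(), int.from_bytes(g_bytes, "big")


def pem_blocks(text):
    """Yield (label, DER bytes) for each PEM block in the file."""
    for m in PEM_RE.finditer(text):
        yield m.group(1), base64.b64decode("".join(m.group(2).split()))


def check_dh_file(text, minimum=MIN_DH_BITS):
    """Return [(bits, generator, meets_minimum)] for each DH PARAMETERS block;
    other blocks (the certificate the params were appended to) are skipped."""
    results = []
    for label, der in pem_blocks(text):
        if label == "DH PARAMETERS":
            bits, g = dh_modulus_bits(der)
            results.append((bits, g, bits >= minimum))
    return results


# Constructed inputs: a placeholder certificate block followed by DH params
# whose modulus is a placeholder integer of the stated size (not a prime).
FAKE_CERT = ("-----BEGIN CERTIFICATE-----\n"
             + base64.b64encode(b"placeholder, not a real certificate").decode()
             + "\n-----END CERTIFICATE-----\n")
WEAK_FILE = FAKE_CERT + make_dh_params_pem((1 << 1023) | 1)     # 1024-bit
STRONG_FILE = FAKE_CERT + make_dh_params_pem((1 << 2047) | 1)   # 2048-bit

if __name__ == "__main__":
    for name, data in (("weak", WEAK_FILE), ("strong", STRONG_FILE)):
        for bits, g, ok in check_dh_file(data):
            verdict = "OK" if ok else f"below {MIN_DH_BITS}"
            print(f"{name}: DH modulus {bits} bits, g={g}, {verdict}")
```

Point it at the real file with `check_dh_file(open("/path/to/your.crt").read())`: an empty result means no DH PARAMETERS block was appended (Apache then falls back to its built-in parameters, which on the 2.2.22 in this thread is what produced the weak-DH warning), and a result below 2048 bits means the grade will stay capped at B regardless of the cipher list.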


