  1. #1
    Join Date
    Jun 2008
    Posts
    627
    Plugin Contributions
    0

    Default Question about SSL score "B"

    Hi

    A week or so ago I received an email alerting me to this thread

    PayPal upgrading SSL Certificates in 2015

    http://www.zen-cart.com/showthread.p...icates-in-2015

    Since I don't have permission to reply to that thread I thought I would ask my question here.

    I went to the link provided to test my site's SSL and it received a B. I provided the results link to my host. I also provided the above link to the original thread and asked what could be done to get my site's SSL score up to an A.

    This is the response I received from support

    "I do see that it is receiving a B, however, there is not any information included in the report to determine a direct fix. If ZenCart has information on this that they can provide to you, we would be more than happy to assist further, however, content and design work is not normally within our scope of support, and as the SSL is functioning, this does not appear to be an issue directly related to the server."

    I don't think this has anything to do with content or design. I checked Apache and OpenSSL versions and they appear to be OK:

    Apache: 2.2.29
    OpenSSL: 1.0.1e-fips

    I am ready to respond to support and point out the link to PayPal's PDF file with advice for hosts. Is there anything else I should tell them?

  2. #2
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: Question about SSL score "B"

    First, my apologies for implying in that post that you "must have an A score for PayPal to work". That's an incorrect interpretation of what I meant to convey. I'll update the article.

    Receiving a B score, or any other score at https://www.ssllabs.com/ssltest/ has nothing to do with PayPal or Zen Cart. It's strictly a server-side configuration of your webserver and your domain's vhost within that server.

    An "A" score isn't necessarily required, but anything less than an A could mean customers may occasionally encounter issues using your site in SSL mode. Again though, that's a server thing, and not specific to PayPal or Zen Cart.

    Telling your hosting company to look at anything from PayPal or Zen Cart will not help them fix their optimal configuration of your server with respect to SSL.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Aug 2009
    Location
    Longs, SC
    Posts
    626
    Plugin Contributions
    2

    Default Re: Question about SSL score "B"

    I received the same score for my client's sites. In all cases the cause of the drop to a B was "This server accepts the RC4 cipher, which is weak. Grade capped to B." The solution is for the hosting company to disable the RC4 cipher. Unfortunately in a shared hosting environment they may not be willing to do that. I doubt that just having the RC4 cipher enabled will cause PayPal to stop working.

  4. #4
    Join Date
    Mar 2004
    Posts
    16,042
    Plugin Contributions
    5

    Default Re: Question about SSL score "B"

    Quote Originally Posted by badarac View Post
    I doubt that just having the RC4 cipher enabled will cause PayPal to stop working.
    Since the presence of RC4 ciphers is causing PCI compliance failure, it might just stop PayPal from working. Not sure, just something to think about.
    Zen cart PCI compliant Hosting

  5. #5
    Join Date
    Jun 2008
    Posts
    627
    Plugin Contributions
    0

    Default Re: Question about SSL score "B"

    DrByte, I didn't take it that an A was required so no problem, but I figured why not shoot for an A if possible.

    Thanks badarac, I'll pass that info along and see what they have to say.

    Merlinpa1969, if that turns out to be the case, I imagine they will have to deal with it then.


    Thanks all for your input.

  6. #6
    Join Date
    Jun 2008
    Posts
    627
    Plugin Contributions
    0

    Default Re: Question about SSL score "B"

    Quote Originally Posted by badarac View Post
    I received the same score for my client's sites. In all cases the cause of the drop to a B was "This server accepts the RC4 cipher, which is weak. Grade capped to B." The solution is for the hosting company to disable the RC4 cipher. Unfortunately in a shared hosting environment they may not be willing to do that. I doubt that just having the RC4 cipher enabled will cause PayPal to stop working.
    Just wanted to come back and say that I passed on your comment to my host. I am on shared hosting and they did disable the RC4 cipher, so my site is now getting an A. Thanks.
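
The fix the thread arrives at (the host disabling RC4) comes down to the `SSLCipherSuite` directive in Apache's mod_ssl. The following is an added example, not code from any poster or from Zen Cart: a small linter that reads vhost configuration and reports whether each cipher string still admits RC4. It assumes OpenSSL 1.0.1-era keyword semantics (RC4 included in `ALL`, `DEFAULT` and `MEDIUM`); the sample vhosts and the verdict names are constructed for illustration.

```python
import re

# Keywords that expand to sets containing RC4 on OpenSSL 1.0.1-era builds
# (assumption: newer OpenSSL releases no longer enable RC4 by default).
BROAD = {"ALL", "DEFAULT", "MEDIUM"}
# Tokens treated as RC4-free: HIGH, or anything naming another bulk cipher.
RC4_FREE = re.compile(r"HIGH$|.*(AES|CAMELLIA|3DES|DES-CBC3|CHACHA20)")
DIRECTIVE = re.compile(r'^\s*SSLCipherSuite\s+"?([^"#]+?)"?\s*$')

def rc4_verdict(cipher_string):
    """Walk an OpenSSL cipher string left to right; return RC4 status."""
    present = unknown = False
    for tok in re.split(r"[:, ]+", cipher_string.strip()):
        if not tok or tok[0] in "@+":
            continue                    # '@STRENGTH' / '+X' only reorder
        if tok == "!RC4":
            return "no-rc4"             # '!' deletes permanently
        if tok == "-RC4":
            present = unknown = False   # '-' deletes, but RC4 can be re-added
        elif tok[0] in "!-":
            continue                    # removes something other than RC4
        elif "RC4" in re.split(r"[+-]", tok) or tok in BROAD:
            present = True              # RC4, RC4-SHA, RC4+RSA, ALL, ...
        elif not RC4_FREE.match(tok):
            unknown = True              # e.g. 'RSA': may or may not pull in RC4
    return "accepts-rc4" if present else "review" if unknown else "no-rc4"

def audit(conf_text):
    """Return (line_number, verdict) for each active SSLCipherSuite line."""
    hits = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:
            hits.append((n, rc4_verdict(m.group(1))))
    return hits

# Constructed sample: one vhost that still offers RC4, one with it disabled.
SAMPLE = """\
<VirtualHost *:443>
    ServerName shop.example.com
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</VirtualHost>
<VirtualHost *:443>
    ServerName store.example.com
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
</VirtualHost>
"""

if __name__ == "__main__":
    for line_no, verdict in audit(SAMPLE):
        print(f"line {line_no}: {verdict}")
```

A `review` verdict means the string uses keywords this heuristic does not model; expanding it with `openssl ciphers -v` on the server's own OpenSSL build settles the question.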
