SSL Server Test

SSL Server Test (ssllabs)

ssllabs deeply analyzes the SSL configuration of a web server using SSL Labs’ SSL Server Test.

Why is this important?

SSL/TLS is a deceptively simple technology. It is easy to deploy, and it just works–except when it does not. The main problem is that encryption is not often easy to deploy correctly. To ensure that TLS provides the necessary security, system administrators and developers must put extra effort into properly configuring their servers and developing their applications.

From SSL Labs’ SSL and TLS Deployment Best Practices

What does the rule check?

This rule uses the SSL Labs API via node-ssllabs to analyze the SSL configuration of a server and report a grade.

Please look at SSL Labs’ Methodology Overview if you want to know more about the process.

Notes:

  • Only servers on the public internet can be scanned by SSL Labs. Internal domains will fail.
  • SSL Labs might have decided not to allow scanning of a domain (if, for example, the owner has requested it).

Can the rule be configured?

By default the minimum grade is A- but you can configure it to any valid grade reported by SSL Labs by setting the grade option for the ssllabs rule.

E.g. The following configuration will change the minium grade to A+:

"ssllabs": [ "error", {
"grade": "A+"
}]

SSL Labs’ scanner also allows some configuration. By default the one used is:

{
"all": "done",
"fromCache": true,
"maxAge": 2
}

You can override the defaults with the following configuration:

"ssllabs": [ "error", {
"ssllabs": {
"fromCache": false,
//...
}
}]

The list of possible parameters is available in SSL Labs’ documentation with the difference that on/off parameters are booleans in our case as shown in node-ssllabs‘ advanced usage.

Further Reading