The officially official Devuan Forum!

You are not logged in.

#1 2023-01-05 02:42:38

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

[SOLVED] SSL Report - What to Fix & Ignore

Suggestions as to what I should address vs ignore?

I just ran this free analysis ... https://www.ssllabs.com/ssltest/analyze.html

I'm guessing I need to figure out why DNS CAA isn't being reported ... DNS CAA     No (more info)

Should I just ignore the rest of this?

IE 11 / Win Phone 8.1  R		Server sent fatal alert: handshake_failure
Safari 6 / iOS 6.0.1 	Server sent fatal alert: handshake_failure
Safari 7 / iOS 7.1  R		Server sent fatal alert: handshake_failure
Safari 7 / OS X 10.9  R		Server sent fatal alert: handshake_failure
Safari 8 / iOS 8.4  R		Server sent fatal alert: handshake_failure
Safari 8 / OS X 10.10  R		Server sent fatal alert: handshake_failure

Offline

#2 2023-01-05 03:50:20

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] SSL Report - What to Fix & Ignore

These are the last few lines of output from https://unboundtest.com for CAA.

Jan 05 03:47:24 unbound[729481:0] info: reply from <com.> 192.41.162.30#53
Jan 05 03:47:24 unbound[729481:0] info: query response was ANSWER
Jan 05 03:47:24 unbound[729481:0] info: validated DNSKEY com. DNSKEY IN
Jan 05 03:47:24 unbound[729481:0] info: resolving realupnow.com. DS IN
Jan 05 03:47:24 unbound[729481:0] info: response for realupnow.com. DS IN
Jan 05 03:47:24 unbound[729481:0] info: reply from <com.> 2001:503:d2d::30#53
Jan 05 03:47:24 unbound[729481:0] info: query response was nodata ANSWER
Jan 05 03:47:24 unbound[729481:0] info: NSEC3s for the referral proved no DS.
Jan 05 03:47:24 unbound[729481:0] info: Verified that unsigned response is INSECURE
Jan 05 03:47:24 unbound[729481:0] info: 127.0.0.1 realupnow.com. CAA IN NOERROR 1.528696 0 101

Offline

#3 2023-01-05 03:57:35

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] SSL Report - What to Fix & Ignore

Shutting down for the night but will try this tomorrow ... unless directed elsewhere ...

https://www.linuxbabe.com/ubuntu/dns-over-tls-resolver-nginx

Step 3: Create DNS over TLS Proxy in Nginx

Offline

#4 2023-01-05 14:36:13

rbit
Member
Registered: 2018-06-12
Posts: 29  

Re: [SOLVED] SSL Report - What to Fix & Ignore

dcolburn wrote:

I'm guessing I need to figure out why DNS CAA isn't being reported ... DNS CAA     No (more info)

This is set by your domain registrar.  Log into the site that you registered the domain name, and add a CAA record using the issuer of your certificate.  https://letsencrypt.org/docs/caa/ may have more information.  One of my CAA records looks like this:
example.com 1799 IN CAA 0 issue "letsencrypt.org"

Unfortunately, I don't know what to make of those handshake failures.  That seems unrelated to caa.

Offline

Board footer