Payara security rating

Hi,

Testing Payara server (default configuration) with https://www.ssllabs.com/ we get a B rating because of Key exchange and Cipher strength. I’ve selected these Cipher suites for http-listener-2:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH x25519 (eq. 3072 bits RSA)   FS	128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH x25519 (eq. 3072 bits RSA)   FS	256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 2048 bits   FS	128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 2048 bits   FS	256

and got an A rating for cipher strength, but I don’t know if it is “enough” for real life… Can anybody just tell me how to get an A rating, without going deeply into the technical details of what Key exchange and Cipher strength are, and get a green security rating for Payara?

Hi,

Getting an A+ from SSL Labs may be divided into four parts, as in the following captured picture.

The Certificate, Protocol Support, Key Exchange and Cipher Strength.

Moreover, apart from the trusted and strong Certificate itself, TLS 1.3 and HTTP Strict Transport Security (HSTS) are also significant. Payara already provides both, as in the following link: -


Of course I have an SSL certificate, HSTS is enabled, and I’ve enabled TLS 1.3, but my server still has a B rating because of the Key Exchange B grade… If I select the cipher suites mentioned in my first post, then TLS 1.3 shows as not enabled; when I use all the cipher suites provided in Payara, then TLS 1.3 is enabled, but I have a B grade because:

This server supports weak Diffie-Hellman (DH) key exchange parameters.
This server does not support Forward Secrecy with the reference browsers.

So the question remains the same - how to get an A rating for the Payara server?

Configuring the cipher suites can be done with the following steps: -

  • Firstly go to Admin Console → server-config → HTTP Service → Http Listener → http-listener-2

  • At the http-listener-2 screen, click at SSL tab

  • Then scroll down to the Cipher Suites section and choose only the strong cipher suites.

    • Please take big note that if no cipher suite is added, ALL cipher suites are chosen.
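The earlier observation that TLS 1.3 stops showing as enabled once only the four TLS 1.2 suites are selected is expected: TLS 1.3 uses its own suite names (TLS_AES_128_GCM_SHA256 and friends), and a JSSE server with none of them enabled cannot complete a TLS 1.3 handshake. As an added check that is not part of this thread or of Payara, the script below audits an intended cipher-suite list from the IANA names alone, reporting suites without forward secrecy, non-AEAD ciphers, and a missing TLS 1.3 suite; it assumes standard IANA names, and since DH parameter size is not encoded in a suite name the "weak DH parameters" finding still needs an actual scan.

```python
import re

# TLS 1.3 suites (RFC 8446) carry no key-exchange token: the handshake is
# always ephemeral (EC)DHE, so every one of them gives forward secrecy.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}

# TLS 1.2 and older: TLS_<kx>[_<auth>]_WITH_<cipher>_<mac>; the anon
# alternatives are listed before plain DH/ECDH so they match first.
TLS12_RE = re.compile(
    r"^TLS_(?P<kx>ECDH_anon|DH_anon|ECDHE|DHE|ECDH|DH|RSA|PSK)"
    r"(?:_(?P<auth>RSA|ECDSA|DSS|PSK))?_WITH_(?P<cipher>.+)$"
)


def describe(suite):
    """Classify one IANA suite name by what its name alone reveals."""
    if suite in TLS13_SUITES:
        return {"suite": suite, "tls13": True, "kx": "(EC)DHE",
                "forward_secrecy": True, "aead": True}
    m = TLS12_RE.match(suite)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {suite}")
    kx, cipher = m.group("kx"), m.group("cipher")
    return {
        "suite": suite,
        "tls13": False,
        "kx": kx,
        # Only ephemeral key exchange protects past sessions if the RSA key leaks.
        "forward_secrecy": kx in ("ECDHE", "DHE"),
        # GCM, CCM and ChaCha20-Poly1305 are AEAD; CBC suites are not.
        "aead": any(tok in cipher for tok in ("_GCM_", "_CCM", "CHACHA20")),
    }


def audit(selection):
    """Return the findings an SSL Labs-style review would raise for a suite list."""
    infos = [describe(s) for s in selection]
    findings = []
    if not any(i["tls13"] for i in infos):
        findings.append("no TLS 1.3 suites selected, so TLS 1.3 cannot be negotiated")
    no_fs = [i["suite"] for i in infos if not i["forward_secrecy"]]
    if no_fs:
        findings.append("no forward secrecy: " + ", ".join(no_fs))
    no_aead = [i["suite"] for i in infos if not i["aead"]]
    if no_aead:
        findings.append("non-AEAD cipher: " + ", ".join(no_aead))
    return findings
```

Run `audit()` over the four suites from the first post and it reports only the missing TLS 1.3 suites; adding TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384 to the selection clears that finding.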