Post by lpotts » Thu Nov 27, 2014 8:40 pm

Hi all,

After first checking the Qualys SSL Labs test I was astonished to see how unsecure our site is and it has caused me to panic a little more than usual recently...

Part of this meant that I read about the update of SHA256 certificates coming into place, and it seemed that I should contact Trustwave (who issue our SSL certificate) to update from SHA1 to SHA2/SHA256... Please bare with me as I do not understand the technicalities of all this or anything much about web design and development.. But Trustwave were rather nice about sorting it out, however, I purchased the certificate through our hosts, and they stated that there is no need for us to update our certificate, with the low score we received on the test I want to ensure that our site is up to scratch and that we are doing what we can to ensure protection for the data and customers who shop with us.

Any assistance on this would be greatly appreciated, if you could advise if I should be going ahead with the update now that would be great,

Thanks for your time,

Luke

New member

Posts

Joined
Wed Jan 09, 2013 2:06 am

Post by Dhaupin » Sat Nov 29, 2014 12:17 am

Luke, the SHA1 sunset doesn't come into effect until 2015/2016, and even then if your cert expires before that, you shouldn't see warnings in browsers. The sunset warnings apply to long-term registered certs (3+ years), before which SHA256 will be the default (exp 2017). This may be why your host said "its not needed".

But you purchased a cert, it was upgraded, you want it installed RSA256 mode right? Does the SSLlabs test show the new SHA256 cert in place? Make sure when you re-run the scan you click the little "clear cache" button under the header for report page. This will force a re-scan.

If SSLlabs isnt showing SHA256, no matter if your hosts says its "needed" or not, they need to re-install it for you. You pay them money, they do their job, everyone is happy. Get them to make SHA256 show in Qualys test, thats their job.

As far as other things that fail a test, there are a variety. Except for cleanup + HSTS, most of these are host-side fixes: If you need help with OpenCart compliance things like forced 301, HSTS policy, and broken lock cleanup, we made a mod here: http://www.opencart.com/index.php?route ... n_id=19396

Hope that helps man. Most of these are at host level, show them the scan results and these suggestions if you like. If you want a bonus, try to get them to pass Qualys PCI compliance test...its like interrogating your server tied up under a hot light for 7 or so hours :D

https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.


User avatar
Active Member

Posts

Joined
Tue May 13, 2014 3:45 am
Location - PA
Who is online

Users browsing this forum: No registered users and 1 guest