I'd observe that this is testing the <i>default</i> TLS configuration when you ask net/http to "Just TLS that connection for me, will you?" with no further details. I imagine almost any version could get to A- if you configured it (PFS seems like it may have been a feature that had to be added), and per selectnull's point about Strict Transport Security, you probably should not output that header by default so an A+ with a default configuration would arguably actually be a bad thing.<p>I certainly do not mean this is an unfair question to ask; quite the contrary! (It has been said "defaults matter", but I'm really coming around to the idea that even <i>that</i> understates the truth. Options <i>almost</i> don't matter. They do. But just barely.) More people should ask this of more code. I just want to make sure non-Go programmers understand what is being said here, that this is the <i>default</i>, not the <i>top capability</i> of the built-in Go TLS stack of those versions.
For those who might not be aware, the highest SSL Labs grade is not A, but A+.<p>To score A+ you must score A and additionally set HSTS headers with long duration (I use 2 years, haven't tried with less). For example, with Nginx you use something like:<p><pre><code> add_header Strict-Transport-Security "max-age=63113904;";</code></pre>
It's amazing how much this line of code actually makes happen:<p><pre><code> http.ListenAndServeTLS(":443", "cert.pem", "key.pem", nil)</code></pre>
A full HTTP and TLS stack ready to start dispatching requests to your callbacks. I know there are other languages that can do the same, but I still think it's impressive. I've written just a few thousand lines of Go and while I'm pretty sure I'm not really "doing it right" I was able to port some decently complex C# and very easily had all cores processing data at a higher overall rate with the Go code. High-level libraries like this and managed memory make it almost feel like a scripting language, but with all the advantages of a compiler.<p>Operational question... If you're terminating client-side TLS like this, then does that mean either it's a single server or you have L4 (or lower) load balancing in front of it? I assume it's more common to have haproxy or nginx or something like that in front terminating TLS, with the API servers sitting behind.
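Added example (not from any commenter above) tying the two points together: the one-liner above relies on the library's default TLS settings, while an explicit tls.Config pins the version floor and forward-secret cipher suites, and the HSTS header that the nginx snippet above adds can be set from a Go handler instead. The handler names, the two-year max-age and the cert.pem/key.pem paths are assumptions carried over from the thread.

```go
package main

import (
	"crypto/tls"
	"log"
	"net/http"
)

// hardenedTLSConfig replaces the library defaults with an explicit policy:
// TLS 1.2 as the floor and ECDHE-only suites so every session has forward
// secrecy, which is what the "A-" vs "configured" distinction above is about.
func hardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// hstsMaxAge mirrors the two-year value from the nginx example (assumed).
const hstsMaxAge = "max-age=63113904"

// hstsMiddleware sets Strict-Transport-Security only on responses that were
// actually served over TLS: browsers ignore the header on plain HTTP, and
// emitting it from a host that cannot keep serving TLS locks clients out,
// which is why it is an explicit choice rather than a library default.
func hstsMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil {
			w.Header().Set("Strict-Transport-Security", hstsMaxAge)
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("hello over TLS\n"))
	})
	srv := &http.Server{
		Addr:      ":443",
		Handler:   hstsMiddleware(mux),
		TLSConfig: hardenedTLSConfig(), // applied by ListenAndServeTLS below
	}
	// cert.pem and key.pem are assumed to exist, as in the one-liner above.
	log.Fatal(srv.ListenAndServeTLS("cert.pem", "key.pem"))
}
```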
In addition to SSL Labs, I also find this useful for things that are not exposed to the internet. (firewalled)<p>[1] <a href="https://github.com/drwetter/testssl.sh" rel="nofollow">https://github.com/drwetter/testssl.sh</a><p>It only depends on OpenSSL and bash. I find it very useful for reviewing our systems before they go live.
Hmm, what is HSTS preloading?<p>I have to catch up on the latest TLS stuff every few months.<p>So what is the default preferred cipher suite string for Go 1.6? I worked out my own a couple years ago and it still gets an A rating on SSL Labs.
I wonder what the results would be for 1.5.2 (the version which had the bug in key generation). Has anyone checked this? If not, I'll do it when I have time later today.