ssllabs.com gives my websites (IIS sites running behind HAProxy with Let's Encrypt certs) only a "B" rating because:
Anything I can do about this?
I found this: https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ and this: https://mozilla.github.io/server-side-tls/ssl-config-generator/ - can I do this in the OPNsense GUI? Shouldn't it be the default to disable weak ciphers nowadays?
Technically this was already possible in advanced mode (hidden setting), but I understand that this was not user-friendly at all. I've introduced several new settings to make it easier:
Some settings can also be configured as global defaults:
You still need to know the cipher list, but now it's a simple copy'n'paste.
You're right and I've added new default values. However, I'm not enforcing these values as it would risk breaking existing setups. You'll have to enable the advanced SSL settings (see screenshot).
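An added example, not part of this thread or of the OPNsense plugin: a small audit of the HAProxy settings discussed above (global bind defaults and a per-bind cipher list). The sample config, the function names and the policy (forward secrecy plus AEAD, no SSLv3/TLS 1.0/1.1) are assumptions of this example, and alias keywords such as `HIGH` are not expanded.

```python
# Constructed haproxy.cfg sample: hardened global defaults, weak per-bind override.
SAMPLE_CFG = """\
global
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305

frontend legacy
    bind :443 ssl crt /etc/ssl/site.pem ciphers ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:DES-CBC3-SHA:RC4-SHA
"""

# Assumed policy for this example, not taken from the thread.
WEAK_ALGS = ("RC4", "DES", "MD5", "NULL", "EXP")
REQUIRED_OPTS = {"no-sslv3", "no-tlsv10", "no-tlsv11"}

def weak_reason(suite):
    """Return why a TLS <= 1.2 OpenSSL suite name fails the policy, or None."""
    name = suite.upper()
    if not name or name.startswith("!"):   # empty entry or explicit exclusion
        return None
    for alg in WEAK_ALGS:
        if alg in name:
            return f"broken algorithm ({alg})"
    if not name.startswith(("ECDHE-", "DHE-")):
        return "no forward secrecy"
    if "GCM" not in name and "CHACHA20" not in name:
        return "non-AEAD (CBC) mode"
    return None

def audit(cfg_text):
    """Return (line_no, message) findings for cipher and protocol settings."""
    findings, have_opts = [], False
    for no, line in enumerate(cfg_text.splitlines(), 1):
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "ssl-default-bind-options":
            have_opts = True
            for opt in sorted(REQUIRED_OPTS - set(words[1:])):
                findings.append((no, f"legacy protocol still enabled: missing {opt}"))
        cipher_list = None
        if words[0] == "ssl-default-bind-ciphers" and len(words) > 1:
            cipher_list = words[1]
        elif words[0] == "bind" and "ciphers" in words[:-1]:
            cipher_list = words[words.index("ciphers") + 1]   # per-bind override
        for suite in (cipher_list or "").split(":"):
            if weak_reason(suite):
                findings.append((no, f"{suite}: {weak_reason(suite)}"))
    if not have_opts:
        findings.append((0, "no ssl-default-bind-options line found"))
    return findings
```

Calling `audit()` on the text of a generated haproxy.cfg shows whether a per-frontend cipher list undoes the global defaults.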