I don't normally have my WebUI accessible via the internet, but I allowed it through the firewall temporarily so I could test it on SSLLabs. It was surprisingly easy to get an A+ rating.
I'm using the ACME plugin to get a cert via Let's Encrypt. Everything else is set up via System -> Settings -> Administration.
Disable TLS 1.0 and TLS 1.1
SSL Labs caps your rating at a B if you allow TLS 1.0 or 1.1. It looks like the only way to do this is by limiting the available ciphers (https://forum.opnsense.org/index.php?topic=7356.msg33738#msg33738), so I've changed my ciphers from Default to the following:
# TLS 1.3
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
# TLS 1.2
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
This will prevent some archaic browsers from accessing the WebUI. Some examples:
- IE 11 works, but not IE 11 on some un-updated versions of Windows Phone OS
- Safari 9 on all platforms works, but Safari 8 and older will not work
- Android 4.4.2+ should work, but anything older will not
HSTS
Check the box for HTTP Strict Transport Security or you'll be limited to an A rating.
That's it!
Congrats! Your router now has a higher SSL rating than Amazon.com =D
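Two checks for what the post configures, added here and not taken from the original post or from OPNsense: `legacy_ciphers()` confirms offline that the suites in the post (translated from their IANA names to the OpenSSL spelling Python's ssl module uses; that mapping is mine) cannot be negotiated below TLS 1.2, which is why trimming the cipher list alone is enough to shut off TLS 1.0/1.1, and `probe()` handshakes with your own WebUI at each TLS version and reads back the HSTS header. The host passed to `probe()` is a placeholder for your own router.

```python
import http.client
import socket
import ssl

# The post's TLS 1.2 suites, IANA name -> OpenSSL name (the spelling Python's ssl
# module uses). TLS 1.3 suites are not part of an OpenSSL cipher list at all.
IANA_TO_OPENSSL = {
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
}
TLS_VERSIONS = (("TLSv1.0", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                ("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3))


def legacy_ciphers(openssl_names):
    """(name, oldest protocol) for each suite OpenSSL can negotiate below TLS 1.2.
    The post relies on the cipher list alone to shut out TLS 1.0/1.1, which only
    works if this is empty; a CBC/SHA1 suite (e.g. ECDHE-RSA-AES256-SHA) would
    reopen TLS 1.0 and be reported here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(":".join(openssl_names))
    return sorted((c["name"], c["protocol"]) for c in ctx.get_ciphers()
                  if c["protocol"] not in ("TLSv1.2", "TLSv1.3"))


def _probe_ctx(version=None):
    """Client context for probing your own host: no verification, one pinned version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    if version is not None:
        ctx.minimum_version = ctx.maximum_version = version
    return ctx


def probe(host, port=443):
    """Handshake with the WebUI at each TLS version, then read its HSTS header."""
    report = {}
    for label, version in TLS_VERSIONS:
        try:
            with socket.create_connection((host, port), timeout=5) as raw, \
                    _probe_ctx(version).wrap_socket(raw, server_hostname=host) as tls:
                report[label] = "accepted (%s)" % tls.cipher()[0]
        except (ssl.SSLError, OSError, ValueError) as exc:
            # A local OpenSSL policy that refuses TLS 1.0/1.1 on the client side lands
            # here too, so confirm a "rejected" with SSL Labs before trusting it.
            report[label] = "rejected (%s)" % type(exc).__name__
    conn = http.client.HTTPSConnection(host, port, context=_probe_ctx(), timeout=5)
    conn.request("HEAD", "/")
    report["HSTS"] = conn.getresponse().getheader("Strict-Transport-Security") or "missing"
    return report
```

`legacy_ciphers(IANA_TO_OPENSSL.values())` returns an empty list for the post's suites, and `probe("router.example.test")` (placeholder host) should report TLS 1.0 and 1.1 rejected, 1.2 and 1.3 accepted, and a non-empty HSTS value once the box is ticked.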
Nice, thanks for this! Should we move it to the tutorials section?
Cheers,
Franco
+1 for the tutorial section.
It would be nice to have such settings as default for a future release.
Maybe add a console option to activate legacy settings for those who need to use legacy browsers for administration.
I second this for the tutorial PLUS having it in a future release as a viable check box option, if able, to turn on and off for those that need the older TLS options.
None of those cipher names match what I can see in the GUI of my v20.1 installation so have they changed or am I missing something?
Also, I cannot find the equivalents for TLS 1.3 with HAProxy and its cipher suite, I even tried the recommendation from Mozilla "ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" but they don't work either.
Fantastic! Thanks! This should definitely be made more official.