OPNsense NGINX reverse proxy A+ status in SSL test
Author
Topic: OPNsense NGINX reverse proxy A+ status in SSL test (Read 4594 times)
marcelmah
Jr. Member
Posts: 61
Karma: 3
OPNsense NGINX reverse proxy A+ status in SSL test « on: October 15, 2021, 05:34:14 pm »
Hi,
I'm trying to get the highest score in the SSL test:
https://www.ssllabs.com/ssltest/index.html
I have it to an A status and everything is green except this:
Cipher Suites
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (0xc077) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 128
I Googled for solutions, and I found multiple requests and even a pull request on GitHub but no working solution. Can this be accomplished?
https://forum.opnsense.org/index.php?topic=19230.msg88253
https://forum.opnsense.org/index.php?topic=17151.msg86631
https://github.com/opnsense/plugins/commit/a694ac4cb65481df9abf7138c0eb7693a9e36d11
https://forum.opnsense.org/index.php?topic=15701.msg71853
Logged
muchacha_grande
Full Member
Posts: 219
Karma: 19
Re: OPNsense NGINX reverse proxy A+ status in SSL test « Reply #1 on: October 15, 2021, 06:32:40 pm »
I have A+ and still the same cipher suites.
There must be another cause for the A.
My results:
Certificate: 100%
Protocol Support: 100%
Key Exchange: 90%
Cipher Strength: 90%
Logged
Fright
Hero Member
Posts: 1777
Karma: 164
Re: OPNsense NGINX reverse proxy A+ status in SSL test « Reply #2 on: October 15, 2021, 07:28:29 pm »
Just wait a little.
I hope @franco will have time to take a look. The request is approved by the maintainer (@fabian):
https://github.com/opnsense/plugins/pull/2478
Logged
marcelmah
Jr. Member
Posts: 61
Karma: 3
Re: OPNsense NGINX reverse proxy A+ status in SSL test « Reply #3 on: October 15, 2021, 09:22:45 pm »
Aaah, great, another pull request that looks on track for merging. I subscribed to get notified, thanks!
PS. I'm aiming for an all-green output of the test. I assumed only all green would provide A+; if less does, that's great. Aiming for perfect.
Logged
Fright
Hero Member
Posts: 1777
Karma: 164
Re: OPNsense NGINX reverse proxy A+ status in SSL test « Reply #4 on: October 15, 2021, 09:38:55 pm »
Yes, you can get A+ with the current ciphers.
Try to enable HSTS.
Logged
marcelmah
Jr. Member
Posts: 61
Karma: 3
Re: OPNsense NGINX reverse proxy A+ status in SSL test « Reply #5 on: October 15, 2021, 11:29:14 pm »
Hmm, so after some Googling I think I need to add a custom security header, but then I'm lost: so many options, and none of them read "HSTS". Could you point me in the right direction?
Logged
muchacha_grande
Full Member
Posts: 219
Karma: 19
Re: OPNsense NGINX reverse proxy A+ status in SSL test « Reply #6 on: October 16, 2021, 02:50:15 am »
I have a custom security header with these options:
XSS Protection: block
Don't Sniff Content Type: set
Strict Transport Security Time: 63072000
Strict Transport Security Include Subdomains: set
Content Security Policy Enable: set
Everything else is unset.
Try creating the custom security header with the options above and then select it on the "Security Header" option at the HTTP Server page.
These options were taken from the different advice I read for securing a Nextcloud installation.
Logged
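An added example (not part of the thread, the OPNsense nginx plugin or SSL Labs) that verifies, from the response headers a proxy actually sends, the security header set described in the reply above: HSTS with the two-year max-age and includeSubDomains, X-Content-Type-Options nosniff, X-XSS-Protection in block mode, and a Content-Security-Policy present. The sample header set is constructed; the `fetch_headers` helper is there for running the same check against a live host and is not used offline.

```python
"""Check a reverse proxy's response headers for the security header set
described in the thread. Added example; not OPNsense nginx plugin code."""
import http.client
from typing import Dict, List

# Two years: the "Strict Transport Security Time" value used in the thread.
MIN_HSTS_MAX_AGE = 63072000

# Constructed sample headers, as a proxy configured with that custom
# security header would send them.
SAMPLE_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'",
}


def parse_hsts(value: str) -> Dict[str, str]:
    """Split an HSTS header into lowercase directive names and their values."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a header set; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age", ""))
        except ValueError:  # absent or malformed max-age
            max_age = -1
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-xss-protection", "").replace(" ", "").lower() != "1;mode=block":
        findings.append("X-XSS-Protection is not '1; mode=block'")
    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")
    return findings


def fetch_headers(host: str, path: str = "/") -> Dict[str, str]:
    """Fetch the response headers of a live HTTPS host (network; not run offline)."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return {k: v for k, v in resp.getheaders()}
    finally:
        conn.close()


if __name__ == "__main__":
    for line in check_headers(SAMPLE_HEADERS) or ["all checks passed"]:
        print(line)
```

Against a live proxy, replace `SAMPLE_HEADERS` with `fetch_headers("proxy.example.org")`. Two points worth keeping in mind: the HSTS header only has an effect when it is sent over HTTPS, so check the TLS response rather than a plain-HTTP redirect; and `X-XSS-Protection` is ignored by current Chromium and Firefox builds, so it adds nothing to the score of a modern browser session even though it is harmless to keep.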
marcelmah
Jr. Member
Posts: 61
Karma: 3
Re: OPNsense NGINX reverse proxy A+ status in SSL test « Reply #7 on: October 16, 2021, 12:45:50 pm »
Ah great, I now have A+!
I hope the pull request will get all four bars to 100%.
Logged
marcelmah
Jr. Member
Posts: 61
Karma: 3
Re: OPNsense NGINX reverse proxy A+ status in SSL test « Reply #8 on: November 30, 2021, 04:21:50 pm »
So this is merged into version 21.7.6.
Unfortunately I am unable to find a combination of cipher suites (with TLS 1.3) where I score 100 on every bar.
I chose this one finally: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
It has no weak ciphers (according to SSL Labs), but it's not scoring 100% because of breaking compatibility with older devices.
If someone knows a better one...
PS. You can enter this in: Services > Nginx > Configuration > HTTP(S) > HTTP Server.
Edit your HTTP server, enable advanced mode and find the value "TLS Ciphers".
Logged
Fright
Hero Member
Posts: 1777
Karma: 164
Re: OPNsense NGINX reverse proxy A+ status in SSL test « Reply #9 on: November 30, 2021, 05:51:18 pm »
You can try leaving only 256-bit encryption:
https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide#cipher-strength
Logged
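An added example (not OPNsense, nginx or SSL Labs code) covering both the cipher string chosen in Reply #8 and the suggestion in Reply #9. It parses an OpenSSL-style cipher string, flags suites that use CBC mode or static RSA key exchange (the CBC suites are what the first post's report marked WEAK), and computes the cipher-strength bar the way the linked rating guide describes: each suite scores 0% for no encryption, 20% below 128 bits, 80% below 256 bits and 100% at 256 bits or more, and the bar is the average of the strongest and weakest suite. The "weak" classification is this example's simplification, not SSL Labs' full logic; the cipher string constant is copied from Reply #8.

```python
"""Score an OpenSSL cipher string the way the SSL Labs rating guide scores
cipher strength. Added example; not OPNsense, nginx or SSL Labs code."""
import re
from dataclasses import dataclass
from typing import List

# The cipher string chosen in Reply #8 of the thread.
THREAD_CIPHERS = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                  "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                  "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
                  "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384")

# Substrings that identify an AEAD suite in OpenSSL naming.
AEAD_MARKERS = ("GCM", "CCM", "POLY1305")


@dataclass
class Suite:
    name: str
    kx: str      # key exchange: ECDHE, DHE, or RSA (static key, no forward secrecy)
    bits: int    # symmetric key length
    aead: bool   # AEAD (GCM/CCM/ChaCha20-Poly1305) rather than CBC + HMAC


def parse_suite(name: str) -> Suite:
    """Derive key exchange, key length and mode from an OpenSSL suite name."""
    kx = name.split("-")[0]
    if kx not in ("ECDHE", "DHE"):
        kx = "RSA"  # e.g. "AES128-GCM-SHA256": static RSA key exchange
    m = re.search(r"(?:AES|CAMELLIA|ARIA)(128|256)", name)
    if m:
        bits = int(m.group(1))
    elif "CHACHA20" in name:
        bits = 256
    elif "3DES" in name or "DES-CBC3" in name:
        bits = 112
    else:
        raise ValueError(f"unrecognised suite: {name}")
    return Suite(name, kx, bits, any(mk in name for mk in AEAD_MARKERS))


def parse_cipher_string(cipher_string: str) -> List[Suite]:
    return [parse_suite(n) for n in cipher_string.split(":") if n]


def strength_score(bits: int) -> int:
    """Per-suite score from the rating guide's key length thresholds."""
    if bits == 0:
        return 0
    if bits < 128:
        return 20
    if bits < 256:
        return 80
    return 100


def cipher_strength(suites: List[Suite]) -> float:
    """Cipher strength bar: average of the strongest and the weakest suite."""
    scores = [strength_score(s.bits) for s in suites]
    return (max(scores) + min(scores)) / 2


def weak_suites(suites: List[Suite]) -> List[str]:
    """Suites with static RSA key exchange or CBC mode (simplified WEAK rule)."""
    return [s.name for s in suites if s.kx == "RSA" or not s.aead]


def keep_256_only(suites: List[Suite]) -> List[Suite]:
    """Reply #9's suggestion: drop everything below a 256-bit key."""
    return [s for s in suites if s.bits >= 256]


def to_cipher_string(suites: List[Suite]) -> str:
    return ":".join(s.name for s in suites)


if __name__ == "__main__":
    suites = parse_cipher_string(THREAD_CIPHERS)
    print("weak suites:", weak_suites(suites) or "none")
    print("cipher strength as chosen:", cipher_strength(suites))
    print("cipher strength, 256-bit only:", cipher_strength(keep_256_only(suites)))
    print("256-bit only string:", to_cipher_string(keep_256_only(suites)))
```

Run as written, the thread's list scores 90, which matches the "Cipher Strength: 90%" reported in Reply #1 (128-bit suites score 80, 256-bit suites 100, averaged); keeping only the 256-bit suites gives 100. The trade-off is the one Reply #8 already noted: clients that only support 128-bit AEAD suites can then no longer connect, so check your access logs for such clients before narrowing the list.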