Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
21.7 Legacy Series
»
OPNsense NGINX reverse proxy A+ status in SSL test
« previous
next »
Print
Pages: [
1
]
Author
Topic: OPNsense NGINX reverse proxy A+ status in SSL test (Read 4596 times)
marcelmah
Jr. Member
Posts: 61
Karma: 3
OPNsense NGINX reverse proxy A+ status in SSL test
«
on:
October 15, 2021, 05:34:14 pm »
Hi,
I'm trying to get the hights score in the SSL test:
https://www.ssllabs.com/ssltest/index.html
I have it to a A status and everyting is green except this:
Cipher Suites
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (0xc077) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 128
I Googled for solutions, and I found multiple requests and even a pull request on GitHub but no working solution. Can this be accomplished?
https://forum.opnsense.org/index.php?topic=19230.msg88253
https://forum.opnsense.org/index.php?topic=17151.msg86631
https://github.com/opnsense/plugins/commit/a694ac4cb65481df9abf7138c0eb7693a9e36d11
https://forum.opnsense.org/index.php?topic=15701.msg71853
Logged
muchacha_grande
Full Member
Posts: 219
Karma: 19
Re: OPNsense NGINX reverse proxy A+ status in SSL test
«
Reply #1 on:
October 15, 2021, 06:32:40 pm »
I have A+ and still the same cipher suites.
There must be another cause for the A.
My results:
Certificate: 100%
Protocol Support: 100%
Key Exchange: 90%
Cipher Strength: 90%
Logged
Fright
Hero Member
Posts: 1777
Karma: 164
Re: OPNsense NGINX reverse proxy A+ status in SSL test
«
Reply #2 on:
October 15, 2021, 07:28:29 pm »
just wait a little
I hope @franco will have time to take a look. request is approved by the maintainer (@fabian)
https://github.com/opnsense/plugins/pull/2478
Logged
marcelmah
Jr. Member
Posts: 61
Karma: 3
Re: OPNsense NGINX reverse proxy A+ status in SSL test
«
Reply #3 on:
October 15, 2021, 09:22:45 pm »
Aaah great another pull request that looks on track for merging, I subscribed to get notified, thnx!
PS. I'm aiming for an all green output of the test, I assumed only all green would provide A+, if less does, thats great, aiming for perfect
Logged
Fright
Hero Member
Posts: 1777
Karma: 164
Re: OPNsense NGINX reverse proxy A+ status in SSL test
«
Reply #4 on:
October 15, 2021, 09:38:55 pm »
yes, you can get A+ with current ciphers
try to enable HSTS
Logged
marcelmah
Jr. Member
Posts: 61
Karma: 3
Re: OPNsense NGINX reverse proxy A+ status in SSL test
«
Reply #5 on:
October 15, 2021, 11:29:14 pm »
Hmm, so after some Googling I think I need to add a custom security header, but then I'm lost, so many options, none of them read HSTS, could you point me in the right direction?
Logged
muchacha_grande
Full Member
Posts: 219
Karma: 19
Re: OPNsense NGINX reverse proxy A+ status in SSL test
«
Reply #6 on:
October 16, 2021, 02:50:15 am »
I have a custom security header with these options:
XSS Protection: block
Don't Sniff Content Type: set
Strict Transport Security Time: 63072000
Strict Transport Security Include Subdomains: set
Content Security Policy Enable: set
Everything else is unset.
Try creating the custom security header with the options above and then select it on the "Security Header" option at the HTTP Server page.
These options were taken from the different advices I read for securing a Nextcloud installation.
Logged
marcelmah
Jr. Member
Posts: 61
Karma: 3
Re: OPNsense NGINX reverse proxy A+ status in SSL test
«
Reply #7 on:
October 16, 2021, 12:45:50 pm »
Ah great, now have A+!
I hope the pull request will get all four bars to 100%
Logged
marcelmah
Jr. Member
Posts: 61
Karma: 3
Re: OPNsense NGINX reverse proxy A+ status in SSL test
«
Reply #8 on:
November 30, 2021, 04:21:50 pm »
So this is merged into version 21.7.6
Unfortunately I am unable to find a combination of cipher suites (with TLS 1.3) where I score 100 on every bar.
I chose this one finally: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
It has no weak ciphers (according to SSL labs) but It's not scoring 100% because of breaking compatibility with older devices.
If someone knows a better one...
PS. you can enter this in: Services > Nginx > Configuration > HTTP(S) > HTTP Server
Edit your HTTP server enable advanced and find the value: TLS Ciphers
Logged
Fright
Hero Member
Posts: 1777
Karma: 164
Re: OPNsense NGINX reverse proxy A+ status in SSL test
«
Reply #9 on:
November 30, 2021, 05:51:18 pm »
you can try leaving only 256 bit encryption
https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide#cipher-strength
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
21.7 Legacy Series
»
OPNsense NGINX reverse proxy A+ status in SSL test