OPNsense NGINX reverse proxy A+ status in SSL test

Started by marcelmah, October 15, 2021, 05:34:14 PM

Hi,

I'm trying to get the highest score in the SSL test: https://www.ssllabs.com/ssltest/index.html
I have it at an A status and everything is green except this:
Cipher Suites
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   256
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (0xc077)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   128

I Googled for solutions, and I found multiple requests and even a pull request on GitHub but no working solution. Can this be accomplished?

https://forum.opnsense.org/index.php?topic=19230.msg88253
https://forum.opnsense.org/index.php?topic=17151.msg86631
https://github.com/opnsense/plugins/commit/a694ac4cb65481df9abf7138c0eb7693a9e36d11
https://forum.opnsense.org/index.php?topic=15701.msg71853

I have A+ and still the same cipher suites.
There must be another cause for the A.

My results:
Certificate: 100%
Protocol Support: 100%
Key Exchange: 90%
Cipher Strength: 90%

just wait a little  ;)
I hope @franco will have time to take a look. The request is approved by the maintainer (@fabian):
https://github.com/opnsense/plugins/pull/2478

Aaah, great, another pull request that looks on track for merging. I subscribed to get notified, thnx!

PS. I'm aiming for an all-green output of the test. I assumed only all green would provide A+; if less does, that's great, but I'm aiming for perfect :)


Yes, you can get A+ with the current ciphers.
Try to enable HSTS.

Hmm, so after some Googling I think I need to add a custom security header, but then I'm lost, so many options, none of them read HSTS, could you point me in the right direction?

I have a custom security header with these options:

XSS Protection: block
Don't Sniff Content Type: set
Strict Transport Security Time: 63072000
Strict Transport Security Include Subdomains: set
Content Security Policy Enable: set

Everything else is unset.

Try creating the custom security header with the options above and then select it on the "Security Header" option at the HTTP Server page.

These options were taken from the different pieces of advice I read for securing a Nextcloud installation.

Ah great, I now have A+!

I hope the pull request will get all four bars to 100% :)


So this is merged into version 21.7.6 :)

Unfortunately I am unable to find a combination of cipher suites (with TLS 1.3) where I score 100 on every bar.
I chose this one finally: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

It has no weak ciphers (according to SSL Labs), but it's not scoring 100% because of breaking compatibility with older devices.

If someone knows a better one...

PS. You can enter this in: Services > Nginx > Configuration > HTTP(S) > HTTP Server
Edit your HTTP server, enable advanced mode, and find the value: TLS Ciphers
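As an added example (not code from the thread or from the OPNsense plugin), this script applies two of the checks discussed above offline: it flags CBC or non-forward-secret suites in an OpenSSL-format cipher string the way SSL Labs marks them WEAK, and it parses a Strict-Transport-Security header value to confirm the max-age is long enough for A+. The SSL Labs rules are simplified here (AEAD plus ECDHE/DHE counts as strong; the six-month HSTS threshold is an assumption), and the OpenSSL names for the three flagged CBC suites are constructed from the IANA names in the first post.

```python
# Constructed inputs: the cipher string chosen in the final post, and the
# OpenSSL names of the three CBC suites SSL Labs flagged as WEAK earlier.
CHOSEN = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
          "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
          "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
          "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384")
FLAGGED = ("ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:"
           "ECDHE-RSA-AES128-SHA256")

# Assumption: SSL Labs wants HSTS max-age of at least six months for A+.
MIN_HSTS_AGE = 15768000


def classify_suite(name):
    """Return (forward_secret, aead) for one OpenSSL cipher suite name.

    Forward secrecy comes from an ephemeral (EC)DHE key exchange; AEAD
    modes (GCM, CCM, ChaCha20-Poly1305) avoid the CBC weaknesses that
    SSL Labs reports as WEAK.
    """
    forward_secret = name.startswith(("ECDHE-", "DHE-"))
    aead = ("-GCM-" in name or "CHACHA20-POLY1305" in name or "CCM" in name)
    return forward_secret, aead


def weak_suites(cipher_string):
    """List the suites in an OpenSSL cipher string that fail either check."""
    suites = [s for s in cipher_string.split(":") if s]
    return [s for s in suites if not all(classify_suite(s))]


def parse_hsts(value):
    """Parse 'max-age=63072000; includeSubDomains' into a lowercase dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip().strip('"')
    return directives


def hsts_ok(value, min_age=MIN_HSTS_AGE):
    """True when the header carries a max-age at or above the threshold."""
    try:
        return int(parse_hsts(value).get("max-age", "-1")) >= min_age
    except ValueError:  # non-numeric max-age is treated as absent
        return False


if __name__ == "__main__":
    print("weak in chosen list:", weak_suites(CHOSEN))
    print("weak in flagged list:", weak_suites(FLAGGED))
    print("HSTS ok:", hsts_ok("max-age=63072000; includeSubDomains"))
```

The cipher string covers TLS 1.2 only; TLS 1.3 suites are configured separately in OpenSSL and are all AEAD with forward secrecy.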