Author Topic: Configuring WebUI for A+ rating on SSL Labs  (Read 4052 times)

bobpaul

Configuring WebUI for A+ rating on SSL Labs
« on: February 02, 2020, 03:54:42 am »
I don't normally have my WebUI accessible via the internet, but I allowed it through the firewall temporarily so I could test it on SSL Labs. It was surprisingly easy to get an A+ rating.

I'm using the ACME plugin to get a cert via Let's Encrypt. Everything else is set up via System -> Settings -> Administration.

Disable TLS 1.0 and TLS 1.1

SSL Labs caps your rating at a B if you allow TLS 1.0 or 1.1. It looks like the only way to do this is by limiting the available ciphers, so I've changed my ciphers from Default to the following:

Code:
# TLS 1.3
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256

# TLS 1.2
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

This will prevent some archaic browsers from accessing the WebUI. Some examples:
  • IE 11 works, but not IE 11 on some un-updated versions of Windows Phone OS
  • Safari 9 on all platforms works, but Safari 8 and older will not work
  • Android 4.4.2+ should work, but anything older will not

HSTS
Check the box for HTTP Strict Transport Security or you'll be limited to an A rating.

That's it!
Congrats! Your router now has a higher SSL rating than Amazon.com =D

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 17751
  • Karma: 1620
    • View Profile
Re: Configuring WebUI for A+ rating on SSL Labs
« Reply #1 on: February 03, 2020, 01:18:45 pm »
Nice, thanks for this! Should we move it to the tutorials section?


Cheers,
Franco

banym

  • Sr. Member
  • ****
  • Posts: 468
  • Karma: 31
  • Free Human Being, FreeBSD, Linux and Mac nerd
    • View Profile
    • Banym
Re: Configuring WebUI for A+ rating on SSL Labs
« Reply #2 on: February 03, 2020, 01:31:31 pm »
+1 for the tutorial section.

It would be nice to have such settings as default for future release.
Maybe add a console option to activate legacy settings for those who need to use legacy browsers for administration.
Twitter: banym
Mastodon: banym@bsd.network
Blog: https://www.banym.de

cguilford

  • Full Member
  • ***
  • Posts: 130
  • Karma: 15
    • View Profile
Re: Configuring WebUI for A+ rating on SSL Labs
« Reply #3 on: February 03, 2020, 02:16:33 pm »
I second this for tutorial PLUS having it on future release as a viable check box option if able to turn on and off for those that need the older TLS options.

Taomyn

  • Sr. Member
  • ****
  • Posts: 444
  • Karma: 20
    • View Profile
Re: Configuring WebUI for A+ rating on SSL Labs
« Reply #4 on: March 05, 2020, 02:41:14 pm »
None of those cipher names match what I can see in the GUI of my v20.1 installation, so have they changed or am I missing something?

Also, I cannot find the equivalents for TLS 1.3 with HAProxy and its cipher suite, I even tried the recommendation from Mozilla "ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" but they don't work either.
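Added example (not OPNsense, HAProxy or forum code): the list in the first post uses IANA suite names, while OPNsense's GUI and HAProxy use OpenSSL's spelling, which is the mismatch Taomyn ran into. This script converts the posted names to OpenSSL form and then loads them into an SSLContext to confirm that every remaining suite requires TLS 1.2 or 1.3, which is why restricting ciphers this way shuts off TLS 1.0/1.1. It assumes a Python build linked against OpenSSL 1.1.1 or newer.

```python
import re
import ssl

# Suite list as posted above (IANA names). Constructed input for this example.
POSTED_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
]


def iana_to_openssl(name: str) -> str:
    """Translate an IANA TLS 1.2 suite name into OpenSSL's spelling.

    TLS 1.3 suites (no "_WITH_") keep their IANA names in OpenSSL and HAProxy.
    """
    if "_WITH_" not in name:
        return name
    kx, bulk = name[len("TLS_"):].split("_WITH_")
    bulk = re.sub(r"AES_(\d+)", r"AES\1", bulk)  # AES_128 -> AES128
    bulk = bulk.replace("CHACHA20_POLY1305_SHA256", "CHACHA20_POLY1305")  # OpenSSL drops the MAC
    return f"{kx}-{bulk}".replace("_", "-")


def tls12_cipher_string(suites) -> str:
    """OpenSSL cipher string (TLS 1.2 and earlier), as used by 'ssl-default-bind-ciphers'."""
    return ":".join(iana_to_openssl(s) for s in suites if "_WITH_" in s)


def tls13_ciphersuites_string(suites) -> str:
    """TLS 1.3 list, as used by 'ssl-default-bind-ciphersuites'."""
    return ":".join(s for s in suites if "_WITH_" not in s)


def protocols_allowed(cipher_string: str) -> set:
    """Load an OpenSSL cipher string and return the minimum protocol version of each suite.

    Anything other than TLSv1.2/TLSv1.3 here means the list still lets TLS 1.0/1.1 negotiate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return {c["protocol"] for c in ctx.get_ciphers()}


if __name__ == "__main__":
    print("ciphers:", tls12_cipher_string(POSTED_SUITES))
    print("ciphersuites:", tls13_ciphersuites_string(POSTED_SUITES))
    print("protocols:", sorted(protocols_allowed(tls12_cipher_string(POSTED_SUITES))))
```

Feeding a legacy suite such as `AES128-SHA` to `protocols_allowed` shows a pre-1.2 protocol in the result, which is the condition SSL Labs penalises with a B cap.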

jds

  • Full Member
  • ***
  • Posts: 112
  • Karma: 3
    • View Profile
Re: Configuring WebUI for A+ rating on SSL Labs
« Reply #5 on: March 07, 2020, 03:23:26 pm »
Fantastic! Thanks! This should definitely be made more official.
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved