Hi, it would be nice if the web frontend of openvpn-as could reach an A+ grade out of the box with the ssllabs ssltest:
https://www.ssllabs.com/ssltest/
- ssl2 support should be removed, also from the GUI;
- ssl3 should also be safely removed; the only browser requiring it is IE6 on WinXP, and most web servers are disabling it: https://www.trustworthyinternet.org/ssl-pulse/
- also I get this: The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-
- finally HSTS should also be enabled.
With this it should be able to get A+: <- bosses like that stuff!
Note I am a paying customer; I bought 5 years of 40 licences on 2015-03-17.
Thanks!
Reaching A+ in web GUI ssltest
-
- OpenVpn Newbie
- Posts: 3
- Joined: Sun Apr 05, 2015 7:52 pm
Re: Reaching A+ in web GUI ssltest
After upgrading to the latest version (2.0.21), setting the SSL Library to OpenSSL, setting minimum TLS protocol version to TLS 1.0, setting minimum SSL/TLS protocol version accepted by access server web server to TLS 1.0, checking support SSL/TLS renegotiation, I was able to get an A.
I also had to run this command on the server to remove the RC4 support in TLS:
./sacli -k cs.openssl_ciphersuites -v 'DEFAULT:!EXP:!PSK:!SRP:!LOW:!RC4:!kRSA' ConfigPut
./sacli start
Also, Chrome recognizes the cipher suite as a "modern cipher suite".
-
- OpenVpn Newbie
- Posts: 6
- Joined: Fri Aug 14, 2015 4:20 pm
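The sacli command in the post above only writes the cipher string into the Access Server config; it does not tell you what OpenSSL actually ends up offering, which is what SSL Labs grades on (RC4 and static-RSA key exchange are the two things that cost the grade in this thread). The following added example, which is not from this thread or from OpenVPN, feeds the same cipher string into a Python ssl server context and lists the suites that survive, flagging any that are RC4 or lack forward secrecy. It assumes the ssl module's get_ciphers() output (the 'kea' field) and the local OpenSSL build; the suite names it prints will differ between OpenSSL versions.

```python
import ssl

# Cipher string from the sacli command in the post above
# (cs.openssl_ciphersuites value).
HARDENED = "DEFAULT:!EXP:!PSK:!SRP:!LOW:!RC4:!kRSA"

# Key-exchange methods that provide forward secrecy: ephemeral (EC)DH.
# Python reports TLS 1.3 suites as 'kx-any'; TLS 1.3 is always ephemeral.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}


def enabled_suites(cipher_string, minimum=ssl.TLSVersion.TLSv1_2):
    """Return the cipher suites OpenSSL would offer for a server context
    configured with this cipher string and protocol floor (list of dicts,
    as produced by SSLContext.get_ciphers())."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = minimum
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def weak_suites(cipher_string):
    """Names of suites that would cost an SSL Labs grade: RC4, or a static
    RSA key exchange (no forward secrecy). An empty list means the string
    leaves nothing objectionable enabled."""
    return [
        c["name"]
        for c in enabled_suites(cipher_string)
        if "RC4" in c["name"] or c["kea"] not in FORWARD_SECRET_KX
    ]


def forward_secret_suites(cipher_string):
    """Names of the suites that do provide forward secrecy."""
    return [
        c["name"]
        for c in enabled_suites(cipher_string)
        if c["kea"] in FORWARD_SECRET_KX
    ]


if __name__ == "__main__":
    # Compare OpenSSL's bare DEFAULT with the hardened string from the post.
    for label, cs in (("DEFAULT", "DEFAULT"), ("hardened", HARDENED)):
        print(f"[{label}] {cs}")
        print("  forward-secret suites:", len(forward_secret_suites(cs)))
        print("  suites to worry about:", weak_suites(cs) or "none")
```

Run it on the machine whose OpenSSL the web server links against, since that is the library that decides which suites the string expands to. If the hardened string still shows entries under "suites to worry about", the remaining grade cap is not coming from the cipher list.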
Re: Reaching A+ in web GUI ssltest
I was also using those settings indeed, but I just get A-. And RC4 is already disabled by default since 2.0.17. It would be nice to get A+ by default anyway, since it can also be achieved easily.
Happy holidays to everyone!
-
- OpenVpn Newbie
- Posts: 6
- Joined: Fri Aug 14, 2015 4:20 pm
Re: Reaching A+ in web GUI ssltest
Specifically I am getting this:
The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-.
-
- OpenVpn Newbie
- Posts: 6
- Joined: Fri Aug 14, 2015 4:20 pm
Re: Reaching A+ in web GUI ssltest
Still getting A- after upgrade to 2.0.24.
-
- OpenVpn Newbie
- Posts: 6
- Joined: Fri Aug 14, 2015 4:20 pm
Re: Reaching A+ in web GUI ssltest
Now (openvpn-as 2.8.7 on Debian 10), after setting "TLS options for Web Server" to "TLS 1.2" I am still at B with https://www.ssllabs.com/ssltest/ .
Open problems:
- This server does not support Forward Secrecy with the reference browsers. Grade capped to B;
- still missing HSTS (needed for A+);
- (and I think you should set TLS 1.2 as the default for the web server on new installations, currently it says it still defaults to unsafe TLS 1.1).
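HSTS, the other item still open in the post above, is not part of the TLS handshake at all: it is a response header that the web server must send, and SSL Labs only awards the A+ bonus when the header is present with a long max-age (its published floor is six months, 15768000 seconds). The following added example, not from this thread or from OpenVPN, parses a captured HTTP response head and reports whether the Strict-Transport-Security header would satisfy that check. The two response samples are constructed for the example; point the function at the headers you actually get back from the Access Server web GUI (for instance via curl -I over HTTPS) to check a real installation.

```python
import re

# Constructed response heads (not captured from a real Access Server).
SAMPLE_WITH_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)
SAMPLE_WITHOUT_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# SSL Labs' published minimum max-age for the A+ bonus: six months.
SIX_MONTHS = 15768000


def parse_headers(raw):
    """Map lower-cased header names to values from an HTTP response head.
    Only the first occurrence of a repeated header is kept, which is how
    RFC 6797 tells clients to treat duplicate HSTS headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def hsts_status(raw, min_age=SIX_MONTHS):
    """Return (ok, reason) for the Strict-Transport-Security header in the
    response head. ok is True only when max-age is present and at least
    min_age seconds."""
    value = parse_headers(raw).get("strict-transport-security")
    if value is None:
        return (False, "no Strict-Transport-Security header")
    directives = [d.strip() for d in value.split(";") if d.strip()]
    max_age = None
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
    if max_age is None:
        return (False, "max-age directive missing")
    if max_age < min_age:
        return (False, f"max-age {max_age} is below {min_age} seconds")
    subdomains = any(d.lower() == "includesubdomains" for d in directives)
    detail = f"max-age {max_age}" + (" with includeSubDomains" if subdomains else "")
    return (True, detail)


if __name__ == "__main__":
    for label, sample in (("with HSTS", SAMPLE_WITH_HSTS),
                          ("without HSTS", SAMPLE_WITHOUT_HSTS)):
        ok, reason = hsts_status(sample)
        print(f"{label}: {'OK' if ok else 'FAIL'} ({reason})")
```

Browsers only remember an HSTS policy received over a connection whose certificate validated, so the header does nothing useful until the web GUI is served with a certificate the client trusts; that is worth confirming before relying on it.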