Reaching A+ in web GUI ssltest

Posted: Fri Aug 14, 2015 4:44 pm
by oibaf
Hi, it would be nice if the web frontend of openvpn-as could be able to reach A+ grade out of the box with ssllabs ssltest:
https://www.ssllabs.com/ssltest/

- ssl2 support should be removed, also from the GUI;
- ssl3 should also be safely removed; the only browser requiring it is IE6 on WinXP, and most web servers are disabling it: https://www.trustworthyinternet.org/ssl-pulse/
- also I get this: The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-
- finally HSTS should also be enabled.

With this it should be able to get A+: <- bosses like that stuff!

Note I am a paying customer; I bought 5-year 40-licences on 2015-03-17.

Thanks!

Re: Reaching A+ in web GUI ssltest

Posted: Sat Dec 05, 2015 4:21 pm
by djengineer
After upgrading to the latest version (2.0.21), setting the SSL library to OpenSSL, setting the minimum TLS protocol version to TLS 1.0, setting the minimum SSL/TLS protocol version accepted by the Access Server web server to TLS 1.0, and checking "support SSL/TLS renegotiation", I was able to get an A.

I also had to run this command on the server to remove the RC4 support in TLS:
./sacli -k cs.openssl_ciphersuites -v 'DEFAULT:!EXP:!PSK:!SRP:!LOW:!RC4:!kRSA' ConfigPut
./sacli start

Also, Chrome recognizes the cipher suite as a "modern cipher suite".

Re: Reaching A+ in web GUI ssltest

Posted: Fri Dec 25, 2015 4:38 pm
by oibaf
I was also using those settings indeed, but I just get A-. And RC4 is already disabled by default since 2.0.17. It would be nice to get A+ by default anyway, since it can also be obtained easily.

Happy holidays to everyone! :D

Re: Reaching A+ in web GUI ssltest

Posted: Fri Dec 25, 2015 4:40 pm
by oibaf
Specifically I am getting this:
The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-. MORE INFO »

Re: Reaching A+ in web GUI ssltest

Posted: Thu Jan 07, 2016 8:52 am
by oibaf
Still getting A- after upgrade to 2.0.24.

Re: Reaching A+ in web GUI ssltest

Posted: Sun Jan 03, 2021 3:22 pm
by oibaf
Now (openvpn-as 2.8.7 on Debian 10), after setting "TLS options for Web Server" to "TLS 1.2", I am still at B with https://www.ssllabs.com/ssltest/.

Open problems:
  • This server does not support Forward Secrecy with the reference browsers. Grade capped to B;
  • still missing HSTS (needed for A+);
  • (and I think you should set TLS 1.2 as the default for the web server on new installations, currently it says it still defaults to unsafe TLS 1.1).
Note: paying customer with "Licensed for 240 concurrent VPN connections".
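The two findings that keep coming up in this thread are the forward-secrecy warning and the missing HSTS header, and djengineer's sacli command addresses the first one through the OpenSSL cipher string. The script below is an added example (not OpenVPN Access Server code, and not from any poster) that checks both offline: it asks the local OpenSSL, through Python's ssl module, which suites the thread's cipher string actually selects and flags any RC4 or static-RSA (non-forward-secret) suite, and it parses a constructed set of HTTP response headers to decide whether an HSTS header is long enough for an A+. The six-month max-age threshold is an assumption about the SSL Labs A+ rule, expressed here as 180 days; the sample responses are constructed.

```python
"""Offline checks for the SSL Labs findings discussed in this thread.

Added example; not OpenVPN Access Server code. Assumes the sacli value
`cs.openssl_ciphersuites` is passed to OpenSSL unchanged, and that
SSL Labs requires an HSTS max-age of at least six months for A+.
"""
import re
import ssl

# Cipher string from djengineer's sacli command (copied from the thread).
THREAD_CIPHER_STRING = "DEFAULT:!EXP:!PSK:!SRP:!LOW:!RC4:!kRSA"

# Assumed A+ threshold: six months, taken here as 180 days in seconds.
HSTS_MIN_MAX_AGE = 180 * 24 * 3600


def expand_cipher_string(cipher_string):
    """Return the TLS 1.2-and-below suites OpenSSL selects for the string,
    as the dicts produced by SSLContext.get_ciphers()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites always use (EC)DHE key exchange, so they are left out
    # of the forward-secrecy audit below.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def key_exchange(cipher):
    """Pull the key-exchange algorithm out of OpenSSL's description line,
    e.g. 'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA ...'."""
    m = re.search(r"Kx=(\S+)", cipher["description"])
    return m.group(1).upper() if m else "UNKNOWN"


def audit_cipher_string(cipher_string):
    """Report what SSL Labs would penalise: RC4 suites, and suites whose
    key exchange is static (no forward secrecy). A string OpenSSL rejects
    outright is reported as count 0."""
    try:
        suites = expand_cipher_string(cipher_string)
    except ssl.SSLError as err:
        return {"count": 0, "rc4": [], "no_forward_secrecy": [], "error": str(err)}
    rc4 = [c["name"] for c in suites if "RC4" in c["name"]]
    # ECDH and DH here mean the ephemeral variants; anything else is static.
    no_fs = [c["name"] for c in suites if key_exchange(c) not in ("ECDH", "DH")]
    return {"count": len(suites), "rc4": rc4, "no_forward_secrecy": no_fs}


def parse_hsts(header_lines):
    """Parse 'Name: value' response header lines and return
    (present, max_age_seconds_or_None, include_subdomains)."""
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "strict-transport-security":
            continue
        directives = [d.strip().lower() for d in value.split(";")]
        max_age = None
        for d in directives:
            if d.startswith("max-age="):
                try:
                    max_age = int(d[len("max-age="):].strip('"'))
                except ValueError:
                    max_age = None  # malformed directive: treat as absent
        return True, max_age, "includesubdomains" in directives
    return False, None, False


def hsts_ok_for_a_plus(header_lines, min_max_age=HSTS_MIN_MAX_AGE):
    """True when an HSTS header is present and its max-age meets the
    assumed six-month minimum."""
    present, max_age, _ = parse_hsts(header_lines)
    return present and max_age is not None and max_age >= min_max_age


# Constructed sample responses (not captured from any real server).
RESPONSE_NO_HSTS = ["HTTP/1.1 200 OK", "Content-Type: text/html"]
RESPONSE_SHORT_HSTS = RESPONSE_NO_HSTS + ["Strict-Transport-Security: max-age=3600"]
RESPONSE_LONG_HSTS = RESPONSE_NO_HSTS + [
    "Strict-Transport-Security: max-age=31536000; includeSubDomains"
]

if __name__ == "__main__":
    print(audit_cipher_string(THREAD_CIPHER_STRING))
    for label, resp in (("none", RESPONSE_NO_HSTS), ("short", RESPONSE_SHORT_HSTS),
                        ("long", RESPONSE_LONG_HSTS)):
        print(label, "HSTS ok for A+:", hsts_ok_for_a_plus(resp))
```

The cipher audit is the interesting half: `!kRSA` is what removes the static-RSA suites, so after applying the thread's string every remaining pre-1.3 suite should report `Kx=ECDH` or `Kx=DH`. A forward-secrecy warning from SSL Labs after that change points at the server preferring a non-ECDHE suite for the reference browsers, or at the cipher setting not reaching the web server at all, rather than at the string itself. The header check is a local stand-in for the HSTS line in the SSL Labs report; on a live server the same parser can be fed the headers from `curl -sI https://host/`.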