Reaching A+ in web GUI ssltest

oibaf
OpenVpn Newbie
Posts: 6
Joined: Fri Aug 14, 2015 4:20 pm

Reaching A+ in web GUI ssltest

Post by oibaf » Fri Aug 14, 2015 4:44 pm

Hi, it would be nice if the web frontend of openvpn-as could reach an A+ grade out of the box with the ssllabs ssltest:
https://www.ssllabs.com/ssltest/

- ssl2 support should be removed, also from the GUI;
- ssl3 should also be safely removed; the only browser requiring it is IE6 on WinXP, and most web servers are disabling it: https://www.trustworthyinternet.org/ssl-pulse/
- also I get this: The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-
- finally, HSTS should also be enabled.

With this it should be able to get A+: <- bosses like that stuff!

Note I am a paying customer, I bought 5-years 40-licences on 2015-03-17.

Thanks!

djengineer
OpenVpn Newbie
Posts: 3
Joined: Sun Apr 05, 2015 7:52 pm

Re: Reaching A+ in web GUI ssltest

Post by djengineer » Sat Dec 05, 2015 4:21 pm

After upgrading to the latest version (2.0.21), setting the SSL Library to OpenSSL, setting minimum TLS protocol version to TLS 1.0, setting minimum SSL/TLS protocol version accepted by access server web server to TLS 1.0, checking support SSL/TLS renegotiation, I was able to get an A.

I also had to run this command on the server to remove the RC4 support in TLS:
./sacli -k cs.openssl_ciphersuites -v 'DEFAULT:!EXP:!PSK:!SRP:!LOW:!RC4:!kRSA' ConfigPut
./sacli start

Also, Chrome recognizes the cipher suite as a "modern cipher suite".
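
An added example (not part of the thread and not OpenVPN's code): the cipher string from the post above, expanded by the local OpenSSL build through Python's `ssl` module and sorted by whether each suite's key exchange is ephemeral, which is what the Forward Secrecy line in the ssltest report concerns. The function names are illustrative, and the result reflects the OpenSSL that Python is linked against, not the Access Server's own library.

```python
import ssl

# Cipher string quoted from the post above (value given to cs.openssl_ciphersuites).
POSTED = "DEFAULT:!EXP:!PSK:!SRP:!LOW:!RC4:!kRSA"

# Key-exchange labels Python's ssl module reports for ephemeral exchanges.
# "kx-any" is how TLS 1.3 suites are reported; TLS 1.3 is always ephemeral.
FS_KEA = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk", "kx-any"}


def expand(cipher_string):
    """Return the suites the local OpenSSL build selects for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    return ctx.get_ciphers()


def audit(cipher_string):
    """Sort suite names into forward-secret and static key exchange; flag RC4."""
    report = {"fs": [], "non_fs": [], "rc4": []}
    for suite in expand(cipher_string):
        name = suite["name"]
        if "RC4" in name:
            report["rc4"].append(name)
        bucket = "fs" if suite.get("kea") in FS_KEA else "non_fs"
        report[bucket].append(name)
    return report


def summary(cipher_string):
    """One-line count of each category for a cipher string."""
    r = audit(cipher_string)
    return "{}: {} forward-secret, {} static key exchange, {} RC4".format(
        cipher_string, len(r["fs"]), len(r["non_fs"]), len(r["rc4"]))


if __name__ == "__main__":
    # "DEFAULT" and "kRSA" are constructed comparison inputs, not from the thread.
    for s in (POSTED, "DEFAULT", "kRSA"):
        print(summary(s))
    print("static key exchange left in posted string:", audit(POSTED)["non_fs"])
```

This lists what the string allows the server to offer; which suite a given browser actually negotiates also depends on the server's preference order and the client's own list.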

Re: Reaching A+ in web GUI ssltest

Post by oibaf » Fri Dec 25, 2015 4:38 pm

I was also using those settings indeed, but I just get A-. And RC4 is already disabled by default since 2.0.17. It would be nice to get A+ by default anyway, since it can also be gotten easily.

Happy holidays to everyone! :D

Re: Reaching A+ in web GUI ssltest

Post by oibaf » Fri Dec 25, 2015 4:40 pm

Specifically I am getting this:
The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-. MORE INFO »

Re: Reaching A+ in web GUI ssltest

Post by oibaf » Thu Jan 07, 2016 8:52 am

Still getting A- after upgrade to 2.0.24.

Re: Reaching A+ in web GUI ssltest

Post by oibaf » Sun Jan 03, 2021 3:22 pm

Now (openvpn-as 2.8.7 on Debian 10), after setting "TLS options for Web Server" to "TLS 1.2" I am still at B with https://www.ssllabs.com/ssltest/ .

Open problems:
  • This server does not support Forward Secrecy with the reference browsers. Grade capped to B;
  • still missing HSTS (needed for A+);
  • (and I think you should set TLS 1.2 as the default for the web server on new installations, currently it says it still defaults to unsafe TLS 1.1).
Note: paying customer with "Licensed for 240 concurrent VPN connections".
