Modern SSL Configuration

I was running some tests on Qualys’ ssllabs.com and comparing the SSL setup of my webserver to SimpleHelp. I was able to increase my grade from a “B” to an “A” by removing old ciphers from /opt/SimpleHelp/configuration/sslconfig/acceptedciphers and adding new ones, along with disabling all protocols except for TLS 1.2.

Is there any support for HSTS in SimpleHelp?


UPDATE - we went the whole day today and had no issues with connecting to computers, and then ran into a site that this config broke for some reason. Couldn’t get into a Windows 2008 server or a Win10 1809 computer until I put the ciphers/protocols back the way they were. Tested again after I was able to get access by putting my trimmed list back, and again lost access, so it’s definitely related to the cipher/protocol stuff. So for now we are rolling back to stock.


For others that are looking to do this, this is what we used on our Linux server for settings to get an A grade.

This will keep Internet Explorer 11 (other than on Win10) from being able to see the site though, so keep that in mind.

In the “acceptedciphers” file:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

In the “acceptedprotocols” file (even though it doesn’t seem to enable TLS3.0 for now):

TLSv1.3
TLSv1.2
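An added example (not SimpleHelp's code) that simulates the negotiation the acceptedciphers and acceptedprotocols lists above control, so a trimmed list can be checked against the clients you need to keep before rolling it out. The one-entry-per-line file format, the server-preference rule and both client profiles are assumptions; the profiles are constructed, not measured from any real OS.

```python
# Added example: dry-run TLS negotiation against a SimpleHelp-style cipher/protocol list.
# File format, server-preference negotiation and client profiles are assumptions.
from typing import List, Optional, Tuple

PROTO_ORDER = ["TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1.0"]

def parse_list(text: str) -> List[str]:
    """One entry per line; blank lines and '#' comments ignored (assumed format)."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def suites_for(proto: str, suites: List[str]) -> List[str]:
    """TLS 1.3 uses its own suite names (TLS_AES_*/TLS_CHACHA20_*); 1.2 suites never apply to it."""
    is13 = lambda s: s.startswith(("TLS_AES_", "TLS_CHACHA20_"))
    return [s for s in suites if is13(s) == (proto == "TLSv1.3")]

def negotiate(srv_ciphers: List[str], srv_protos: List[str],
              cli_ciphers: List[str], cli_protos: List[str]) -> Optional[Tuple[str, str]]:
    """Highest protocol both sides allow that also has a common suite, server preference first."""
    for proto in PROTO_ORDER:
        if proto in srv_protos and proto in cli_protos:
            for suite in suites_for(proto, srv_ciphers):
                if suite in cli_ciphers:
                    return proto, suite
    return None  # no common (protocol, suite) pair: the handshake fails

def weaknesses(suite: str) -> List[str]:
    """Properties that cost grade points: no forward secrecy, no AEAD, broken primitives."""
    issues = []
    if "_ECDHE_" not in suite and "_DHE_" not in suite:
        issues.append("no forward secrecy")
    if "_GCM_" not in suite and "CHACHA20" not in suite:
        issues.append("not AEAD (CBC/HMAC)")
    issues += [f"uses {bad}" for bad in ("RC4", "3DES", "NULL", "EXPORT", "MD5") if bad in suite]
    return issues

# Server side: the two lists from the post above.
SERVER_CIPHERS = parse_list("""
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
""")
SERVER_PROTOS = parse_list("TLSv1.3\nTLSv1.2\n")

# Constructed client profiles (illustrative only).
MODERN_CLIENT = (["TLS_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"], ["TLSv1.3", "TLSv1.2"])
LEGACY_CLIENT = (["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"],
                 ["TLSv1.2", "TLSv1.1", "TLSv1.0"])

if __name__ == "__main__":
    for name, (cc, cp) in (("modern", MODERN_CLIENT), ("legacy", LEGACY_CLIENT)):
        print(name, negotiate(SERVER_CIPHERS, SERVER_PROTOS, cc, cp))
    # Re-admitting one CBC suite brings the legacy client back, at a cost the grader sees:
    print(weaknesses("TLS_RSA_WITH_AES_128_CBC_SHA"))
```

With no TLS 1.3 suite names in the list, the simulation never picks TLS 1.3 even when both sides allow it, which matches the observation above that listing TLSv1.3 alone does not enable it.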

Did you ever figure out which ciphers need to be used? We ran into the same issue.

Unfortunately I didn’t take another crack at it. I’m hoping that they are trimming off old/unsupported ciphers as they upgrade, but I don’t really know.

My assumption is that something like ssllabs is just testing the webserver portion that allows for downloads of the client anyway. This isn’t something that needs to use very secure crypto anyway, as there is no information exchange being done, no login, etc. I have no idea what the client/server communications are encrypted with, and that may use a whole different type of crypto for all I know.