{"id":758,"date":"2019-11-21T23:09:14","date_gmt":"2019-11-22T05:09:14","guid":{"rendered":"http:\/\/zewwy.ca\/?p=758"},"modified":"2019-11-21T23:37:05","modified_gmt":"2019-11-22T05:37:05","slug":"getting-a-qualys-report","status":"publish","type":"post","link":"https:\/\/zewwy.ca\/index.php\/2019\/11\/21\/getting-a-qualys-report\/","title":{"rendered":"Getting A+ Qualys Report"},"content":{"rendered":"<p>As some of you may know, you can validate the security strength of your HTTPS-secured website using <a href=\"https:\/\/www.ssllabs.com\/ssltest\/index.html\">https:\/\/www.ssllabs.com\/ssltest\/index.html<\/a><\/p>\n<p><a href=\"https:\/\/scotthelme.co.uk\/perfect-forward-secrecy\/\">A good read on Perfect Forward Secrecy<\/a><\/p>\n<p>I use HAProxy with Let&#8217;s Encrypt for my site&#8217;s security. While setting up those two plugins to work together, it turned out that by <a href=\"https:\/\/github.com\/opnsense\/plugins\/issues\/375\">default it&#8217;s not using the most secure suites<\/a>. OK, the dev shows how you can adjust them accordingly&#8230; but to which ones? 
This is what I get by default:<\/p>\n<p><a href=\"https:\/\/i.imgur.com\/USR6FJB.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/i.imgur.com\/USR6FJB.png\" alt=\"\" width=\"1138\" height=\"752\" \/><\/a><\/p>\n<p>Phhh, only a B. Let&#8217;s get secure here.<\/p>\n<p>A little more searching and I found the base SSL suites <a href=\"https:\/\/ssl-config.mozilla.org\/\">from the Mozilla config generator<\/a>,<\/p>\n<p>which gave me this string of suites:<\/p>\n<pre>ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384<\/pre>\n<p>But then the SSL Labs report still complained about weak DH&#8230; so I had to remove the final two options (the DHE suites) from the list, leaving me with this:<\/p>\n<pre>ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305<\/pre>\n<p>Now, after applying the setting on the listener, I get this!<\/p>\n<p><a href=\"https:\/\/i.imgur.com\/E0718Ms.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/i.imgur.com\/E0718Ms.png\" alt=\"\" width=\"1129\" height=\"661\" \/><\/a><\/p>\n<p>Mhmmm yeah! 
A+, baby! But it looks like some poor saps may not be able to see my site:<\/p>\n<p><a href=\"https:\/\/i.imgur.com\/mW0Qa9a.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/i.imgur.com\/mW0Qa9a.png\" alt=\"\" width=\"948\" height=\"621\" \/><\/a><\/p>\n<p>Too bad, so sad for IE on older OSes, and the same for older Safari on iOS and on Macs.<\/p>\n<p><a href=\"https:\/\/i.imgur.com\/N7q52Et.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/i.imgur.com\/N7q52Et.png\" alt=\"\" width=\"644\" height=\"151\" \/><\/a><\/p>\n<p>Now let&#8217;s tackle <a href=\"https:\/\/sslmate.com\/caa\/about\">DNS CAA<\/a>. Well, I was going to discuss how to set this up, but the linked site covers it well. Since my external DNS provider was listed in the supported providers, I logged into my provider&#8217;s portal to manage my DNS, and sure enough the wizard made it straightforward to grant Let&#8217;s Encrypt authority to sign my certificates! Finally, one that was actually really easy! Wooo!<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/i.imgur.com\/w7s2dgZ.png\" \/><\/p>\n<p>Now I suppose I can eventually play with experimental TLS 1.3, but I&#8217;ll save that for another post! Cheers!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As some of you may know, you can validate the security strength of your HTTPS-secured website using https:\/\/www.ssllabs.com\/ssltest\/index.html A good read on Perfect Forward Secrecy I use HAProxy with Let&#8217;s Encrypt for my site&#8217;s security. 
While setting up those two plugins to work together, it turned out that by default it&#8217;s not using the most secure &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/zewwy.ca\/index.php\/2019\/11\/21\/getting-a-qualys-report\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Getting A+ Qualys Report&#8221;<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"sfsi_plus_gutenberg_text_before_share":"","sfsi_plus_gutenberg_show_text_before_share":"","sfsi_plus_gutenberg_icon_type":"","sfsi_plus_gutenberg_icon_alignemt":"","sfsi_plus_gutenburg_max_per_row":"","footnotes":""},"categories":[4,8],"tags":[258,256,257],"class_list":["post-758","post","type-post","status-publish","format-standard","hentry","category-infosec","category-server-administration","tag-secure-suites","tag-ssl","tag-tls"],"_links":{"self":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/758","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/comments?post=758"}],"version-history":[{"count":3,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/758\/revisions"}],"predecessor-version":[{"id":761,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/758\/revisions\/761"}],"wp:attachment":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/media?parent=758"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/categories?post=758"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/tags?post
=758"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
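The cipher-string change is the heart of the post, so here is an added example (not code from the post, from HAProxy, or from SSL Labs) that audits an OpenSSL-style cipher string for the properties SSL Labs grades on: forward secrecy, AEAD modes, and the "weak DH" that capped this listener at a B. The DH group size is passed in as a parameter because in HAProxy it is set globally (tune.ssl.default-dh-param) rather than in the cipher string; SSL Labs caps the grade at B when a DHE suite is offered with a group shorter than 2048 bits. The LEGACY_EXAMPLE string is constructed for illustration and is not the plugin's real default. Dropping the two DHE suites, as the post does, is one fix; raising the DH parameter to 2048 bits keeps them and also clears the warning. TLS 1.3 suites use a different naming scheme and a separate HAProxy directive, so they are out of scope here.

```python
"""Audit an OpenSSL-style cipher string for what SSL Labs grades on.

Added example for this post; not code from the post, HAProxy or SSL Labs.
Suite names have the shape KX-AUTH-ENC-MODE-MAC (e.g. ECDHE-RSA-AES128-GCM-SHA256);
a name with no ECDHE/DHE prefix uses static RSA key exchange.
"""
from dataclasses import dataclass
from typing import List

# The string the post took from the Mozilla SSL config generator.
MOZILLA_INTERMEDIATE = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)

# Constructed stand-in for a permissive legacy string (an assumption for this
# example, not the plugin's actual default): static-RSA and CBC suites mixed in.
LEGACY_EXAMPLE = "AES128-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA256:" + MOZILLA_INTERMEDIATE

FORWARD_SECRET_KX = ("ECDHE", "DHE")
AEAD_MARKERS = ("GCM", "CHACHA20")


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str      # "ECDHE", "DHE", or "RSA" (static RSA key transport)
    aead: bool   # True for GCM or ChaCha20-Poly1305


def parse_suite(name: str) -> Suite:
    """Split an OpenSSL suite name on '-' and read off key exchange and mode."""
    parts = name.split("-")
    kx = parts[0] if parts[0] in FORWARD_SECRET_KX else "RSA"
    aead = any(marker in parts for marker in AEAD_MARKERS)
    return Suite(name, kx, aead)


def audit(cipher_string: str, dh_param_bits: int) -> List[str]:
    """Return one finding per problem; an empty list means nothing to fix.

    dh_param_bits is the server's DH group size (HAProxy: tune.ssl.default-dh-param).
    It only matters for DHE suites, which is why dropping them also cures "weak DH".
    """
    findings = []
    for name in filter(None, cipher_string.split(":")):
        suite = parse_suite(name)
        if suite.kx == "RSA":
            findings.append(f"{name}: no forward secrecy (static RSA key exchange)")
        if not suite.aead:
            findings.append(f"{name}: CBC mode, not an AEAD suite")
        if suite.kx == "DHE" and dh_param_bits < 2048:
            findings.append(f"{name}: weak DH ({dh_param_bits}-bit group, grade capped at B)")
    return findings


def drop_dhe(cipher_string: str) -> str:
    """The post's fix: keep only the ECDHE suites so the DH group size no longer matters."""
    return ":".join(s for s in cipher_string.split(":") if s and not s.startswith("DHE-"))


if __name__ == "__main__":
    for line in audit(LEGACY_EXAMPLE, 1024):
        print(line)
    print("\nECDHE-only string:", drop_dhe(MOZILLA_INTERMEDIATE))
```

Run it with the string you actually have on the listener and the DH size from your global section; an empty list from audit() is the TLS 1.2 half of what the A+ screenshot shows (HSTS and certificate details are graded separately).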
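For the DNS CAA step, which the post hands off to the SSLMate page, this added example (again not code from the post, from SSLMate, or from any CA) shows the decision a CA makes against the records you publish, following RFC 8659: climb from the requested name toward the root, take the first non-empty CAA set, and check issue (or issuewild for a wildcard request) against the CA's issuer domain. The zone is constructed for the example; the record the post's wizard creates for Let's Encrypt is the issue "letsencrypt.org" form used here. Starting the climb for *.example.com at example.com is an assumption made for this example.

```python
"""Decide whether a CA may issue for a name under a zone's CAA policy (RFC 8659).

Added example for this post; not code from the post, SSLMate or any CA.
Records are (flags, tag, value) as in a CAA RR, e.g. 0 issue "letsencrypt.org".
The zone below is constructed; a real CA resolves these records over DNS.
"""
from typing import Dict, List, Tuple

CaaRecord = Tuple[int, str, str]
Zone = Dict[str, List[CaaRecord]]

# Constructed sample zone (assumption for this example, not a real zone):
#   example.com        allows only Let's Encrypt and asks for violation reports
#   locked.example.com forbids all issuance with an empty issuer ("issue ;")
#   wild.example.com   allows normal certs from Let's Encrypt, but no wildcards
SAMPLE_ZONE: Zone = {
    "example.com": [(0, "issue", "letsencrypt.org"),
                    (0, "iodef", "mailto:security@example.com")],
    "locked.example.com": [(0, "issue", ";")],
    "wild.example.com": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
}

CRITICAL_FLAG = 128                       # issuer-critical bit in the flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(zone: Zone, fqdn: str) -> List[CaaRecord]:
    """RFC 8659 s3: walk from the FQDN toward the root; the first non-empty set wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(zone: Zone, name: str, ca_domain: str) -> bool:
    """True if a CA identified by ca_domain may issue for name (wildcards start with '*.')."""
    wildcard = name.startswith("*.")
    # Assumption for this example: the climb for *.example.com starts at example.com.
    rrset = relevant_rrset(zone, name[2:] if wildcard else name)
    if not rrset:
        return True  # no CAA anywhere up the tree: any CA may issue
    if any(flags & CRITICAL_FLAG and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False  # a critical property we do not understand: must not issue
    # issuewild, when present, takes precedence over issue for wildcard requests.
    for tag in (["issuewild", "issue"] if wildcard else ["issue"]):
        issuers = [issuer_domain(v) for _, t, v in rrset if t == tag]
        if issuers:
            # an empty issuer ("issue ;") is in the list as "" and matches no CA
            return ca_domain.lower() in issuers
    return True  # CAA set exists (e.g. iodef only) but carries no issue restriction


if __name__ == "__main__":
    for req in ("www.example.com", "locked.example.com", "*.wild.example.com", "host.wild.example.com"):
        print(f"{req:26} letsencrypt.org -> {issuance_allowed(SAMPLE_ZONE, req, 'letsencrypt.org')}")
```

The two cases worth noticing are the ones a wizard hides: a zone with no CAA at all permits every CA, and an "issue ;" record permits none, so locking a hostname down is a matter of publishing the empty issuer rather than deleting records.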