Website TLS Configuration

Just out of curiosity I ran Qualys’ SSL Labs Server Test on the EndeavourOS website, and noticed a few things that could be improved.

Here’s a direct link for scan results of the main site, and here’s one for the ARM site. Those result pages themselves have some details on what could be changed, but there’s a few things I’d highlight.
Firstly, the certificate for the ARM site is also being served when visiting the main site, which is unnecessary and adds to the size of the handshake.
Secondly, the supported cipher suites should probably be tightened more, because right now there’s a bunch and many of them are weak. More than half of the supported TLS 1.2 suites don’t support Forward Secrecy, which isn’t great; preferably all non-FS suites should be disabled.
Additionally, it would be great if TLS 1.3 support could be enabled!

I realize that webserver configuration is a balancing act between improving security/performance and maintaining broad compatibility. However, in general, it seems that at least these fairly minimal changes could be made without actually causing much change in compatibility.

In addition to the informational links in the ssllabs reports, I would highly recommend using the Mozilla TLS recommendations as a reference when configuring the server. There’s even a configuration generator that can at least give you a good starting point.

Anyways, thanks for all the amazing work on EndeavourOS, I’m happily using it every day!

7 Likes

Welcome aboard!

3 Likes

I tested the forum with the same result (B) - I thought some of that might have been down to the Discourse defaults, but forum.garudalinux.org has an A+ rating so it can be done.

3 Likes

Good info. Welcome to the community :beers:

2 Likes

Thanks for looking into this. Welcome to the forum!

1 Like

Welcome to EndeavourOS :balloon: :tada:

1 Like

Thank you for bringing it to our attention. We’re going to look into it. (Probably coming weekend.)

3 Likes