Just out of curiosity I ran Qualys’ SSL Labs Server Test on the EndeavourOS website, and noticed a few things that could be improved.
Here’s a direct link for scan results of the main site, and here’s one for the ARM site. Those result pages themselves have some details on what could be changed, but there are a few things I’d highlight.
Firstly, the certificate for the ARM site is also being served when visiting the main site, which is unnecessary and adds to the size of the handshake.
Secondly, the supported cipher suites should probably be tightened more, because right now there’s a bunch and many of them are weak. More than half of the supported TLS 1.2 suites don’t support Forward Secrecy, which isn’t great; preferably all non-FS suites should be disabled.
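To make the forward-secrecy point checkable, here is an added example of mine (not code from the EndeavourOS project or the ssllabs report): it parses `openssl ciphers -v` output, which you would run against the server's configured cipher string, flags suites without forward secrecy or with legacy MACs, and derives an FS-only cipher string that is then validated against the local OpenSSL. The sample listing is constructed and is not the site's real suite list.

```python
import ssl
# Constructed sample in `openssl ciphers -v` format (not the real server's list).
SAMPLE_CIPHERS_V = """\
TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any  Au=any   Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384      TLSv1.2 Kx=DH   Au=RSA   Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384              TLSv1.2 Kx=RSA  Au=RSA   Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA           TLSv1   Kx=ECDH Au=RSA   Enc=AES(128)    Mac=SHA1
AES128-SHA                     SSLv3   Kx=RSA  Au=RSA   Enc=AES(128)    Mac=SHA1
DES-CBC3-SHA                   SSLv3   Kx=RSA  Au=RSA   Enc=3DES(168)   Mac=SHA1
"""
# Ephemeral (EC)DH gives forward secrecy; OpenSSL prints Kx=any for TLS 1.3 suites.
FS_KX = {"ECDH", "DH", "any"}

def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` lines into dicts: name, proto, kx, enc, mac."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # blank or malformed line
        f = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        suites.append({"name": parts[0], "proto": parts[1], "kx": f.get("Kx", ""),
                       "enc": f.get("Enc", ""), "mac": f.get("Mac", "")})
    return suites

def is_legacy(suite):
    """SHA-1 MACs and 3DES/RC4 bulk ciphers: no modern profile offers these."""
    return suite["mac"] == "SHA1" or suite["enc"].startswith(("3DES", "RC4"))

def audit(text):
    """Return (names without forward secrecy, legacy names) for a listing."""
    suites = parse_ciphers_v(text)
    return ([s["name"] for s in suites if s["kx"] not in FS_KX],
            [s["name"] for s in suites if is_legacy(s)])

def fs_only_cipher_string(text):
    """Cipher string of FS, non-legacy TLS<=1.2 suites (TLS 1.3 is set separately)."""
    keep = [s["name"] for s in parse_ciphers_v(text)
            if s["proto"] != "TLSv1.3" and s["kx"] in FS_KX and not is_legacy(s)]
    return ":".join(keep)

def cipher_string_is_valid(cipher_string):
    """True if the local OpenSSL matches at least one suite for the string."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).set_ciphers(cipher_string)
        return True
    except ssl.SSLError:
        return False
```

Feed it the output of `openssl ciphers -v '<your configured cipher string>'` to see which configured suites lack forward secrecy; the resulting FS-only string can be used as a starting point before comparing against the Mozilla profiles.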
Additionally, it would be great if TLS 1.3 support could be enabled!
I realize that webserver configuration is a balancing act between improving security/performance and maintaining broad compatibility. However, in general, it seems that at least these fairly minimal changes could be made without actually causing much change in compatibility.
In addition to the informational links in the ssllabs reports, I would highly recommend using the Mozilla TLS recommendations as a reference when configuring the server. There’s even a configuration generator that can at least give you a good starting point.
Anyways, thanks for all the amazing work on EndeavourOS, I’m happily using it every day!