In the current version of Filr, both documentation and configuration options with respect to SSL configuration should be improved. This is important for those administrators who chose not to offload SSL termination to an external security appliance but still have to follow the security advisories of their organization.
In addition to the current choice for SSL protocols (all TLS versions or TLSv2 only), one might expect at least the following options to be configurable on the appliance admin web interface:
- SSL versions: TLSv1, TLSv1.1, TLSv2 or any combination of these
- honor cipher order
- string for supported ciphers
- more control over intermediate certificates
Also, the documentation should be improved: in the current state one has to rely on external tools like testssl or ssllabs in order to find out which SSL configuration is implemented in Filr. In addition, adding a table to the security section of the admin manual giving the supported SSL configuration for each Filr client version which has been published for the various platforms would be highly welcome. Without this, every possible change in the SSL configuration for external SSL termination or SSL configuration within Filr has to be tested by the admins in a trial-and-error style.
by: Günther S. | over a year ago | Administration
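The check the post says admins currently need external tools for, as an added example that is not part of the original post or of Filr: a small probe that pins the client to one protocol version at a time and records what the server negotiates. The version list (TLS 1.0 through 1.3), the function names and the host and port taken from the command line are assumptions of this example.

```python
import socket
import ssl

# Versions probed by this example (an assumption, not a list from Filr).
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def context_for(version):
    """Client context pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Audit only: we record what the server negotiates and send no data,
    # so certificate validation is switched off.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Local OpenSSL policy may block TLS 1.0/1.1; lower it so that a failure
    # reflects the server's configuration, not the client's.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def probe(host, port, timeout=5.0):
    """Map each version name to the negotiated cipher name, or None if refused."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with context_for(version).wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.cipher()[0]
        except (OSError, ValueError):
            # Handshake rejected, port unreachable, or version missing locally.
            results[name] = None
    return results

def weak_versions(results):
    """Versions older than TLS 1.2 that the server still accepted."""
    return [v for v in ("TLSv1", "TLSv1.1") if results.get(v)]

if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    for name, cipher in probe(host, port).items():
        print(f"{name:8} {cipher or 'not accepted'}")
```

Running it before and after a configuration change on an appliance you administer shows which protocol versions the change actually removed; the cipher reported is the one chosen for this client's offer, not the server's full list.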
Comments
Second that.
In addition to the TLS protocol version it would be great to be able to at least set the TLS ciphers too. This would make it easier to deal with unsafe/outdated ciphers, get a better rating on SSL Labs, comply with organization regulations, etc.
An example of what this could look like can already be seen in SSPR.
Honor cipher order would sure make sense too.