I’ve run the testssl.sh script against an out of the box Sympl install and it comes out pretty well, with a score of A (90) before enabling HSTS. However, one thing that is flagged as negative is the lack of a server cipher order. Is this something to be concerned about? It’s not flagged up on the VM I’ve moved away from, which is a bespoke LEMP stack that I configured myself.
Your server and mine get A+ on the ssllabs tester at SSL Server Test (Powered by Qualys SSL Labs).
As all the supported protocols and ciphers are considered safe, I think the order of preference is somewhat academic.
I may be out of my depth, of course, for reasons I don’t even know about…
That’s not really anything to worry about, as all the cyphers are considered ‘safe’, at least at the moment.
The Mozilla SSL Config Generator only really suggests enforcing cypher ordering when you’re running an ‘old’ configuration which includes deprecated cypher suites which are considered less secure.
At some point one or more of the current ones will become deprecated, at which point we’ll probably turn in on during the transition period, but enabling it at the moment is more likely to cause issues with some obscure out-of-date applications which want a different order and can’t handle the server enforcing it.
No, not at all - it’s testssl.sh being a little OTT that’s all, but if you really want to enable it, you may be able to use an Apache include to turn it on.