SSL checklist

[edoput]

We should aim for a A+ hence here are some resource to test and enhance our setup

• https://cipherli.st/ : a list of known A+ configuration for web, mail
• https://testssl.sh/ : a cli test suite for ssl
• https://www.ssllabs.com/ssltest/ : test suite in the browser

[zolfariot]

I made some test using https://www.ssllabs.com/ssltest/ and varying configuration.

To get an A+ you have to support browser that are not accepting TLSv1.3 protocol, with NGINX enhacement made in #26 (look for commits starting with 'roles/nginx') we get a rating of A in which the only failure are caused by older browser using broken TLSv1.3 early implementation.

Mozilla Guidelines for modern configuration suggests to disable TLSv1.2 if you don't need to support obsolete browsers.

So we have to decide if we want to comply with Mozilla SSL Guidelines or SSLLabs requirements for A+; IMHO - thinking at our user base - it's better to drop TLSv1.2 support and stay with A rating.