Decent TLS config for *.moz.tools

[Darkspirit]

Found in Phabricator (and #2031), https://eventlistener.moz.tools has a suboptimal TLS config.

• https://www.hardenize.com/report/eventlistener.moz.tools/1559004595#www_tls
• https://www.ssllabs.com/ssltest/analyze.html?d=eventlistener.moz.tools&s=54.152.127.232&hideResults=on&latest

Please configure:

• TLS 1.2-only
• only ECDHE with AES-GCM:
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• only a reasonable set of curves (e.g. X25519:P-256:P-384): X25519 (OpenSSL 1.1.x) is likely not supported on that setup yet, so P-256-only (secp256r1) would be fine.
• Port 80 should generally be closed, if possible. The only purpose it serves is to redirect real end users of a website to https:// when HSTS couldn't kick in yet.

https://www.hardenize.com/report/coverage.testing.moz.tools/1559006499#www_tls

• same as above (TLS 1.2-only, only ECDHE with AES-GCM, selected list of curves)
• https should not redirect to http

https://www.hardenize.com/report/static-analysis.testing.moz.tools/1559006590#www_tls

• same as above (TLS 1.2-only, only ECDHE with AES-GCM)

Thank you :)

[La0]

Hello Jan,

Thanks for the report on our SSL certificate. We are currently using Heroku's automated SSL certs provided by Let's Encrypt, so we do not manage directly the certificate settings.

In the near future, we are moving to GCP with help from the Cloud Ops team, and should be able to use specific settings.