Feature #16584
Option to harden GUI security by choosing specific cipher suites
Status: open (0% done)
Description
Customer would like to ask whether pfSense Plus could offer an officially supported, opt-in option for stricter WebGUI TLS hardening, for example:
- an option to allow ECDHE-only cipher suites
- an option to explicitly exclude SHA-1–based algorithms
- or a predefined “strict/hardened TLS profile” for the WebGUI
Updated by Matthias Laux 3 days ago
Additional Information / Reference (Germany, BSI TR-02102):
For environments requiring compliance with German security guidelines, the BSI Technical Guideline TR-02102 specifies recommended cryptographic algorithms for TLS.
Official references:
This provides guidance on secure TLS cipher suites that could be considered when implementing an optional hardened TLS profile for the WebGUI.
Updated by Patch Public 3 days ago
Does BSI Technical Guideline TR-02102 apply to internal or internet-facing interfaces?
My understanding is that allowing direct access to the pfSense GUI from the internet has never been recommended.
Updated by Matthias Laux 3 days ago
We understand that direct Internet access to the WebGUI is not recommended.
Our request is based on general cryptographic best practices and focuses on the security of the TLS algorithms themselves, independent of whether the interface is exposed externally or only accessible internally.
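As an added example (not pfSense code and not part of the original ticket), the following Python script turns the two rules asked for in the description above, ECDHE-only key exchange and no SHA-1-based suites, into a check that can be run against any OpenSSL cipher string. It uses Python's ssl module, which expands a cipher string the same way an OpenSSL-linked server such as nginx (which serves the pfSense WebGUI) does, so the list it reports is the list a server configured with that string would actually offer. The `HARDENED_PROFILE` string, the regexes and the function names are assumptions of this example, not a profile pfSense ships.

```python
"""Audit an OpenSSL cipher list against an "ECDHE-only, no SHA-1" WebGUI policy.

Added example, not pfSense code. It expands a cipher string with the ssl
module (linked against OpenSSL) and checks every resulting suite against the
two rules requested in the ticket.
"""
import re
import ssl

# Suite names as OpenSSL prints them, e.g. "ECDHE-RSA-AES128-SHA".
# A trailing "-SHA" marks a CBC suite authenticated with HMAC-SHA1;
# "-SHA256"/"-SHA384" name the PRF of an AEAD suite and are not SHA-1.
SHA1_MAC = re.compile(r"-SHA$")
ECDHE_KX = re.compile(r"^ECDHE-")
TLS13 = re.compile(r"^TLS_")  # TLS 1.3 suites always use ephemeral (EC)DH

# Hypothetical "strict profile" string (an assumption of this example). It is
# OpenSSL cipher-list syntax, the same format an nginx ssl_ciphers directive takes.
HARDENED_PROFILE = "ECDHE+AESGCM:ECDHE+CHACHA20:!SHA1:!aNULL:!eNULL:!MD5"


def violations(suite_names):
    """Map each offending suite name to the policy rule it breaks."""
    bad = {}
    for name in suite_names:
        if TLS13.match(name):
            continue  # forward secrecy and a SHA-2 PRF are built into TLS 1.3
        if not ECDHE_KX.match(name):
            bad[name] = "non-ECDHE key exchange"
        elif SHA1_MAC.search(name):
            bad[name] = "HMAC-SHA1 MAC"
    return bad


def effective_ciphers(cipher_string):
    """Expand a cipher string into the suites a TLS 1.2+ server would offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def audit(cipher_string):
    """Return (offered suites, violations) for a candidate cipher string."""
    offered = effective_ciphers(cipher_string)
    return offered, violations(offered)


if __name__ == "__main__":
    # Compare OpenSSL's built-in DEFAULT list with the hypothetical strict profile.
    for label, spec in (("OpenSSL DEFAULT", "DEFAULT"), ("hardened", HARDENED_PROFILE)):
        offered, bad = audit(spec)
        print(f"{label}: {len(offered)} suites offered, {len(bad)} policy violations")
        for name, reason in bad.items():
            print(f"  {name}: {reason}")
```

Run stand-alone, the script prints the suites OpenSSL's `DEFAULT` list still offers that break the policy (static-RSA key exchange and HMAC-SHA1 CBC suites) next to the clean result for the strict profile. The check covers what the server is willing to offer; which suite is finally negotiated also depends on the client and on the key type of the WebGUI certificate (RSA or ECDSA), so a profile is best verified from the client side as well.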