Cipherli.st – Strong Ciphers for Apache, Nginx and Lighttpd (cipherli.st)
55 points by josephscott on May 6, 2016 | hide | past | favorite | 20 comments


Author here, please let me know any comments, issues or anything else.

I'm also behind other projects like an SSL (site) test, a fast one: https://ssldecoder.org/ and a certificate monitoring service (reminds you before expiring): https://certificatemonitor.org/.

Also my personal site describing my adventures in *NIX and cloudland: https://raymii.org/s/, plus a boatload of TLS related articles.

The Mozilla guide is also very good; the ability to configure based on your server settings and browser support is a heck of a nice feature. Whenever I have time to learn JavaScript, that's the first thing to implement.

Although, all my projects are open source (https://github.com/RaymiiOrg/), so merge requests are welcome. Firm GPL believer here.


One of the things I noticed was that there is no rationale listed for the ssl_session_tickets disablement.

I assume your concern is something like https://www.imperialviolet.org/2013/06/27/botchingpfs.html, which, for most general use cases, you're correct in saying should be disabled, but it definitely deserves a nuanced explanation.
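The forward-secrecy concern behind disabling session tickets is that the ticket key, not the session's ephemeral key, becomes the long-lived secret: every session resumed with a ticket encrypted under that key is exposed if the key is ever compromised, and a server that generates one key at startup and never rotates it keeps that exposure open until the next restart. Turning tickets off removes the problem; rotating the key bounds it instead. The script below is an added example, not cipherli.st's own configuration or code, showing a rotation scheme for nginx's `ssl_session_ticket_key` directive, which accepts files of 48 or 80 bytes of random data and uses the first listed file to encrypt new tickets and all listed files to decrypt old ones. The key directory, the `ticket.N.key` naming and the assumption that nginx lists three such files (newest first) are this example's own choices.

```shell
#!/bin/sh
# Added example (not cipherli.st's own config): rotate nginx TLS session ticket
# keys so that a stolen key only exposes sessions from one rotation window.
# Assumptions (all hypothetical, chosen for this example): key files live in
# the directory passed to rotate_ticket_keys, nginx is configured with
#   ssl_session_ticket_key /etc/nginx/tickets/ticket.1.key;   # encrypt + decrypt
#   ssl_session_ticket_key /etc/nginx/tickets/ticket.2.key;   # decrypt only
#   ssl_session_ticket_key /etc/nginx/tickets/ticket.3.key;   # decrypt only
# and the caller runs `nginx -s reload` after each rotation. The alternative
# the thread discusses is simply `ssl_session_tickets off;`.
set -eu

# nginx accepts ticket key files of 48 or 80 bytes of random data; 80 bytes
# makes nginx use AES-256 for ticket encryption, 48 bytes AES-128.
KEYLEN=80
# Number of keys to keep: one for encryption, KEEP-1 older ones so that
# tickets issued before the last rotations can still be decrypted.
KEEP=3

# Write a fresh random key to $1 with owner-only permissions.
new_key() {
    (umask 077; head -c "$KEYLEN" /dev/urandom > "$1")
}

# Shift ticket.1.key .. ticket.(KEEP-1).key down one slot (dropping the
# oldest) and generate a new ticket.1.key. $1 is the key directory.
rotate_ticket_keys() {
    dir="$1"
    mkdir -p "$dir"
    i=$KEEP
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        if [ -f "$dir/ticket.$prev.key" ]; then
            mv "$dir/ticket.$prev.key" "$dir/ticket.$i.key"
        fi
        i=$prev
    done
    new_key "$dir/ticket.1.key"
}

# Size in bytes of the key file $1; used to sanity-check what nginx will load.
key_size() {
    wc -c < "$1" | tr -d ' '
}

# Hex fingerprint of key file $1 (not the key itself), handy for logging
# which key is active without leaking it.
key_fingerprint() {
    od -An -tx1 "$1" | tr -d ' \n' | cut -c1-16
}
```

Run this from cron at the interval you consider an acceptable exposure window (hourly or daily are common), followed by `nginx -s reload`, and keep in mind that rotation only helps if the key directory itself is not readable by the worker processes' unprivileged user or by anyone who can read the nginx master's memory; if you cannot guarantee that, `ssl_session_tickets off;` is the simpler answer the site gives.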


How often are the recommendations on cipherli.st updated?


Not very often, mostly when someone sends a merge request with a new piece of software (like varnish).


Hi mdewinter, FYI, getting a cert error getting to cipherli.st


"Hier niet poepen zegmaar." (Dutch, roughly: "No pooping here, so to speak.")

I'd remove that to prevent confusion as it did with me ;)


Here's a configurable version by Mozilla: https://mozilla.github.io/server-side-tls/ssl-config-generat...


I like this one better, can pick versions and backwards compatibility level.


Easier to read too, without a background image and transparency.


Why is there a giant heart-shaped lock obscuring most of the screen?


Aha, I remember now. I was puzzled by what this comment meant at first. This isn't the first time I've come across this site!

I recall being annoyed by this, too. Fortunately, uBlock Origin[1][2] came to my rescue back then. It's a great adblocker which requires minimal configuration out-of-the-box, but also offers a bunch of Power User options for the more discerning Internet user. One such option is a point-and-click tool[3] that allows you to block arbitrary elements loading on a given site, which I promptly used to obliterate this image on first sight. :-)

[1] Chrome - https://chrome.google.com/webstore/detail/ublock-origin/cjpa...

[2] Firefox - https://addons.mozilla.org/en-GB/firefox/addon/ublock-origin...

[3] https://github.com/gorhill/uBlock/wiki/Element-picker


It's very distracting and makes the website hard to read.


Agreed. After a few mins of reading, it became annoying enough that I felt an urge to remove it via dev-tools.

Nice content, nonetheless.


That was a spin on the Heartbleed theme and personally, I like it.


I know it may not be too interesting or relevant but it would be nice to have similar configurations for common/popular enterprise tools/platforms such as F5, Cisco, Juniper etc.

I see so many badly configured systems as part of the day job that it certainly would be great to help start socializing good configs.

PS. even for something like Tomcat (which changes features on minor versions?!?), it's hard to find good configs. I have a whole bunch of notes on things like this and happy to share if someone wants to codify it.


If you have the config or the required format for the config, I'd be happy to add it. Create an issue with the config; I can do the code then.



The SSL config for dovecot on Debian Jessie (2.2.13-12~deb8u1) stops Thunderbird 45 from connecting.

(I did open an issue about this.)


Posted at least 4 times. Guys please keep it clean. https://news.ycombinator.com/from?site=cipherli.st


Reposts are fine, especially when they haven't gotten much attention before.



