Also my personal site describing my adventures in *NIX and cloudland: https://raymii.org/s/, plus a boatload of TLS related articles.
The mozilla guide is also very good, the ability to configure based on your server settings and browser support is a heck of a nice feature. Whenever I have time to learn javascript that's the first thing to implement.
Although, all my projects are open source (https://github.com/RaymiiOrg/) so merge requests are welcome. Firm GPL believer here.
One of the things I noticed was that there is no rationale listed for the ssl_session_tickets disablement.
I assume your concern is something like https://www.imperialviolet.org/2013/06/27/botchingpfs.html which for most general use cases you're correct in saying that it should be disabled, but, it definitely deserves a nuanced explanation.
If you like that, check out the Nexx WT3020H. Very similar specs but you can get them from China for about $13 USD.
Best of all, they're based around a MediaTek CPU, which doesn't have the same USB quirks as the Atheros AR9330 used in the GL-iNet.
I've personally upgraded my 3020H units from 8MB SPI to 16MB, but I've also heard that you can order them directly from the factory with 16MB if your order is large enough, or they're willing to customize.
My side project tries to give secure default settings for all major webservers and other software (like haproxy, mysql, mailservers etc): https://cipherli.st/
From the start it has listed the suggestion to set up >SHA256 keys.
If you want to test your site for a SHA 1 cert, you can try my other side project: https://ssldecoder.org/ - you can also use the SSL labs test but mine is faster for just testing certificate type. (And it's open source, so you can use it internally as well).
My side project tries to give secure default settings for all major webservers and other software (like haproxy, mysql, mailservers etc): https://cipherli.st/
From the start it has listed the suggestion to set up >2048 DH keys.
If you want to test your site for export ciphers, you can try my other side project: https://tls.so/ - you can also use the SSL labs test but mine is faster for just testing ciphersuite. (And it's open source, so you can use it internally as well).
Thanks a bunch, it's fairly easy to find configs for HTTP servers (and SSL labs won't check non 443 ports), but I also run a dovecot server, and this made it easy to check; I had no clue SSLv3 was enabled by default, for example.
Sadly my current phone is stuck on SSLv3 so until I replace it I have no mail on my phone anymore.
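As an added illustration (not code from any poster or from cipherli.st), the three settings the thread keeps coming back to, disabling session tickets, refusing SSLv3 and older protocols, and not offering export-grade or otherwise weak cipher suites, can be expressed and audited in one place with Python's standard ssl module. The cipher entries in LEGACY_SAMPLE are constructed for the demo rather than read from a live server, and the "legacy" floor uses TLS 1.0 because most OpenSSL builds no longer compile SSLv3 at all; the audit itself is plain data checks, so it can also be run over a real SSLContext.

```python
import ssl

# Cipher-name fragments that mark suites no server should offer today
# (export grades, RC4, single/triple DES, NULL encryption, MD5 MACs).
WEAK_MARKERS = ("EXP", "RC4", "DES", "NULL", "MD5")


def weak_ciphers(cipher_entries):
    """Return the names of weak suites in a list of cipher dicts shaped like
    SSLContext.get_ciphers() output (keys 'name' and 'strength_bits')."""
    return [
        c["name"]
        for c in cipher_entries
        if c.get("strength_bits", 0) < 128
        or any(marker in c["name"] for marker in WEAK_MARKERS)
    ]


def audit(minimum_version, options, cipher_entries):
    """Pure audit over (protocol floor, context options, offered ciphers).
    Returns a list of findings; an empty list means nothing to complain about."""
    findings = []
    if minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol allowed below TLS 1.2")
    if not options & ssl.OP_NO_TICKET:
        # The session-ticket key lives as long as the process unless rotated,
        # so a later key compromise decrypts recorded sessions: PFS is lost.
        findings.append("session tickets enabled (ticket key undermines forward secrecy)")
    findings.extend("weak cipher offered: " + name for name in weak_ciphers(cipher_entries))
    return findings


def audit_context(ctx):
    """Audit a live ssl.SSLContext by pulling its settings into audit()."""
    return audit(ctx.minimum_version, ctx.options, ctx.get_ciphers())


def hardened_server_context():
    """Server context carrying the settings recommended in the thread."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuses SSLv3, TLS 1.0, TLS 1.1
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # forward-secret AEAD suites only
    ctx.options |= ssl.OP_NO_TICKET                 # same effect as ssl_session_tickets off;
    return ctx


# Constructed sample of what a permissive server might offer (hand-written for
# this demo; strength_bits values follow what OpenSSL reports for those suites).
LEGACY_SAMPLE = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128},
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "DES-CBC3-SHA", "strength_bits": 112},
]


def legacy_findings():
    """Audit the constructed legacy setup: TLS 1.0 floor, tickets on, weak suites."""
    return audit(ssl.TLSVersion.TLSv1, ssl.Options(0), LEGACY_SAMPLE)


if __name__ == "__main__":
    for line in legacy_findings():
        print("legacy:", line)
    print("hardened:", audit_context(hardened_server_context()) or "no findings")
```

The hardened context is the Python counterpart of a cipherli.st-style nginx or dovecot block; the audit function is deliberately separated from the SSLContext so the same checks can be applied to settings read from a config file before anything is deployed. Disabling tickets costs a round trip for resumption on busy sites, which is the nuance asked for above: the trade is worth it unless the ticket key is rotated frequently.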
In my experience, everything from Jupiter Broadcasting [0] is extremely top-notch and informative. I'd highly recommend all of their shows (including BSD Now!)
Yeah, I've been a Jupiter listener for some time now, mainly "Linux Action Show" http://www.jupiterbroadcasting.com/show/linuxactionshow/ they have a lot of useful info. Highly recommended podcast, and if you can, support them with anything you can. I'm also thinking of building my own next DIY router. I'm tired of how limited the routers you buy off the shelf are. Currently running Asus RT-N56U with Padavan F/W https://code.google.com/p/rt-n56u/ I've also always wanted to switch to a BSD distro but ports are not updated as often as "Arch Linux". If there were a BSD rolling distro similar to the well updated Arch Linux packages, I would consider switching.
Which ports system? I can't say anything about OpenBSD ports, but aside from some stuff that gets very little love from people, most of the FreeBSD ports tree is kept bang up to date, and binary packages appear shortly thereafter. pkgsrc, OTOH, is only released quarterly, though if you want, you can sync with their CVS repo, though, y'know, CVS.
The BSDs aren't distros, though some do have what might be called distros, such as PC BSD, pfSense, &c. being distros of FreeBSD, EdgeBSD being a distro of NetBSD.
The ports system is a rolling release system for non-base software, though the base OS isn't. The closest BSD to come to having a rolling release schedule for the base OS is OpenBSD, with its six-month release cycle. The thing is that the BSDs can't have a rolling release schedule as is found in some Linux distros because the base OS is managed separately from the ports/packages: the core OS components aren't packaged, so there's no sense in which they can 'roll'.
Personally, I'd never use an OS with a rolling release cycle on a server. Too much can go wrong.
I'm also behind other projects like an SSL (site) test, a fast one: https://ssldecoder.org/ and a certificate monitoring service (reminds you before expiring): https://certificatemonitor.org/.