feat: bump ssllabs rating guide to 2009r#2830

Merged
drwetter merged 2 commits into testssl:3.3dev from magnuslarsen:3.1dev
Jul 9, 2025

Conversation

@magnuslarsen (Contributor)

Describe your changes

fixes #2829

Implements the necessary changes from SSLLabs:

  • TLS_FALLBACK_SCSV is no longer considered for any grading. Earlier in 2009h, a warning was given for not supporting TLS_FALLBACK_SCSV.
  • If TLS 1.3 is not supported, a warning is given and the minimum grade and protocol grade are capped at A-.
  • HSTS disabled or invalid receives a warning. Grade is set to A-.

Since they now explicitly say HSTS gives a warning, I've updated the old grade_caps from my previous understanding of their prior ruling:

Tested on an internal host (which is misconfigured):

[screenshot]

And on github.com:

[screenshot]

What is your pull request about?

  • Bug fix
  • Improvement
  • New feature (adds functionality)
  • Breaking change (bug fix, feature or improvement that would cause existing functionality to not work as expected)
  • Typo fix
  • Documentation update
  • Update of other files

If it's a code change please check the boxes which are applicable

  • For the main program: My edits contain no tabs, indentation is five spaces and any line endings do not contain any blank chars
  • I've read CONTRIBUTING.md and Coding_Convention.md
  • I have tested this fix or improvement against >=2 hosts and I couldn't spot a problem
  • I have tested this new feature against >=2 hosts which show this feature and >=2 hosts which do not (in order to avoid side effects). I couldn't spot a problem
  • For the new feature I have made corresponding changes to the documentation and / or to help()
  • If it's a bigger change: I added myself to CREDITS.md (alphabetical order) and the change to CHANGELOG.md

@hoerup

hoerup commented Jul 9, 2025

Tested it out and for the TLS 1.3 part it seems fine, but there's a discrepancy for HSTS.

It looks like SSL Labs distinguishes between HSTS not configured, which doesn't cap the grade, and HSTS explicitly disabled (max-age=0 ??), which does cap to A-.

But with this PR unconfigured HSTS is also capped to A-.

@magnuslarsen (Contributor, Author)

Fixed in latest commit 👍 It's not always easy to interpret their explanations...

@hoerup

hoerup commented Jul 9, 2025

Latest:

No HSTS: no cap ✅

HSTS misconfigured / invalid value in max-age: warn and cap to A- ✅

HSTS disabled (max-age=0): treated as misconfigured -> cap to A- ✅ (one could nitpick whether the text should be changed?)

HSTS too low (max-age=1): warn "HSTS max-age is too short" -> cap to A-
SSL Labs doesn't cap this one - but is this more correct??

@magnuslarsen (Contributor, Author)

The old rating (linked above) (highlight by me):

New grade A+ is introduced for servers with exceptional configurations. At the moment, this grade is awarded to servers with good configuration, no warnings, and HTTP Strict Transport Security support with a max-age of at least 6 months.

If you don't put a warning on an HSTS max-age of less than 6 months, it would get an A+ (if everything else is "good configuration"); so it seems weird that they don't put a warning on max-age too short?

@hoerup

hoerup commented Jul 9, 2025

When the HSTS max-age is too short, they do set a warning - but they don't cap to A-.

[screenshot]

@magnuslarsen (Contributor, Author)

Then I'd argue we have the more correct implementation. This is from SSL Labs themselves...:

So no warnings = no cap (A+)
One or more warnings = capped at A-
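The rule the thread settles on (no HSTS header: no cap; an invalid, disabled or too-short max-age, or no TLS 1.3: a warning, and any warning caps the grade at A-; A+ only with no warnings and HSTS of at least 6 months) can be modelled in a few shell functions. The block below is an added illustration, not testssl.sh's own grading code: the function names, the 180-day threshold used for "6 months", the warning texts and the sample headers are all assumptions, and it presumes that everything else about the server already rates a clean "A".

```bash
#!/usr/bin/env bash
# Added example (not testssl.sh code): a minimal model of the grade-cap rules
# discussed in this PR. All names and the sample inputs below are constructed.

HSTS_MIN_SECONDS=15552000   # assumption: "at least 6 months" taken as 180 days

# hsts_max_age HEADER -> prints the numeric max-age, "missing" if the directive
# is absent, or "invalid" if its value is not a non-negative integer.
hsts_max_age() {
    local header="$1" directive value
    local IFS=';'
    for directive in $header; do
        directive=$(printf '%s' "$directive" | tr -d ' \t' | tr 'A-Z' 'a-z')
        case "$directive" in
            max-age=*)
                value=${directive#max-age=}
                case "$value" in
                    ''|*[!0-9]*) echo invalid ;;
                    *)           echo "$value" ;;
                esac
                return 0 ;;
        esac
    done
    echo missing
}

# hsts_warning HEADER -> prints one warning line, or nothing when no warning
# applies. An empty HEADER means HSTS is not configured at all: no warning.
hsts_warning() {
    local header="$1" maxage
    if [ -z "$header" ]; then
        return 0
    fi
    maxage=$(hsts_max_age "$header")
    case "$maxage" in
        missing|invalid) echo "HSTS header invalid (max-age $maxage)" ;;
        0)               echo "HSTS disabled (max-age=0)" ;;
        *) if [ "$maxage" -lt "$HSTS_MIN_SECONDS" ]; then
               echo "HSTS max-age is too short"
           fi ;;
    esac
}

# collect_warnings TLS13(yes|no) HEADER -> prints all warnings, one per line.
collect_warnings() {
    local tls13="$1" header="$2"
    if [ "$tls13" != "yes" ]; then
        echo "TLS 1.3 not offered"
    fi
    hsts_warning "$header"
}

# rate TLS13(yes|no) HEADER -> prints A+, A or A-, assuming the rest of the
# configuration already rates "A": any warning caps at A-; A+ additionally
# needs an HSTS header (which, with no warning, means max-age >= 6 months).
rate() {
    local tls13="$1" header="$2" warnings
    warnings=$(collect_warnings "$tls13" "$header")
    if [ -n "$warnings" ]; then
        echo "A-"
    elif [ -n "$header" ]; then
        echo "A+"
    else
        echo "A"
    fi
}

# Constructed sample inputs exercising each branch of the discussion.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    for hdr in "" "max-age=31536000; includeSubDomains" "max-age=0" "max-age=1" \
               "includeSubDomains" "Max-Age=abc"; do
        printf '%-40s tls1.3=yes -> %s\n' "[$hdr]" "$(rate yes "$hdr")"
    done
    printf '%-40s tls1.3=no  -> %s\n' "[max-age=31536000]" "$(rate no "max-age=31536000")"
fi
```

Running the block prints one line per sample header; the per-directive parsing in hsts_max_age is what keeps "max-age=0" (explicitly disabled) and a missing header (not configured) on different branches, which is exactly the distinction raised in the review above.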

@drwetter (Collaborator)

drwetter commented Jul 9, 2025

Thanks for the lively discussion! Enjoyed it...

Will merge it latest by tomorrow.

@drwetter drwetter merged commit fc3e7ec into testssl:3.3dev Jul 9, 2025
3 checks passed
@drwetter (Collaborator)

drwetter commented Jul 9, 2025

Thanks!

Mind to backport it to 3.2 also?

Development

Successfully merging this pull request may close these issues.

[Feature request] update to latest SSL labs Server Rating