guacamole-user mailing list archives

From Zer0Cool <>
Subject Re: SSL
Date Fri, 18 Jan 2019 17:04:13 GMT
The directions given for setting up SSL are a good start but use a
self-signed cert instead of a valid cert from, say, LetsEncrypt.

The suggested guacamole_ssl.conf configuration is also far from secure for
many reasons. 

1. First, you're using TLS 1.0 and TLS 1.1. Unless needed for very legacy
clients and connections you should stick with TLS 1.2 and up.
2. Your cipher list has some insecure ciphers in it from what I can tell.
3. There are many other steps you can use to tighten down security in Nginx
like OCSP stapling, forward secrecy, etc.

I would highly recommend checking out:
- Mozilla's SSL Configuration Generator at:
- This config generator at:
- This example of a secure config at:

I found that using parts from each gave me the best results. For the
parameters I didn't understand or could not deduce what they did I checked
the Nginx documentation which pretty clearly details what each parameter

You can use a site like and to test
your configuration and ensure it meets your security requirements.

You did not mention what OS you are using; if it's RHEL/CentOS I have written
an install script that is capable of setting everything up from scratch for
Guacamole, including SSL using either a self-signed cert or one from
LetsEncrypt (with automatic renewal) and many other features. If you're
interested I have posted it on github at: If you decide to use
the script be aware that it's intended to run from a clean install and should
be tested before trying to use in production.

I use my script at work, actually just set up a new Guac server today. Scores
an A= with 100% on all 4 categories on SSL Labs test using a cert from
Letsencrypt. I scheduled 4 hours to go from nothing to a fully set up and
configured Guacamole server. Using my script I was done, including creating
the connections and assigning permissions manually, in about 1 hour :)

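The three points in the message above, written out as an Nginx server block for a Guacamole front end. This is an added illustration, not a config from this thread, the Guacamole manual or the poster's script; the weak directives being replaced are shown as comments beside the hardened ones, and the hostname, certificate paths, resolver and backend address are placeholders.

```nginx
# Added illustration: hardened Nginx TLS front end for Guacamole.
# Placeholders: guac.example.com, the /etc/letsencrypt paths, the resolver, 127.0.0.1:8080.
server {
    listen 443 ssl http2;
    server_name guac.example.com;

    # A CA-issued cert (certbot directory layout) instead of a self-signed one.
    ssl_certificate     /etc/letsencrypt/live/guac.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/guac.example.com/privkey.pem;

    # Point 1: drop TLS 1.0 and 1.1.
    # weak:  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Point 2 plus forward secrecy: ECDHE key exchange with AEAD suites only,
    # so no static RSA key exchange, RC4, 3DES or CBC/SHA1 suites.
    # weak:  ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;   # every suite above is acceptable, let the client choose
    ssl_ecdh_curve X25519:prime256v1:secp384r1;

    # Point 3: OCSP stapling; the chain file lets Nginx verify the stapled response.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/guac.example.com/chain.pem;
    resolver 127.0.0.53 valid=300s;  # placeholder: use your own resolver

    # Session resumption via the cache only; long-lived ticket keys undermine forward secrecy.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000" always;

    # Guacamole reverse proxy: the WebSocket tunnel needs the Upgrade headers and no buffering.
    location /guacamole/ {
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}

# Send plain HTTP straight to HTTPS so nothing is served unencrypted on port 80.
server {
    listen 80;
    server_name guac.example.com;
    return 301 https://$host$request_uri;
}
```

After reloading, an external scanner such as the SSL Labs test the message mentions should confirm that TLS 1.0/1.1 handshakes are refused and that the stapled OCSP response validates.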