There is a new beta release with all new SNMP installed. We went from ucd-snmp 188.8.131.52 to net-snmp 5.7.3 to allow things like snmp v2 and 64-bit network counters. It also may have fixed some long-standing issues graphing memory and CPU. It also has the missing gif in the firewall rules, and some version notes fixed in the SVN.
Not surprised at all. Keep in mind that we use a self-signed certificate. That will set off a bunch of warning bells anyway, but even if I bought a real one it would be insecure on the first release. You have the server and access to it so you have the keys the second I release them!
However, you can add your own certificates, and a good and secure certificate will improve that grade a lot! (If anyone is doing this, I would LOVE to see a comparison!)
As for some of the other issues, it is because we are still on an older version of FreeBSD. When we go to 10.2 it will fix more...
All that aside, why did you open your firewall up to the internet at large anyway? If you are thinking security, just leave the inward face open, and use a VPN.
But, based on my quick tests, this mini_httpd seems to have been compiled with openssl older than 1.0.2d. If I compile openssl-1.0.2d, I can use it and try to make connections like:

    ./apps/openssl s_client -connect www.google.com:443 -tls1_2
    ./apps/openssl s_client -connect www.google.com:443 -tls1_1
    ./apps/openssl s_client -connect www.google.com:443 -tls1

With OpenSSL 0.9.8zd only the last one works, but not the tls1_1 or tls1_2.
So, there is no command line option to enable tls1_1/tls1_2 on smallwall. The only way to use those is to recompile the newest openssl and the newest mini_httpd.
On the other hand, to have protocol support enabled like beedsley mentioned, this needs to be done while compiling openssl and mini_httpd.
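The three s_client checks from the post above can be repeated against your own webGUI with a small wrapper. This is an added example, not part of the original thread; the function name probe_tls, the OPENSSL override variable and the 192.0.2.1 address are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: report which TLS protocol flags a server accepts, using the
# same s_client flags quoted in the thread (-tls1, -tls1_1, -tls1_2).
# OPENSSL is an assumed override so a locally built binary can be used, e.g.
#   OPENSSL=./apps/openssl; probe_tls 192.0.2.1:443   (constructed address)
: "${OPENSSL:=openssl}"

# probe_tls HOST:PORT
# Prints one line per flag: "<flag> accepted" or "<flag> refused".
# Returns 0 if TLS 1.2 was accepted, 1 otherwise.
probe_tls() {
    target=$1
    tls12=1
    for flag in tls1 tls1_1 tls1_2; do
        # </dev/null ends the session right after the handshake.
        # s_client exits non-zero when the connect or handshake fails.
        # "refused" can also mean the local binary does not know or has
        # disabled that protocol, so probe with a current OpenSSL build.
        if "$OPENSSL" s_client -connect "$target" "-$flag" \
               </dev/null >/dev/null 2>&1; then
            echo "$flag accepted"
            if [ "$flag" = tls1_2 ]; then
                tls12=0
            fi
        else
            echo "$flag refused"
        fi
    done
    return "$tls12"
}
```

A self-signed certificate does not affect the result, because s_client completes the handshake and exits 0 even when certificate verification fails.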
Sigh... I have a list of software that needs to be updated in SmallWall, and I just went through it a while ago and mini_httpd was current then. Of the short package list, here it was as of today:

dnsmasq-2.66.tar.gz Current dnsmasq-2.75 www.thekelleys.org.uk/dnsmasq/doc.html
ez-ipupdate-3.0.11b8.tar.gz Current ez-ipupdate-3.0.11b8-13.4.dsc (Need to update yourself)
ip_fil4.1.34.tar.gz -> ip_fil5.1.2.tar.gz (Fixed in 10)
modem-stats-1.0.1.src.elf.tar.gz (Still needed?)
nsupdate -> dudders-1.04.tar.bz2 (Fixed in 10)
php-4.4.9.tar.bz2 Current php55-5.5.28
radius-1.2.5.tgz Current radius-1.2.7.tgz pecl.php.net/package/radius

This does not include openssl, which I am not sure I can update within FreeBSD8 and still have everything work. Note that as listed above, a lot of things are fixed in 10, but it is not yet ready for prime time. However, the fix I am looking for is a way to lock down mini_httpd directly without having to open the can of worms that is openssl yet. And, of course, testing mini_httpd 1.22 now. I hope it is a drop-in. (But with the extensive patching, I doubt it...)
And right now I am in the middle of massively updating ez-ipupdate. It would be nice if a few services in the list still existed.
I've not long installed the new beta as I think the 64-bit interface counters could come in useful, but I've just checked and it looks like they're still rolling over at around the 4GB mark. Is there an option I need to enable somewhere or are you referring to different counters?