The webui itself was already hardened a few releases ago. It will only accept the following ciphers (with a few explicit rejections at the end of that list):
Code:
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
OpenVPN allowed TLS are currently a bit wider, because of the need to interoperate with a variety of clients (for the server) and providers (for the client). I haven't decided yet on a good way to harden it without sacrificing compatibility. One solution I'm currently leaning toward is to have a specific suite of secure ciphers defined, and these would be allowed by default. There would probably be a webui option to enable support for weaker ciphers (which would be disabled by default).
I'm also tempted to make that a generic "Harden security" setting instead, which once enabled, would limit the available ciphers in addition to enforcing the use of TLS 1.0 or higher (currently it defaults to TLS 1.0 only for compatibility reasons - something that OpenVPN 2.3.7+ will be addressing in the future).
I'm still considering the available options there.
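
The default/opt-in split described above, sketched over the webui list quoted in the post. This is an added example, not part of the original post or the firmware's code; the names `classify`, `build_profile` and `summarize` are hypothetical, and the "hardened" rule (forward-secret key exchange plus AES-GCM) is an assumption rather than the policy the author settled on.

```python
# Added example, not firmware code. The "hardened" rule below (forward-secret
# key exchange plus AES-GCM) is an assumption, not the author's chosen policy.
from collections import Counter

# The webui cipher list quoted in the post, rejoined from its wrapped lines.
WEBUI_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:"
    "AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:"
    "!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

def _tokens(cipher_list):
    # Drop any whitespace left by hard-wrapped copies, then split on ':'.
    return "".join(cipher_list.split()).split(":")

def classify(token):
    """Label one element of an OpenSSL-style cipher list."""
    if token.startswith("!"):
        return "excluded"   # permanent rejection, kept in every profile
    if "-" not in token:
        return "alias"      # group keyword (AES, CAMELLIA) that expands to many suites
    if "DES-CBC3" in token:
        return "3des"
    forward_secret = token.startswith(("ECDHE-", "DHE-"))
    if forward_secret and "-GCM-" in token:
        return "hardened"
    return "fs-cbc" if forward_secret else "no-fs"

def build_profile(cipher_list, allow_weak=False):
    """Return the cipher string for the default (hardened) or opt-in (full) mode."""
    keep = [t for t in _tokens(cipher_list)
            if allow_weak or classify(t) in ("hardened", "excluded")]
    return ":".join(keep)

def summarize(cipher_list):
    """Count how many list elements fall into each class."""
    return Counter(classify(t) for t in _tokens(cipher_list))

if __name__ == "__main__":
    print(dict(summarize(WEBUI_CIPHERS)))
    print(build_profile(WEBUI_CIPHERS))
```

The classifier works on cipher names only; what a given build actually negotiates still depends on how its OpenSSL expands the `AES` and `CAMELLIA` keywords.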