The TLS options config section allows various useful options; however, it's missing some important ones:
- prefer server cipher order
- cipher list
- disable Secure Client-Initiated Renegotiation
Nice-to-have options would be to allow the use of ECC (ECDSA) certificates, since they are smaller, stronger, and faster - there are some mentions of these in the release notes, but no comments in the documentation about how to use multiple certificates (e.g. RSA and ECC) for browser compatibility.
Testing monit with testssl.sh shows all these problems quite clearly.