  • OPNsense Forum »
  • Archive »
  • 17.1 Legacy Series »
  • Hardening SSL Ciphers on HAProxy
Author Topic: Hardening SSL Ciphers on HAProxy  (Read 6584 times)

fbep

Hardening SSL Ciphers on HAProxy
« on: April 26, 2017, 09:55:52 pm »
Hello, this is my first post here, so I'd like to start by saying thank you for making such fantastic software available. I decided to give OPNsense a try after using pfSense for years, and I'm not looking back. Not only is the entire interface better, but the HAProxy and Let's Encrypt addons have blown me away; they're awesome!

My problem is that ssllabs.com is not liking the default HAProxy SSL configuration. I need to fix this for PCI compliance in my network. Mozilla's SSL Configuration Generator gives me the parameters I need to set, but I'm not sure where to set them. The file at /usr/local/etc/haproxy.conf warns not to edit...

Here's the configuration I'm trying to set: https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.6.10&openssl=1.0.2&hsts=yes&profile=modern

Specifically:
Code:
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

Thanks in advance for any direction.

djGrrr

Re: Hardening SSL Ciphers on HAProxy
« Reply #1 on: April 27, 2017, 06:02:22 am »
Under the HAProxy config, there is a dropdown next to the General settings tab. From there, select Global or Default parameters (I don't know which one is the right choice), then enable advanced mode and put the config under "Custom options".
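An added pre-deploy check, not part of this thread or of the OPNsense HAProxy plugin, that lints a snippet like the one above before it is pasted into "Custom options". The policy it encodes (legacy protocols disabled, ECDHE-only suites, no RC4/DES/MD5/NULL/export/PSK) is an assumption drawn from the Mozilla modern profile the question links to; the weak sample is constructed so the audit has something to flag.

```python
"""Lint the ssl-default-* directives of an HAProxy global/defaults snippet
against a PCI-style TLS policy (added example, not OPNsense or HAProxy code)."""

# Protocol options the assumed policy requires on both bind and server side.
REQUIRED_OPTIONS = {"no-sslv3", "no-tlsv10", "no-tlsv11"}
# Cipher-name fragments that mark a suite the assumed policy rejects.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "PSK")


def parse_haproxy_tls(snippet: str) -> dict:
    """Return {directive: value} for the ssl-default-* lines in a snippet."""
    found = {}
    for line in snippet.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and indent
        if line.startswith("ssl-default-"):
            directive, _, value = line.partition(" ")
            found[directive] = value.strip()
    return found


def audit_haproxy_tls(snippet: str) -> list:
    """List policy violations; an empty list means the snippet passes."""
    cfg = parse_haproxy_tls(snippet)
    problems = []
    for side in ("bind", "server"):
        opts = set(cfg.get(f"ssl-default-{side}-options", "").split())
        missing = REQUIRED_OPTIONS - opts
        if missing:
            problems.append(f"{side}: legacy protocol not disabled: {sorted(missing)}")
        ciphers = cfg.get(f"ssl-default-{side}-ciphers", "")
        if not ciphers:
            problems.append(f"{side}: no explicit cipher list (library default used)")
            continue
        for suite in ciphers.split(":"):
            if not suite.startswith("ECDHE-"):
                problems.append(f"{side}: {suite} lacks forward secrecy (not ECDHE)")
            if any(m in suite for m in WEAK_MARKERS):
                problems.append(f"{side}: {suite} is a weak/legacy suite")
    return problems


# Constructed samples: a shortened form of the thread's snippet, and a weak one.
HARDENED = """ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets"""
WEAK = """ssl-default-bind-ciphers AES128-SHA:RC4-SHA
ssl-default-bind-options no-sslv3"""

if __name__ == "__main__":
    print(audit_haproxy_tls(HARDENED))   # [] -> passes
    for problem in audit_haproxy_tls(WEAK):
        print(problem)
```

The lint only checks what is written in the snippet; after applying it, an external scan such as the ssllabs.com test mentioned in the question confirms what the listener actually negotiates.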

fbep

Re: Hardening SSL Ciphers on HAProxy
« Reply #2 on: April 27, 2017, 04:47:08 pm »
Brilliant, that worked! Thank you so much!

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved