OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: fbep on April 26, 2017, 09:55:52 pm

Title: Hardening SSL Ciphers on HAProxy
Post by: fbep on April 26, 2017, 09:55:52 pm
Hello, this is my first post here, so I'd like to start by saying thank you for making such fantastic software available. I decided to give OPNsense a try after using pfSense for years, and I'm not looking back. Not only is the entire interface better, but the HAProxy and Let's Encrypt add-ons have blown me away--they're awesome!

My problem is that ssllabs.com is not liking the default HAProxy SSL configuration. I need to fix this for PCI compliance in my network. Mozilla's SSL Configuration Generator gives me the parameters I need to set, but I'm not sure where to set them. The file at /usr/local/etc/haproxy.conf warns not to edit...

Here's the configuration I'm trying to set: https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.6.10&openssl=1.0.2&hsts=yes&profile=modern

Specifically:
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

Thanks in advance for any direction.
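As an added check (not code from this thread or from OPNsense), here is a small Python lint for the four ssl-default-* lines above: it parses a pasted fragment and flags a bind or server side that still allows SSLv3/TLS 1.0/1.1, sets no cipher list, or includes non-ECDHE or weak suites. The required option set and the weak-suite markers are my own assumptions derived from the Mozilla modern profile posted; it inspects the fragment only, so ssllabs.com remains the test of the live server.

```python
# Constructed input: the four directives from the post, as pasted into Custom options.
MODERN_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
])
SAMPLE_CONFIG = f"""
    ssl-default-bind-ciphers {MODERN_CIPHERS}
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-ciphers {MODERN_CIPHERS}
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
"""
# Constructed counter-example: only SSLv3 disabled, one non-PFS suite, no server-side lines.
WEAK_CONFIG = """
    ssl-default-bind-ciphers AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256
    ssl-default-bind-options no-sslv3
"""

REQUIRED_OPTIONS = {"no-sslv3", "no-tlsv10", "no-tlsv11"}   # assumed policy: TLS 1.2 floor
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "MD5", "NULL", "EXPORT", "PSK")  # assumed blocklist

def parse_ssl_defaults(text):
    """Map each ssl-default-* directive in a config fragment to its argument string."""
    pairs = (line.split(None, 1) for line in text.split("\n") if line.strip().startswith("ssl-default-"))
    return {p[0]: p[1].strip() if len(p) > 1 else "" for p in pairs}

def lint(text):
    """Return policy findings for the bind (client-facing) and server (backend) sides; [] = compliant."""
    cfg = parse_ssl_defaults(text)
    findings = []
    for side in ("bind", "server"):
        opts = set(cfg.get(f"ssl-default-{side}-options", "").split())
        missing = sorted(REQUIRED_OPTIONS - opts)
        if missing:
            findings.append(f"{side}: legacy protocols still enabled, add {' '.join(missing)}")
        ciphers = cfg.get(f"ssl-default-{side}-ciphers", "")
        if not ciphers:
            findings.append(f"{side}: no cipher list set, the OpenSSL default applies")
            continue
        for suite in ciphers.split(":"):
            if not suite.startswith("ECDHE-"):
                findings.append(f"{side}: {suite} has no ECDHE key exchange (no forward secrecy)")
            if any(marker in suite for marker in WEAK_MARKERS):
                findings.append(f"{side}: {suite} uses a weak primitive")
    return findings
```

Run `lint(SAMPLE_CONFIG)` on the posted fragment to confirm it returns no findings, and `lint(WEAK_CONFIG)` to see what an incomplete paste looks like.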
Title: Re: Hardening SSL Ciphers on HAProxy
Post by: djGrrr on April 27, 2017, 06:02:22 am
Under the HAProxy config, there is a dropdown next to the General settings tab. From there, select global or default parameters (I don't know which one is the right choice), then enable advanced mode and put the config under "Custom options".
Title: Re: Hardening SSL Ciphers on HAProxy
Post by: fbep on April 27, 2017, 04:47:08 pm
Brilliant--that worked! Thank you so much!