OPNsense Forum
Archive => 17.1 Legacy Series => Topic started by: fbep on April 26, 2017, 09:55:52 pm
-
Hello, this is my first post here, so I'd like to start by saying thank you for making such fantastic software available. I decided to give OPNsense a try after using pfSense for years, and I'm not looking back. Not only is the entire interface better, but the HAProxy and Let's Encrypt addons have blown me away--they're awesome!
My problem is that ssllabs.com is not liking the default HAProxy SSL configuration. I need to fix this for PCI compliance in my network. Mozilla's SSL Configuration Generator gives me the parameters I need to set, but I'm not sure where to set them. The file at /usr/local/etc/haproxy.conf warns not to edit...
Here's the configuration I'm trying to set: https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.6.10&openssl=1.0.2&hsts=yes&profile=modern
Specifically:
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
Thanks in advance for any direction.
-
Under the HAProxy config, there is a dropdown next to the General settings tab. From there, select global or default parameters (I don't know which one is the right choice), then enable advanced mode, and put the config under "Custom options".
-
Brilliant--that worked! Thank you so much!
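The four directives pasted in the question (ssl-default-bind-ciphers, ssl-default-bind-options, ssl-default-server-ciphers, ssl-default-server-options) are HAProxy global-section keywords, so "global" is the right choice in that dropdown. Whatever the GUI does with them, the file HAProxy actually loads is the rendered /usr/local/etc/haproxy.conf, and it is worth confirming the directives landed there before re-running the ssllabs.com scan. The script below is an added example, not code from the thread or from the OPNsense project: it parses the global section of a haproxy.conf and reports protocol versions left enabled, missing cipher lists, and suites that are non-ECDHE or obviously weak. The two embedded configs are constructed samples; the default file path is the one named in the question.

```python
"""Lint the global section of a rendered haproxy.conf for the TLS hardening
directives from the Mozilla "modern" profile (added example, not OPNsense code)."""
import re
import sys

# Protocol versions the modern profile disables on both bind and server side.
REQUIRED_PROTO_OPTIONS = {"no-sslv3", "no-tlsv10", "no-tlsv11"}
# Substrings that mark a cipher suite as weak (RC4, 3DES, NULL, export, MD5 MAC).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")
SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b")


def parse_global_section(conf_text):
    """Return {directive: argument-string} for every line in the 'global' section."""
    directives = {}
    in_global = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if SECTION_RE.match(line):
            in_global = line == "global"  # any other section header ends 'global'
            continue
        if in_global:
            parts = line.split(None, 1)
            directives[parts[0]] = parts[1] if len(parts) > 1 else ""
    return directives


def check_tls_hardening(conf_text):
    """Return a list of findings; an empty list means the global section passes."""
    g = parse_global_section(conf_text)
    findings = []
    for key in ("ssl-default-bind-options", "ssl-default-server-options"):
        present = set(g.get(key, "").split())
        missing = REQUIRED_PROTO_OPTIONS - present
        if missing:
            findings.append(f"{key}: missing {' '.join(sorted(missing))}")
    for key in ("ssl-default-bind-ciphers", "ssl-default-server-ciphers"):
        cipher_list = g.get(key)
        if cipher_list is None:
            findings.append(f"{key}: not set, HAProxy falls back to the OpenSSL default list")
            continue
        for suite in cipher_list.split(":"):
            if not suite.startswith(("ECDHE-", "DHE-")):
                findings.append(f"{key}: {suite} provides no forward secrecy")
            if any(marker in suite.upper() for marker in WEAK_CIPHER_MARKERS):
                findings.append(f"{key}: {suite} is a weak suite")
    return findings


# Constructed sample: a config that only turned off SSLv3 and kept old suites.
WEAK_CONF = """global
    log /var/run/log local0 info
    ssl-default-bind-ciphers AES256-SHA:RC4-SHA
    ssl-default-bind-options no-sslv3

defaults
    mode http
"""

# Constructed sample: the Mozilla modern profile from the question, in 'global'.
MODERN_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)
HARDENED_CONF = f"""global
    log /var/run/log local0 info
    ssl-default-bind-ciphers {MODERN_CIPHERS}
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-ciphers {MODERN_CIPHERS}
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

defaults
    mode http
"""


if __name__ == "__main__":
    # Usage: python3 check_haproxy_tls.py [/usr/local/etc/haproxy.conf]
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/etc/haproxy.conf"
    with open(path) as fh:
        problems = check_tls_hardening(fh.read())
    for problem in problems:
        print("FAIL:", problem)
    print("OK: global section matches the modern profile" if not problems else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```

Run it against the rendered file after clicking Apply in the GUI; a non-zero exit means the custom options did not reach the section HAProxy reads. The check is deliberately limited to the global section because that is the only place HAProxy accepts these four keywords, so seeing them rendered under a frontend or defaults block would itself be a finding.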