Messages - fbep

#1
Brilliant--that worked! Thank-you so much!
#2
Hello, this is my first post here, so I'd like to start by saying thank-you for making such fantastic software available. I decided to give OPNsense a try after using PFsense for years, and I'm not looking back. Not only is the entire interface better, but the HAProxy and Let's Encrypt addons have blown me away--they're awesome!

My problem is that ssllabs.com is not liking the default HAProxy SSL configuration. I need to fix this for PCI compliance in my network. Mozilla's SSL Configuration Generator gives me the parameters I need to set, but I'm not sure where to set them. The file at /usr/local/etc/haproxy.conf warns not to edit...

Here's the configuration I'm trying to set: https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.6.10&openssl=1.0.2&hsts=yes&profile=modern

Specifically:

    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
Thanks in advance for any direction.
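As an added check (my own script, not part of this post or of OPNsense's HAProxy plugin), here is a small Python routine that parses the global section of an HAProxy configuration such as /usr/local/etc/haproxy.conf and reports where the ssl-default-* settings fall short of the profile quoted above; the configuration it scans is a constructed sample.

```python
import re
# Target values, copied from the Mozilla "modern" profile quoted in the post.
REQUIRED_CIPHERS = set((
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256").split(":"))
REQUIRED_OPTIONS = {"no-sslv3", "no-tlsv10", "no-tlsv11", "no-tls-tickets"}
SECTION = re.compile(r"^(global|defaults|frontend|backend|listen)\b")

def parse_global(conf_text):
    """Map each keyword in the 'global' section to its list of arguments."""
    settings, in_global = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        if SECTION.match(line):
            in_global = line == "global"
            continue
        if in_global:
            key, _, rest = line.partition(" ")
            settings[key] = rest.split()
    return settings

def check_tls_defaults(conf_text):
    """Return findings (empty list = global section matches the profile)."""
    g, findings = parse_global(conf_text), []
    for key in ("ssl-default-bind-ciphers", "ssl-default-server-ciphers"):
        vals = g.get(key)
        if not vals:
            findings.append(f"{key} missing")
            continue
        extra = sorted(set(vals[0].split(":")) - REQUIRED_CIPHERS)
        if extra:
            findings.append(f"{key} allows {extra}")
    for key in ("ssl-default-bind-options", "ssl-default-server-options"):
        missing = sorted(REQUIRED_OPTIONS - set(g.get(key, [])))
        if missing:
            findings.append(f"{key} lacks {missing}")
    return findings
# Constructed sample: a global section with only the bind side partly hardened.
SAMPLE_CONF = """global
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA
    ssl-default-bind-options no-sslv3 no-tlsv10  # tickets still enabled
defaults
    mode http
"""
```

Run it against the live file with `check_tls_defaults(open("/usr/local/etc/haproxy.conf").read())`; an empty list means both the bind and server defaults match the profile.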