17.1 Legacy Series / Hardening SSL Ciphers on HAProxy
« on: April 26, 2017, 09:55:52 pm »
Hello, this is my first post here, so I'd like to start by saying thank you for making such fantastic software available. I decided to give OPNsense a try after using pfSense for years, and I'm not looking back. Not only is the entire interface better, but the HAProxy and Let's Encrypt addons have blown me away--they're awesome!
My problem is that ssllabs.com is not liking the default HAProxy SSL configuration. I need to fix this for PCI compliance in my network. Mozilla's SSL Configuration Generator gives me the parameters I need to set, but I'm not sure where to set them. The file at /usr/local/etc/haproxy.conf warns not to edit...
Here's the configuration I'm trying to set: https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.6.10&openssl=1.0.2&hsts=yes&profile=modern
Specifically:
Code:
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
Thanks in advance for any direction.
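As an added example (not from the original post or the OPNsense project), here is a small checker that reads the four ssl-default-* lines out of an HAProxy global section and reports where they fall short of the profile quoted above: every suite must be an explicit ECDHE suite without SHA-1, RC4, 3DES, NULL, EXPORT or MD5, and the options must refuse SSLv3, TLS 1.0 and TLS 1.1. Both config samples are constructed; the regexes and finding texts are this example's own.

```python
"""Lint HAProxy ssl-default-* settings against the Mozilla 'modern' profile.

Added example, not part of the original post. The two configs below are
constructed samples: one copies the quoted profile, one is deliberately weak.
"""
import re

HARDENED_GLOBAL = """
global
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
"""

# Constructed weak variant: SHA-1 MACs, no forward secrecy, 3DES, legacy TLS left on,
# and no server-side defaults at all.
WEAK_GLOBAL = """
global
    ssl-default-bind-ciphers ECDHE-RSA-AES128-SHA:AES128-SHA:DES-CBC3-SHA
    ssl-default-bind-options no-sslv3
"""

# Protocol versions the quoted profile switches off.
REQUIRED_OPTIONS = {"no-sslv3", "no-tlsv10", "no-tlsv11"}
# Legacy bulk ciphers / MACs; a trailing "-SHA" is OpenSSL's name for an HMAC-SHA1 suite.
WEAK_SUITE = re.compile(r"RC4|DES-CBC|NULL|EXPORT|MD5|-SHA$")

def parse_global(config):
    """Return {keyword: value} for the ssl-default-* lines of a global section."""
    settings = {}
    for line in config.splitlines():
        m = re.match(r"\s*(ssl-default-(?:bind|server)-(?:ciphers|options))\s+(.+)", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def lint(config):
    """Return a list of findings; an empty list means the defaults meet the profile."""
    findings = []
    settings = parse_global(config)
    for side in ("bind", "server"):  # frontend listeners and backend connections
        ciphers = settings.get(f"ssl-default-{side}-ciphers")
        if ciphers is None:
            findings.append(f"{side}: no explicit cipher list, OpenSSL defaults apply")
        else:
            for suite in ciphers.split(":"):
                if not suite.startswith("ECDHE-"):
                    findings.append(f"{side}: {suite} is not an explicit forward-secret suite")
                elif WEAK_SUITE.search(suite):
                    findings.append(f"{side}: {suite} uses a weak cipher or MAC")
        options = set(settings.get(f"ssl-default-{side}-options", "").split())
        for opt in sorted(REQUIRED_OPTIONS - options):
            findings.append(f"{side}: missing {opt}")
    return findings
```

Point `lint()` at the text of your own haproxy.conf to see the same report for a live config; an empty list is the goal.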