Dear, I have this scenario:

Internet --> HAProxy Frontend --> HAProxy Backend --> Web servers

HAProxy version 1.5.8 in frontend (disabling protocols in the backend section connected to HAProxy backend):

    server HA-Backend 172.20.20.1:443 ssl verify none ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!AES256+ECDHE:!AES256+DHE no-tlsv11 no-tlsv10 no-sslv3

HAProxy version 1.5.8 in backend (disabling protocols in the backend section connected to web server):

    server WEB01 10.12.12.1:443 ssl verify none ciphers DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!AES256+ECDHE:!AES256+DHE cookie s1 no-tlsv11 no-tlsv10 no-sslv3
    server WEB02 10.12.12.2:443 ssl verify none ciphers DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!AES256+ECDHE:!AES256+DHE cookie s2 no-tlsv11 no-tlsv10 no-sslv3

Web servers: IIS (supporting TLS 1.0, TLS 1.1 and TLS 1.2)

As it is impossible to disable TLS 1.0 and TLS 1.1 on the IIS web servers for specific functionality reasons (the web administrator doesn't let me do this), I suppose I can disable TLS 1.0 and TLS 1.1 on the HAProxy frontend and backend. But after that, I ran a test from SSL Labs from Qualys, and it said TLS 1.1 is still enabled.

What can be the reason that the HAProxy frontend can't disable TLS 1.1 in connections from the Internet? Is anything wrong?

Thanks in advance, greetings!!!
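In HAProxy, `no-sslv3`, `no-tlsv10` and `no-tlsv11` on a `server` line restrict only the outbound connection to that server, while what Internet clients (and SSL Labs) are offered is controlled by the same keywords on the `bind` line. The following added example, which is not part of the original post, audits a configuration and reports per `bind`/`server` line which old protocol versions are not ruled out. The post does not show its `bind` line, so the one in the sample, the certificate path and the section names are assumptions.

```python
# Added example: which side of HAProxy each TLS restriction applies to.
# Protocol-disabling keywords accepted on both `bind` and `server` lines.
DISABLE = {"no-sslv3": "SSLv3", "no-tlsv10": "TLSv1.0", "no-tlsv11": "TLSv1.1"}
OLD = ["SSLv3", "TLSv1.0", "TLSv1.1"]

def unrestricted(config):
    """Map (keyword, name) of each SSL bind/server line to the old
    protocol versions that the configuration does not rule out."""
    defaults = []          # from ssl-default-bind-options, applies to binds only
    report = {}
    for raw in config.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw == "ssl-default-bind-options":
            defaults = args
            continue
        if kw not in ("bind", "server") or "ssl" not in args:
            continue
        opts = args[1:] + (defaults if kw == "bind" else [])
        if "force-tlsv12" in opts:
            off = set(OLD)
        else:
            off = {DISABLE[o] for o in opts if o in DISABLE}
        report[(kw, args[0])] = [p for p in OLD if p not in off]
    return report

# Constructed sample. The server line carries the post's protocol keywords
# (ciphers omitted); the bind line is an assumption, the post shows none.
SAMPLE = """
frontend fe_https
    bind :443 ssl crt /etc/haproxy/site.pem
    default_backend be_ha
backend be_ha
    server HA-Backend 172.20.20.1:443 ssl verify none no-tlsv11 no-tlsv10 no-sslv3
"""
FIXED = SAMPLE.replace("site.pem", "site.pem no-sslv3 no-tlsv10 no-tlsv11")

if __name__ == "__main__":
    for label, cfg in (("server only", SAMPLE), ("bind restricted", FIXED)):
        for (kw, name), left in unrestricted(cfg).items():
            print(f"{label:16} {kw:6} {name:12} not ruled out: {left or 'none'}")
```

A scan from outside only ever sees the `bind` side, so the `bind` row is the one to compare with the SSL Labs result.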

