Shawn,

> From: Shawn Heisey <[email protected]>
> Sent: Friday, May 19, 2023 3:33 PM
>
> I have a config that I have had in place for a while now. It did TLS 1.2 and 1.3, and got an A+ rating at SSL Labs.
>
> Today I was running the SSL test again and it only got an A rating instead of A+. Looking deeper at the results, I saw that it was no longer doing TLS 1.2 ... only TLS 1.3.
>
> Below are the global section, the defaults section, the bind lines from the frontend, and haproxy -vv output. If there is something missing that would shine a light on the issue, please let me know.
>
> I haven't changed any TLS-related config for a LONG time now. Is there something I am doing wrong that has disabled TLS 1.2 in 2.8-dev?
> ...
> HAProxy version 2.8-dev12-ffdf6a-1 2023/05/17
> ...
> Built with OpenSSL version : OpenSSL 3.1.0+quic 14 Mar 2023
> Running on OpenSSL version : OpenSSL 3.1.0+quic 14 Mar 2023
FWIW, I just tested 2.8-dev12-f48b23f (one commit behind yours, which is a doc patch) with statically linked quictls 3.0.8+quic (not 3.1.0+quic like yours, so could be relevant) and the following TLS-related configuration bits. Got A+ and both TLS v1.2 and v1.3 working (sorry, long lines):

ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
ssl-default-bind-options no-tls-tickets ssl-min-ver TLSv1.2
# Don't think this affects TLSv1.2, just here for completeness
tune.ssl.default-dh-param 2048

I'd suggest you try with ssl-default-bind-options as in my config, and maybe ssl-default-bind-ciphers as well, as these are for TLS <v1.3, and if that doesn't help then downgrade quictls to 3.0.8+quic and see if that changes anything.

Hope this helps,
Bob
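The suggestion above boils down to checking which version-related keywords (ssl-min-ver, ssl-max-ver, force-tlsvXX, no-tlsvXX) and which cipher list end up applying to each ssl bind. The following is an added example, not part of this thread and not a HAProxy tool: a small Python linter that reads a HAProxy config as text, merges the global ssl-default-bind-options with any per-bind overrides, and reports anything that rules a TLS 1.2 handshake out before touching a network. The sample configs, the `www` frontend and the `/etc/haproxy/site.pem` path are constructed placeholders; the keywords it recognises are HAProxy's documented bind options.

```python
import re

# Version labels HAProxy accepts for ssl-min-ver / ssl-max-ver, ordered low to high.
TLS_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b")


def _sections(cfg):
    """Yield (section_name, option_lines) per section; comments and blanks dropped."""
    name, lines = None, []
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if name is not None:
                yield name, lines
            name, lines = m.group(1), []
        elif name is not None:
            lines.append(line)
    if name is not None:
        yield name, lines


def _ver(keyword):
    """'no-tlsv12' / 'force-tlsv12' -> 'TLSv1.2'; 'no-sslv3' / 'force-sslv3' -> 'SSLv3'."""
    tail = keyword.split("-", 1)[1]
    return "SSLv3" if tail == "sslv3" else f"TLSv1.{tail[-1]}"


def version_window(tokens, lo="SSLv3", hi="TLSv1.3", excluded=frozenset()):
    """Apply the version keywords found in `tokens` (ssl-default-bind-options or a
    bind line) on top of an inherited [lo, hi] window and exclusion set."""
    excluded = set(excluded)
    for i, t in enumerate(tokens):
        if t == "ssl-min-ver" and i + 1 < len(tokens):
            lo = tokens[i + 1]
        elif t == "ssl-max-ver" and i + 1 < len(tokens):
            hi = tokens[i + 1]
        elif t.startswith("force-"):          # force-tlsv12 pins both ends
            lo = hi = _ver(t)
        elif t.startswith("no-tlsv") or t == "no-sslv3":
            excluded.add(_ver(t))             # no-tls-tickets is unrelated and skipped
    return lo, hi, excluded


def _allows(lo, hi, excluded, version="TLSv1.2"):
    """True when `version` lies inside [lo, hi] and is not explicitly disabled."""
    try:
        return (TLS_ORDER.index(lo) <= TLS_ORDER.index(version) <= TLS_ORDER.index(hi)
                and version not in excluded)
    except ValueError:  # unknown version label; HAProxy would reject the config
        return False


def tls12_findings(cfg):
    """List the reasons this config cannot negotiate TLS 1.2 on its ssl binds.
    An empty list means nothing in the config itself rules TLS 1.2 out."""
    findings, glob, binds = [], {}, []
    for name, lines in _sections(cfg):
        for line in lines:
            parts = line.split(None, 1)
            key, val = parts[0], (parts[1] if len(parts) > 1 else "")
            if name == "global":
                glob[key] = val.split()
            elif key == "bind" and "ssl" in val.split():
                binds.append((name, val.split()))

    lo, hi, excl = version_window(glob.get("ssl-default-bind-options", []))
    global_ok = _allows(lo, hi, excl)
    if not global_ok:
        findings.append(f"global ssl-default-bind-options limits versions to "
                        f"[{lo}, {hi}] minus {sorted(excl)}")

    # TLS <= 1.2 draws its ciphers from ssl-default-bind-ciphers, not -ciphersuites;
    # a list made only of TLS 1.3 suite names leaves a 1.2 handshake nothing to offer.
    ciphers = " ".join(glob.get("ssl-default-bind-ciphers", []))
    if ciphers and all(c.startswith("TLS_") for c in ciphers.split(":")):
        findings.append("ssl-default-bind-ciphers contains only TLS 1.3 suite names")

    if not binds:
        findings.append("no 'bind ... ssl' line found in any frontend/listen section")
    for section, tokens in binds:
        blo, bhi, bexcl = version_window(tokens, lo, hi, excl)
        if global_ok and not _allows(blo, bhi, bexcl):
            findings.append(f"{section} bind {tokens[0]}: versions limited to "
                            f"[{blo}, {bhi}] minus {sorted(bexcl)}")
    return findings


# Constructed sample mirroring the global lines from the message above (good case).
GOOD_CFG = """
global
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
    ssl-default-bind-options no-tls-tickets ssl-min-ver TLSv1.2
    tune.ssl.default-dh-param 2048
frontend www
    bind :443 ssl crt /etc/haproxy/site.pem   # placeholder path
    default_backend app
"""

# Constructed failure cases: a bind-level floor of TLS 1.3, and a global no-tlsv12.
BIND_MIN13_CFG = GOOD_CFG.replace("crt /etc/haproxy/site.pem",
                                  "crt /etc/haproxy/site.pem ssl-min-ver TLSv1.3")
NO_TLS12_CFG = GOOD_CFG.replace("no-tls-tickets", "no-tls-tickets no-tlsv12")

if __name__ == "__main__":
    for label, cfg in [("good", GOOD_CFG), ("bind-min13", BIND_MIN13_CFG),
                       ("no-tlsv12", NO_TLS12_CFG)]:
        print(label, "->", tls12_findings(cfg) or "TLS 1.2 possible")
```

Run it against the real haproxy.cfg by reading the file into `tls12_findings`; an empty result narrows the problem to the library build (the quictls version Bob points at) rather than the configuration, which is exactly the split the thread is trying to make.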

