Hi David,

On Tue, Sep 04, 2012 at 03:15:13PM +0200, David BERARD wrote:
> Hi,
>
> On 04/Sep - 01:37, Willy Tarreau <[email protected]> wrote:
> >| Have a lot of fun and please report your success/failures,
> >| Willy
>
> Thanks a lot for this useful feature. It works well on a dual PPC64 Linux
> server.

Excellent, thanks for the report.

> I wrote a small patch to add the SSL_OP_CIPHER_SERVER_PREFERENCE OpenSSL option
> to frontend, if the 'prefer-server-ciphers' keyword is set.
>
> https://0x1.fr/files/patchs/haproxy-ss-20120904_prefer_server_ciphers.patch
>
> Example :
>
> bind 10.11.12.13 ssl /etc/haproxy/ssl/cert.pem ciphers RC4:HIGH:!aNULL:!MD5 prefer-server-ciphers
>
> This option mitigates the effect of the BEAST attack (as I understand), and it is
> equivalent to :
> - Apache HTTPd SSLHonorCipherOrder option.
> - Nginx ssl_prefer_server_ciphers option.

OK I did not know there was such a workaround. Thanks for the patch, I'm going
to apply it now.

> Maybe it can be useful to add OpenSSL options directly in the haproxy
> configuration as the 'options' keyword in stunnel.

No, your current solution is better, as we'd like to get such options for each
"bind" line. So your patch is perfect :-)

Best regards,
Willy
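The following is an added example, not part of the thread and not haproxy's code: it mirrors what the patch does by turning the quoted bind line into an OpenSSL server context, setting or clearing SSL_OP_CIPHER_SERVER_PREFERENCE according to the keyword, and offers a small audit check for the result. `parse_bind_line` is a hypothetical helper that understands only the two keywords discussed here, and the bind lines are constructed samples.

```python
import ssl

# Constructed samples: the bind line quoted in the thread, and the same line
# without the new keyword, standing in for a pre-patch frontend.
BIND_WITH_PREFERENCE = ("bind 10.11.12.13 ssl /etc/haproxy/ssl/cert.pem "
                        "ciphers RC4:HIGH:!aNULL:!MD5 prefer-server-ciphers")
BIND_WITHOUT_PREFERENCE = ("bind 10.11.12.13 ssl /etc/haproxy/ssl/cert.pem "
                           "ciphers RC4:HIGH:!aNULL:!MD5")


def parse_bind_line(line):
    """Return (cipher_string, prefer_server_ciphers) from a haproxy bind line.

    Hypothetical helper: it only recognises the 'ciphers' argument and the
    'prefer-server-ciphers' flag, not haproxy's full bind syntax.
    """
    tokens = line.split()
    ciphers, prefer = None, False
    i = 0
    while i < len(tokens):
        if tokens[i] == "ciphers" and i + 1 < len(tokens):
            ciphers = tokens[i + 1]
            i += 1
        elif tokens[i] == "prefer-server-ciphers":
            prefer = True
        i += 1
    return ciphers, prefer


def build_server_context(ciphers, prefer_server_ciphers):
    """Apply both settings to an OpenSSL server context, as the patch does."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if ciphers:
        # OpenSSL keeps whatever matches: on builds without RC4 the string still
        # parses because HIGH matches, and !MD5 removes every MD5 suite.
        ctx.set_ciphers(ciphers)
    # CPython enables SSL_OP_CIPHER_SERVER_PREFERENCE by default, so the bit is
    # set or cleared explicitly to reflect whether the keyword was present.
    opts = int(ctx.options)
    if prefer_server_ciphers:
        opts |= ssl.OP_CIPHER_SERVER_PREFERENCE
    else:
        opts &= ~int(ssl.OP_CIPHER_SERVER_PREFERENCE)
    ctx.options = opts
    return ctx


def server_preference_enabled(ctx):
    """Audit check: does this context honour the server's cipher order?"""
    return bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)


def cipher_names(ctx):
    """Cipher suite names the context would offer, in server preference order."""
    return [c["name"] for c in ctx.get_ciphers()]
```

With the keyword present the server's order wins during negotiation, so a client that lists CBC suites first still gets the server's preferred suite; without it the client's order decides.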

