>> Yes. There is nothing to do. It works out of the box. If you modify
>> default ciphers, just ensure that they contain the appropriate DHE or
>> ECDH ciphers. You can check this with `openssl ciphers`.
>
> For example:
>
> frontend ft_test
>   mode http
>   bind 0.0.0.0:443 ssl crt /etc/ssl/private/<concat cert + privkey> ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
>   # Enable this if you want HSTS (recommended, but be careful)
>   # rspadd Strict-Transport-Security:\ max-age=31536000
Great. Thank you. I will try it next week, when I'm in the office again.

Is it possible to define a cipher list which is for all https services?

Regards,
Erwin Schliske
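The check suggested in the quoted reply (expand the cipher string with `openssl ciphers` and confirm the DHE/ECDH suites are there) can be scripted. This is an added example, not part of the original thread: the function name `non_fs_suites` and the `SAMPLE` lines are constructed for illustration, and the function only parses the `Kx=` field that `openssl ciphers -v` prints.

```shell
#!/bin/sh
# Added example. Reads `openssl ciphers -v` output on stdin and prints every
# suite whose key exchange is not ephemeral DH/ECDH (no forward secrecy).
# Exit status: 0 = all suites ephemeral, 1 = some are not, 2 = no input.
non_fs_suites() {
    awk '
        NF == 0 { next }                          # skip blank lines
        {
            kx = ""
            for (i = 2; i <= NF; i++)             # locate the Kx= column
                if ($i ~ /^Kx=/) kx = substr($i, 4)
            total++
            # Kx=ECDH and Kx=DH are ephemeral; Kx=any marks a TLS 1.3 suite.
            if (kx == "ECDH" || kx == "DH" || kx == "any") next
            bad++
            printf "%s (Kx=%s)\n", $1, kx
        }
        END {
            if (total == 0) exit 2
            exit (bad > 0 ? 1 : 0)
        }
    '
}

# Constructed sample in the format of `openssl ciphers -v`, so the function
# can be exercised without a local OpenSSL build.
SAMPLE='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384           TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
RC4-SHA                     SSLv3   Kx=RSA      Au=RSA  Enc=RC4(128)    Mac=SHA1'

# Real use: openssl ciphers -v "$CIPHERS" | non_fs_suites
```

Run against a real cipher string, the expansion depends on the installed OpenSSL version, so run it on the host where HAProxy is built and deployed.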

