Hi,

On 23.06.2014 18:32, Vincent Bernat wrote:
>  ❦ 23 June 2014 18:14 +0200, Markus Rietzler <w...@mrietzler.de> :
>
>> to switch off TLS compression (because of the BEAST/CRIME attack) with TLS
>> v1.0 and compression. Can I deactivate it in haproxy too?
You should not add a new thread to an existing one.
> haproxy disables SSL compression and there is no flag to enable
> it. However, disabling SSL compression is not available in OpenSSL
> 0.9.8. Which version of OpenSSL are you using?

Please have a look at
http://blog.haproxy.com/2013/01/21/mitigating-the-ssl-beast-attack-using-the-aloha-load-balancer-haproxy/
If you need support for PFS too, then try lines like this:
--
frontend fe_443
        bind :443 name https ssl crt /etc/haproxy/certs/mycert.pem ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
        mode http
--
and in the global section
--
tune.ssl.default-dh-param <private key length but min 1024>
--
After that check your site again.


cheers,
thomas
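As an added example (not part of the thread and not HAProxy's own tooling), a small Python lint over a constructed config fragment in the shape given above: it checks that the TLS bind carries an explicit ciphers list, reports enabled legacy suites such as RC4, confirms that ECDHE/DHE suites are present for PFS, and checks tune.ssl.default-dh-param against the 1024-bit minimum named in the reply. The sample config, function names and the legacy-token list are assumptions for the example.

```python
"""Lint an HAProxy TLS frontend fragment for the points discussed in the reply."""
import re

# Constructed sample config in the shape of the fragment above (not a real deployment).
SAMPLE_CFG = """\
global
    tune.ssl.default-dh-param 2048

frontend fe_443
    bind :443 name https ssl crt /etc/haproxy/certs/mycert.pem ciphers ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:HIGH:!aNULL:!MD5
    mode http
"""

# Substrings that mark a cipher-string token as legacy (assumed list for the example).
LEGACY_TOKENS = ("RC4", "3DES", "DES", "MD5", "EXPORT", "NULL")


def parse_ciphers(bind_line):
    """Return the colon-separated tokens of the 'ciphers' option on a bind line."""
    m = re.search(r"\bciphers\s+(\S+)", bind_line)
    return m.group(1).split(":") if m else []


def legacy_ciphers(cipher_list):
    """Tokens that are enabled (no '!' prefix) and name a legacy primitive."""
    return [c for c in cipher_list
            if not c.startswith("!") and any(t in c.upper() for t in LEGACY_TOKENS)]


def dh_param_bits(cfg_text):
    """Value of tune.ssl.default-dh-param in the global section, or None if unset."""
    m = re.search(r"^\s*tune\.ssl\.default-dh-param\s+(\d+)", cfg_text, re.M)
    return int(m.group(1)) if m else None


def lint(cfg_text):
    """Collect findings for every TLS-enabled bind line plus the DH parameter size."""
    findings = []
    for line in cfg_text.splitlines():
        if not (line.strip().startswith("bind ") and " ssl " in line):
            continue
        ciphers = parse_ciphers(line)
        if not ciphers:
            findings.append("bind without explicit ciphers: library defaults apply")
        findings += [f"legacy cipher enabled: {c}" for c in legacy_ciphers(ciphers)]
        if not any(c.startswith(("ECDHE", "DHE", "kEDH")) for c in ciphers):
            findings.append("no forward-secret (ECDHE/DHE) suites listed")
    bits = dh_param_bits(cfg_text)
    if bits is None:
        findings.append("tune.ssl.default-dh-param not set in global section")
    elif bits < 1024:
        findings.append(f"tune.ssl.default-dh-param {bits} is below the 1024-bit minimum")
    return findings
```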
