Hi,

On Sun, Sep 07, pablo platt wrote:
> Hi,
>
> I'm using haproxy to terminate SSL and it works for most of my users.
> I have an alphassl wildcard certificate.
> I'm using SSL to improve WebSockets and RTMP connections on port 443.
> I don't have sensitive data or e-commerce.
>
> I have one user that sees a warning in Chrome and can't use my website.

Do you know what warning Chrome gives to that user?

> Is it possible that the warning is because an antivirus is not happy
> with the default ciphers or other ssl settings?
>
> When running a test https://sslcheck.globalsign.com/en_US I'm getting:
> Sessions may be vulnerable to BEAST attack
> Server has not enabled HTTP Strict-Transport-Security
> Server has SSL v3 enabled
> Server is using RC4-based ciphersuites which have known vulnerabilities
> Server configuration does not meet FIPS guidelines
> Server does not have OCSP stapling configured
> Server has not yet upgraded to an Extended Validation certificate
> Server does not have SPDY enabled
>
> I found one suggestion:
> bind 10.0.0.9:443 name https ssl crt /path/to/domain.pem ciphers RC4:HIGH:!aNULL:!MD5
> http://blog.haproxy.com/2013/01/21/mitigating-the-ssl-beast-attack-using-the-aloha-load-balancer-haproxy/
>
> And another:
> bind 0.0.0.0:443 ssl crt /etc/cert.pem nosslv3 prefer-server-ciphers ciphers RC4-SHA:AES128-SHA:AES256-SHA
>
> Both give me other warnings.

What other warnings? (Does haproxy give you warnings/errors, or client browsers?)

Perhaps you could try a ciphersuite from:
https://wiki.mozilla.org/Security/Server_Side_TLS

for example in global:
ssl-default-bind-ciphers ...

or on bind:
bind 0.0.0.0:443 ssl crt /path/to/crt ciphers ...

To enable ocsp stapling see haproxy config:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#9.2-set%20ssl%20ocsp-response

-Jarno

-- 
Jarno Huuskonen
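Worked example, added to this thread and not part of Jarno's reply or of the haproxy project's documentation: a haproxy 1.5 configuration that puts the bind line quoted above (SSLv3 on, RC4 ranked first as a BEAST workaround, no HSTS, nothing to staple) beside a hardened version that addresses the globalsign findings Jarno's reply points at: a Mozilla-style TLS-only cipher list, SSLv3 off, HSTS, and file-based OCSP stapling. Everything below is an assumption for illustration: the paths, the frontend and backend names, the cipher list (a shortened "intermediate"-style list; take the current one from the Mozilla wiki page linked above) and the openssl commands in the comments. Two points of fact: the bind keyword that disables SSLv3 is spelled `no-sslv3` (the quoted `nosslv3` is not a keyword haproxy knows), and the `http-response` header line only acts on HTTP-mode listeners, so a TCP-mode listener carrying RTMP keeps the TLS settings but not the header.

```haproxy
global
    # Assumed TLS-only list in the shape of Mozilla's "intermediate" profile.
    # RC4 and MD5 are excluded outright; AEAD and forward-secret suites come first.
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!MD5:!RC4
    # Applies to every "bind ... ssl" line that does not override it.
    ssl-default-bind-options no-sslv3
    # 2048-bit DH parameters for the DHE suites (1.5 defaults to 1024).
    tune.ssl.default-dh-param 2048

defaults
    mode http
    timeout connect 5s
    timeout client 50s
    timeout server 50s

frontend https
    # Before (the suggestion quoted in the thread): SSLv3 enabled, RC4 first,
    # no HSTS header, no OCSP response to staple.
    #bind 10.0.0.9:443 name https ssl crt /etc/haproxy/certs/domain.pem ciphers RC4:HIGH:!aNULL:!MD5

    # After: ciphers and no-sslv3 are inherited from "global";
    # prefer-server-ciphers lets haproxy, not the client, choose from the
    # ordered list. Writing "ciphers ..." and "no-sslv3" here instead of in
    # global has the same effect for this one listener.
    bind 10.0.0.9:443 name https ssl crt /etc/haproxy/certs/domain.pem prefer-server-ciphers

    # HSTS: add only once every resource on the site is served over https,
    # because browsers will then refuse plain http for the whole max-age.
    http-response set-header Strict-Transport-Security max-age=31536000
    default_backend app

backend app
    server app1 127.0.0.1:8080

# OCSP stapling in haproxy 1.5 is file-based: at startup it staples the DER
# response found in "<crt>.ocsp" next to the certificate and uses
# "<crt>.issuer" as the issuer certificate when that file exists. Assumed
# commands to produce the response (run them periodically, then reload
# haproxy or push the new response through the stats socket with
# "set ssl ocsp-response"):
#
#   OCSP_URL=$(openssl x509 -noout -ocsp_uri -in /etc/haproxy/certs/domain.pem)
#   openssl ocsp -no_nonce \
#       -issuer  /etc/haproxy/certs/domain.pem.issuer \
#       -cert    /etc/haproxy/certs/domain.pem \
#       -url     "$OCSP_URL" \
#       -respout /etc/haproxy/certs/domain.pem.ocsp
```

To check the result from a client, `openssl s_client -connect host:443 -status` prints "OCSP Response Status: successful" when a staple is delivered, `openssl s_client -connect host:443 -ssl3` should fail the handshake once SSLv3 is off, and `openssl s_client -connect host:443 -cipher RC4` should likewise be refused. Run `haproxy -c -f /etc/haproxy/haproxy.cfg` first: a misspelled bind keyword is rejected at that stage rather than at runtime.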

