Hi,

On 09.09.2014 11:43, pablo platt wrote:
> I've tried both options and I'm still not getting A+.
>
> Unfortunately, I can't ask the user what the error is.
> If I'll run into this again, I'll try to get this info.
>
To reach A+ you need

        rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains if ssl-proxy

Here ssl-proxy means the connection is ssl.

and a cipher list like
--
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
--

Together it should work.

As you can see, we no longer have RC4 ciphers.

cheers
thomas

> Thanks
>
> On Mon, Sep 8, 2014 at 9:46 AM, Jarno Huuskonen
> <[email protected] <mailto:[email protected]>> wrote:
>
>     Hi,
>
>     On Sun, Sep 07, pablo platt wrote:
>     > Hi,
>     >
>     > I'm using haproxy to terminate SSL and it works for most of my
>     users.
>     > I have alphassl wildcard certificate.
>     > I'm using SSL to improve WebSockets and RTMP connections of port
>     443.
>     > I don't have sensitive data or e-commerce.
>     >
>     > I have one user that see a warning in Chrome and can't use my
>     website.
>
>     Do you know what warning chrome gives to that user ?
>
>     > Is it possible that this the warning is because an antivirus is
>     not happy
>     > with the default ciphers or other ssl settings?
>     >
>     > When running a test https://sslcheck.globalsign.com/en_US I'm
>     getting:
>     > Sessions may be vulnerable to BEAST attack
>     > Server has not enabled HTTP Strict-Transport-Security
>     > Server has SSL v3 enabled
>     > Server is using RC4-based ciphersuites which have known
>     vulnerabilities
>     > Server configuration does not meet FIPS guidelines
>     > Server does not have OCSP stapling configured
>     > Server has not yet upgraded to a Extended Validation certificate
>     > Server does not have SPDY enabled
>     >
>     > I found one suggestion:
>     > bind 10.0.0.9:443 name https ssl crt /path/to/domain.pem ciphers RC4:HIGH:!aNULL:!MD5
>     >
>     > http://blog.haproxy.com/2013/01/21/mitigating-the-ssl-beast-attack-using-the-aloha-load-balancer-haproxy/
>     >
>     > And another:
>     > bind 0.0.0.0:443 ssl crt /etc/cert.pem nosslv3 prefer-server-ciphers ciphers RC4-SHA:AES128-SHA:AES256-SHA
>     >
>     > Both gives me other warnings.
>
>     What other warnings ? (Does haproxy give you warnings/errors or client
>     browsers) ?
>
>     Perhaps you could try ciphersuite from:
>     https://wiki.mozilla.org/Security/Server_Side_TLS
>
>     for example in global:
>     ssl-default-bind-ciphers ...
>
>     or on bind:
>     bind 0.0.0.0:443 ssl crt /path/to/crt ciphers ...
>
>     To enable ocsp stapling see haproxy config:
>     http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt
>     http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#9.2-set%20ssl%20ocsp-response
>
>     -Jarno
>
>     --
>     Jarno Huuskonen
>
>


-- 
Thomas Heil
-
Email: [email protected]
Tel:   0176 / 44555622
--
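A small added check (example code written for this archive page, not from the thread's authors or from haproxy) for the two settings the reply above says are needed for A+: it applies the OpenSSL rule that a `!KEYWORD` entry disables matching ciphers wherever it appears, so the posted list's positive `RC4` entries are cancelled by the trailing `!RC4`, and it validates an HSTS header value. The 180-day minimum max-age and the list of weak keywords are assumptions, not values from the thread.

```python
import re

# Constructed sample inputs: the cipher string and the HSTS value (from the
# rspadd line) as posted in the thread; nothing is read from a live server.
CIPHER_STRING = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
    "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:"
    "!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4"
)
HSTS_VALUE = "max-age=31536000; includeSubDomains"

# Assumed list: RC4 (flagged by the scanner output quoted in the thread) plus
# the usual weak families a cipher string should exclude with '!'.
WEAK_KEYWORDS = ("RC4", "MD5", "3DES", "aNULL", "eNULL", "LOW", "EXP")


def weak_keywords_left_enabled(cipher_string):
    """Weak keywords that stay enabled in an OpenSSL-style cipher string.

    Simplified model: '!KEYWORD' removes matching ciphers permanently wherever
    it appears, so 'RC4' early in the list is still disabled by a trailing
    '!RC4'. Ordering and '-' re-addition rules are not modelled; use
    `openssl ciphers -v` for the authoritative expansion.
    """
    entries = [e for e in cipher_string.split(":") if e]
    killed = {e[1:] for e in entries if e.startswith("!")}
    enabled = set()
    for entry in entries:
        if entry[0] in "!-":
            continue
        for part in re.split(r"[+-]", entry):  # EECDH+aRSA+RC4, RC4-SHA, ...
            if part in WEAK_KEYWORDS and part not in killed:
                enabled.add(part)
    return sorted(enabled)


def hsts_ok(header_value, min_age=15552000):
    """True when max-age is at least min_age seconds (assumed 180 days) and
    includeSubDomains is present, as the reply's rspadd line sets."""
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        directives[name.lower()] = value.strip().strip('"')
    age = directives.get("max-age", "")
    return age.isdigit() and int(age) >= min_age and "includesubdomains" in directives


if __name__ == "__main__":
    print("weak keywords still enabled:", weak_keywords_left_enabled(CIPHER_STRING))
    print("HSTS acceptable:", hsts_ok(HSTS_VALUE))
```

Run against the two earlier suggestions quoted in the thread (`RC4:HIGH:!aNULL:!MD5` and `RC4-SHA:AES128-SHA:AES256-SHA`) the check reports RC4 as still enabled, which matches the scanner warning that started the thread.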