Hi,

On 09.09.2014 15:08, pablo platt wrote:
> rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains if ssl-proxy
>
> Do I need to add it to the frontend or backend?
It's a response, so it is better to do it in the backend, but it will work in the frontend too.
> Will it break raw TLS (not HTTPS)?
>
I am not sure what you are asking. Try it and check it via ssllabs?
> Thanks
cheers
thomas

> On Tue, Sep 9, 2014 at 1:25 PM, Thomas Heil <[email protected]> wrote:
>
>> Hi,
>>
>> On 09.09.2014 11:43, pablo platt wrote:
>>> I've tried both options and I'm still not getting A+.
>>>
>>> Unfortunately, I can't ask the user what the error is.
>>> If I run into this again, I'll try to get this info.
>>>
>> To reach A+ you need
>>
>> rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains if ssl-proxy
>>
>> ssl-proxy here means the connection is SSL.
>>
>> and a cipher list like
>> --
>> EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
>> --
>>
>> Together it should work.
>>
>> As you can see, we no longer have RC4 ciphers.
>>
>> cheers
>> thomas
>>
>>> Thanks
>>>
>>> On Mon, Sep 8, 2014 at 9:46 AM, Jarno Huuskonen <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> On Sun, Sep 07, pablo platt wrote:
>>>>> Hi,
>>>>>
>>>>> I'm using haproxy to terminate SSL and it works for most of my users.
>>>>> I have an alphassl wildcard certificate.
>>>>> I'm using SSL to improve WebSockets and RTMP connections on port 443.
>>>>> I don't have sensitive data or e-commerce.
>>>>>
>>>>> I have one user that sees a warning in Chrome and can't use my website.
>>>>
>>>> Do you know what warning chrome gives to that user?
>>>>
>>>>> Is it possible that the warning is because an antivirus is not happy
>>>>> with the default ciphers or other ssl settings?
>>>>>
>>>>> When running a test at https://sslcheck.globalsign.com/en_US I'm getting:
>>>>> Sessions may be vulnerable to BEAST attack
>>>>> Server has not enabled HTTP Strict-Transport-Security
>>>>> Server has SSL v3 enabled
>>>>> Server is using RC4-based ciphersuites which have known vulnerabilities
>>>>> Server configuration does not meet FIPS guidelines
>>>>> Server does not have OCSP stapling configured
>>>>> Server has not yet upgraded to an Extended Validation certificate
>>>>> Server does not have SPDY enabled
>>>>>
>>>>> I found one suggestion:
>>>>> bind 10.0.0.9:443 name https ssl crt /path/to/domain.pem ciphers RC4:HIGH:!aNULL:!MD5
>>>>> http://blog.haproxy.com/2013/01/21/mitigating-the-ssl-beast-attack-using-the-aloha-load-balancer-haproxy/
>>>>>
>>>>> And another:
>>>>> bind 0.0.0.0:443 ssl crt /etc/cert.pem nosslv3 prefer-server-ciphers ciphers RC4-SHA:AES128-SHA:AES256-SHA
>>>>>
>>>>> Both give me other warnings.
>>>>
>>>> What other warnings? (Does haproxy give you warnings/errors, or client browsers?)
>>>>
>>>> Perhaps you could try a ciphersuite from:
>>>> https://wiki.mozilla.org/Security/Server_Side_TLS
>>>>
>>>> for example in global:
>>>> ssl-default-bind-ciphers ...
>>>>
>>>> or on bind:
>>>> bind 0.0.0.0:443 ssl crt /path/to/crt ciphers ...
>>>>
>>>> To enable ocsp stapling see haproxy config:
>>>> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt
>>>> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#9.2-set%20ssl%20ocsp-response
>>>>
>>>> -Jarno
>>>>
>>>> --
>>>> Jarno Huuskonen
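As an added example (not HAProxy's own code, and not posted by any participant in the thread), the script below resolves a `ciphers` string the way HAProxy's OpenSSL would and audits a config for the three findings pablo's checker reported and the replies address: SSLv3 still enabled, RC4 in the suite list, and no Strict-Transport-Security header. It tokenises config lines with the same backslash-escape rule HAProxy applies to the `rspadd` header value, looks for `no-sslv3` (the spelling in the HAProxy 1.5 configuration manual) on the `bind` line or in `ssl-default-bind-options`, and expands the cipher string with the local OpenSSL through Python's ssl module, so what it reports is what that OpenSSL build would offer. The two configs are constructed for the demo: `ssl-default-bind-ciphers`, `ssl-default-bind-options`, `tune.ssl.default-dh-param` and the `ssl_fc` fetch behind the `ssl-proxy` ACL are HAProxy 1.5 keywords, while the paths, addresses and the `app` backend are placeholders. One caveat: a current OpenSSL without the legacy provider cannot resolve RC4 at all, so the RC4 finding only fires against a library that can still offer it; the SSLv3, HSTS and forward-secrecy findings do not depend on that.

```python
"""Audit an HAProxy 1.5 TLS-termination config for the findings discussed in
the thread: SSLv3 left enabled, weak suites in the resolved cipher list, and
no Strict-Transport-Security header.

Added example, not HAProxy code. Cipher strings are resolved by the local
OpenSSL via Python's ssl module, so results reflect the OpenSSL this runs
against, just as HAProxy's behaviour depends on the OpenSSL it is linked with.
"""
import shlex
import ssl

# Cipher string from Thomas's message, joined across the e-mail line wrap.
THREAD_CIPHERS = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
    "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:"
    "!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4"
)

# Constructed for the demo: the first suggestion pablo found, as a full frontend.
WEAK_CONFIG = r"""
frontend https-in
    bind 10.0.0.9:443 name https ssl crt /path/to/domain.pem ciphers RC4:HIGH:!aNULL:!MD5
    default_backend app

backend app
    server app1 127.0.0.1:8080
"""

# Constructed for the demo: the same frontend with the thread's advice applied.
HARDENED_CONFIG = r"""
global
    ssl-default-bind-ciphers """ + THREAD_CIPHERS + r"""
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048

frontend https-in
    bind 10.0.0.9:443 name https ssl crt /path/to/domain.pem
    acl ssl-proxy ssl_fc
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains if ssl-proxy
    default_backend app

backend app
    server app1 127.0.0.1:8080
"""

SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen")


def parse(config_text):
    """Split a config into (kind, name, [token lists]); shlex handles the
    backslash-escaped spaces HAProxy uses in rspadd header values."""
    sections = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0] in SECTION_KEYWORDS:
            sections.append((tokens[0], tokens[1] if len(tokens) > 1 else "", []))
        elif sections:
            sections[-1][2].append(tokens)
    return sections


def expand(cipher_string):
    """TLS<=1.2 suite names the string resolves to, in server-preference order.
    TLS 1.3 suites are configured separately by OpenSSL and are dropped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def cipher_findings(cipher_string):
    names = expand(cipher_string)
    out = []
    if any("RC4" in n for n in names):
        out.append("RC4 suites enabled")
    if any("DES-CBC3" in n for n in names):
        out.append("3DES suites enabled")
    # Only ECDHE/DHE key exchange gives forward secrecy; static RSA/PSK do not.
    if any(not n.startswith(("ECDHE-", "DHE-")) for n in names):
        out.append("non-forward-secret suites enabled")
    return out


def audit(config_text):
    """Findings for every TLS bind line, plus whether HSTS is added anywhere."""
    sections = parse(config_text)
    global_opts, global_ciphers = set(), None
    for kind, _, lines in sections:
        if kind == "global":
            for t in lines:
                if t[0] == "ssl-default-bind-options":
                    global_opts.update(t[1:])
                elif t[0] == "ssl-default-bind-ciphers":
                    global_ciphers = t[1]
    findings, hsts = [], False
    for kind, name, lines in sections:
        for t in lines:
            if t[0] == "bind" and "ssl" in t:
                where = f"{kind} {name} bind {t[1]}"
                opts = set(t[2:]) | global_opts
                # Any of these keeps SSLv3 off; 'no-sslv3' is the 1.5 spelling.
                if not opts & {"no-sslv3", "force-tlsv10", "force-tlsv11", "force-tlsv12"}:
                    findings.append(f"{where}: SSLv3 enabled")
                ciphers = t[t.index("ciphers") + 1] if "ciphers" in t else global_ciphers
                if ciphers is None:
                    findings.append(f"{where}: no cipher list, OpenSSL default applies")
                else:
                    findings += [f"{where}: {f}" for f in cipher_findings(ciphers)]
            if t[0] in ("rspadd", "http-response") and any(
                    x.lower().startswith("strict-transport-security") for x in t[1:]):
                hsts = True
    if not hsts:
        findings.append("no Strict-Transport-Security header is added to responses")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
    print("thread list resolves to:", ", ".join(expand(THREAD_CIPHERS)))
```

Run it directly to see the weak config flagged for SSLv3, missing HSTS and non-forward-secret suites, and the hardened one come back clean; the last line shows that Thomas's list resolves to ECDHE and DHE suites only, which is what the A+ grade in the thread depends on.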

