On Centos, after you update openssl, this is one choice ; .. .. bind 0.0.0.0:443 ssl no-sslv3 crt /etc/ssl/certs/yourkey.pem ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA .. ..
On another OS, he qualms page describes how to get the list of ciphers. Regards, ; Yuan > On Feb 21, 2015, at 9:53 PM, Lukas Tribus <[email protected]> wrote: > >> When I connect to haproxy the client uses: >> TLS_ECDHE_RSA_WITH_RC4_128_SHA >> >> When I connect to google.com the client uses: >> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 > > A part from the RC4 vs AES difference here, which you can > probably fix by an appropriate ciphers string, as long as you > are using a recent openssl release, the difference between > RSA and ECDSA depends on the certificate. Google front-end > server will serve an ECC certificate, if the browser supports it, > and an RSA certificate otherwise. > > In other words, you can only connect using ECDSA if you have > a ECC certificate, not a RSA certificate. > > And since you can hardly only use ECC for compatibility reason > and haproxy (as well as nginx) can't really do ECC and RSA, you > will have to stick to RSA certificates for now. > > > Lukas > >
