I have since set DH to 1024 in my configuration. Here are the results from cipherscan:

Target: 10.3.2.74:443

prio  ciphersuite         protocols              pfs_keysize
1     AES128-SHA          TLSv1,TLSv1.1,TLSv1.2
2     DHE-RSA-AES256-SHA  TLSv1,TLSv1.1,TLSv1.2  DH,1024bits

Certificate: UNTRUSTED, 1024 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Server side cipher ordering

On Sun, Feb 22, 2015 at 11:45 AM, Julien Vehent <jul...@linuxwall.info> wrote:
> DH size is indeed an important factor with older java clients. Using a
> certificate with a SHA-256 signature will also break older clients.
>
> Could you run cipherscan against your haproxy endpoint and post the results
> here?
> https://github.com/jvehent/cipherscan
>
> - Julien
>