I think missing the line from the configuration was a silly thing to do on our part, without a doubt. Maybe Qualys' tests contain a test that is meant to crash the SSL implementation by design?
We're at the mercy of what version is available to use via the CentOS/EPEL mirrors, but I would actually like to see 1.6.1 in place, so perhaps I will take that route soon. Compiling from source is swift and our LBs are pretty static boxes. Thanks for the feedback!

- Michael C.

> On 3 Nov 2015, at 17:17, Marco Corte <[email protected]> wrote:
>
> Hi, Michael!
>
> The low Qualys rating is the problem, correct?
>
>> [root@(redacted) ~]# haproxy --version
>> HA-Proxy version 1.5.4 2014/09/02
>> Copyright 2000-2014 Willy Tarreau <[email protected]>
>
> I would use a newer version. 1.5.15 has been released.
>
>> In the above configuration, the key component here is
>> 'ssl-default-bind-ciphers'. With this line commented out, as it is
>> above, Qualys SSL Server Test
>> (https://www.ssllabs.com/ssltest/index.html) brings our HAProxy instance
>> to its knees when it reaches the stage of, "Testing deprecated cipher
>> suites". With the line uncommented, and HAProxy restarted, the tests
>> pass fine and we come away with an A rating.
>
> Without that line, I believe you are actually offering to the connecting
> client all ciphers provided by your OpenSSL library.
> I am not sure, because I always specified the list of the ciphers that the
> client should see.
>
> I found these pages very interesting for finding the mix suiting my needs.
>
> https://mozilla.github.io/server-side-tls/ssl-config-generator/
> https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
>
> Hope this helps
>
> .marcoc
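
The following script is an added example illustrating the point discussed in this exchange; it is not code from the thread, from HAProxy, or from Qualys. It takes two constructed HAProxy "global" sections, one with ssl-default-bind-ciphers commented out (the state that produced the failing scan) and one with it set, and shows what each state actually means for the cipher suites a listener offers. The cipher string is a constructed list in the style of the Mozilla generator linked above, not the list from the poster's configuration. The expansion uses Python's ssl module, which hands the string to whatever OpenSSL the local interpreter is linked against, the same thing HAProxy does with the system OpenSSL, so the exact suites listed will differ between a CentOS box with OpenSSL 1.0.1 and a current workstation. When the directive is absent HAProxy falls back to OpenSSL's built-in default list; "ALL:!aNULL:!eNULL" is used here as an approximation of that default and is an assumption.

```python
import ssl

# Constructed cipher string in the style of the Mozilla generator linked in the
# thread (an assumption, not the list used on the poster's load balancers).
HARDENED_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"
)

# Approximation (assumed) of what a listener offers when no cipher list is
# configured: everything the linked OpenSSL knows, minus anonymous/null suites.
PERMISSIVE_CIPHERS = "ALL:!aNULL:!eNULL"

# Name fragments of suites a public-facing listener should no longer offer.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH", "PSK", "SRP")

# Constructed HAProxy global sections: the first with the cipher line commented
# out, as in the original post, the second with it active and SSLv3 disabled.
WEAK_CONFIG = """\
global
    log /dev/log local0
    tune.ssl.default-dh-param 2048
    # ssl-default-bind-ciphers %s
""" % HARDENED_CIPHERS

HARDENED_CONFIG = """\
global
    log /dev/log local0
    tune.ssl.default-dh-param 2048
    ssl-default-bind-ciphers %s
    ssl-default-bind-options no-sslv3
""" % HARDENED_CIPHERS


def bind_cipher_setting(config_text):
    """Return the value of ssl-default-bind-ciphers, or None when the line is
    absent or commented out (the state that produced the failing scan)."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0] == "ssl-default-bind-ciphers" and len(parts) == 2:
            return parts[1].strip()
    return None


def _enabled_suites(cipher_string):
    """Ask the local OpenSSL which suites `cipher_string` enables, in server
    preference order. HAProxy passes the same string to OpenSSL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def expand_cipher_string(cipher_string):
    """Names of the suites a listener configured with `cipher_string` offers."""
    return [c["name"] for c in _enabled_suites(cipher_string)]


def weak_ciphers(cipher_string):
    """Enabled suites that are deprecated or below 128-bit strength."""
    return [
        c["name"]
        for c in _enabled_suites(cipher_string)
        if c["strength_bits"] < 128 or any(m in c["name"] for m in WEAK_MARKERS)
    ]


def audit(config_text):
    """Report whether the cipher line is active and which weak suites the
    effective list would still expose to a scanner."""
    setting = bind_cipher_setting(config_text)
    effective = setting if setting is not None else PERMISSIVE_CIPHERS
    return {
        "cipher_line_active": setting is not None,
        "effective_ciphers": effective,
        "weak": weak_ciphers(effective),
    }


if __name__ == "__main__":
    for label, cfg in (("commented out", WEAK_CONFIG), ("set", HARDENED_CONFIG)):
        report = audit(cfg)
        print("ssl-default-bind-ciphers %s: %d suites enabled, weak: %s" % (
            label,
            len(expand_cipher_string(report["effective_ciphers"])),
            ", ".join(report["weak"]) or "none",
        ))
```

The audit deliberately treats a commented-out directive the same as a missing one, since that is the difference between the two scan results described above. Run it on the HAProxy host itself (with that host's OpenSSL) to see the list the load balancer really offers; the same expansion is available from the shell with openssl ciphers -v '<string>'.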

