Hi All,
I'm running haproxy 1.6.2 and it seems it ignores the values given with
ssl-default-bind-options and/or ssl-default-server-options.
I have the following in my global conf:
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11
ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
When testing this config I get:
[ALERT] 326/202736 (24201) : SSLv3 support requested but unavailable.
Configuration file is valid
After testing with ssllabs I also noticed tlsv10 and tlsv11 were still
enabled. Downgrading to haproxy 1.5.14 removes the error when testing
the config and shows the tls protocols as disabled when using ssllabs.
Did something change between 1.5 and 1.6 so my config doesn't work
anymore?
Greets,
Sander
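A way to check locally what ssllabs reported above, as an added example that is not part of the original post: a Python probe that pins the client to one TLS version at a time against a listener and lists the versions that ssl-default-bind-options should have disabled but which still complete a handshake. The host and port are assumptions (placeholders below); SSLv3 is not probed because modern Python/OpenSSL builds cannot request it.

```python
import socket
import ssl
import sys

# TLS versions the post expects to be off (no-tlsv10, no-tlsv11) plus the one
# that must stay on, so a fully dead listener is distinguishable from a fixed one.
PROBES = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def offers_version(host, port, version, timeout=5.0):
    """True if the listener completes a handshake pinned to `version`,
    False if it refuses, None if this client build cannot even try."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we test protocol support, not the certificate
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Lower the client's own policy so it does not mask what the server accepts.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def probe(host, port):
    """Map each probed version name to offers_version()'s verdict."""
    return {name: offers_version(host, port, ver) for name, ver in PROBES.items()}


def violations(results, disabled=("TLSv1.0", "TLSv1.1")):
    """Versions that the bind options should have turned off but that answered."""
    return [name for name in disabled if results.get(name) is True]


if __name__ == "__main__":
    # Placeholder target; pass "host port" on the command line to probe a real listener.
    target_host = sys.argv[1] if len(sys.argv) > 2 else "haproxy.example.invalid"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    found = probe(target_host, target_port)
    print(found)
    print("still enabled despite config:", violations(found))
```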