Hi,
On 05.06.2016 at 02:19, Igor Cicimov wrote:
> In haproxy.cfg I used these ciphers I found recommended:
> ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
I would not recommend this. Check [1] and [2] for some up-to-date
recommendations.
Yes, removing ECDHE-RSA-AES256-SHA will force the server to use the
non-FS RC4 cipher.
Regarding the 408 problem, please have a look at the http-ignore-probes
option [3].
Regards,
Lukas
[1] https://wiki.mozilla.org/Security/Server_Side_TLS
[2] https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.6&openssl=1.0.2&hsts=no&profile=intermediate
[3] http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#4-option%20http-ignore-probes
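
The point about RC4 becoming the preferred cipher can be checked by walking the quoted cipher string in its listed order. This is an added example, not part of the original thread or of HAProxy; the `audit` helper, its name-fragment deny-list and the assumption that the server selects in listed order are illustrative simplifications of OpenSSL's cipher-list grammar.

```python
import re

# Cipher string quoted in the thread.
QUOTED = "ECDHE-RSA-AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"

# Assumption: a short deny-list of name fragments, not OpenSSL's full catalogue.
WEAK = re.compile(r"RC4|MD5|NULL|EXP", re.IGNORECASE)
# Assumption: forward secrecy is recognised from the key-exchange name only.
FS = re.compile(r"^(ECDHE|DHE|EECDH|EDH|kEECDH|kEDH)(-|$)")


def audit(cipher_string):
    """Split a cipher string into ordered entries and exclusions, then
    report weak entries and whether the first entry is forward-secret."""
    ordered, excluded = [], set()
    for tok in (t.strip() for t in cipher_string.split(":")):
        if not tok or tok[0] in "+@":
            continue  # reordering directives are outside this sketch
        if tok[0] in "!-":
            excluded.add(tok[1:])
        else:
            ordered.append(tok)
    ordered = [t for t in ordered if t not in excluded]
    top = ordered[0] if ordered else None
    return {
        "ordered": ordered,
        "excluded": excluded,
        "weak": [t for t in ordered if WEAK.search(t)],
        "top": top,
        "top_forward_secret": bool(top and FS.match(top)),
        "top_weak": bool(top and WEAK.search(top)),
    }


def without(cipher_string, name):
    """Return the cipher string with one listed entry removed."""
    return ":".join(t for t in cipher_string.split(":") if t != name)


if __name__ == "__main__":
    for label, s in (("as quoted", QUOTED),
                     ("first entry removed", without(QUOTED, "ECDHE-RSA-AES256-SHA"))):
        r = audit(s)
        print(f"{label}: top={r['top']} fs={r['top_forward_secret']} "
              f"weak_top={r['top_weak']} weak_listed={r['weak']}")
```
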