Try this to help you build a good config: https://mozilla.github.io/server-side-tls/ssl-config-generator/
On Thursday, October 20, 2016, Ed Guizar <[email protected]> wrote:

> We are running HAProxy version 1.5.14. Our external PCI scan failed due to
> CVE-2016-2183 vulnerability. Apparently we need to disable DES and 3DES,
> at least that is what I understand from reading the description. How can I
> accomplish this?
>
> I have the following entry in the Global configuration:
>
> ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>
> ssl-default-server-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>
> *Ed Guizar*

--
Thanks,
Chris Short
https://chrisshort.net
Public PGP Key: http://cshort.co/pub_key
Keybase: http://cshort.co/keybaseio
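
A static check for the cipher list in the question, as an added example that is not part of the original thread: in OpenSSL cipher strings the keyword `DES` covers single DES only and `3DES` covers triple DES, so `!DES` leaves an explicitly listed `DES-CBC3-SHA` in place. The function name `audit_3des`, the abbreviated sample strings and the `!3DES` variant are assumptions of this example, and the real outcome depends on the OpenSSL build HAProxy is linked against.

```python
# Added example: token-level 3DES audit of an OpenSSL-style cipher string.
# It does not expand aliases the way OpenSSL does; it only reports what the
# string itself says about triple DES.
BROAD = {"ALL", "DEFAULT", "HIGH", "MEDIUM"}  # may pull in 3DES on some builds

def is_3des(name):
    # "3DES" is the OpenSSL keyword; concrete suite names contain "DES-CBC3".
    return "3DES" in name.split("+") or "DES-CBC3" in name

def audit_3des(cipher_string):
    added, killed, broad = [], set(), []
    for tok in (t.strip() for t in cipher_string.split(":")):
        if not tok:
            continue
        op = tok[0] if tok[0] in "!-+" else ""
        name = tok[len(op):]
        if op == "!":      # permanent removal, wherever it appears in the string
            killed.add(name)
        elif op == "-":    # removal that a later plain token can undo
            added = [n for n in added if name != "3DES" and n != name]
            if name == "3DES":
                broad = []
        elif op == "":     # plain token adds suites
            if is_3des(name):
                if name not in added:
                    added.append(name)
            elif name in BROAD:
                broad.append(name)
        # op == "+" only reorders suites that are already in the list
    blanket = "3DES" in killed
    return {
        "enabled": [] if blanket else [n for n in added if n not in killed],
        "broad": [] if blanket else broad,
        # "!DES" without "!3DES": single DES is excluded, triple DES is not
        "des_only": "DES" in killed and not blanket,
    }

# Constructed samples: head and tail of the list from the question, then the
# same list with DES-CBC3-SHA dropped and !3DES added.
QUESTION_CIPHERS = ("ECDHE-RSA-AES128-GCM-SHA256:AES:CAMELLIA:DES-CBC3-SHA:"
                    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"
                    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA")
HARDENED = ("ECDHE-RSA-AES128-GCM-SHA256:AES:CAMELLIA:"
            "!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH")

if __name__ == "__main__":
    print(audit_3des(QUESTION_CIPHERS))
    print(audit_3des(HARDENED))
```

After changing the configuration, `openssl ciphers -v '<string>'` on the HAProxy host shows what the string expands to with that host's OpenSSL.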

