Hi,

I'm struggling with enabling SSL forward secrecy in my haproxy 1.7 setup.

So far the global settings look like:

  tune.ssl.default-dh-param 2048 # tune shared secret to 2048bits

  ssl-default-bind-options force-tlsv12 no-sslv3
  ssl-default-bind-ciphers TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE
  ssl-default-server-options force-tlsv12 no-sslv3
  ssl-default-server-ciphers TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE

  ssl-server-verify required
  tune.ssl.cachesize 100000
  tune.ssl.lifetime 600
  tune.ssl.maxrecord 1460

and in my https UI I've set:

  ### ssl forward secrecy tweak
  # Distinguish between secure and insecure requests
  acl secure dst_port eq 443

  # Mark all cookies as secure if sent over SSL
  rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure

  # Add the HSTS header with a 1 year max-age
  rspadd Strict-Transport-Security:\ max-age=31536000 if secure

Still Qualys gives me an A- rating telling me:
The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-.

Any clue how to fix this?


  *   Julian
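Added example, not part of Julian's mail and not HAProxy or OpenSSL code: a small Python checker that scans a cipher string of the kind shown above for "!" kill rules that remove the ephemeral (ECDHE/DHE) key-exchange families, since in OpenSSL a "!" rule is permanent and no later entry or "@STRENGTH" sort can restore those suites. It assumes OpenSSL alias semantics as documented for the ciphers command, inspects kill rules only (it is not a replacement for running openssl ciphers -v), and uses the posted cipher string as its test input.

```python
"""Static check of an OpenSSL-style cipher string for rules that disable
forward secrecy (ephemeral ECDHE/DHE key exchange).

Added example, not from the original post. It does not reproduce OpenSSL's
full cipher-list evaluation; it only inspects '!' kill rules, because a '!'
rule permanently removes the matching suites and nothing later in the string
(including '@STRENGTH') can bring them back.
"""

# OpenSSL aliases whose '!' form deletes every ephemeral ECDH suite.
# 'ECDH' covers anonymous, ephemeral and fixed ECDH, so '!ECDH' kills ECDHE too.
ECDHE_ALIASES = {"kECDHE", "kEECDH", "ECDHE", "EECDH", "ECDH"}
# Same for ephemeral finite-field DH; '!DH' covers DHE as well.
DHE_ALIASES = {"kDHE", "kEDH", "DHE", "EDH", "DH"}
FS_ALIASES = ECDHE_ALIASES | DHE_ALIASES

# The bind/server cipher string from the post, copied here as test input.
POSTED_CIPHERS = (
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:"
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH:"
    "!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE"
)


def fs_kill_rules(cipher_string):
    """Return, in order, the '!' rules that remove ECDHE or DHE key exchange."""
    return [tok for tok in cipher_string.split(":")
            if tok.startswith("!") and tok[1:] in FS_ALIASES]


def forward_secrecy_possible(cipher_string):
    """False when kill rules have removed both the ECDHE and the DHE families.

    Keeping either family still allows a forward-secret suite; killing both
    leaves none, whatever the positive entries name, which is what a scanner
    reports as 'no Forward Secrecy'.
    """
    killed = {rule[1:] for rule in fs_kill_rules(cipher_string)}
    return not (killed & ECDHE_ALIASES) or not (killed & DHE_ALIASES)


def without_fs_kill_rules(cipher_string):
    """Drop only the forward-secrecy kill rules, leaving order and sorting intact."""
    bad = set(fs_kill_rules(cipher_string))
    return ":".join(tok for tok in cipher_string.split(":") if tok not in bad)


if __name__ == "__main__":
    print("kill rules:", fs_kill_rules(POSTED_CIPHERS))
    print("forward secrecy possible:", forward_secrecy_possible(POSTED_CIPHERS))
    print("list without them:", without_fs_kill_rules(POSTED_CIPHERS))
```

After editing a cipher string, confirm the result on the box itself with openssl ciphers -v and re-run the external scan, since the checker cannot see which suites the linked OpenSSL build actually offers.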
