Hi,
You might want to include a link to your Qualys results to help others see what
exactly they say.
At a casual glance the ciphers looks ok, but it would be easier to see the
SSLlabs output.
If you don’t want to share it, I suggest scrolling down and looking at the
results of the per-browser handshakes and go through them — IIRC there is some
“FS” vs. “No FS” marker there.
Regards,
Daniel
--
Daniel Schneller
Principal Cloud Engineer
CenterDevice GmbH | Hochstraße 11
| 42697 Solingen
tel: +49 1754155711 | Deutschland
[email protected] | www.centerdevice.de
Geschäftsführung: Dr. Patrick Peschlow, Dr. Lukas Pustina,
Michael Rosbach, Handelsregister-Nr.: HRB 18655,
HR-Gericht: Bonn, USt-IdNr.: DE-815299431
> On 30. Aug. 2017, at 11:33, Julian Zielke
> <[email protected]> wrote:
>
> Hi,
>
> I’m struggeling with enabling SSL forward secrecy in my haproxy 1.7 setup.
>
> So far the global settings look like:
>
> tune.ssl.default-dh-param 2048 # tune shared secred to 2048bits
>
> ssl-default-bind-options force-tlsv12 no-sslv3
> ssl-default-bind-ciphers
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE
> ssl-default-server-options force-tlsv12 no-sslv3
> ssl-default-server-ciphers
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE
>
> ssl-server-verify required
> tune.ssl.cachesize 100000
> tune.ssl.lifetime 600
> tune.ssl.maxrecord 1460
>
> and in my https UI I’ve set:
>
> ### ssl forward secrecy tweak
> # Distinguish between secure and insecure requests
> acl secure dst_port eq 443
>
> # Mark all cookies as secure if sent over SSL
> rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
>
> # Add the HSTS header with a 1 year max-age
> rspadd Strict-Transport-Security:\ max-age=31536000 if secure
>
> Still Qualys gives me an A- rating telling me:
> The server does not support Forward Secrecy with the reference browsers.
> Grade reduced to A-.
>
> Any clue how to fix this?
>
> Julian
>
>
> Wichtiger Hinweis: Der Inhalt dieser E-Mail ist vertraulich und
> ausschließlich für den bezeichneten Adressaten bestimmt. Wenn Sie nicht der
> vorgesehene Adressat dieser E-Mail oder dessen Vertreter sein sollten, so
> beachten Sie bitte, dass jede Form der Kenntnisnahme, Veröffentlichung,
> Vervielfältigung oder Weitergabe des Inhalts dieser E-Mail unzulässig ist.
> Wir bitten Sie, sich in diesem Fall mit dem Absender der E-Mail in Verbindung
> zu setzen. Wir möchten Sie außerdem darauf hinweisen, dass die Kommunikation
> per E-Mail über das Internet unsicher ist, da für unberechtigte Dritte
> grundsätzlich die Möglichkeit der Kenntnisnahme und Manipulation besteht
>
> Important Note: The information contained in this e-mail is confidential. It
> is intended solely for the addressee. Access to this e-mail by anyone else is
> unauthorized. If you are not the intended recipient, any form of disclosure,
> reproduction, distribution or any action taken or refrained from in reliance
> on it, is prohibited and may be unlawful. Please notify the sender
> immediately. We also would like to inform you that communication via e-mail
> over the internet is insecure because third parties may have the possibility
> to access and manipulate e-mails.
>
