On 17-08-30 09:33:23, Julian Zielke wrote:
> Hi,
>
> I'm struggling with enabling SSL forward secrecy in my haproxy 1.7 setup.
>
> So far the global settings look like:
>
> tune.ssl.default-dh-param 2048 # tune shared secret to 2048bits
>
> ssl-default-bind-options force-tlsv12 no-sslv3
> ssl-default-bind-ciphers TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE
> ssl-default-server-options force-tlsv12 no-sslv3
> ssl-default-server-ciphers TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE
>
> ssl-server-verify required
> tune.ssl.cachesize 100000
> tune.ssl.lifetime 600
> tune.ssl.maxrecord 1460
>
> and in my https UI I've set:
>
> ### ssl forward secrecy tweak
> # Distinguish between secure and insecure requests
> acl secure dst_port eq 443
>
> # Mark all cookies as secure if sent over SSL
> rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
>
> # Add the HSTS header with a 1 year max-age
> rspadd Strict-Transport-Security:\ max-age=31536000 if secure
>
> Still Qualys gives me an A- rating telling me:
> The server does not support Forward Secrecy with the reference browsers.
> Grade reduced to A-.
>
> Any clue how to fix this?
Try to add no-tls-tickets [1].

Cheers,
Georg

[1] https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#no-tls-tickets
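As an added check, not part of the thread, the script below expands a cipher string with the local OpenSSL (the same library haproxy hands ssl-default-bind-ciphers to) and reports which TLS 1.2 suites use an ephemeral key exchange, which is what forward secrecy requires. It compares the string quoted in the post, whose `!DH:!kECDHE:!DHE` rules delete every ECDHE and DHE suite, against a constructed ephemeral-only string; the Python ssl module and the EPHEMERAL_ONLY string are my assumptions.

```python
import re
import ssl

# Cipher string quoted verbatim from the post above (ssl-default-bind-ciphers).
THREAD_CIPHERS = (
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:"
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH:"
    "!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE"
)

# Constructed comparison string (an assumption, not from the thread): ephemeral
# ECDHE/DHE key exchange only, so every suite it yields provides forward secrecy.
EPHEMERAL_ONLY = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)

_KX = re.compile(r"\bKx=(\S+)")

def tls12_key_exchanges(cipher_string):
    """Expand a cipher string with the local OpenSSL and map each pre-TLS1.3
    suite name to its key-exchange method (ECDH, DH, RSA, PSK, ...).
    Returns {} when OpenSSL rejects the string because no suite matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return {}
    mapping = {}
    for suite in ctx.get_ciphers():
        # TLS 1.3 suites are always ephemeral and are not governed by this string.
        if suite["protocol"] == "TLSv1.3":
            continue
        match = _KX.search(suite["description"])
        mapping[suite["name"]] = match.group(1) if match else "?"
    return mapping

def forward_secret_suites(cipher_string):
    """Suites whose key exchange is ephemeral (OpenSSL reports Kx=ECDH or Kx=DH)."""
    kx = tls12_key_exchanges(cipher_string)
    return sorted(name for name, method in kx.items() if method in ("ECDH", "DH"))

def has_forward_secrecy(cipher_string):
    """True only if at least one suite survives and every surviving suite is ephemeral."""
    kx = tls12_key_exchanges(cipher_string)
    return bool(kx) and all(method in ("ECDH", "DH") for method in kx.values())
```

Session ticket handling, which the no-tls-tickets suggestion concerns, is independent of the cipher list and is not covered by this check.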

