Hi Julian,

> De: "Julian Zielke" <jzie...@next-level-integration.com>
> Hi,
> 
> I’m struggling with enabling SSL forward secrecy in my haproxy 1.7
> setup.
> 
> So far the global settings look like:
> 
> tune.ssl.default-dh-param 2048 # tune shared secret to 2048 bits
> ssl-default-bind-options force-tlsv12 no-sslv3
> ssl-default-bind-ciphers TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE

Please retry by replacing the RFC names with the openssl ones.
Look at this page for details:
https://wiki.openssl.org/index.php/Manual:Ciphers(1)

For example with:
ssl-default-bind-ciphers ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE

I think that with this cipher list, ECDHE ones should now be available.

Cyril Bonté
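
The renaming suggested in this reply, as an added example (not code from the thread, HAProxy or OpenSSL): a small Python translator that rewrites RFC-style suite names inside a `:`-separated cipher list and reports any it cannot handle. The function names and the deliberately limited rule set (ECDHE_RSA and ECDHE_ECDSA suites with AES or 3DES) are assumptions made for the illustration.

```python
import re

# RFC/IANA form handled here: TLS_<key exchange>_WITH_<bulk cipher>_<MAC>
# Assumption: only ECDHE_RSA / ECDHE_ECDSA suites are translated.
_RFC = re.compile(r"^TLS_(ECDHE_(?:RSA|ECDSA))_WITH_(.+)_(SHA(?:256|384)?)$")

# Bulk-cipher part of the RFC name -> the part OpenSSL uses in its own names.
_BULK = {
    "AES_128_CBC": "AES128",
    "AES_256_CBC": "AES256",
    "AES_128_GCM": "AES128-GCM",
    "AES_256_GCM": "AES256-GCM",
    "3DES_EDE_CBC": "DES-CBC3",
}

def to_openssl_name(token):
    """Return the OpenSSL name for one RFC-style suite name, or None if not handled."""
    m = _RFC.match(token)
    if not m or m.group(2) not in _BULK:
        return None
    kx, bulk, mac = m.groups()
    return "-".join([kx.replace("_", "-"), _BULK[bulk], mac])

def translate_cipher_string(cipher_string):
    """Rewrite RFC names in a ':'-separated list; return (new_string, unhandled)."""
    out, unhandled = [], []
    for token in cipher_string.split(":"):
        if token.startswith("TLS_") and "_WITH_" in token:
            name = to_openssl_name(token)
            if name is None:
                unhandled.append(token)  # keep it in place, but report it
                name = token
            out.append(name)
        else:
            out.append(token)  # keywords, '!' rules and @STRENGTH pass through
    return ":".join(out), unhandled

if __name__ == "__main__":
    # The first three entries of the list quoted in the thread.
    original = ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:"
                "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:"
                "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA")
    print(translate_cipher_string(original))
```

Renaming does not change the list's `!` exclusions, which OpenSSL still applies as written; `openssl ciphers -v '<list>'` prints the suites a given string actually selects.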
