Hi Julian,

> From: "Julian Zielke" <jzie...@next-level-integration.com>
> Hi,
>
> I'm struggling with enabling SSL forward secrecy in my haproxy 1.7
> setup.
>
> So far the global settings look like:
>
> tune.ssl.default-dh-param 2048 # tune shared secret to 2048bits
> ssl-default-bind-options force-tlsv12 no-sslv3
> ssl-default-bind-ciphers TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE

Please retry by replacing the RFC names with the OpenSSL ones. Look at this page for details: https://wiki.openssl.org/index.php/Manual:Ciphers(1)

For example with:

ssl-default-bind-ciphers ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE

I think that with this cipher list, ECDHE ones should now be available.

Cyril Bonté
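A small lint for haproxy `ssl-default-bind-ciphers` strings, added here as an illustration and not part of the thread or of haproxy: it flags RFC/IANA-style suite names (`TLS_..._WITH_...`) that OpenSSL's cipher-string parser does not recognise, and also flags `!` exclusions that strike out ECDHE/DHE key exchange, since in OpenSSL syntax `!` removes those suites permanently and no later entry can restore forward secrecy. The two cipher strings below are copied from the thread as constructed sample input.

```python
import re

# Constructed samples, copied from the thread: the original (RFC names)
# and the suggested replacement (OpenSSL names).
ORIGINAL_SPEC = (
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:"
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH:"
    "!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE"
)
SUGGESTED_SPEC = (
    "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:"
    "AES256+EECDH:AES256+EDH:TLSv1+HIGH:"
    "!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE"
)

# IANA/RFC names have the shape TLS_<kx>_WITH_<cipher>_<mac>; OpenSSL
# cipher strings use dash-separated names (ECDHE-RSA-AES128-SHA) instead,
# so an IANA token matches nothing and is silently ignored.
IANA_NAME = re.compile(r"^TLS_[A-Z0-9_]+_WITH_[A-Z0-9_]+$")

# OpenSSL keywords that select forward-secrecy (ephemeral) key exchange.
# DH and ECDH are included because they match ephemeral suites as well.
FS_KX = {"kECDHE", "kEECDH", "ECDHE", "EECDH", "ECDH",
         "kDHE", "kEDH", "DHE", "EDH", "DH"}


def lint_cipher_string(spec):
    """Return (token, reason) findings for an OpenSSL-syntax cipher string."""
    findings = []
    for tok in spec.split(":"):
        if IANA_NAME.match(tok):
            findings.append((tok, "RFC/IANA name; OpenSSL will not match it"))
        if tok.startswith("!"):
            # '!' deletes matching suites for good; a later positive entry
            # (ECDHE-..., AES256+EECDH) cannot bring them back.
            for part in tok[1:].split("+"):
                if part in FS_KX:
                    findings.append(
                        (tok, f"permanently removes {part} key exchange; "
                              "forward secrecy cannot be re-enabled later"))
    return findings


def iana_tokens(spec):
    """Just the IANA-style tokens, the fix the thread asks for."""
    return [t for t in spec.split(":") if IANA_NAME.match(t)]


if __name__ == "__main__":
    for name, spec in (("original", ORIGINAL_SPEC), ("suggested", SUGGESTED_SPEC)):
        print(name)
        for tok, reason in lint_cipher_string(spec):
            print(f"  {tok}: {reason}")
```

Feed it an haproxy config's cipher string before reloading: a clean run means every token is OpenSSL syntax and nothing in the list cancels ephemeral key exchange.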