Darn! Looking at the “openssl ciphers” Julian provided earlier, my mind
“autocompleted” the missing trailing “E” in ECDH (/me facepalms).
Thanks, Cyril, for pointing that out!
I was starting to doubt myself here :)
Cheers,
Daniel
--
Daniel Schneller
Principal Cloud Engineer
CenterDevice GmbH | Hochstraße 11 | 42697 Solingen | Deutschland
tel: +49 1754155711
[email protected] | www.centerdevice.de
Managing directors: Dr. Patrick Peschlow, Dr. Lukas Pustina,
Michael Rosbach, commercial register no.: HRB 18655,
register court: Bonn, VAT ID: DE-815299431
> On 30. Aug. 2017, at 15:41, Cyril Bonté <[email protected]> wrote:
>
>> From: "Julian Zielke" <[email protected]>
>> To: "Cyril Bonté" <[email protected]>
>> Cc: [email protected]
>> Sent: Wednesday 30 August 2017 15:11:47
>> Subject: AW: Enable SSL Forward Secrecy
>>
>> Hi Cyril,
>>
>> tried it without success. Maybe HaProxy isn't just capable of doing
>> this.
>
> Oh well, indeed the "!kECDHE" excludes the ciphers from the list.
> You should retry without it (with or without RFC names in the ciphers list)
>
>>> ssl-default-bind-ciphers
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
>>> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH
>>> :!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE
>
> Cyril Bonté
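The thread's finding is that a trailing `!kECDHE` strips every ECDHE suite from the cipher list, so no forward-secret ECDHE exchange can ever be negotiated, and Daniel's follow-up shows how easily the `Kx=ECDH` column of `openssl ciphers -v` gets misread as static ECDH. The script below is an added example, not code from the thread or from HAProxy; it uses Python's `ssl` module (which expands cipher strings through the same OpenSSL library HAProxy links against) to show what a cipher string really enables, and to check whether any ECDHE suite survives. The `BASE_LIST` string is constructed for the example, modelled on Julian's list but restricted to a few suites with OpenSSL's own names so it expands the same way on current OpenSSL builds; the function names are the example's own.

```python
import ssl

# Constructed cipher list modelled on the one quoted in the thread: two ECDHE
# suites, one DHE suite and one plain-RSA suite, written in OpenSSL's own names.
BASE_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:"
    "AES128-GCM-SHA256"
)


def expand_cipher_string(cipher_string):
    """Return the TLS <= 1.2 suites OpenSSL actually enables for cipher_string,
    as (name, kx) pairs, where kx is the Kx= field of `openssl ciphers -v`.

    TLS 1.3 suites are skipped: they are not governed by this string at all,
    which is why a list that "looks fine" in a TLS 1.3 handshake can still be
    broken for every TLS 1.2 client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    suites = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        # description looks like:
        # "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
        kx = next(tok.split("=", 1)[1]
                  for tok in c["description"].split()
                  if tok.startswith("Kx="))
        suites.append((c["name"], kx))
    return suites


def forward_secret(suites):
    """Names of the suites whose key exchange is ephemeral.

    OpenSSL prints the ephemeral ECDH exchange as plain 'ECDH' in the Kx= column
    (and ephemeral DH as 'DH'); the matching cipher-string keyword is 'kECDHE'
    (resp. 'kEDH'/'kDHE'). That mismatch is the ECDH/ECDHE mix-up from the thread."""
    return [name for name, kx in suites if kx in ("ECDH", "DH")]


def ecdhe_survives(cipher_string):
    """True if at least one ECDHE suite is left after OpenSSL applies the string.

    This is the check to run against an ssl-default-bind-ciphers value before
    deploying it: a False here means no client can get ECDHE forward secrecy."""
    return any(kx == "ECDH" for _, kx in expand_cipher_string(cipher_string))


if __name__ == "__main__":
    for label, cipher_string in (("without !kECDHE", BASE_LIST),
                                 ("with !kECDHE", BASE_LIST + ":!kECDHE")):
        suites = expand_cipher_string(cipher_string)
        print(f"{label}: {len(suites)} suites enabled, "
              f"{len(forward_secret(suites))} forward secret, "
              f"ECDHE available: {ecdhe_survives(cipher_string)}")
        for name, kx in suites:
            print(f"  {name:<32} Kx={kx}")
```

Running the script prints the expanded list twice; the second run, with `!kECDHE` appended, keeps only the DHE and plain-RSA suites, which is exactly what Cyril observed. The same `expand_cipher_string` call accepts RFC-style names such as `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` on OpenSSL 1.1.1 and later, so it can be pointed at a configured HAProxy string verbatim.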