HA-Proxy version 1.7.10-a7dcc3b 2018/01/02
SSL Labs reports the CBC ciphers are "weak":

I've tried to explicitly negate these ciphers with an "!" in haproxy.cfg to no 
avail:


    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384

    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    ssl-default-server-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384

How do I delete the "weak" ciphers?

Norman Branitsky
Senior Cloud Architect
Tyler Technologies, Inc.

P: 416-916-1752
C: 416.843.0670
www.tylertech.com
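An added example, not part of the original post: one way to see how an OpenSSL build expands the posted cipher string, using Python's standard `ssl` module rather than HAProxy itself (assumption: Python is linked against an OpenSSL comparable to the one HAProxy uses). The helper names `expand`, `non_aead` and `unknown_tokens` are hypothetical. In OpenSSL's naming the CBC suites are the ones with no mode in the name, so the two `-CBC-` tokens match nothing and are skipped.

```python
import ssl

# Cipher string copied from the ssl-default-bind-ciphers line in the post.
POSTED = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384"
)
# Constructed for comparison: the same list with only the two GCM suites kept.
GCM_ONLY = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"


def expand(cipher_string):
    """TLS 1.2-and-below suites the local OpenSSL enables for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing is selected
    # TLS 1.3 suites are not controlled by this string; leave them out.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def non_aead(cipher_string):
    """Names of enabled suites that are not AEAD (for this list: AES-CBC)."""
    return [c["name"] for c in expand(cipher_string) if not c["aead"]]


def unknown_tokens(cipher_string):
    """Tokens that select nothing on their own; OpenSSL skips them silently."""
    unknown = []
    for token in cipher_string.split(":"):
        try:
            expand(token.lstrip("!-+"))
        except ssl.SSLError:
            unknown.append(token)
    return unknown


if __name__ == "__main__":
    print("CBC suites still enabled:", non_aead(POSTED))
    print("tokens OpenSSL ignored:  ", unknown_tokens(POSTED))
    print("CBC suites with GCM_ONLY:", non_aead(GCM_ONLY))
```
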