Hi Norman,
On Wed, Apr 22, 2020 at 03:29:28PM +0000, Branitsky, Norman wrote:
> HA-Proxy version 1.7.10-a7dcc3b 2018/01/02
> SSL Labs reports the CBC ciphers are "weak":
> 
> I've tried to explicitly negate these ciphers with an "!" in haproxy.cfg to 
> no avail:
> 
> 
>     ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
> 
>     ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384
> 
>     ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
> 
>     ssl-default-server-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384
> 
> How do I delete the "weak" ciphers?
> 


If you list all the ciphers you want to support, it does not make sense to
negate those you don't want. Just don't list them.
You would use ! to exclude specific ciphers or cipher "families", i.e.:

 ssl-default-bind-ciphers CHACHA20:AESGCM:AESCCM:!RSA

You can find additional information on this in the manpage for ciphers(1).

Regards,
Jérôme
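
Added example (not part of the original thread and not HAProxy code): it expands the cipher string from the question with Python's ssl module, which hands it to the local OpenSSL, and reports which enabled suites use CBC. In OpenSSL naming the two SHA256/SHA384 suites in the list are the CBC ones. FIXED is an assumed corrected value that follows the reply's advice, and the output depends on the local OpenSSL build.

```python
import ssl

# Cipher string quoted in the question (same value on the bind and server lines).
ORIGINAL = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
            "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
            "!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384")
# Assumed fix following the reply: simply do not list the two CBC suites.
FIXED = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"


def expand(cipher_string):
    """Return the suites OpenSSL actually enables for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def cbc_suites(cipher_string):
    """Names of enabled suites whose bulk cipher runs in CBC mode."""
    return [c["name"] for c in expand(cipher_string)
            if "cbc" in (c.get("symmetric") or "")]


def negations_are_noops(cipher_string):
    """True if dropping every '!' token leaves the enabled set unchanged."""
    kept = ":".join(t for t in cipher_string.split(":")
                    if not t.startswith("!"))
    names = lambda s: [c["name"] for c in expand(s)]
    return names(kept) == names(cipher_string)


if __name__ == "__main__":
    for label, s in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, "CBC suites:", cbc_suites(s) or "none")
    # The "!...-CBC-..." tokens match no OpenSSL suite name, so they are ignored.
    print("'!' tokens change nothing:", negations_are_noops(ORIGINAL))
```

TLS 1.3 suites also appear in the expanded list because this cipher string does not control them; they are all AEAD and are never flagged.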
