You can start with https://ssl-config.mozilla.org/. However, high security also means lower compatibility, i.e. old browsers fail on high security (SSL Labs provides a handshake table for that).

Wed, 22 Apr 2020 at 20:32, Branitsky, Norman <[email protected]>:
> HA-Proxy version 1.7.10-a7dcc3b 2018/01/02
> SSL Labs reports the CBC ciphers are “weak”:
>
> I’ve tried to explicitly negate these ciphers with an “!” in haproxy.cfg to no avail:
>
> ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
> ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384
> ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
> ssl-default-server-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384
>
> How do I delete the “weak” ciphers?
>
> *Norman Branitsky*
> Senior Cloud Architect
> Tyler Technologies, Inc.
> P: 416-916-1752
> C: 416.843.0670
> www.tylertech.com
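
An added example, not part of the original thread or of HAProxy: in OpenSSL naming, AES-CBC suites carry no mode token, so `ECDHE-RSA-AES256-SHA384` and `ECDHE-RSA-AES128-SHA256` are the CBC suites SSL Labs flags, while the two `!...-CBC-...` entries name nothing in the list. The sketch below audits the cipher string from the question by name only; the function names are hypothetical and it assumes explicit suite names, not aliases such as `HIGH`.

```python
# Added example: classify the entries of an OpenSSL-style cipher string by name.
# Assumption: OpenSSL naming, where AEAD suites carry GCM, CCM or CHACHA20 in
# the name and a block-cipher suite without such a token uses CBC.
AEAD_TOKENS = ("GCM", "CCM", "CHACHA20")
BLOCK_TOKENS = ("AES", "CAMELLIA", "DES", "SEED", "IDEA", "ARIA")

# Cipher string quoted in the question above.
QUESTION_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384"
)

def mode_of(name):
    """Return 'AEAD', 'CBC' or 'other' for one OpenSSL cipher suite name."""
    upper = name.upper()
    if any(tok in upper for tok in AEAD_TOKENS):
        return "AEAD"
    if any(tok in upper for tok in BLOCK_TOKENS):
        return "CBC"
    return "other"  # e.g. RC4 or NULL suites

def audit(cipher_string):
    """Split a cipher string into AEAD suites, CBC suites and no-op exclusions."""
    entries = [e for e in cipher_string.split(":") if e]
    listed = [e for e in entries if e[0] not in "!-+"]
    excluded = [e[1:] for e in entries if e[0] in "!-"]
    return {
        "aead": [n for n in listed if mode_of(n) == "AEAD"],
        "cbc": [n for n in listed if mode_of(n) == "CBC"],
        # Exclusions that equal no listed suite name remove nothing from an
        # explicit list (aliases such as aNULL are not modelled here).
        "unmatched_exclusions": [n for n in excluded if n not in listed],
    }

def aead_only(cipher_string):
    """Rebuild the string with only the AEAD suites, in the original order."""
    return ":".join(audit(cipher_string)["aead"])

if __name__ == "__main__":
    report = audit(QUESTION_CIPHERS)
    print("CBC suites still enabled:", report["cbc"])
    print("Exclusions matching nothing:", report["unmatched_exclusions"])
    print("ssl-default-bind-ciphers", aead_only(QUESTION_CIPHERS))
```

With only the two GCM suites left, clients that lack AES-GCM support can no longer complete a handshake, which is the compatibility trade-off the reply mentions.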

