FWIW, here's what we use in production with HAProxy 2.1.4 statically linked
with OpenSSL 1.1.1f; it gives us an A rating with a score of 90 for cipher
strength from the SSL Labs test:

# recommended modern ciphersuites. Qualys SSLLab reports some of them
# as weak due to use of inferior CBC mode, but disabling them breaks
# compatibility with quite a few browsers still in the wild.
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
# TLSv1.3 ciphersuites: for now, the same as OpenSSL default
ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
# Disable TLSv1.1 and down and TLS tickets
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

Here's what they report for TLS 1.2:

# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) ECDH x25519 (eq. 3072 bits RSA) FS 256(P)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH x25519 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 128
(P) This server prefers ChaCha20 suites with clients that don't have AES-NI (e.g., Android devices)

Disabling the two weak ciphers knocks off too many browsers still in wide use,
so we ruled against it.
Bob
-----Original Message-----
From: Branitsky, Norman <[email protected]>
Sent: Wednesday, April 22, 2020 2:20 PM
To: Jerome Magnin <[email protected]>
Cc: [email protected]
Subject: RE: How to suppress weak ciphers
As you can see from my pasted configuration, I was specifying exactly 4 ciphers.
The 2 weak CBC ciphers were magically appearing in the SSL Labs report.
I tried to explicitly delete them - but the delete request is ignored.
It seems that this entry, for example, must actually be a family:
ECDHE-RSA-AES256-SHA384
which includes
ECDHE-RSA-AES256-CBC-SHA384
Not clear why the explicit delete command doesn't delete the CBC cipher.
Do you use the following specification and do you find sufficient support of
existing browsers?
ssl-default-bind-ciphers CHACHA20:AESGCM:AESCCM:!RSA
Or is this too aggressive?
Norman Branitsky
Senior Cloud Architect
P: 416-916-1752
-----Original Message-----
From: Jerome Magnin <[email protected]>
Sent: Wednesday, April 22, 2020 11:50 AM
To: Branitsky, Norman <[email protected]>
Cc: [email protected]
Subject: Re: How to suppress weak ciphers
Hi Norman,
On Wed, Apr 22, 2020 at 03:29:28PM +0000, Branitsky, Norman wrote:
> HA-Proxy version 1.7.10-a7dcc3b 2018/01/02
> SSL Labs reports the CBC ciphers are "weak":
>
> I've tried to explicitly negate these ciphers with an "!" in haproxy.cfg to
> no avail:
>
>
> ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
>
> ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384
>
> ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
>
> ssl-default-server-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384
>
> How do I delete the "weak" ciphers?
>
If you list all the ciphers you want to support, it does not make sense to
negate those you don't want. Just don't list them.
You would use ! to exclude specific ciphers or cipher "families", i.e.:
ssl-default-bind-ciphers CHACHA20:AESGCM:AESCCM:!RSA
You can find additional information on this in the manpage for ciphers(1).
Regards,
Jérôme
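
An added example, not code from anyone in this thread: Python's ssl module passes a cipher string to the OpenSSL cipher-list parser documented in ciphers(1), so it can show what the string posted in the question expands to and which of its entries match no suite at all. It assumes Python linked against OpenSSL 1.1.1 or later, which may differ from the OpenSSL build HAProxy uses; the function and constant names are made up for this example.

```python
import ssl

# ssl-default-bind-ciphers value as posted in the question.
POSTED = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
          "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
          "!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384")
# Same list with the two non-GCM entries left out, as the reply advises.
TRIMMED = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"


def expand(cipher_string):
    """Return the TLS 1.2-and-below suites OpenSSL selects for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if no suite matches
    # TLS 1.3 suites are always listed here; HAProxy sets them separately
    # with ssl-default-bind-ciphersuites, so leave them out.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def non_aead(cipher_string):
    """Names of selected suites that are not AEAD, i.e. the CBC ones."""
    return [c["name"] for c in expand(cipher_string) if not c["aead"]]


def unknown_names(cipher_string):
    """Entries (with any !, - or + prefix stripped) that match no suite."""
    unknown = []
    for item in cipher_string.split(":"):
        name = item.lstrip("!-+")
        try:
            expand(name)
        except ssl.SSLError:
            unknown.append(name)
    return unknown


if __name__ == "__main__":
    # ECDHE-RSA-AES256-SHA384 is OpenSSL's name for the CBC suite 0xc028.
    print("CBC suites selected by posted string:", non_aead(POSTED))
    print("entries matching nothing (skipped):  ", unknown_names(POSTED))
    print("CBC suites selected by trimmed string:", non_aead(TRIMMED))
```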