Sun, 20 Jun 2021 at 11:43, Shawn Heisey <hapr...@elyograg.org>:

> On 6/17/2021 1:01 AM, Willy Tarreau wrote:
> > I don't know if the config is responsible for this but I've just tested
> > on haproxy.org and it does work there:
> >
> >    Session resumption (caching)       Yes
> >    Session resumption (tickets)       Yes
>
> Many thanks to everyone who replied, and countless people who published
> comments and articles on the Internet.  You're awesome.
>
> I've managed to get my SSL Labs grade to A+.  I really like testssl.sh.



It is something loved by compliance people. For example, if you have to
certify for PCI DSS, you have to set up A+ actually.


>
>   I've only got one remaining yellow item on the testssl report:
>
>   BREACH (CVE-2013-3587)                    potentially NOT ok, "gzip"
> HTTP compression detected. - only supplied "/" tested
>
> This is what SSL Labs now says for the thing that started this thread:
>
> Session resumption (caching)    No (IDs assigned but not accepted)
> Session resumption (tickets)    Yes
>
> I'd like to get the caching item fixed, but I haven't figured that out
> yet.  Hoping that getting the tickets working is enough for most
> clients.  Not that I feel TLS is slow at all, seems zippy enough.  Any
> chance that the problem is my openssl library rather than haproxy?  It's
> stock Ubuntu 18.  Here's the openssl info from haproxy -vv:
>
> Built with OpenSSL version : OpenSSL 1.1.1  11 Sep 2018
> Running on OpenSSL version : OpenSSL 1.1.1  11 Sep 2018
>
> As for the list of functional clients that SSL Labs generates, people
> using IE on anything older than Windows 10 are out of luck with my web
> pages, as are those using Safari 8 and below.  Java 6 and 7 are also
> unsupported.  I really do not care about people using those clients.
> Upgrade your Java version or get a better browser.
>


Unfortunately, TLS does not allow you to signal this properly. The client will
only see "unable to establish connection" without any clear reason.


But you are right, it is completely up to you whether to choose
compatibility and bigger client coverage or a high SSL Labs rating.


>
> Thanks,
> Shawn
>
>
